smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

Rendered chart strips "y" value for JWK provisioner #109

Closed arshesney closed 2 years ago

arshesney commented 2 years ago

Subject of the issue

When deploying step-ca with a ca.json built from injected values, the "y" value of a JWK provisioner is missing from the rendered chart.

Your environment

Steps to reproduce

Set inject.enabled: true in values.yaml and deploy with helm. Sample config:

inject:
  enabled: true
  config:
    files:
      ca.json:
        root: /home/step/certs/root_ca.crt
        federateRoots: []
        crt: /home/step/certs/intermediate_ca.crt
        key: /home/step/secrets/intermediate_ca_key
        address: 0.0.0.0:9000
        dnsNames:
          - ca.example.lan
          - myexampleca.ca.svc.cluster.local
          - 127.0.0.1
        logger:
          format: json
        db:
          type: mysql
          dataSource: stepca:...snip...@tcp(mysql.mysql.svc.cluster.local:3306)/
          database: stepca
        authority:
          claims:
            minTLSCertDuration: 5m
            maxTLSCertDuration: 8760h
            defaultTLSCertDuration: 2160h
            disableRenewal: false
            minHostSSHCertDuration: 5m
            maxHostSSHCertDuration: 1680h
            defaultHostSSHCertDuration: 720h
            minUserSSHCertDuration: 5m
            maxUserSSHCertDuration: 24h
            defaultUserSSHCertDuration: 24h
          provisioners:
            - type: ACME
              name: acme
              forceCN: true
              claims: {}
            - type: JWK
              name: me@example.lan
              key:
                use: "sig"
                kty: "EC"
                kid: "...snip..."
                crv: "P-256"
                alg: "ES256"
                x: "...snip..."
                y: "...snip..."
              encryptedKey: "...snip..."
              claims:
                enableSSHCA: true
                disableRenewal: false
                allowRenewalAfterExpiry: false
              options:
                x509: {}
                ssh: {}
        tls:
          cipherSuites:
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_AES_128_GCM_SHA256
          minVersion: 1.2
          maxVersion: 1.3
          renegotiation: false
      defaults.json:
        ca-url: https://myexampleca.ca.svc.cluster.local
        ca-config: /home/step/config/ca.json
        fingerprint: fingerprint
        root: /home/step/certs/root_ca.crt
    templates:
      x509_leaf.tpl: |
        {
          "subject": {{ toJson .Subject }},
          "sans": {{ toJson .SANs }},
        {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
          "keyUsage": ["keyEncipherment", "digitalSignature"],
        {{- else }}
          "keyUsage": ["digitalSignature"],
        {{- end }}
          "extKeyUsage": ["serverAuth", "clientAuth"]
        }
      ssh.tpl: |
        {
          "type": {{ toJson .Type }},
          "keyId": {{ toJson .KeyID }},
          "principals": {{ toJson .Principals }},
          "extensions": {{ toJson .Extensions }},
          "criticalOptions": {{ toJson .CriticalOptions }}
        }

Expected behaviour

JWK provisioner should be configured correctly.

Actual behaviour

The ConfigMap that is created doesn't have the "y" value.

Additional context

Adding the missing key manually after the ConfigMap is created allows the step-ca pod to start.

maraino commented 2 years ago

This is something that is part of the YAML spec. You can replace y with "y" to fix this, or use JSON directly, as step ca init --helm does. Feel free to reopen the issue if this doesn't work.
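The reply above points at the YAML spec: in YAML 1.1 the plain scalars y, Y, n, N, yes, no, on, off (and true/false) resolve to the !!bool tag, so an unquoted y: mapping key is no longer the string "y" by the time a template renders it. The check below is an added example written for this thread, not code from the helm-charts project or from either commenter. It encodes the YAML 1.1 boolean set from the spec as a resolver, scans a values file line by line for unquoted keys that would be coerced, and emits a copy with those keys double-quoted, which is the fix the maintainer suggests. The SAMPLE_VALUES input is constructed here (trimmed from the JWK provisioner block in the report), and the line-based key matcher is a deliberate simplification that assumes one key per line in the block style used by values.yaml; it is not a YAML parser and does not claim to reproduce Helm's own loader.

```python
"""Flag Helm values keys that a YAML 1.1 loader turns into booleans.

Added example for this thread, not project code. Encodes the YAML 1.1
!!bool resolution set from the spec and walks a block-style values file
line by line, flagging unquoted mapping keys that match.
"""
import re

# Plain scalars that a YAML 1.1 resolver tags as !!bool (from the YAML 1.1 spec).
YAML11_BOOL = re.compile(
    r"^(y|Y|yes|Yes|YES|n|N|no|No|NO"
    r"|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)$"
)
YAML11_TRUE = {"y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}

# One "<indent>[- ]<key>:" mapping line; key is quoted or a plain scalar.
# Assumption: block style, one key per line (how values.yaml is normally written).
KEY_LINE = re.compile(
    r'^(?P<indent>\s*)(?:- )?'
    r'(?P<key>"[^"]*"|\'[^\']*\'|[^\s"\'#][^:#]*?)'
    r'\s*:(?:\s|$)'
)


def resolve_plain_key(key: str):
    """Return what a YAML 1.1 loader assigns to a mapping key.

    Quoted keys stay strings; an unquoted key in the bool set becomes bool.
    """
    if len(key) >= 2 and key[0] == key[-1] and key[0] in "\"'":
        return key[1:-1]
    if YAML11_BOOL.match(key):
        return key in YAML11_TRUE
    return key


def find_coerced_keys(values_yaml: str):
    """Return (line_no, key, coerced_value) for every key that would become a bool."""
    hits = []
    for n, line in enumerate(values_yaml.splitlines(), 1):
        m = KEY_LINE.match(line)
        if not m:
            continue
        resolved = resolve_plain_key(m.group("key"))
        if isinstance(resolved, bool):
            hits.append((n, m.group("key"), resolved))
    return hits


def quote_coerced_keys(values_yaml: str) -> str:
    """Return the file with every coerced key wrapped in double quotes."""
    out = []
    for line in values_yaml.splitlines(keepends=True):
        m = KEY_LINE.match(line)
        if m and isinstance(resolve_plain_key(m.group("key")), bool):
            s, e = m.span("key")
            line = line[:s] + '"' + line[s:e] + '"' + line[e:]
        out.append(line)
    return "".join(out)


# Constructed sample, trimmed from the JWK provisioner block in the report.
SAMPLE_VALUES = """\
inject:
  enabled: true
  config:
    files:
      ca.json:
        authority:
          provisioners:
            - type: JWK
              name: me@example.lan
              key:
                use: "sig"
                kty: "EC"
                crv: "P-256"
                alg: "ES256"
                x: "...snip..."
                y: "...snip..."
"""

if __name__ == "__main__":
    for line_no, key, value in find_coerced_keys(SAMPLE_VALUES):
        print(f"line {line_no}: key {key!r} resolves to {value!r} under YAML 1.1")
    print(quote_coerced_keys(SAMPLE_VALUES))
```

Running it against the sample reports only the y: line under key:, and the rewritten output carries "y": instead, which is the quoting the maintainer asks for. Values such as enabled: true are untouched because the check looks at keys, not values; the x: key beside it is fine because x is not in the boolean set, which is why only one half of the EC point went missing.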