smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

step-certificates: clarify optional `certificate_issuer_key` / `ssh_host_ca_key` and `ssh_user_ca_key` #130

Closed flokli closed 1 year ago

flokli commented 1 year ago

I'm following the README in https://github.com/smallstep/helm-charts/tree/master/step-certificates, looking at the Advanced configuration section.

I want to create secrets outside of helm, and configure the helm values so it points to these externally-created secrets.

Docs say I should set `existingSecrets.enabled` to true, and disable bootstrap and inject.

It also mentions `{{ include "step-certificates.fullname" . }}-secrets` is expected to contain

I don't understand the implications of this being optional. Can I omit the key in the secret? Can I leave it an empty string? If I omit it, do I also need to set `existingSecrets.{issuer,sshHostCa,sshUserCa}` to false?

In such a configuration, how does step-certificates behave? Some feature is disabled? Or will it derive these keys on its own, from `intermediate_ca_key` and `root_ca_key`? If so, where are these stored?

maraino commented 1 year ago

Hi @flokli I've added a PR to fix this https://github.com/smallstep/helm-charts/pull/131

When you are creating the secrets independently of the install in the helm chart, those need to have some specific names: `intermediate_ca_key`, ...

Optional means that you don't need a file with the `ssh_host_ca_key` if you don't plan to sign SSH host certificates, or `certificate_issuer_key` if you don't use step-ca in RA mode.

You need to enable `existingSecrets.{issuer,sshHostCa,sshUserCa}` if you plan to use different passwords for those keys. If all the keys are protected with the same password those are not required.
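The rules above (required vs. optional key names in the `-secrets` Secret, and when the per-key `existingSecrets.*` toggles matter) can be turned into a small helper. The script below is an added example, not part of the issue, the PR, or the chart: it builds the Secret manifest from PEM files on disk, omits optional keys whose files are absent instead of shipping empty strings, and prints the matching `--set` flags. Assumptions not stated on the page: the key files are named exactly like the Secret keys and live in one directory, the release is called `step-certificates`, and "disable bootstrap and inject" maps to the value paths `bootstrap.enabled=false` and `inject.enabled=false`.

```shell
#!/bin/sh
# Added example (not the chart's own tooling). Builds the step-certificates
# "<release>-secrets" Secret from PEM files and prints the helm --set flags
# that go with externally created secrets.
set -eu

# Key names the chart expects in the Secret. root/intermediate are always
# needed; the other three are optional per the maintainer's answer above.
REQUIRED_KEYS="root_ca_key intermediate_ca_key"
OPTIONAL_KEYS="certificate_issuer_key ssh_host_ca_key ssh_user_ca_key"

# b64 FILE -> single-line base64 of FILE (Secret .data values must be base64)
b64() { base64 < "$1" | tr -d '\n'; }

# check_required_keys DIR -> non-zero if a required key file is missing/empty
check_required_keys() {
  dir=$1
  for k in $REQUIRED_KEYS; do
    if [ ! -s "$dir/$k" ]; then
      echo "missing required key file: $dir/$k" >&2
      return 1
    fi
  done
}

# present_keys DIR -> names of required+optional keys that exist on disk.
# An optional key with no file is simply left out of the Secret.
present_keys() {
  dir=$1
  for k in $REQUIRED_KEYS $OPTIONAL_KEYS; do
    if [ -s "$dir/$k" ]; then echo "$k"; fi
  done
}

# build_secret_manifest NAME DIR -> Secret manifest on stdout
build_secret_manifest() {
  name=$1 dir=$2
  check_required_keys "$dir"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for k in $(present_keys "$dir"); do
    printf '  %s: %s\n' "$k" "$(b64 "$dir/$k")"
  done
}

# helm_set_flags DIR MODE -> comma-separated --set string.
# MODE is "same" (one password for every key) or "different" (the optional
# keys use their own passwords, so their existingSecrets.* toggles go on).
# bootstrap.enabled / inject.enabled are assumed value paths (see lead-in).
helm_set_flags() {
  dir=$1 mode=$2
  flags="existingSecrets.enabled=true,bootstrap.enabled=false,inject.enabled=false"
  if [ "$mode" = different ]; then
    if [ -s "$dir/certificate_issuer_key" ]; then flags="$flags,existingSecrets.issuer=true"; fi
    if [ -s "$dir/ssh_host_ca_key" ]; then flags="$flags,existingSecrets.sshHostCa=true"; fi
    if [ -s "$dir/ssh_user_ca_key" ]; then flags="$flags,existingSecrets.sshUserCa=true"; fi
  fi
  echo "$flags"
}

# Usage: sh secrets.sh <secret-name> <key-dir> [same|different]
if [ $# -ge 2 ]; then
  build_secret_manifest "$1" "$2"
  echo "# helm install ... --set $(helm_set_flags "$2" "${3:-same}")"
fi
```

Pipe the manifest into `kubectl apply -f -` rather than writing it to disk; the private keys are only base64-encoded, not encrypted, so the file is as sensitive as the PEMs themselves.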