smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

Feature#58 step certificates chart disable secret manifest creation #96

Closed ErikLundJensen closed 2 years ago

ErikLundJensen commented 2 years ago

Description

See also issue-58. The implementation of 'inject.enabled' makes it impossible to use existing secrets. The changes in this branch enable the use of existing secrets. The following new values are introduced:

existingSecrets:
  enabled: true
  ca: true
  issuer: true
  configAsSecret: true
  sshHostCa: true
  sshUserCa: true

Thereby it is possible to use specified secrets only.

existingSecrets is not compatible with bootstrap or inject, and both have to be disabled when using existingSecrets.

bootstrap:
  secrets: false
  enabled: false
  configmaps: false

inject:
  enabled: false

ErikLundJensen commented 2 years ago

Yes, I had the same thoughts but was uncertain which structure the configuration should follow. I'll change the implementation to follow the above.

ErikLundJensen commented 2 years ago

Question: Is the role giving permissions to create/update/patch Secrets and ConfigMaps used for the bootstrap init-container, or are these permissions also needed for the step-certificates container?

I can't see that the ServiceAccount is used by the Deployment/Statefulset in step-certificates.

When using existing secrets then the ServiceAccount should not give permissions to create/update/patch Secrets and ConfigMaps.

ErikLundJensen commented 2 years ago

Branch updated with new structure for externalSecrets and with documentation.

maraino commented 2 years ago

Question: Is the role giving permissions to create/update/patch Secrets and ConfigMaps used for the bootstrap init-container, or are these permissions also needed for the step-certificates container?

These are for the bootstrap init-container. I want to get rid of it and use only injected configurations and your existing secrets functionality.
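The thread makes two checkable claims: the PR description says existingSecrets must not be combined with bootstrap or inject, and the RBAC exchange says that in existing-secrets mode the chart's ServiceAccount should no longer be granted create/update/patch on Secrets and ConfigMaps (those verbs only ever served the bootstrap init-container). The script below is an added example, not code from the smallstep/helm-charts repository or from this PR. It implements both checks: `check_values` validates a values dictionary using the key names quoted in the PR, and `audit_rendered` scans the output of `helm template` for chart-rendered Secret objects and for Role/ClusterRole rules that grant write verbs on secrets or configmaps. The two rendered-manifest samples are constructed for illustration, and the rule parser is a deliberately small line scanner that assumes Helm's regular output layout (flow lists such as `["secrets"]` or block lists with `- ` items) rather than a full YAML parser.

```python
"""Added example (not part of the smallstep helm-charts chart or PR): verify that an
existingSecrets deployment neither renders Secrets nor keeps write RBAC on them."""
import re
from typing import Dict, List

# Verbs that let a workload modify Secrets/ConfigMaps; "*" covers wildcard rules.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE = {"secrets", "configmaps", "*"}


def check_values(values: dict) -> List[str]:
    """Return problems with a values dict; empty list means it is consistent.
    Mirrors the PR's rule: existingSecrets requires bootstrap and inject to be off."""
    problems = []
    if not values.get("existingSecrets", {}).get("enabled", False):
        return problems
    bootstrap = values.get("bootstrap", {})
    for key in ("enabled", "secrets", "configmaps"):
        if bootstrap.get(key, False):
            problems.append(f"bootstrap.{key} must be false when existingSecrets.enabled=true")
    if values.get("inject", {}).get("enabled", False):
        problems.append("inject.enabled must be false when existingSecrets.enabled=true")
    return problems


def _flow_list(text: str) -> List[str]:
    """Parse a YAML flow list like ["secrets", "configmaps"] into plain strings."""
    return [v.strip().strip("\"'") for v in text.strip()[1:-1].split(",") if v.strip()]


def _parse_rules(lines: List[str]) -> List[Dict[str, List[str]]]:
    """Crude parser for the `rules:` section of a Role/ClusterRole (flow or block lists)."""
    rules, cur, key, in_rules = [], None, None, False
    for line in lines:
        stripped = line.strip()
        if stripped == "rules:":
            in_rules = True
            continue
        if not in_rules or not stripped:
            continue
        m = re.match(r"^\s*(-\s+)?(\w+):\s*(.*)$", line)
        if m:  # a "key:" line; a leading "- " starts a new rule
            dash, key, rest = m.groups()
            if dash:
                cur = {}
                rules.append(cur)
            if cur is None:
                continue
            if rest.startswith("["):
                cur[key] = _flow_list(rest)
            else:
                cur[key] = [rest.strip("\"'")] if rest else []
            continue
        m = re.match(r"^\s*-\s+(.+)$", line)  # block-list item under the current key
        if m and cur is not None and key:
            cur[key].append(m.group(1).strip().strip("\"'"))
    return rules


def split_docs(manifest: str) -> List[str]:
    """Split multi-document YAML (as emitted by `helm template`) on `---` separators."""
    return [d for d in re.split(r"^---\s*$", manifest, flags=re.M) if d.strip()]


def audit_rendered(manifest: str) -> List[str]:
    """Findings for existing-secrets mode: chart-created Secrets and Roles that
    grant write verbs on Secrets/ConfigMaps are both things the chart should not emit."""
    findings = []
    for doc in split_docs(manifest):
        kind_m = re.search(r"^kind:\s*(\S+)", doc, flags=re.M)
        kind = kind_m.group(1) if kind_m else None
        if kind == "Secret":
            name = re.search(r"^\s+name:\s*(\S+)", doc, flags=re.M)
            findings.append(f"chart renders Secret {name.group(1) if name else '?'}")
        elif kind in ("Role", "ClusterRole"):
            for rule in _parse_rules(doc.splitlines()):
                res = set(rule.get("resources", [])) & SENSITIVE
                verbs = set(rule.get("verbs", [])) & WRITE_VERBS
                if res and verbs:
                    findings.append(f"{kind} grants {sorted(verbs)} on {sorted(res)}")
    return findings


# Constructed samples: what a bootstrap-style render looks like versus an
# existing-secrets render that only reads ConfigMaps.  Names and data are made up.
RENDERED_BOOTSTRAP = """\
---
apiVersion: v1
kind: Secret
metadata:
  name: example-ca-password
type: Opaque
data:
  password: cGxhY2Vob2xkZXI=
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-config
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["create", "update", "patch"]
"""

RENDERED_EXISTING = """\
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-config
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
"""

if __name__ == "__main__":
    values = {"existingSecrets": {"enabled": True, "ca": True, "issuer": True},
              "bootstrap": {"enabled": False, "secrets": False, "configmaps": False},
              "inject": {"enabled": False}}
    print("values problems:", check_values(values))
    print("bootstrap render:", audit_rendered(RENDERED_BOOTSTRAP))
    print("existing-secrets render:", audit_rendered(RENDERED_EXISTING))
```

In practice the manifest string comes from `helm template <release> <chart> -f values.yaml` piped into `audit_rendered`; an empty findings list confirms that the chart with `existingSecrets.enabled: true` creates no Secret objects and leaves the ServiceAccount without write access to Secrets or ConfigMaps, which is the least-privilege outcome the RBAC question in the thread is asking for.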