helm-charts
fix(step-certificates): Secrets are mounted even if we don't need them
Subject of the issue
In the templates/ca.yaml volumes spec, {{ include "step-certificates.fullname" . }}-secrets is always mounted as a secret or configmap, which causes a "secret doesn't exist" error when using inject.enabled=true and bootstrap.secret=false.
I don't need any secret, as I generate my own root certificate, so the only key I need is the intermediate key, which is added via Azure Key Vault in the config file.
Your environment
- OS - Ubuntu
- Version - 22.04
Steps to reproduce
Create a values.yaml:

```yaml
existingSecrets:
  enabled: false
  ca: false
  issuer: false
  certsAsSecret: false
  configAsSecret: false
  sshHostCa: false
  sshUserCa: false
bootstrap:
  secrets: false
  enabled: false
  configmaps: false
inject:
  enabled: true
  config:
    files:
      ca.json:
        key: azurekms:name=my-intermediate-ca-key;vault=my-keyvault?version=12345
        kms:
          type: azurekms
  certificates:
    root_ca: |
      -----BEGIN CERTIFICATE-----
      something
      -----END CERTIFICATE-----
    intermediate_ca: |
      -----BEGIN CERTIFICATE-----
      something
      -----END CERTIFICATE-----
```
Expected behaviour
pod is created without the volume {{ include "step-certificates.fullname" . }}-secrets
Actual behaviour
The volume is created and the pod is in an error state: "secret doesn't exist".
Additional context
For the deployment to work, I need to set bootstrap.secrets=true
and set a dummy value in inject.secrets.ssh.user_ca_key="unusable"
Validations should be added in templates/ca.yaml to create the volume only if the values exist, as is done for all other secrets, something like:

```yaml
{{- if and (or .Values.inject.enabled .Values.existingSecrets.enabled) (or (not (eq .Values.inject.secrets.certificate_issuer.key "")) _and so on_) }}
secret:
  secretName: {{ include "step-certificates.fullname" . }}-secrets
{{- else }}
configMap:
  name: {{ include "step-certificates.fullname" . }}-secrets
{{- end }}
```
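As an added illustration (not the chart's own template, and not part of the original issue), here is one way to take the proposal a step further so that the volume and its mount are omitted entirely when no secret material is supplied, which matches the expected behaviour above. It assumes the value keys named in this issue (`inject.secrets.certificate_issuer.key`, `inject.secrets.ssh.user_ca_key`) have empty-string defaults in the chart's values.yaml; the `$needSecrets` variable, the volume name `secrets`, and the mount path are placeholders chosen for the example.

```yaml
{{- /* Added example, not the chart's code. Decide once whether any secret material
       is actually provided; the list of keys checked is illustrative and would need
       to cover every key the chart can place in the -secrets Secret. */}}
{{- $hasInjected := and .Values.inject.enabled
      (or (ne (default "" .Values.inject.secrets.certificate_issuer.key) "")
          (ne (default "" .Values.inject.secrets.ssh.user_ca_key) "")) }}
{{- $needSecrets := or .Values.existingSecrets.enabled .Values.bootstrap.secrets $hasInjected }}

# ... inside the container spec (volumeMounts) ...
{{- if $needSecrets }}
- name: secrets                 # placeholder volume name
  mountPath: /home/step/secrets # placeholder mount path
  readOnly: true
{{- end }}

# ... inside the pod spec (volumes) ...
{{- if $needSecrets }}
- name: secrets
  {{- if or .Values.inject.enabled .Values.existingSecrets.enabled }}
  secret:
    secretName: {{ include "step-certificates.fullname" . }}-secrets
  {{- else }}
  configMap:
    name: {{ include "step-certificates.fullname" . }}-secrets
  {{- end }}
{{- end }}
```

With the values.yaml from the reproduction steps, `$hasInjected` and `$needSecrets` both evaluate to false, so neither the volume nor the mount is rendered and the pod no longer references a Secret that was never created; `helm template` against the chart is the quickest way to confirm that the `-secrets` volume disappears from the output.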