
Comments (10)

maraino avatar maraino commented on August 27, 2024 2

We can try to make the port configurable, but this PR from @clive-jevons will probably fix this: smallstep/certificates#236

from helm-charts.

hostops avatar hostops commented on August 27, 2024 1

Overriding ca-url does not work.
A temporary solution is to set runAsAdmin: true.
Also, it would be nice to enable provisioners, like ACME, directly in the chart.

from helm-charts.

kfox1111 avatar kfox1111 commented on August 27, 2024

Just a guess, but would overriding ca.url work?

from helm-charts.

hostops avatar hostops commented on August 27, 2024

Same problem here.

from helm-charts.

viralpoetry avatar viralpoetry commented on August 27, 2024

I have the same problem as well

from helm-charts.

mmalone avatar mmalone commented on August 27, 2024

Has anyone tried changing ca.dns and/or ca.url in the helm values? The CA has two different settings to support this use case already: one specifies where it listens, the other specifies the name & port clients connect to. They end up as address and dnsNames in ca.json, respectively. But maybe something's not being passed through correctly in helm?

from helm-charts.

viralpoetry avatar viralpoetry commented on August 27, 2024

@mmalone unfortunately, neither of those settings works, as it is a problem of the port.
I think the problem is not related to the Helm chart itself but to the fact that it's not possible to configure step-ca to serve another port in the directory listing.

For example, the Docker container with step-ca is set to listen on :9000, but due to the K8S ingress & service deployment this fact is hidden and we expect ACME clients to visit the default 443 instead.

However REST API discovery will list ACME directory:

{
  "newNonce": "https://127.0.0.1:443:9000/acme/acme/new-nonce",
  "newAccount": "https://127.0.0.1:443:9000/acme/acme/new-account",
  "newOrder": "https://127.0.0.1:443:9000/acme/acme/new-order",
  "revokeCert": "https://127.0.0.1:443:9000/acme/acme/revoke-cert",
  "keyChange": "https://127.0.0.1:443:9000/acme/acme/key-change"
}

where all subsequent requests fail due to port 9000 being used.
I didn't find a solution to this; maybe only patching the step-ca source code will help with the current version.

Should I open an issue on the code base?

from helm-charts.

viralpoetry avatar viralpoetry commented on August 27, 2024

FYI, I have found that a similar issue already exists in the certificates repo:
smallstep/certificates#193

from helm-charts.

clive-jevons avatar clive-jevons commented on August 27, 2024

I've hit this issue as well. My current attempt at a workaround is to set the k8s Service being created to listen on :9000 instead of :443. My use case is using step-ca cluster-internally to issue certificates for istio gateways (at least, that's my goal - still working on the complete setup). So the ACME URL is then step-certificates.security.svc.cluster.local:9000 (I've deployed the chart into the 'security' namespace in my k8s cluster).

What I've done is to render the helm chart out into a YAML locally, tweak the Service definition manually, and then use kubectl to apply it.

Not pretty, but at least now my ClusterIssuer for cert-manager is able to successfully register with the step-ca acme API.

A clean solution would definitely be to provide a way to better configure the URLs which step-ca uses in building the acme directory response payload (e.g. override which port is used in those, or allowing a wholesale override of the host used therein).

from helm-charts.

maraino avatar maraino commented on August 27, 2024

Another option is the way boulder does this, as explained here: smallstep/certificates#193 (comment)

from helm-charts.
