Comments (10)
We can try to make the port configurable, but this PR from @clive-jevons will probably fix this smallstep/certificates#236
from helm-charts.
Overriding ca-url does not work.
Temporary solution is to set runAsAdmin: true.
Also it would be nice to enable provisioners - like ACME directly in chart.
from helm-charts.
Just a guess, but would overriding ca.url work?
from helm-charts.
Same problem here.
from helm-charts.
I have the same problem as well.
from helm-charts.
Has anyone tried changing ca.dns and/or ca.url in the helm values? The CA has two different settings to support this use case already: one specifies where it listens, the other specifies the name & port clients connect to. They end up as address and dnsNames in ca.json, respectively. But maybe something's not being passed through correctly in helm?
from helm-charts.
@mmalone unfortunately, neither of those settings work as it is a problem of port.
I think the problem is not related to the Helm chart itself but to the fact that it's not possible to configure step-ca to serve another port in the directory listing.
For example, the docker container with step-ca is set to listen on :9000, but due to the K8S ingress & service deployment this fact is hidden and we expect ACME clients to visit the default 443 instead.
However REST API discovery will list ACME directory:
{
"newNonce": "https://127.0.0.1:443:9000/acme/acme/new-nonce",
"newAccount": "https://127.0.0.1:443:9000/acme/acme/new-account",
"newOrder": "https://127.0.0.1:443:9000/acme/acme/new-order",
"revokeCert": "https://127.0.0.1:443:9000/acme/acme/revoke-cert",
"keyChange": "https://127.0.0.1:443:9000/acme/acme/key-change"
}
where all subsequent requests fail due to 9000 port used.
I didn't find the solution to this, maybe only patching step-ca source code will help with the current version.
Should I open an issue on the code base?
from helm-charts.
FYI, I have found that a similar issue already exists in the certificates repo: smallstep/certificates#193
from helm-charts.
I've hit this issue as well. My current attempt at a workaround is to set the k8s Service being created to listen on :9000 instead of :443. My use case is using the step-ca cluster-internal to issue certificates for istio gateways (at least, that's my goal - still working on the complete setup). So the ACME URL is then step-certificates.security.svc.cluster.local:9000 (I've deployed the chart into the 'security' namespace in my k8s cluster).
What I've done is to render the helm chart out into a YAML locally and then tweak the Service definition manually and then using kubectl to apply it.
Not pretty, but at least now my ClusterIssuer for cert-manager is able to successfully register with the step-ca acme API.
A clean solution would definitely be to provide a way to better configure the URLs which step-ca uses in building the acme directory response payload (e.g. override which port is used in those, or allow a wholesale override of the host used therein).
from helm-charts.
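A quick pre-flight check for the two situations described above (the malformed `:443:9000` directory, and the Service-on-:9000 workaround), added here as an example and not part of the thread or of step-ca: it parses an ACME directory document and reports every endpoint that a client could not use to reach the CA at the externally advertised host:port. Both directory documents are constructed samples.

```python
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the directory quoted in the thread: the listen
# port (:9000) has been appended after the advertised port (:443).
BROKEN_DIRECTORY = json.dumps({
    "newNonce": "https://127.0.0.1:443:9000/acme/acme/new-nonce",
    "newAccount": "https://127.0.0.1:443:9000/acme/acme/new-account",
    "newOrder": "https://127.0.0.1:443:9000/acme/acme/new-order",
    "revokeCert": "https://127.0.0.1:443:9000/acme/acme/revoke-cert",
    "keyChange": "https://127.0.0.1:443:9000/acme/acme/key-change",
})

# Constructed sample for the Service-on-:9000 workaround: this directory is
# only usable if clients really do connect on :9000, not on :443.
CLUSTER_DIRECTORY = json.dumps({
    "newNonce": "https://step-certificates.security.svc.cluster.local:9000/acme/acme/new-nonce",
    "newAccount": "https://step-certificates.security.svc.cluster.local:9000/acme/acme/new-account",
})


def endpoint_problems(directory_json, expected_netloc):
    """Return {entry: reason} for every directory URL an ACME client could not
    use to reach the CA at expected_netloc, given as "host:port"."""
    problems = {}
    for name, url in json.loads(directory_json).items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems[name] = f"scheme {parts.scheme!r} is not https"
            continue
        try:
            port = parts.port  # raises ValueError on a netloc like '443:9000'
        except ValueError:
            problems[name] = f"malformed host:port {parts.netloc!r}"
            continue
        netloc = f"{parts.hostname}:{port or 443}"  # https default is 443
        if netloc != expected_netloc:
            problems[name] = f"points at {netloc}, clients reach {expected_netloc}"
    return problems


if __name__ == "__main__":
    for entry, why in endpoint_problems(BROKEN_DIRECTORY, "127.0.0.1:443").items():
        print(f"{entry}: {why}")
```

Run it against the live output of `GET /acme/<provisioner>/directory` after changing ca.dns, the Service port or the ingress, and it tells you immediately whether the advertised URLs match what cert-manager or another ACME client will actually dial.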
Another option is the way boulder does this, as explained here smallstep/certificates#193 (comment)
from helm-charts.