Merge branch 'master' into herman/ignore-empty-acme-meta
commit
02d679e160
@ -0,0 +1,32 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"encoding/pem"
|
||||
"net/http"
|
||||
|
||||
"github.com/smallstep/certificates/api/render"
|
||||
)
|
||||
|
||||
// CRL is an HTTP handler that returns the current CRL in DER or PEM format
|
||||
func CRL(w http.ResponseWriter, r *http.Request) {
|
||||
crlBytes, err := mustAuthority(r.Context()).GetCertificateRevocationList()
|
||||
if err != nil {
|
||||
render.Error(w, err)
|
||||
return
|
||||
}
|
||||
|
||||
_, formatAsPEM := r.URL.Query()["pem"]
|
||||
if formatAsPEM {
|
||||
pemBytes := pem.EncodeToMemory(&pem.Block{
|
||||
Type: "X509 CRL",
|
||||
Bytes: crlBytes,
|
||||
})
|
||||
w.Header().Add("Content-Type", "application/x-pem-file")
|
||||
w.Header().Add("Content-Disposition", "attachment; filename=\"crl.pem\"")
|
||||
w.Write(pemBytes)
|
||||
} else {
|
||||
w.Header().Add("Content-Type", "application/pkix-crl")
|
||||
w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
|
||||
w.Write(crlBytes)
|
||||
}
|
||||
}
|
@ -1,91 +0,0 @@
|
||||
#########################################
|
||||
# Building Docker Image
|
||||
#
|
||||
# This uses a multi-stage build file. The first stage is a builder (that might
|
||||
# be large in size). After the build has succeeded, the statically linked
|
||||
# binary is copied to a new image that is optimized for size.
|
||||
#########################################
|
||||
|
||||
ifeq (, $(shell which docker))
|
||||
DOCKER_CLIENT_OS := linux
|
||||
else
|
||||
DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null))
|
||||
endif
|
||||
|
||||
DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64
|
||||
DOCKER_IMAGE_NAME = smallstep/step-ca
|
||||
|
||||
docker-prepare:
|
||||
# Ensure, we can build for ARM architecture
|
||||
ifeq (linux,$(DOCKER_CLIENT_OS))
|
||||
[ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64
|
||||
endif
|
||||
|
||||
# Register buildx builder
|
||||
mkdir -p $$HOME/.docker/cli-plugins
|
||||
|
||||
test -f $$HOME/.docker/cli-plugins/docker-buildx || \
|
||||
(wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \
|
||||
chmod +x $$HOME/.docker/cli-plugins/docker-buildx)
|
||||
|
||||
docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true
|
||||
|
||||
.PHONY: docker-prepare
|
||||
|
||||
#################################################
|
||||
# Releasing Docker Images
|
||||
#
|
||||
# Using the docker build infrastructure, this section is responsible for
|
||||
# logging into docker hub.
|
||||
#################################################
|
||||
|
||||
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
|
||||
# equivalent environment
|
||||
docker-login:
|
||||
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
|
||||
|
||||
.PHONY: docker-login
|
||||
|
||||
#################################################
|
||||
# Targets for different type of builds
|
||||
#################################################
|
||||
|
||||
define DOCKER_BUILDX
|
||||
# $(1) -- Image Tag
|
||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
||||
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
|
||||
|
||||
endef
|
||||
|
||||
# For non-master builds don't build the docker containers.
|
||||
docker-branch:
|
||||
|
||||
# For master builds don't build the docker containers.
|
||||
docker-master:
|
||||
|
||||
# For all builds with a release candidate tag build and push the containers.
|
||||
docker-release-candidate: docker-prepare docker-login
|
||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
||||
|
||||
# For all builds with a release tag build and push the containers.
|
||||
docker-release: docker-prepare docker-login
|
||||
$(call DOCKER_BUILDX,latest,--push)
|
||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
||||
|
||||
.PHONY: docker-branch docker-master docker-release-candidate docker-release
|
||||
|
||||
# XXX We put the output for the build in 'output' so we don't mess with how we
|
||||
# do rule overriding from the base Makefile (if you name it 'build' it messes up
|
||||
# the wildcarding).
|
||||
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
|
||||
|
||||
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME)
|
||||
DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) .
|
||||
|
||||
docker-dev: docker/Dockerfile.step-ca
|
||||
mkdir -p $(DOCKER_OUTPUT)
|
||||
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
|
||||
$(call DOCKER_BUILD)
|
||||
|
||||
.PHONY: docker-dev
|
@ -0,0 +1,232 @@
|
||||
package pki
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"os"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"go.step.sm/crypto/jose"
|
||||
"go.step.sm/linkedca"
|
||||
|
||||
"github.com/smallstep/certificates/cas/apiv1"
|
||||
)
|
||||
|
||||
func TestPKI_WriteHelmTemplate(t *testing.T) {
|
||||
var preparePKI = func(t *testing.T, opts ...Option) *PKI {
|
||||
o := apiv1.Options{
|
||||
Type: "softcas",
|
||||
IsCreator: true,
|
||||
}
|
||||
|
||||
// Add default WithHelm option
|
||||
opts = append(opts, WithHelm())
|
||||
|
||||
// TODO(hs): invoking `New` doesn't perform all operations that are executed
|
||||
// when `ca init --helm` is executed. Ideally this logic should be handled
|
||||
// in one place and probably inside of the PKI initialization. For testing
|
||||
// purposes the missing operations to fill a Helm template fully are faked
|
||||
// by `setKeyPair`, `setCertificates` and `setSSHSigningKeys`
|
||||
p, err := New(o, opts...)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// setKeyPair sets a predefined JWK and a default JWK provisioner. This is one
|
||||
// of the things performed in the `ca init` code that's not part of `New`, but
|
||||
// performed after that in p.GenerateKeyPairs`. We're currently using the same
|
||||
// JWK for every test to keep test variance small: we're not testing JWK generation
|
||||
// here after all. It's a bit dangerous to redefine the function here, but it's
|
||||
// the simplest way to make this fully testable without refactoring the init now.
|
||||
// The password for the predefined encrypted key is \x01\x03\x03\x07.
|
||||
setKeyPair(t, p)
|
||||
|
||||
// setCertificates sets some static intermediate and root CA certificate bytes. It
|
||||
// replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`,
|
||||
// and `p.GenerateIntermediateCertificate`.
|
||||
setCertificates(t, p)
|
||||
|
||||
// setSSHSigningKeys sets predefined SSH user and host certificate and key bytes.
|
||||
// This replaces the logic in `p.GenerateSSHSigningKeys`
|
||||
setSSHSigningKeys(t, p)
|
||||
|
||||
return p
|
||||
}
|
||||
type test struct {
|
||||
pki *PKI
|
||||
testFile string
|
||||
wantErr bool
|
||||
}
|
||||
var tests = map[string]func(t *testing.T) test{
|
||||
"ok/simple": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t),
|
||||
testFile: "testdata/helm/simple.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-provisioner": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t, WithProvisioner("a-provisioner")),
|
||||
testFile: "testdata/helm/with-provisioner.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-acme": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t, WithACME()),
|
||||
testFile: "testdata/helm/with-acme.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-admin": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t, WithAdmin()),
|
||||
testFile: "testdata/helm/with-admin.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-ssh": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t, WithSSH()),
|
||||
testFile: "testdata/helm/with-ssh.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"ok/with-ssh-and-acme": func(t *testing.T) test {
|
||||
return test{
|
||||
pki: preparePKI(t, WithSSH(), WithACME()),
|
||||
testFile: "testdata/helm/with-ssh-and-acme.yml",
|
||||
wantErr: false,
|
||||
}
|
||||
},
|
||||
"fail/authority.ProvisionerToCertificates": func(t *testing.T) test {
|
||||
pki := preparePKI(t)
|
||||
pki.Authority.Provisioners = append(pki.Authority.Provisioners,
|
||||
&linkedca.Provisioner{
|
||||
Type: linkedca.Provisioner_JWK,
|
||||
Name: "Broken JWK",
|
||||
Details: nil,
|
||||
},
|
||||
)
|
||||
return test{
|
||||
pki: pki,
|
||||
wantErr: true,
|
||||
}
|
||||
},
|
||||
}
|
||||
for name, run := range tests {
|
||||
tc := run(t)
|
||||
t.Run(name, func(t *testing.T) {
|
||||
|
||||
w := &bytes.Buffer{}
|
||||
if err := tc.pki.WriteHelmTemplate(w); (err != nil) != tc.wantErr {
|
||||
t.Errorf("PKI.WriteHelmTemplate() error = %v, wantErr %v", err, tc.wantErr)
|
||||
return
|
||||
}
|
||||
|
||||
if tc.wantErr {
|
||||
// don't compare output if an error was expected on output
|
||||
return
|
||||
}
|
||||
|
||||
wantBytes, err := os.ReadFile(tc.testFile)
|
||||
assert.NoError(t, err)
|
||||
if diff := cmp.Diff(wantBytes, w.Bytes()); diff != "" {
|
||||
t.Logf("Generated Helm template did not match reference %q\n", tc.testFile)
|
||||
t.Errorf("Diff follows:\n%s\n", diff)
|
||||
t.Errorf("Full output:\n%s\n", w.Bytes())
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// setKeyPair sets a predefined JWK and a default JWK provisioner.
|
||||
func setKeyPair(t *testing.T, p *PKI) {
|
||||
t.Helper()
|
||||
|
||||
var err error
|
||||
|
||||
p.ottPublicKey, err = jose.ParseKey([]byte(`{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"}`))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
p.ottPrivateKey, err = jose.ParseEncrypted("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
var claims *linkedca.Claims
|
||||
if p.options.enableSSH {
|
||||
claims = &linkedca.Claims{
|
||||
Ssh: &linkedca.SSHClaims{
|
||||
Enabled: true,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
publicKey, err := json.Marshal(p.ottPublicKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
encryptedKey, err := p.ottPrivateKey.CompactSerialize()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
p.Authority.Provisioners = append(p.Authority.Provisioners, &linkedca.Provisioner{
|
||||
Type: linkedca.Provisioner_JWK,
|
||||
Name: p.options.provisioner,
|
||||
Claims: claims,
|
||||
Details: &linkedca.ProvisionerDetails{
|
||||
Data: &linkedca.ProvisionerDetails_JWK{
|
||||
JWK: &linkedca.JWKProvisioner{
|
||||
PublicKey: publicKey,
|
||||
EncryptedPrivateKey: []byte(encryptedKey),
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
|
||||
func setCertificates(t *testing.T, p *PKI) {
|
||||
raw := []byte("these are just some fake root CA cert bytes")
|
||||
p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
|
||||
p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "EC PRIVATE KEY",
|
||||
Bytes: []byte("these are just some fake root CA key bytes"),
|
||||
})
|
||||
p.Files[p.Intermediate] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")})
|
||||
p.Files[p.IntermediateKey] = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "EC PRIVATE KEY",
|
||||
Bytes: []byte("these are just some fake intermediate CA key bytes"),
|
||||
})
|
||||
sum := sha256.Sum256(raw)
|
||||
p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
|
||||
}
|
||||
|
||||
// setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
|
||||
func setSSHSigningKeys(t *testing.T, p *PKI) {
|
||||
|
||||
if !p.options.enableSSH {
|
||||
return
|
||||
}
|
||||
|
||||
p.Files[p.Ssh.HostKey] = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "EC PRIVATE KEY",
|
||||
Bytes: []byte("fake ssh host key bytes"),
|
||||
})
|
||||
p.Files[p.Ssh.HostPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=")
|
||||
p.Files[p.Ssh.UserKey] = pem.EncodeToMemory(&pem.Block{
|
||||
Type: "EC PRIVATE KEY",
|
||||
Bytes: []byte("fake ssh user key bytes"),
|
||||
})
|
||||
p.Files[p.Ssh.UserPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=")
|
||||
}
|
@ -0,0 +1,81 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,82 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||
- {"type":"ACME","name":"acme"}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,81 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: true
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,81 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"a-provisioner","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,105 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
ssh:
|
||||
hostKey: /home/step/secrets/ssh_host_ca_key
|
||||
userKey: /home/step/secrets/ssh_user_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
|
||||
- {"type":"ACME","name":"acme"}
|
||||
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# ssh_host_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
|
||||
|
||||
# ssh_user_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
ssh:
|
||||
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
|
||||
host_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key
|
||||
user_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
@ -0,0 +1,104 @@
|
||||
# Helm template
|
||||
inject:
|
||||
enabled: true
|
||||
# Config contains the configuration files ca.json and defaults.json
|
||||
config:
|
||||
files:
|
||||
ca.json:
|
||||
root: /home/step/certs/root_ca.crt
|
||||
federateRoots: []
|
||||
crt: /home/step/certs/intermediate_ca.crt
|
||||
key: /home/step/secrets/intermediate_ca_key
|
||||
ssh:
|
||||
hostKey: /home/step/secrets/ssh_host_ca_key
|
||||
userKey: /home/step/secrets/ssh_user_ca_key
|
||||
address: 127.0.0.1:9000
|
||||
dnsNames:
|
||||
- 127.0.0.1
|
||||
logger:
|
||||
format: json
|
||||
db:
|
||||
type: badgerv2
|
||||
dataSource: /home/step/db
|
||||
authority:
|
||||
enableAdmin: false
|
||||
provisioners:
|
||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
|
||||
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
||||
tls:
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
minVersion: 1.2
|
||||
maxVersion: 1.3
|
||||
renegotiation: false
|
||||
|
||||
defaults.json:
|
||||
ca-url: https://127.0.0.1
|
||||
ca-config: /home/step/config/ca.json
|
||||
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||
root: /home/step/certs/root_ca.crt
|
||||
|
||||
# Certificates contains the root and intermediate certificate and
|
||||
# optionally the SSH host and user public keys
|
||||
certificates:
|
||||
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||
intermediate_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||
dGVz
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
|
||||
# root_ca contains the text of the root CA Certificate
|
||||
root_ca: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# ssh_host_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
|
||||
|
||||
# ssh_user_ca contains the text of the public ssh key for the SSH root CA
|
||||
ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
|
||||
|
||||
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||
# private keys
|
||||
secrets:
|
||||
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||
# This value must be base64 encoded.
|
||||
ca_password:
|
||||
provisioner_password:
|
||||
|
||||
x509:
|
||||
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||
intermediate_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||
ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# root_ca_key contains the contents of your encrypted root CA key
|
||||
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||
root_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
ssh:
|
||||
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
|
||||
host_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
||||
|
||||
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key
|
||||
user_ca_key: |
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
Loading…
Reference in New Issue