infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/step-ca-chart/templates/configmaps.yaml

{{- /*
# *****************************************************************************
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# ******************************************************************************
*/ -}}

# ConfigMaps that will be updated by the configuration job:
# 1. Step CA config directory.
# 2. Step CA certs direcotry.
# 3. Step CA secrets directory.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "step-certificates.fullname" . }}-config
  namespace: {{.Release.Namespace}}
  labels: {{ include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "step-certificates.fullname" . }}-certs
  namespace: {{.Release.Namespace}}
  labels: {{ include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
data:
  intermediate_ca_key: ""
  root_ca_key: ""
kind: ConfigMap
metadata:
  name: {{ include "step-certificates.fullname" . }}-secrets
  namespace: {{.Release.Namespace}}
  labels: {{ include "step-certificates.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "step-certificates.fullname" . }}-bootstrap
  namespace: {{.Release.Namespace}}
  labels: {{ include "step-certificates.labels" . | nindent 4 }}
data:
  bootstrap.sh: |-
    #!/bin/sh
    STEPPATH=/home/step
    echo -e "\e[1mWelcome to Step Certificates configuration.\e[0m\n"
    function permission_error () {
      echo -e "\033[0;31mPERMISSION ERROR:\033[0m $1\n"
      exit 1
    }
    function kbreplace() {
      kubectl $@ -o yaml --dry-run=client | kubectl replace -f -
    }

    echo -e "\e[1mConfiguring kubctl with service account...\e[0m"
    # Use the service account context
    kubectl config set-cluster cfc --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    kubectl config set-credentials bootstrap --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    kubectl config set-context cfc --cluster=cfc --user=bootstrap
    kubectl config use-context cfc

    echo -e "\n\e[1mChecking cluster permissions...\e[0m"
    echo -n "Checking for permission to create configmaps in {{.Release.Namespace}} namespace: "
    kubectl auth can-i create configmaps --namespace {{.Release.Namespace}}
    if [ $? -ne 0 ]; then
      permission_error "create configmaps"
    fi

    echo -n "Checking for permission to create secrets in {{.Release.Namespace}} namespace: "
    kubectl auth can-i create secrets --namespace {{.Release.Namespace}}
    if [ $? -ne 0 ]; then
      permission_error "create secrets"
    fi
    {{ if .Values.autocert.enabled }}
    echo -n "Checking for permission to create mutatingwebhookconfiguration in {{.Release.Namespace}} namespace: "
        kubectl auth can-i create mutatingwebhookconfiguration --namespace {{.Release.Namespace}}
        if [ $? -ne 0 ]; then
          permission_error "create mutatingwebhookconfiguration"
      fi
    {{- end }}

    # Setting this here on purpose, after the above section which explicitly checks
    # for and handles exit errors.
      set -e

      echo -e "\n\e[1mInitializating the CA...\e[0m"

    # CA password
    {{- if .Values.ca.password }}
      CA_PASSWORD={{ quote .Values.ca.password }}
    {{- else }}
      CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
    {{- end }}
    # Provisioner password
    {{- if .Values.ca.provisioner.password }}
      CA_PROVISIONER_PASSWORD={{ quote .Values.ca.provisioner.password }}
    {{- else }}
      CA_PROVISIONER_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
    {{- end }}

    TMP_CA_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
    TMP_CA_PROVISIONER_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)

    echo $CA_PASSWORD > $TMP_CA_PASSWORD
    echo $CA_PROVISIONER_PASSWORD > $TMP_CA_PROVISIONER_PASSWORD

    step ca init \
    --name "{{.Values.ca.name}}" \
    --dns "{{include "step-certificates.dns" .}}" \
    --address "{{.Values.ca.address}}" \
    --provisioner "{{.Values.ca.provisioner.name}}" \
    --with-ca-url "{{include "step-certificates.url" .}}" \
    --password-file "$TMP_CA_PASSWORD" \
    --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" {{ if not .Values.ca.db.enabled }}--no-db{{ end }}

    rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD

    echo -e "\n\e[1mCreating configmaps and secrets in {{.Release.Namespace}} namespace ...\e[0m"

    # Replace secrets created on helm install
    # It allows to properly remove them on helm delete
    kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config
    kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs
    kbreplace -n {{.Release.Namespace}} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets

    kbreplace -n {{.Release.Namespace}} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}"
    kbreplace -n {{.Release.Namespace}} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"

    # Label all configmaps and secrets
    kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
    kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
    kubectl -n {{.Release.Namespace}} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
    kubectl -n {{.Release.Namespace}} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
    kubectl -n {{.Release.Namespace}} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}

    # Patch webhook if autocert is enabled
    {{ if .Values.autocert.enabled }}
      CA_BUNDLE=$(cat $(step path)/certs/root_ca.crt | base64 | tr -d '\n')
      kubectl patch mutatingwebhookconfigurations {{ .Release.Name }}-autocert-webhook-config \
      --type json -p="[{\"op\":\"replace\",\"path\":\"/webhooks/0/clientConfig/caBundle\",\"value\":\"$CA_BUNDLE\"}]"
    {{- end }}

      echo -e "\n\e[1mStep Certificates installed!\e[0m"
      echo
    echo "CA URL: {{include "step-certificates.url" .}}"
    echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)"
    echo