Merge pull request #734 from wireapp/wpb-11121

add step-certificates example values
wireapp · Sep 26, 2024 · 5240f86 · 5240f86
2 parents 48f223c + fbf32ca
commit 5240f86
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 3 deletions.
diff --git a/offline/ci.sh b/offline/ci.sh
@@ -92,11 +92,12 @@ docker.io/kubernetesui/metrics-scraper:v1.0.8
 quay.io/wire/ldap-scim-bridge:0.9
 bats/bats:1.8.1
 docker.io/openebs/linux-utils:3.5.0
-cr.dtsx.io/datastax/cass-config-builder:1.0-ubi8
-cr.k8ssandra.io/k8ssandra/cass-management-api:3.11.16
-cr.k8ssandra.io/k8ssandra/system-logger:v1.19.1
+docker.io/datastax/cass-config-builder:1.0-ubi8
+docker.io/k8ssandra/cass-management-api:3.11.16
+docker.io/k8ssandra/system-logger:v1.19.1
 docker.io/thelastpickle/cassandra-reaper:3.5.0
 docker.io/k8ssandra/medusa:0.20.1
+cr.step.sm/smallstep/step-ca:0.25.3-rc7
 EOF
 }
 
@@ -223,6 +224,10 @@ echo "quay.io/wire/zauth:$wire_version" | create-container-dump containers-admin
 sed -i -Ee 's/federation: false/federation: true/' "$(pwd)"/values/wire-server/prod-values.example.yaml
 sed -i -Ee 's/useSharedFederatorSecret: false/useSharedFederatorSecret: true/' "$(pwd)"/charts/wire-server/charts/federator/values.yaml
 
+# drop step-certificates/.../test-connection.yaml because it lacks an image tag
+# cf. https://github.com/smallstep/helm-charts/pull/196/files
+rm -v charts/step-certificates/charts/step-certificates/templates/tests/*
+
 # Get and dump required containers from Helm charts. Omit integration test
 # containers (e.g. `quay.io_wire_galley-integration_4.22.0`.)
 for chartPath in "$(pwd)"/charts/*; do

diff --git a/values/step-certificates/prod-values.example.yaml b/values/step-certificates/prod-values.example.yaml
@@ -0,0 +1,89 @@
+step-certificates:
+  image:
+    repository: cr.step.sm/smallstep/step-ca
+    initContainerRepository: busybox:1.36.1
+    tag: 0.25.3-rc7
+  bootstrap:
+    image:
+      repository: cr.smallstep.com/smallstep/step-ca-bootstrap
+      tag: 0.22.0
+
+  # bootstrap:
+  #   enabled: false
+  #   configmaps: false
+
+  # inject:
+  #   enabled: false
+
+  # existingSecrets:
+  #   enabled: true
+  #   ca: true
+  #   data:
+  #     ca.key: "/secrets/ca.key" # Example; adjust the path as needed
+  #     password: "/secrets/password" # Example; adjust the path as needed
+  #     root_ca_key: "/secrets/root_ca_key" # Example; adjust the path as needed
+
+  # ca:
+  #   env:
+  #     - name: STEPDEBUG
+  #       value: "1"
+
+  # ingress:
+  #   enabled: true
+  #   annotations:
+  #     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+  #     nginx.ingress.kubernetes.io/ssl-redirect: "false"
+  #     nginx.ingress.kubernetes.io/use-regex: "true"
+  #     nginx.ingress.kubernetes.io/enable-cors: "true"
+  #     nginx.ingress.kubernetes.io/cors-allow-origin: "local.domain" # Adjust the domain as needed
+  #     nginx.ingress.kubernetes.io/cors-expose-headers: "Replay-Nonce, Location"
+  #   ingressClassName: "nginx"
+  #   tls:
+  #     - hosts:
+  #         - "acme.local.domain" # Adjust the domain as needed
+  #       secretName: "ingress-cert" # Adjust the secret name as needed
+  #   hosts:
+  #     - host: "acme.local.domain" # Adjust the domain as needed
+  #       paths:
+  #         - "/version"
+  #         - "/roots.pem"
+  #         - "/root/(.*)"
+  #         - "/federation"
+  #         - "/provisioners(.*)"
+  #         - "/crl"
+  #         - "/acme/(.*)"
+
+  # stepConfig:
+  #   enabled: true
+  #   dnsName: "acme.local.domain" # Adjust the domain as needed
+  #   additionalDNSNames:
+  #     - "localhost"
+  #   federatedRoots:
+  #     - "/home/step/certs/ca.crt"
+  #     # Add more paths for federated roots if needed
+
+  #   authority:
+  #     jwk: "/secrets/jwk_provisioner.json" # Adjust the path as needed
+  #     acme:
+  #       name: "keycloakteams"
+  #       dpop:
+  #         key: "/secrets/dpop_key.pem" # Adjust the path as needed
+  #         wireDomain: "local.domain" # Adjust the domain as needed
+  #       oidc:
+  #         clientId: "wireapp"
+  #         discoveryBaseUrl: ""
+  #         issuerUrl: "https://keycloak.example.com/auth/realms/master?client_id=wireapp" # URL to the oidc issuer
+  #         jwksUrl: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/certs" # URL where issuer publishes its JSON Web Key Set
+  #       x509:
+  #         organization: "local.domain"
+
+  # existingCerts:
+  #   enabled: true
+  #   data:
+  #     ca.crt: "/certs/ca.crt"
+  #     root_ca.crt: "/certs/root_ca.crt'"
+  #     # Add cross certificates if available
+
+  # caPassword:
+  #   enabled: true
+  #   password: "/secrets/password"