feat: use secret for private key certs during bootstrap
xunleii committed Jul 16, 2020
1 parent 541b737 commit ec884f7
Showing 3 changed files with 8 additions and 8 deletions.
6 changes: 3 additions & 3 deletions docker/step-ca-bootstrap/entrypoint.sh
@@ -112,15 +112,15 @@ function kbreplace() {
# It allows to properly remove them on help delete
kbreplace -n $NAMESPACE create configmap $PREFIX-config --from-file $(step path)/config
kbreplace -n $NAMESPACE create configmap $PREFIX-certs --from-file $(step path)/certs
kbreplace -n $NAMESPACE create configmap $PREFIX-secrets --from-file $(step path)/secrets

kbreplace -n $NAMESPACE create secret generic $PREFIX-secrets --from-file $(step path)/secrets
kbreplace -n $NAMESPACE create secret generic $PREFIX-ca-password --from-literal "password=${CA_PASSWORD}"
kbreplace -n $NAMESPACE create secret generic $PREFIX-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"

# Label all configmaps and secrets
kubectl -n $NAMESPACE label configmap $PREFIX-config $LABELS
kubectl -n $NAMESPACE label configmap $PREFIX-certs $LABELS
kubectl -n $NAMESPACE label configmap $PREFIX-secrets $LABELS
kubectl -n $NAMESPACE label secret $PREFIX-secrets $LABELS
kubectl -n $NAMESPACE label secret $PREFIX-ca-password $LABELS
kubectl -n $NAMESPACE label secret $PREFIX-provisioner-password $LABELS

@@ -160,4 +160,4 @@ echo -e "\e[1mStep Certificates installed!\e[0m"
echo
echo "CA URL: ${CA_URL}"
echo "CA Fingerprint: ${FINGERPRINT}"
echo
echo
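Review bot: Clusters bootstrapped before this change keep the old `$PREFIX-secrets` ConfigMap, because the new `create secret generic $PREFIX-secrets` line adds the Secret without removing its predecessor, so the CA key files stay readable to anyone with ConfigMap read access in the namespace. If this script can run against an existing installation (kbreplace's body is outside the hunk, so I cannot tell how it handles pre-existing objects), add `kubectl -n "$NAMESPACE" delete configmap "$PREFIX-secrets" --ignore-not-found` before the Secret is created. The same applies to the embedded copy of this script in step-certificates/templates/configmaps.yaml. The new lines also leave `$NAMESPACE`, `$PREFIX` and `$(step path)` unquoted; quoting them would keep a value containing whitespace from splitting the kubectl arguments.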
4 changes: 2 additions & 2 deletions step-certificates/templates/ca.yaml
@@ -95,8 +95,8 @@ spec:
configMap:
name: {{ include "step-certificates.fullname" . }}-config
- name: secrets
configMap:
name: {{ include "step-certificates.fullname" . }}-secrets
secret:
secretName: {{ include "step-certificates.fullname" . }}-secrets
- name: ca-password
secret:
secretName: {{ include "step-certificates.fullname" . }}-ca-password
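Review bot: The new `secret:` volume for `secrets` sets no `defaultMode`, so the key files are projected with the default 0644 mode and every process in the pod can read them. Consider adding `defaultMode: 0400` under `secret:`, or `0440` together with an `fsGroup` if the CA container runs as a non-root user; the pod's securityContext is outside this hunk, so that part needs checking. The volume list continues past the end of the hunk.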
6 changes: 3 additions & 3 deletions step-certificates/templates/configmaps.yaml
@@ -121,15 +121,15 @@ data:
# It allows to properly remove them on helm delete
kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config
kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs
kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets
kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}"
kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
# Label all configmaps and secrets
kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }}
@@ -144,4 +144,4 @@ data:
echo
echo "CA URL: {{include "step-certificates.url" .}}"
echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)"
echo
echo
