diff --git a/offline/ci.sh b/offline/ci.sh
index 5d403e51d..7c1f68e2d 100755
--- a/offline/ci.sh
+++ b/offline/ci.sh
@@ -92,11 +92,12 @@ docker.io/kubernetesui/metrics-scraper:v1.0.8
 quay.io/wire/ldap-scim-bridge:0.9
 bats/bats:1.8.1
 docker.io/openebs/linux-utils:3.5.0
-cr.dtsx.io/datastax/cass-config-builder:1.0-ubi8
-cr.k8ssandra.io/k8ssandra/cass-management-api:3.11.16
-cr.k8ssandra.io/k8ssandra/system-logger:v1.19.1
+docker.io/datastax/cass-config-builder:1.0-ubi8
+docker.io/k8ssandra/cass-management-api:3.11.16
+docker.io/k8ssandra/system-logger:v1.19.1
 docker.io/thelastpickle/cassandra-reaper:3.5.0
 docker.io/k8ssandra/medusa:0.20.1
+cr.step.sm/smallstep/step-ca:0.25.3-rc7
 EOF
 }
@@ -223,6 +224,10 @@ echo "quay.io/wire/zauth:$wire_version" | create-container-dump containers-admin
 sed -i -Ee 's/federation: false/federation: true/' "$(pwd)"/values/wire-server/prod-values.example.yaml
 sed -i -Ee 's/useSharedFederatorSecret: false/useSharedFederatorSecret: true/' "$(pwd)"/charts/wire-server/charts/federator/values.yaml
+# drop step-certificates/.../test-connection.yaml because it lacks an image tag
+# cf. https://github.com/smallstep/helm-charts/pull/196/files
+rm -v charts/step-certificates/charts/step-certificates/templates/tests/*
+
 # Get and dump required containers from Helm charts. Omit integration test
 # containers (e.g. `quay.io_wire_galley-integration_4.22.0`.)
 for chartPath in "$(pwd)"/charts/*; do
diff --git a/values/step-certificates/prod-values.example.yaml b/values/step-certificates/prod-values.example.yaml
new file mode 100644
index 000000000..1964d96c2
--- /dev/null
+++ b/values/step-certificates/prod-values.example.yaml
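Review bot: The image added to the heredoc list, `cr.step.sm/smallstep/step-ca:0.25.3-rc7`, is a release-candidate tag that is now baked into the offline bundle, and the same tag is repeated by hand in `values/step-certificates/prod-values.example.yaml`, so the two can silently drift apart. A comment on the new line such as `# keep in sync with values/step-certificates/prod-values.example.yaml (step-certificates.image.tag)` would make the coupling visible, and a non-rc tag should be preferred once one is available. The values file also references `busybox:1.36.1` and `cr.smallstep.com/smallstep/step-ca-bootstrap:0.22.0`, which this list does not include; unless the chart-scanning loop later in the script picks them up, the offline bundle will be missing them. The change from the vendors' own registries to `docker.io` namespaces moves the trust anchor for those images to Docker Hub organisations, which is worth confirming as intentional in the commit message.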
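Review bot: The new `rm -v charts/step-certificates/.../templates/tests/*` line uses a glob and a cwd-relative path, while the neighbouring `sed` lines and the `for chartPath` loop anchor on `"$(pwd)"/`, and the comment says only `test-connection.yaml` is the problem. Naming the file explicitly, `rm -v -- "$(pwd)"/charts/step-certificates/charts/step-certificates/templates/tests/test-connection.yaml`, keeps the style consistent, avoids deleting any other test template a future chart version may ship, and still fails loudly under `set -e` if the file moves. It would also help to note in the comment that this workaround can be removed once the chart is bumped to a version containing the linked upstream fix. The `for chartPath` loop whose header appears at the end of the hunk continues outside it.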
@@ -0,0 +1,89 @@ +step-certificates: + image: + repository: cr.step.sm/smallstep/step-ca + initContainerRepository: busybox:1.36.1 + tag: 0.25.3-rc7 + bootstrap: + image: + repository: cr.smallstep.com/smallstep/step-ca-bootstrap + tag: 0.22.0 + + # bootstrap: + # enabled: false + # configmaps: false + + # inject: + # enabled: false + + # existingSecrets: + # enabled: true + # ca: true + # data: + # ca.key: "/secrets/ca.key" # Example; adjust the path as needed + # password: "/secrets/password" # Example; adjust the path as needed + # root_ca_key: "/secrets/root_ca_key" # Example; adjust the path as needed + + # ca: + # env: + # - name: STEPDEBUG + # value: "1" + + # ingress: + # enabled: true + # annotations: + # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # nginx.ingress.kubernetes.io/ssl-redirect: "false" + # nginx.ingress.kubernetes.io/use-regex: "true" + # nginx.ingress.kubernetes.io/enable-cors: "true" + # nginx.ingress.kubernetes.io/cors-allow-origin: "local.domain" # Adjust the domain as needed + # nginx.ingress.kubernetes.io/cors-expose-headers: "Replay-Nonce, Location" + # ingressClassName: "nginx" + # tls: + # - hosts: + # - "acme.local.domain" # Adjust the domain as needed + # secretName: "ingress-cert" # Adjust the secret name as needed + # hosts: + # - host: "acme.local.domain" # Adjust the domain as needed + # paths: + # - "/version" + # - "/roots.pem" + # - "/root/(.*)" + # - "/federation" + # - "/provisioners(.*)" + # - "/crl" + # - "/acme/(.*)" + + # stepConfig: + # enabled: true + # dnsName: "acme.local.domain" # Adjust the domain as needed + # additionalDNSNames: + # - "localhost" + # federatedRoots: + # - "/home/step/certs/ca.crt" + # # Add more paths for federated roots if needed + + # authority: + # jwk: "/secrets/jwk_provisioner.json" # Adjust the path as needed + # acme: + # name: "keycloakteams" + # dpop: + # key: "/secrets/dpop_key.pem" # Adjust the path as needed + # wireDomain: "local.domain" # Adjust the domain as needed + 
# oidc: + # clientId: "wireapp" + # discoveryBaseUrl: "" + # issuerUrl: "https://keycloak.example.com/auth/realms/master?client_id=wireapp" # URL to the oidc issuer + # jwksUrl: "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/certs" # URL where issuer publishes its JSON Web Key Set + # x509: + # organization: "local.domain" + + # existingCerts: + # enabled: true + # data: + # ca.crt: "/certs/ca.crt" + # root_ca.crt: "/certs/root_ca.crt'" + # # Add cross certificates if available + + # caPassword: + # enabled: true + # password: "/secrets/password"
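Review bot: In the commented `existingCerts` example, `root_ca.crt: "/certs/root_ca.crt'"` carries a stray apostrophe inside the double quotes, so anyone uncommenting it gets a path ending in `'` and a confusing mount failure; it should read `root_ca.crt: "/certs/root_ca.crt"`. The live (uncommented) defaults pin `tag: 0.25.3-rc7`, a release candidate, and that value must match the image list in `offline/ci.sh` for the offline bundle to work, which a short comment next to `tag:` should state. The example `ingress` block also sets `nginx.ingress.kubernetes.io/ssl-redirect: "false"` for an ACME endpoint that is served over HTTPS; since it is only an example it is not a defect here, but a comment explaining when that is acceptable would keep operators from copying it unchanged.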