From ec884f73ce58e0c11461d90554537977faf4479f Mon Sep 17 00:00:00 2001 From: Alexandre Nicolaie Date: Thu, 16 Jul 2020 18:48:17 +0200 Subject: [PATCH] feat: use secret for private key certs during bootstrap --- docker/step-ca-bootstrap/entrypoint.sh | 6 +++--- step-certificates/templates/ca.yaml | 4 ++-- step-certificates/templates/configmaps.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docker/step-ca-bootstrap/entrypoint.sh b/docker/step-ca-bootstrap/entrypoint.sh index 373f78a..cc6e655 100755 --- a/docker/step-ca-bootstrap/entrypoint.sh +++ b/docker/step-ca-bootstrap/entrypoint.sh @@ -112,15 +112,15 @@ function kbreplace() { # It allows to properly remove them on help delete kbreplace -n $NAMESPACE create configmap $PREFIX-config --from-file $(step path)/config kbreplace -n $NAMESPACE create configmap $PREFIX-certs --from-file $(step path)/certs -kbreplace -n $NAMESPACE create configmap $PREFIX-secrets --from-file $(step path)/secrets +kbreplace -n $NAMESPACE create secret generic $PREFIX-secrets --from-file $(step path)/secrets kbreplace -n $NAMESPACE create secret generic $PREFIX-ca-password --from-literal "password=${CA_PASSWORD}" kbreplace -n $NAMESPACE create secret generic $PREFIX-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}" # Label all configmaps and secrets kubectl -n $NAMESPACE label configmap $PREFIX-config $LABELS kubectl -n $NAMESPACE label configmap $PREFIX-certs $LABELS -kubectl -n $NAMESPACE label configmap $PREFIX-secrets $LABELS +kubectl -n $NAMESPACE label secret $PREFIX-secrets $LABELS kubectl -n $NAMESPACE label secret $PREFIX-ca-password $LABELS kubectl -n $NAMESPACE label secret $PREFIX-provisioner-password $LABELS @@ -160,4 +160,4 @@ echo -e "\e[1mStep Certificates installed!\e[0m" echo echo "CA URL: ${CA_URL}" echo "CA Fingerprint: ${FINGERPRINT}" -echo \ No newline at end of file +echo 
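Review bot: Nothing in this hunk removes a `$PREFIX-secrets` ConfigMap left behind by a bootstrap run from before this change, so on such a cluster the CA private key files would presumably stay readable to anyone with ConfigMap read access even after the Secret is created. `kbreplace` is defined above the hunk, so whether it cleans up other resource kinds cannot be confirmed from here; if it does not, add `kubectl -n "$NAMESPACE" delete configmap "$PREFIX-secrets" --ignore-not-found` before the new `create secret generic` line. The same applies to the embedded copy of this script in `step-certificates/templates/configmaps.yaml` (hunk at -121). While touching the line, quoting the path as `"$(step path)/secrets"` would keep it a single argument if the step path ever contains whitespace.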
diff --git a/step-certificates/templates/ca.yaml b/step-certificates/templates/ca.yaml index 806534c..d5e8632 100644 --- a/step-certificates/templates/ca.yaml +++ b/step-certificates/templates/ca.yaml @@ -95,8 +95,8 @@ spec: configMap: name: {{ include "step-certificates.fullname" . }}-config - name: secrets - configMap: - name: {{ include "step-certificates.fullname" . }}-secrets + secret: + secretName: {{ include "step-certificates.fullname" . }}-secrets - name: ca-password secret: secretName: {{ include "step-certificates.fullname" . }}-ca-password diff --git a/step-certificates/templates/configmaps.yaml b/step-certificates/templates/configmaps.yaml index 33d10aa..e7c7226 100644 --- a/step-certificates/templates/configmaps.yaml +++ b/step-certificates/templates/configmaps.yaml 
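Review bot: The `secrets` volume keeps the default file mode (0644 for secret volumes), which leaves the private key files world-readable inside any container that mounts it. Consider adding `defaultMode: 0400` under `secret:` next to `secretName`, after checking that the pod's securityContext (not visible in this hunk) still lets the CA process read the files. The volumes list starts and ends outside the hunk, so the matching `volumeMounts` entry could not be checked here.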
@@ -121,15 +121,15 @@ data: # It allows to properly remove them on helm delete kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-config --from-file $(step path)/config kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-certs --from-file $(step path)/certs - kbreplace -n {{ .Release.Namespace }} create configmap {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets + kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-secrets --from-file $(step path)/secrets kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-ca-password --from-literal "password=${CA_PASSWORD}" kbreplace -n {{ .Release.Namespace }} create secret generic {{ include "step-certificates.fullname" . }}-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}" # Label all configmaps and secrets kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-config {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }} kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-certs {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }} - kubectl -n {{ .Release.Namespace }} label configmap {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }} + kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-secrets {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }} kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-ca-password {{ include "step-certificates.labels" . 
| replace ": " "=" | replace "\n" " " }} kubectl -n {{ .Release.Namespace }} label secret {{ include "step-certificates.fullname" . }}-provisioner-password {{ include "step-certificates.labels" . | replace ": " "=" | replace "\n" " " }} @@ -144,4 +144,4 @@ data: echo echo "CA URL: {{include "step-certificates.url" .}}" echo "CA Fingerprint: $(step certificate fingerprint $(step path)/certs/root_ca.crt)" - echo \ No newline at end of file + echo