Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
In ca.json some secrets are referenced via file paths, in particular certificate files
{
"root": "examples/pki/secrets/root_ca.crt",
"federatedRoots": ["examples/pki/secrets/federated_root_ca.crt"],
"crt": "examples/pki/secrets/intermediate_ca.crt",
"key": "examples/pki/secrets/intermediate_ca_key",
"address": ":9000",However other secrets are not:
"type": "OIDC",
"name": "Google",
"clientID": "1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com",
"clientSecret": "udTrOT3gzrO7W9fDPgZQLfYJ",
"configurationEndpoint": "https://accounts.google.com/.well-known/openid-configuration",or
{
"type": "X5C",
"name": "x5c",
"roots": "LS0tLS1 ... Q0FURS0tLS0tCg==",The ideal option, would be to have the ability to reference a file path as an alternative to the raw value by an alternative, roots/ roots_file, clientSecret/clientSecret_file and so on. These files could be injected into the container by various tooling, keeping the secrets outside of ca.json.
Why is this needed?
When deploying step-ca via IaC tools, this needs to be worked around, because the ca.json cannot be simply stored as-is. This leads to various workarounds, such as storing the entire configuration as a secret, bootstrapping the container by templates, none of which are ideal.
Hello!
Issue details
In
ca.jsonsome secrets are referenced via file paths, in particular certificate files{ "root": "examples/pki/secrets/root_ca.crt", "federatedRoots": ["examples/pki/secrets/federated_root_ca.crt"], "crt": "examples/pki/secrets/intermediate_ca.crt", "key": "examples/pki/secrets/intermediate_ca_key", "address": ":9000",However other secrets are not:
or
{ "type": "X5C", "name": "x5c", "roots": "LS0tLS1 ... Q0FURS0tLS0tCg==",The ideal option, would be to have the ability to reference a file path as an alternative to the raw value by an alternative,
roots/roots_file,clientSecret/clientSecret_fileand so on. These files could be injected into the container by various tooling, keeping the secrets outside of ca.json.Why is this needed?
When deploying step-ca via IaC tools, this needs to be worked around, because the
ca.jsoncannot be simply stored as-is. This leads to various workarounds, such as storing the entire configuration as a secret, bootstrapping the container by templates, none of which are ideal.