(no commit message)

diff --git a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
index 91b4a91e65ac1918e3b6836aadcf977832771dcf..6cc81d13f8444030ed2c88d722e10995029db3b2 100644 (file)
--- a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
+++ b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
@@ -152,23 +152,30 @@ We continue on the step-ca host:
 
 $ # Copy the signed cert into pki/issued/ca.kubecluster.example.org.crt.
 $ # Copy the root ca crt from pk/ca.crt into pki/ca.crt
-$ pwgen -s 50 1 > pwd
-$ step ca init --password-file=pwd --provisioner-password-file=pwd --name=test1 --key-password-file=pwd --deployment-type=standalone --dns ca.kubecluster.example.org --dns step-certificates.step-ca.svc.cluster.local --address=:9000 --provisioner=step-ca-issuer --helm > test1.yaml
-$ cat ./test1.yaml  | yq -o json | jq --arg fingerprint "$(openssl x509 -in pki/ca.crt -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')" --rawfile root_ca_crt pki/ca.crt --rawfile intermediate_ca_pw ./intermediate-pw --rawfile intermediate_ca_key pki/private/ca.kubecluster.home.stejau.vpn.key --rawfile intermediate_ca_crt pki/issued/ca.kubecluster.home.stejau.vpn.crt '.inject.certificates.root_ca = $root_ca_crt | .inject.secrets.x509.root_ca_key = null | .inject.certificates.intermediate_ca = $intermediate_ca_crt | .inject.secrets.x509.intermediate_ca_key = $intermediate_ca_key | .inject.secrets.ca_password = ($intermediate_ca_pw | @base64) | .inject.secrets.provisioner_password = null | .inject.config.files["defaults.json"].fingerprint = $fingerprint' |  yq -o yaml -P | tee test2.yaml
 
-$ # you now have the step-ca config inside test2.yaml.
+$ bash finaggle-step-configs.sh ca.kubecluster.example.org step-certificates.step-ca.svc.cluster.local step-ca-issuer
 
 ```
 
-TODOs:
+Follow the helm repo part from https://github.com/smallstep/step-issuer and install the repo and the step-issuer via helm.
+
+The files:
+- test2.yaml will contain your helm values to be fed to "helm upgrade --install --create-namespace --namespace step-ca --values test2.yaml step-certificates smallstep/step-certificates"
+- test-cluster.issuer-filled.yaml will contain the manifest for the cluster issuer, it can simply be applied.
+
+If this works the cmd "kubectl get stepclusterissuers.certmanager.step.sm step-cluster-issuer -o yaml" should output "StepClusterIssuer verified and ready to sign certificates" or "Ready"/"true".
+
+With this you can annotate your resources properly and will get certificates.
+
 
-* How to get from test2.yaml to a working step-ca
-* Add provisioner password to above invokation
-* step-ca-cluster-issuer - generate config like above
+
+
+TODOs:
+* [!] put finaggle-step-configs.sh and its deps somewhere
+* document stuff around cert-manager / ingress-shim docs - https://cert-manager.io/docs/usage/ingress/#supported-annotations
 * multiple provisioners - how to do?
 * ???
-
+* PROFIT
 
 Caveat:
-
 * it might be that x509-types in a modern easy-rsa install is under pki/ instead of in the same dir as the easy-rsa script