
Add --admin-subject to ca init

This allows the first super admin subject to be set when a new
CA is initialized. Usage is effectively limited to when remote
management is in use, because the super admin subject will only
be created when provisioners are stored in the database and the
admin API is enabled. It also doesn't work when the CA performs
automatic provisioner migration, as there's no nice way to pass
this information at the moment.

The flag cannot currently be used with `--helm`.
This commit is contained in:
Herman Slatman
2022-10-14 15:55:14 +02:00
parent 6826eb668c
commit afc91c7630
3 changed files with 91 additions and 74 deletions


@@ -205,6 +205,7 @@ Cloud.`,
Name: "acme",
Usage: `Create a default ACME provisioner. Defaults to false.`,
},
flags.AdminSubject,
flags.ContextProfile,
flags.ContextAuthority,
flags.HiddenNoContext,
@@ -230,6 +231,7 @@ func initAction(ctx *cli.Context) (err error) {
helm := ctx.Bool("helm")
enableRemoteManagement := ctx.Bool("remote-management")
addDefaultACMEProvisioner := ctx.Bool("acme")
firstSuperAdminSubject := ctx.String("admin-subject")
switch {
case root != "" && key == "":
@@ -259,6 +261,9 @@ func initAction(ctx *cli.Context) (err error) {
case addDefaultACMEProvisioner && noDB:
// ACME functionality requires a database configuration
return errs.IncompatibleFlagWithFlag(ctx, "acme", "no-db")
case firstSuperAdminSubject != "" && helm:
// providing the first super admin subject is not (yet) supported with Helm output
return errs.IncompatibleFlagWithFlag(ctx, "admin-subject", "helm")
}
var password string
@@ -564,10 +569,10 @@ func initAction(ctx *cli.Context) (err error) {
return err
}
var provisioner string
// Only standalone deployments will create an initial provisioner.
// Linked or hosted deployments will use an OIDC token as the first
// deployment.
var provisioner string
if deploymentType == pki.StandaloneDeployment {
ui.Println("What would you like to name the CA's first provisioner?", ui.WithValue(ctx.String("provisioner")))
provisioner, err = ui.Prompt("(e.g. you@smallstep.com)",
@@ -584,7 +589,10 @@ func initAction(ctx *cli.Context) (err error) {
pki.WithDeploymentType(deploymentType),
)
if deploymentType == pki.StandaloneDeployment {
pkiOpts = append(pkiOpts, pki.WithProvisioner(provisioner))
pkiOpts = append(pkiOpts,
pki.WithProvisioner(provisioner),
pki.WithFirstSuperAdminSubject(firstSuperAdminSubject),
)
}
if deploymentType == pki.LinkedDeployment {
pkiOpts = append(pkiOpts, pki.WithAdmin())
@@ -600,13 +608,14 @@ func initAction(ctx *cli.Context) (err error) {
// enable the admin API if the `--remote-management` flag is provided. This will
// also result in the default provisioner being stored in the database and a default
// admin called `step` to be created for the default provisioner when the PKI is saved.
// admin (called `step` by default, but can be named with --admin-subject) to be
// created for the default provisioner when the PKI is saved.
if enableRemoteManagement {
pkiOpts = append(pkiOpts, pki.WithAdmin())
}
// add a default ACME provisioner named `acme` if `--acme` flag is provided
// and configuring a standalone CA.
// and configuring a standalone CA. Not yet supported for linked deployments.
if addDefaultACMEProvisioner && deploymentType == pki.StandaloneDeployment {
pkiOpts = append(pkiOpts, pki.WithACME())
}