charts/bitnami/ejbca/templates/NOTES.txt

CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}

⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
    Subscribe to Bitnami Secure Images to receive continued support and security updates.
    More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267

{{- $databaseSecretName := include "ejbca.databaseSecretName" . -}}
{{- $secretName := include "ejbca.secretName" . -}}

** Please be patient while the chart is being deployed **

{{- if .Values.diagnosticMode.enabled }}
The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:

  command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
  args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}

Get the list of pods by executing:

  kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }}

Access the pod you want to debug by executing

  kubectl exec --namespace {{ include "common.names.namespace" . }} -ti <NAME OF THE POD> -- bash

In order to replicate the container startup scripts execute this command:

    /opt/bitnami/scripts/ejbca/entrypoint.sh /opt/bitnami/scripts/ejbca/run.sh

{{- else }}

To access your EJBCA site from outside the cluster follow the steps below:

{{- $port := .Values.service.httpsPort | toString }}

1. Get the EJBCA URL by running these commands:

{{- if contains "NodePort" .Values.service.type }}

   export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ template "common.names.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo "EJBCA Public URL: https://$NODE_IP:$NODE_PORT/ejbca"
   echo "EJBCA Admin URL: https://$NODE_IP:$NODE_PORT/ejbca/adminweb"
   echo "EJBCA Enrol URL: https://$NODE_IP:$NODE_PORT/ejbca/enrol/keystore.jsp"

{{- else if contains "LoadBalancer" .Values.service.type }}

  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
        Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}'

   export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
   echo "EJBCA Public URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/publicweb"
   echo "EJBCA Admin URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/adminweb"
   echo "EJBCA RA URL: https://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/ra"

{{- else if contains "ClusterIP"  .Values.service.type }}

   kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ template "common.names.fullname" . }} {{ .Values.service.httpsPort }}:{{ .Values.service.httpsPort }} &
   echo "EJBCA Public URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/publicweb"
   echo "EJBCA Admin URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/adminweb"
   echo "EJBCA RA URL: https://127.0.0.1{{- if ne $port "80" }}:{{ .Values.service.httpsPort }}{{ end }}/ejbca/ra"

{{- end }}

2. Open a browser and access EJBCA using the obtained URL(s).

3. Refer to the official documentation (check link below) for configuring public access to RA & CA UI(s):

  - https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ra-operations-guide/configure-ejbca-for-public-access

4. In order to be able to log in to the Admin Portal, you first need to enrol (via RA) and import the generated certificate in your Browser:

   export EJBCA_ADMIN_USERNAME={{ .Values.ejbcaAdminUsername }}
   {{ include "common.utils.secret.getvalue" (dict "secret" $secretName "field" "ejbca-admin-password" "context" $) }}
   echo Username: $EJBCA_ADMIN_USERNAME
   echo Password: $EJBCA_ADMIN_PASSWORD

5. You can access the DB using the following password:
   {{ include "common.utils.secret.getvalue" (dict "secret" $databaseSecretName "field" "mariadb-password" "context" $) }}

{{- $passwordErrors := list -}}

{{- if not .Values.existingSecret -}}
  {{- $requiredEJBCAPassword := dict "valueKey" "ejbcaAdminPassword" "secret" $secretName "field" "ejbca-admin-password" "context" $ -}}
  {{- $requiredEJBCAPasswordError := include "common.validations.values.single.empty" $requiredEJBCAPassword -}}
  {{- $passwordErrors =  append $passwordErrors $requiredEJBCAPasswordError -}}
{{- end -}}

{{- $mariadbSecretName := include "ejbca.databaseSecretName" . -}}
{{- $mariadbPasswordValidationErrors := include "common.validations.values.mariadb.passwords" (dict "secret" $mariadbSecretName "subchart" true "context" $) -}}
{{- $passwordErrors = append $passwordErrors $mariadbPasswordValidationErrors -}}

{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordErrors "context" $) -}}

{{- end -}}

{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image) "context" $) }}