-
-
Notifications
You must be signed in to change notification settings - Fork 6
Allow customers to request CA cert (e.g. for external clients) #410
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
This needs to be documented as well (once implemented) |
So we have a few options to go on here...
I'm inclined to say that a CM is the way to go here. It should be easier for outsiders to interact with, and is already supported by things like k8s mounts. It also means we don't have to interact with webhooks or worry about what happens when said webhook goes down. If we go with the CM approach then we also have to decide who is responsible for deciding where it should go.
So far, I'm leaning towards 2b, but that is far from a final call. |
I just wanted to mention that in the future we also need a mechanism to generate cert-pairs for the users. |
I don't think end-user authn is in scope for the secret operator. If you want to share the same PKI we should consider ways to delegate that to a different authority. Either including that CA's root cert(s), cross-signing them, or issuing sub-CA certificates directly in some fashion. |
I have a conceptual question regarding the k8sSearch solution. In pods, volume mounts are used to request contents referenced by a SecretClass. If you want to "mount" the contents into a ConfigMap instead of a Pod, volume mounts cannot be used. A TrustStore object is a replacement for a mount request into a ConfigMap. The annotation Now to the big difference when using k8sSearch: In the "Pod-case", the object containing the contents references the SecretClass with the label Would it be possible to align these two approaches somehow? ---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
name: truststore-k8ssearch
spec:
secretClassName: trust-roots
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
name: trust-roots
spec:
backend:
k8sSearch:
searchNamespace:
name: default
---
apiVersion: v1
kind: ConfigMap
metadata:
name: root-ca
namespace: default
labels:
secrets.stackable.tech/class: trust-roots
data:
ca.crt: ... |
Yeah.. Every secret is (ideally) unique, but (the contents of) every TrustStore targeting the same SecretClass is identical. |
Release note:
|
Thank you both @siegfriedweber @nightkr for adding docs and release notes without me having to ask 💓 |
Uh oh!
There was an error while loading. Please reload this page.
There is a similar Issue for Pods: #320
As a SDP user I need to get the current ca.crt so that I can put it in external clients or e.g. OpenShift routes.
Follow-ups
#597
Workaround
Until this is implemented you can use one of the following workarounds:
ca.crt
from the referenced Secret in the SecretClass. Usually it is calledsecret-provisioner-tls-ca
and is located either in thedefault
orstackable-operators
namespace.The text was updated successfully, but these errors were encountered: