-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: support secret target #10
Comments
Hi @cortopy, there is no technical reason why adding |
thanks @JoshVanL for such a quick answer. I hadn't thought of that but the path you propose sounds excellent |
As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names? |
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <[email protected]>
I support adding secrets as an opt-in target for bundles. There are just so many tools that only support obtaining CA certificates from secrets. And one could argue that even if a CA certificate bundle is not strictly secret, defining who you trust is definitely important for overall security.
@james-callahan I don't think this is possible in general. As a user of trust-manager, I would expect to be allowed to express the secret name in the bundle resource. AFAIK the controller-runtime mechanics (and Kubernetes API) do not really support watching resources cluster-wide by name(s). |
I believe is issue was fixed by #193 /close |
@erikgb: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently only
configMap
is supported astarget
. It feels to me like that's the obvious choice for distributing a ca file. However, a lot of off-the-shelf applications out there only support mounting ca files via secretsWould it be possible to add it for compatibility reasons?
The text was updated successfully, but these errors were encountered: