
Allow auto-trust Bundles tracking a certain Issuer #54

Open
SpectralHiss opened this issue Aug 9, 2022 · 5 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@SpectralHiss

This is perhaps a flawed request from a security standpoint. However, it would increase the user-friendliness of the trust project potentially.

Just like how currently a certificate in cert-manager has a ca.crt key, it would be great to not have to manually fetch the root for a certain issuer and just have a Bundle object "trust" an issuer, so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes.

Is this something you would explore perhaps?

Thanks!

@SgtCoDFish
Member

so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes.

This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have Issuers as sources for bundles, but it does come with risks.

I wrote about some of that in this comment, under "Enabling Safe Rotation". Does that make sense here?
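As an added illustration, not taken from this issue or from the trust-manager project itself, of the manual workflow the request wants to automate and of the dual-trust step that makes a root rotation safe: a Bundle that takes the root from the Issuer's CA Secret explicitly and, during rotation, carries both the outgoing and the incoming root so workloads trust leaves chaining to either before the old root is dropped. Secret names, the namespace label and the rotation years are assumptions.

```yaml
# Added example: a trust-manager Bundle assembled by hand from the Issuer's
# CA Secret(s). Secret names, label and years are assumptions for illustration.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: internal-ca            # Bundle is cluster-scoped, so no namespace
spec:
  sources:
    # Outgoing root: the ca.crt key of the Secret behind the current CA Issuer.
    - secret:
        name: internal-ca-root-2022
        key: ca.crt
    # Incoming root: added *before* the Issuer is switched to it, so every
    # workload already trusts both roots when leaves start chaining to the new one.
    - secret:
        name: internal-ca-root-2024
        key: ca.crt
  target:
    configMap:
      key: ca-bundle.pem       # consumers mount this key as their trust store
    namespaceSelector:
      matchLabels:
        trust: enabled         # only namespaces carrying this label receive it
```

trust-manager only reads Secret and ConfigMap sources from its own trust namespace, so the CA Secrets have to live there (or be copied there). Once every leaf chains to the new root, deleting the first source retires the old root cluster-wide; removing it earlier, or adding the new root only after the Issuer has been switched, is exactly the outage the comment above warns about.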

@Jamstah
Contributor

Jamstah commented Jun 27, 2023

What type of issuers are you suggesting here? I don't think you can get the root CA for every issuer using the k8s API, you would need to understand the issuer type and be able to request its CA cert(s) somehow.

For on cluster CA issuers, I have suggested this approach: #144

@erikgb
Contributor

erikgb commented Sep 3, 2023

This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have Issuers as sources for bundles, but it does come with risks.

Adding a breadcrumb to @munnerz's interesting suggestion to introduce a status.rootTrustBundle on cert-manager issuers: cert-manager/cert-manager#2722 (comment)

@cert-manager-bot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 6, 2024
@cert-manager-bot
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

@cert-manager-prow cert-manager-prow bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 6, 2024