-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow auto-trust Bundles tracking a certain Issuer #54
Comments
This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have I wrote about some of that in this comment, under "Enabling Safe Rotation". Does that make sense here? |
What type of issuers are you suggesting here? I don't think you can get the root CA for every issuer using the k8s API, you would need to understand the issuer type and be able to request its CA cert(s) somehow. For on cluster CA issuers, I have suggested this approach: #144 |
Adding a breadcrumb to @munnerz interesting suggestion to introduce a status.rootTrustBundle on cert-manager issuers: cert-manager/cert-manager#2722 (comment) |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
This is perhaps a flawed request from a security standpoint. However, it would increase the user-friendliness of the trust project potentially.
Just like how currently a certificate in cert-manager has a
ca.crt
key, it would be great to not have to manually fetch the root for a certain issuer and just have a Bundle object "trust" an issuer, so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes.Is this something you would explore perhaps?
Thanks!
The text was updated successfully, but these errors were encountered: