CSR Duration KEP #2788
Signed-off-by: Monis Khan <[email protected]>
/assign @deads2k
Signed-off-by: Monis Khan <[email protected]>
The design and the PRR both lgtm. The exception request was approved. /lgtm placing a hold to allow additional reviewers this week.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, enj. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
lgtm as well
- Confirm with [cert-manager](https://github.com/jetstack/cert-manager/pull/3646) that the new functionality addresses their use case
- Confirm with [pinniped](https://pinniped.dev) that the new functionality addresses their use case
non-blocking for merge of this doc, but can you confirm with them this addresses their use case ~now, not in a release?
This looks good from the cert-manager side!
We currently use an annotation to allow clients to set the requested duration. We can fall back to checking this annotation if this field is nil for users running older versions of kube.
Once pre-1.22 Kubernetes versions are no longer supported by cert-manager, we can remove the annotation completely.
/cc @munnerz
This looks good for the Pinniped use case as well. Our planned usage is for a credential exchange API just like the second user story:
- External user authenticates to a trusted service (using some custom application-specific credential).
- Trusted service creates a CSR with a short `spec.expirationSeconds` (probably the 10 minute minimum).
- Trusted service approves its own CSR and relies on a default signer to sign it.
- Trusted service retrieves the signed certificate and returns it to the authenticated external user.
We would quickly add support for the new flow but keep some fallback code that uses a custom signer until we no longer support current Kubernetes versions. We can probe for this feature dynamically and select the modern or fallback implementation appropriately.
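As an added example (not code from the KEP, cert-manager or Pinniped) of the two behaviours described in the cert-manager and Pinniped comments above: the requesting side carries the lifetime in `spec.expirationSeconds` when the feature probe found the field and in an annotation otherwise, while the signer side prefers the field, reads the annotation only when the field is nil, and applies the 10 minute minimum on either path. The `CSR` struct and the annotation key are assumed stand-ins for the real `certificates.k8s.io/v1` object and cert-manager's annotation, neither of which is spelled out on this page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	minExpiration      = 10 * time.Minute                      // floor the API enforces on spec.expirationSeconds
	fallbackAnnotation = "example.invalid/requested-duration" // assumed pre-1.22 annotation key, not from the page
)

// CSR mirrors the subset of a certificates.k8s.io/v1 CertificateSigningRequest this example needs.
type CSR struct {
	Annotations       map[string]string
	ExpirationSeconds *int32 // nil when the client or cluster predates the field
}

// NewShortLivedCSR (requesting side): use spec.expirationSeconds when the probe found the field, else the annotation.
func NewShortLivedCSR(ttl time.Duration, fieldSupported bool) (*CSR, error) {
	if ttl < minExpiration {
		return nil, fmt.Errorf("requested %s is below the %s minimum", ttl, minExpiration)
	}
	csr := &CSR{Annotations: map[string]string{}}
	if fieldSupported {
		secs := int32(ttl / time.Second)
		csr.ExpirationSeconds = &secs
	} else {
		csr.Annotations[fallbackAnnotation] = ttl.String()
	}
	return csr, nil
}

// RequestedDuration (signer side): prefer the field, consult the annotation only when it is nil, enforce the minimum on both.
func RequestedDuration(csr *CSR) (d time.Duration, err error) {
	switch {
	case csr.ExpirationSeconds != nil:
		d = time.Duration(*csr.ExpirationSeconds) * time.Second
	case csr.Annotations[fallbackAnnotation] != "":
		d, err = time.ParseDuration(csr.Annotations[fallbackAnnotation])
	default:
		err = errors.New("no requested duration on CSR")
	}
	if err == nil && d < minExpiration {
		err = fmt.Errorf("requested %s is below the %s minimum", d, minExpiration)
	}
	return d, err
}
```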
Sorry for the delay, I thought I dropped a "this looks good and Jordan and David hit all of my comments already", but it looks like I never pressed comment. This looks good to me, no further comments above what was already landed.
Hi @enj 👋🏽. Supriya here, 1.22 Enhancements Shadow.
Thank you!
/hold cancel
Signed-off-by: Monis Khan [email protected]
/sig auth
/assign @liggitt @smarterclayton @mikedanese