Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify Name Constraints in CA Certificate #3655

Open
t-cas opened this issue Feb 11, 2021 · 27 comments
Open

Specify Name Constraints in CA Certificate #3655

t-cas opened this issue Feb 11, 2021 · 27 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@t-cas
Copy link

t-cas commented Feb 11, 2021

Is your feature request related to a problem? Please describe.
When creating a Certificate CR using flag isCA: true, there is today no possibility to specify Name Constraints to apply restrictions on the CN and SAN for this Sub-CA.

Describe the solution you'd like
a new section spec.nameConstraints in Certificate CR for example:

spec:
  isCA: true
  nameConstraints:
  - type: permitted
    critical: true
    constraints:
      dns: [.private, .corp]
      ipAddress: [192.168.3.0/255.255.255.0]
  - type: excluded
    critical: true
    constraints:
      dns: [.secret.corp]

/kind feature
@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 11, 2021
@SgtCoDFish SgtCoDFish added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 27, 2021
@SivaBharahi
Copy link

SivaBharahi commented Aug 4, 2021
edited
Loading

Important Feature: Will be a critical addition to controlling boundaries for Sub CAs.

@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 2, 2021
@t-cas
Copy link
Author

t-cas commented Nov 3, 2021

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 3, 2021
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 1, 2022
@t-cas
Copy link
Author

t-cas commented Feb 1, 2022

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 1, 2022
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 2, 2022
@jetstack-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 1, 2022
@jetstack-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@jetstack-bot
Copy link
Contributor

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@t-cas
Copy link
Author

t-cas commented Jul 4, 2022

/reopen

@jetstack-bot jetstack-bot reopened this Jul 4, 2022
@jetstack-bot
Copy link
Contributor

@t-cas: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@t-cas
Copy link
Author

t-cas commented Jul 4, 2022

/remove-lifecycle rotten

@jetstack-bot jetstack-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jul 4, 2022
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 2, 2022
@olix0r
Copy link

olix0r commented Oct 3, 2022

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 3, 2022
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 1, 2023
@sathyanarays
Copy link
Contributor

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2023
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 2, 2023
@jetstack-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 2, 2023
@alfredkrohmer
Copy link

/remove-lifecycle rotten

@jetstack-bot jetstack-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label May 7, 2023
@smarunich
Copy link

any timelines?

@olix0r
Copy link

olix0r commented May 31, 2023

@smarunich i'm just another observer on this issue, but I think it's pretty clear that this is not currently a priority of the maintainers and there are no timelines.

It seems likely that this will only happen if/when this work is funded and someone engages the maintainers with a concrete proposal and implementation.

@maelvls
Copy link
Member

maelvls commented Aug 16, 2023

Hey,

I am happy to report that this feature request is very high in the list of community requests for bugs and features! It currently stands at the 6th position. We (Venafi-sponsored maintainers) often use the number of thumbs up as a way to guide what to do next on our community-focused time.

At this point, the most requested feature is "certificate presets" with 49 thumbs up. That's what we have decided to work on for the next release as part of our "community time".

In the meantime, I'd be glad to talk and help design the feature and to review a contributor's PR if someone is interested!

@wmorgan wmorgan mentioned this issue Aug 24, 2023
Closed
@deva26
Copy link

deva26 commented Sep 28, 2023

@maelvls , looks like this issue has got more votes since then. Can you help in taking this up in the current cycle?

@tanujd11
Copy link
Member

@maelvls Is someone working on this? If not I am interested to take this forward.

@tanujd11 tanujd11 mentioned this issue Nov 19, 2023
Merged
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 14, 2024
@alfredkrohmer
Copy link

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 12, 2024
@erikgb
Copy link
Contributor

erikgb commented May 9, 2024

This seems possible now if enabling a feature gate, ref. https://cert-manager.io/docs/usage/certificate/#creating-certificate-with-name-constraints. I wonder if this issue can be closed, or if there is something missing? It would be nice to get some feedback from users who have showed interest in this feature!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests