New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow defining keystore password as litteral instead of SecretRef #5665
Comments
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale I would be intersted in feedback from the maintainers and/or community |
Issues go stale after 90d of inactivity. |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale I see there's another proposal for hardcoded password (#6269), and I'd be fine with that too, the password value is irrelevant. |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
Rotten issues close after 30d of inactivity. |
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is your feature request related to a problem? Please describe.
Keystore generation is a great feature of cert-manager, but it could be simplified a little. Today we have:
The fact of encrypting keystores with a password in Java keytool predates the Kubernetes era.
The Java ecosystem is slowly moving towards generating keystores programmatically at runtime from PEM files.
Meanwhile, since the generated keystore is stored in a Kubernetes secret, the fact of encrypting it has become irrelevant (if you can access secrets, then you can also access the secret containing the encryption password ...)
Even worse, since Kubernetes
Secret
resources shouldn't be stored in Gitops repositories (and tools like ArgoCD may be configured to never synchronize such resources), this forces to synchronize from a vault, making things very complex for something than doesn't actually need it.Describe the solution you'd like
We should be able to hardcode the keystore password in the PKCS12Keystore, for instance:
/kind feature
The text was updated successfully, but these errors were encountered: