Feature: support secret target #10
Comments
|
Hi @cortopy, there is no technical reason why adding |
|
thanks @JoshVanL for such a quick answer. I hadn't thought of that but the path you propose sounds excellent |
|
As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names? |
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
This was requested in cert-manager#10 Motivation: Many helm charts/operators support a certificate authority mount only in the form of a Secret, and do not support ConfigMap. This is due to the fact that certificate authority is often shipped with TLS-type secrets (along with their certificate and key). cert-manager also require a certificate authority in the form of a Secret for its Vault issuer. trust-manager should support the target being a Secret, along with a ConfigMap, to guarantee maximum usability. For security concerns, we will allow trust-manager to only view/update a given list of managed secrets in the helm chart. Signed-off-by: Guillaume Ludinard <guillaume.ludinard@japannext.co.jp>
|
I support adding secrets as an opt-in target for bundles. There are just so many tools that only support obtaining CA certificates from secrets. And one could argue that even if a CA certificate bundle is not strictly secret, defining who you trust is definitely important for overall security.
@james-callahan I don't think this is possible in general. As a user of trust-manager, I would expect to be allowed to express the secret name in the bundle resource. AFAIK the controller-runtime mechanics (and Kubernetes API) do not really support watching resources cluster-wide by name(s). |
|
I believe is issue was fixed by #193 /close |
|
@erikgb: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently only
configMapis supported astarget. It feels to me like that's the obvious choice for distributing a ca file. However, a lot of off-the-shelf applications out there only support mounting ca files via secretsWould it be possible to add it for compatibility reasons?
The text was updated successfully, but these errors were encountered: