Allow auto-trust Bundles tracking a certain Issuer

[SpectralHiss]

This is perhaps a flawed request from a security standpoint. However, it would increase the user-friendliness of the trust project potentially.

Just like how currently a certificate in cert-manager has a ca.crt key, it would be great to not have to manually fetch the root for a certain issuer and just have a Bundle object "trust" an issuer, so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes.

Is this something you would explore perhaps?

Thanks!

[SgtCoDFish]

so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes.

This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have Issuers as sources for bundles, but it does come with risks.

I wrote about some of that in this comment, under "Enabling Safe Rotation". Does that make sense here?

[Jamstah]

What type of issuers are you suggesting here? I don't think you can get the root CA for every issuer using the k8s API, you would need to understand the issuer type and be able to request its CA cert(s) somehow.

For on cluster CA issuers, I have suggested this approach: #144

[erikgb]

This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have Issuers as sources for bundles, but it does come with risks.

Adding a breadcrumb to @munnerz interesting suggestion to introduce a status.rootTrustBundle on cert-manager issuers: cert-manager/cert-manager#2722 (comment)