CA injection via cert-manager in ClusterSecretStore do not work #9
Comments
|
Oh interesting. I don't know of that approach. :) I'll take a look on how to implement that. |
|
I‘m surprised, because your hack script explicitly waited for the ca-injector to be ready. ;) |
|
To be honest, at the moment I‘m in a brainstorming phase to use mTLS instead of normal TLS. It would be helpful to have the kind of communication between the services open to such concepts. |
|
Hmmm. Not entirely sure how that would work since external secrets isn't necessarily aware of the service. It's handling it as a generic something that has an api. If it would start checking any certificates it would impact the setup of the whole project too. It's not impossible I just think it's not necessarily worth the effort. 🤣 but maybe I'm wrong. 😀 |
|
Hmmm. Then again we are talking about secrets here that potentially could destroy a system. So scratch what I said. Setting up mTLS would be nice. |
|
Btw I don't think this ca injector annotation would work here since the |
|
That said... eso does have it's own injector. I wonder if I could implement something there. I will have to check that out. |
|
Hm, this is most likely not going to happen as it requires a bunch of rewrites to our injector and the recommended approach is to either point to a secret or use a bundled certificate. I will add the secret approach as well. |
|
Meaning it will get something like this: // Used to provide custom certificate authority (CA) certificates
// for a secret store. The CAProvider points to a Secret or ConfigMap resource
// that contains a PEM-encoded certificate.
type CAProvider struct {
// The type of provider to use such as "Secret", or "ConfigMap".
// +kubebuilder:validation:Enum="Secret";"ConfigMap"
Type CAProviderType `json:"type"`
// The name of the object located at the provider type.
Name string `json:"name"`
// The key where the CA certificate can be found in the Secret or ConfigMap.
// +kubebuilder:validation:Optional
Key string `json:"key,omitempty"`
// The namespace the Provider type is in.
// Can only be defined when used in a ClusterSecretStore.
// +optional
Namespace *string `json:"namespace,omitempty"`
}So the source can be a secret or a configmap too. |
|
Looks like a really fine & clean solution. 👍 |
|
I've just hit into this one as well as the I have resorted to (for now, for testing) copying the CA bundle from the CertManager output secret and adding in into the I can see you have an MR thats open which looks at a glace to be addressing this, however :) |
|
@brianramseyau Yes, the upcoming solution would be able to handle a ca certificate rotation also. |
|
This will have to be released first in ESO to take effect. So keep an eye out for 0.10.1 for ESO. |
|
Finally, ESO 0.10.1 was released :) |
Describe the bug
I tried to setup ClusterSecretStore after deployment of the self signed certificate chain and the helm installation. I tried to inject the ca instead of using the caBundle field statically.
But it tells me caBundle is a required field.
Full message from reconciliation:
To Reproduce
Steps to reproduce the behavior:
My deployment is made with flux. My yaml code can be seen here:
https://github.com/volschin/home-ops/blob/main/kubernetes/apps/external-secrets/external-secrets/stores/bitwarden-secrets/clustersecretstore.yaml
Expected behavior
It should be possible to inject the ca from the generated certificate in the ClusterSecretStore.
** Additional **
In my connected research I found this linkerd issue an pr from some years ago that goes in a same direction an perhaps helps.
linkerd/linkerd2#7353
The text was updated successfully, but these errors were encountered: