New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Making ACME Issuer privateKeySecretRef optional #1751
Comments
This private key is used to store the ACME/Let's Encrypt account private key, not the private key used for any Certificate resources. The account private key identifies your company/you as a user of the ACME service, and is used to sign all requests/communication with the ACME server to validate your identity. We could look at allowing this field to be omitted altogether and auto-generating the name. I see two options:
On the other hand, making the fact that an account private key exists obvious to users can be seen as beneficial as it illustrates to users that they do have an identity with the ACME server, and that it can be transferred between clusters. Although perhaps this is a more advanced use-case that is necessary to expose on the 'quick start' path 😄 /area api |
I donno if its relevent here but is there a way you use existing secret? I tried putting the key/cert in the issuer secret and ingress controller secret, but it doesnt take it. |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
I don't think this is really something we are looking to support in the near future. Given users don't need to define a issuer resources particularly often, I think the burden of requiring a user name a Secret resource to contain the credentials, and thus acknowledge that the credentials exist, is much burden. |
I as a new user was very confused about |
I appreciate that the current, mandatory status of this parameter forced me to learn that I have a crypto identity with my ACME provider, because I do constantly destroy and rebuild k8s clusters to make sure my process is consistent. Based on my new understanding, it sounds like I could discard this identity every time I rebuild and still produce new certs for my domain, but I'd lose my ability to revoke older certs from previous incarnations of my cluster. Maybe no big deal, but if I had a use-case where it was important I'd be upset to learn I'd made a mistake after-the-fact. That said, it took some digging for me to understand this. A lot would have been saved if the doc-comments in the example configs at https://cert-manager.io/docs/configuration/acme/ were just made a bit richer. Perhaps some wording like?:
|
I've been fighting this all day, these docs certainly need to be cleaned up there is a bunch of 'yada yada' type shortcuts in them and it makes for a long day trying to Google-fu past their poor docs. |
Hello Everyone, I have an issuer with the name "aeg-eab" and the privateKeySecretRef as name: "aeg-secret". Which is said in the official docs. Is there anything that I am missing with. Thanks |
Currently the Issuer/ClusterIssuer Custom Resource Spec contains 'privateKeySecretRef' attribute. The controller internally creates a Secret with the name specified in this attribute's value. Is this secret supposed to be used by users anywhere/anytime? If not, can this field be removed? The controller can internally create a Secret using some random name.
The Issuer/ClusterIssuer Specs have several attributes. By removing privateKeySecretRef if it is not used, configuring and using the Custom Resource will become simpler.
The text was updated successfully, but these errors were encountered: