Remove the experimental.cert-manager.io/ca
annotation from CertificateSigningRequests
#4143
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CertificateSigningRequests do not have a
status.CA
field. To account for this, we add anexperimental.cert-manager.io/ca
annotation on signed CertificateSigningRequests which include the base64 encoded CA certificate.The status of a CertificateSigningRequest is a subresource, and as such, a separate API endpoint to the main object. In practice this means that when updating a CertificateSigningRequest with the signed certificate and CA, we have to make 2 API calls. An edge case can occur whereby the 2nd API call fails, causing the the second API call to never happen:
status.Certificate
The
status.Certificate
field must be set first, otherwise when the annotation is updated, a re-sync would immediately occur and a second issuance would happen.Other mitigations considered:
status.Certificate
. This is generally a bad idea as clients in practice do not expect the CA to be present in this chain. There would need to be some middleware to extract it out, causing lots of headaches.Path forward:
A mechanism for sharing the signer's CA falls under the "trust distribution" feature. Until cert-manager has some mechanism for "trust distribution", clients are suggested to find other means. Kubernetes and istio have success with a controller populating a well-known configmap in all namespaces.
I have updated the website PR by removing reference to this annotation.
This is a breaking change however is fine, since this is an alpha API and under the "experimental" group. This group has fair warning that behaviour and API is subject to change.