Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow option to expose mounted certs as secret #48

Open
cpdeethree opened this issue Apr 2, 2022 · 1 comment
Open

Allow option to expose mounted certs as secret #48

cpdeethree opened this issue Apr 2, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@cpdeethree
Copy link

cpdeethree commented Apr 2, 2022
edited

What would you like to be added

The ability to either have autocert create a secret in the namespace with the cert credentials (similar to what step-issuer does) or to write out to the volume mount a kubernetes secret containing cert file contents instead of the crt files themselves.

Why this is needed

In some cases it's nice to be able to have certs available as a secret in addition to or instead of three flat files made available via a volume mount. One use case I ran into is when I was bootstrapping timescaledb-kubernetes. In this helm chart, you can only specify certs as environment variables (secrets.certificate) or as an existing secret (secrets.certificateSecretName) when bootstrapping: https://github.com/timescale/timescaledb-kubernetes/blob/master/charts/timescaledb-single/admin-guide.md

There are some alternative solutions I could explore to continue to use volume mounted certs in this case - but none of them were particularly great as far as I could tell. Some variations to solve my problem that I explored include:

  • add some configmap with some bash script that would pull the file contents into environment variables to be used by the helm chart
  • modify the timescaledb-kubernetes helm chart to also take volume mount as input to read the cert contents
  • install some other automation to pull the info out into an existing secret

I might have gone down one of those routes if autocert wrote out the contents of the cert files as a kubernetes secret for me. There is a well documented path to using secrets in your app that are in the pod filesystem provided they are written out in the kubernetes secret format.

In the end for my use case I just manually created a secret with the certs for this use-case using cert-manager, step-issuer, step-certificates and referenced that secret in the timescaledb-kubernetes helm chart values. It would be nice to not have to have that workflow, however, and be able to use autocert to manage that.
@cpdeethree cpdeethree added enhancement New feature or request needs triage Waiting for discussion / prioritization by team labels Apr 2, 2022
@maraino
Copy link
Collaborator

maraino commented Apr 8, 2022
edited

Hi @cpdeethree, the current version of autocert is not designed to write data to secrets, for that we will require to convert autocert into a different tool, basically a k8s controller/operator, very similar to cert-manager + step-issuer. The current implementation runs as a sidecar container and obtains and renews the certificate in a fixed path.

I would love to add autocert that functionality, almost deprecating step-issuer, but right now we don't have any plans to support it.

@dopey dopey removed the needs triage Waiting for discussion / prioritization by team label Apr 13, 2022
@maraino maraino removed their assignment Apr 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maraino @dopey @cpdeethree