Closed mlajkim closed 6 months ago
| Identityd | IsGeneratingEachKeyForRoleCert | IsProblematic? | Why? |
|:---------:|:------------------------------:|:--------------:|:----:|
| No | No | Yes | [^1] |
| Yes | No | No | -- |
| No | Yes | No | -- |
| Yes | Yes | No | -- |
[^1]: The rotation periods of SIA and the 3rd party most likely differ, and the end user is unable to use the fetched role cert.
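Added example, not code from k8s-athenz-sia or from any participant in this thread: a small Go program that encodes the rule in the table above (the only problematic row is Identityd=No with no per-role-cert key) and then reproduces the failure the footnote describes, a role cert whose private key has been rotated out from under it no longer matches its certificate, which is what the end user would hit. The function and parameter names (`RoleCertConfigProblem`, `KeyMatchesCert`, `newSelfSignedPEM`, `identityd`, `keyPerRoleCert`) are assumptions; a self-signed certificate stands in for a ZTS-issued role cert, and no SIA or ZTS code is called.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RoleCertConfigProblem encodes the table above. identityd: SIA issued the
// instance cert itself; keyPerRoleCert: SIA generates a fresh key for every
// role cert and writes it out (ROLE_CERT_KEY_FILE_OUTPUT=true). The names are
// hypothetical, not the project's config fields.
func RoleCertConfigProblem(identityd, keyPerRoleCert bool) error {
	if !identityd && !keyPerRoleCert {
		return errors.New("role cert would be bound to a third-party instance key that rotates on its own schedule; " +
			"require ROLE_CERT_KEY_FILE_OUTPUT=true or disable role cert generation")
	}
	return nil
}

// newSelfSignedPEM builds a throwaway ECDSA key and self-signed cert. This is
// constructed test data standing in for a ZTS-issued role cert and its key.
func newSelfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// KeyMatchesCert reports whether the PEM private key is the one the PEM cert
// certifies. This is the check an end user (or SIA, before writing the pair)
// should run: a role cert paired with a key from a different rotation fails it.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return false, errors.New("no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return false, err
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "PRIVATE KEY" {
		return false, errors.New("no PEM PRIVATE KEY (PKCS#8) block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
		return false, err
	}
	signer, ok := parsed.(crypto.Signer)
	if !ok {
		return false, errors.New("private key does not implement crypto.Signer")
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, errors.New("certificate public key type is not comparable")
	}
	return pub.Equal(signer.Public()), nil
}

func main() {
	for _, c := range []struct{ identityd, keyPerRoleCert bool }{{false, false}, {true, false}, {false, true}, {true, true}} {
		fmt.Printf("Identityd=%v keyPerRoleCert=%v -> %v\n", c.identityd, c.keyPerRoleCert, RoleCertConfigProblem(c.identityd, c.keyPerRoleCert))
	}
	roleCert, roleKey, err := newSelfSignedPEM("role.cert")
	if err != nil {
		panic(err)
	}
	// The 3rd party rotated the instance key on its own schedule; the old role
	// cert is still on disk but its key is gone.
	_, rotatedKey, err := newSelfSignedPEM("rotated.instance")
	if err != nil {
		panic(err)
	}
	ok, _ := KeyMatchesCert(roleCert, roleKey)
	fmt.Println("role cert with its own key:", ok)
	ok, _ = KeyMatchesCert(roleCert, rotatedKey)
	fmt.Println("role cert after instance key rotation:", ok)
}
```

The pair check uses the `Equal` method that Go's public key types implement, so the same function works for RSA and Ed25519 certificates as well as the ECDSA one constructed here; it is the same comparison `tls.X509KeyPair` performs internally, exposed as a plain boolean so it can be run as a pre-flight check before a role cert is handed to the end user.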
Do you refer to this warning log? https://github.com/AthenZ/k8s-athenz-sia/blob/58ba7cfaed5098fdd7637550fc8aa5c65f08d79e/pkg/config/config.go#L254-L259
@WindzCUHK oh wow... it already exists! This is possibly closable if we decide not to stop the SIA rotation and a warning is enough when an external cert is used!
Background
The current SIA can generate a RoleCert with its own generated Instance Certificate under the Identityd architecture. Yet the current SIA can also generate an AccessToken/RoleToken/RoleCert based on a 3rd-party-generated InstanceCert.
A RoleCert in X.509 Certificate format requires a private key, but the current architecture does not warn or disable generating a RoleCert when
ROLE_CERT_KEY_FILE_OUTPUT=true
is a must.
TODOs