Closed joshua-rutherford closed 5 years ago
I spoke with @sofiashalotenko about this today, and since she is still using it and it would be an effort to migrate away, we should not repurpose this repository.
So I've created incert to house this logic. Pushed the initial commit up with a few cleaned-up bits.
@danielpcox, @justincely, @chrisbsmith and @sofiashalotenko,
This is a pretty big re-work (and I know that it will break Sofia's use cases) so I want everyone to review this if you have time. I am open to doing this as its own project instead of refactoring this one.
In short, this was never supposed to be a real certificate authority, instead it was supposed to be a tool that generated certificate chains for use in tests. We now have another use case that requires us to generate valid certificates from an ephemeral certificate authority.
To support that, I propose this pull request which moves all functionality to a command line utility that issues certificates off an ephemeral authority (i.e., a new authority for every invocation). This would still allow us to generate the test certificates for checking into repositories, but also support an init container use case for laying down mTLS certificates for the proxy and service.
Thoughts?
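
The ephemeral-authority idea from the pull request description, as an added example in Go (not code from this pull request or from incert). The function name `Issue`, the host name `svc.test`, the fixed serial numbers and the choice of Ed25519 keys are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue (hypothetical name) creates a throwaway CA and signs one leaf for dnsName.
// The CA key is never returned or written out, so this authority cannot sign again.
func Issue(dnsName string, ttl time.Duration) (ca, leaf *x509.Certificate, key ed25519.PrivateKey, err error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), // fixed serials: the issuer is unique per run
		Subject: pkix.Name{CommonName: "ephemeral CA"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: caT.NotBefore, NotAfter: caT.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}} // both sides of mTLS
	caDER, err := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey) // self-signed root
	if err != nil {
		return nil, nil, nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafT, caT, pub, caKey) // last use of caKey
	if err != nil {
		return nil, nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err == nil {
		leaf, err = x509.ParseCertificate(leafDER)
	}
	return ca, leaf, key, err
}

func main() {
	ca, leaf, _, err := Issue("svc.test", time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(leaf.Subject, "issued by", leaf.Issuer, "- signature valid:", leaf.CheckSignatureFrom(ca) == nil)
}
```

Because every call creates a new root, a proxy and a service can only authenticate each other if both certificates and the trust bundle come from the same invocation; a leaf from one run does not verify against the CA of another.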