cert-manager / aws-privateca-issuer

Addon for cert-manager that issues certificates using AWS ACM PCA.
Apache License 2.0

[Feature Request]: Add feature to call kubernetes secrets for the AWSPCAClusterIssuer spec.arn value #289

Open nicholasmturner opened 11 months ago

nicholasmturner commented 11 months ago

Describe why this change is needed

In my deployment I have an AWS PCA per environment and thus it is not possible to hardcode the AWSPCAClusterIssuer spec.arn value in our codebase. Instead I deploy Kubernetes secrets referencing the ARN of the PCA for each environment. But as the custom resource does not support calling a secret to get the ARN value, I am forced to deploy the custom resource with a dummy value and use a batch job to patch the spec.arn value to the value of the secret. This is not an ideal scenario and is prone to failure. Please can you update the AWSPCAClusterIssuer CRD to allow the custom resource to call Kubernetes secrets for the AWSPCAClusterIssuer spec.arn value. As this is not a container resource I am unable to use the usual methods for calling secrets such as environment variables/volumes.

Describe solutions and alternatives considered (optional)

```yaml
spec:
  region: eu-west-1
  arn:
    valueFrom:
      secretKeyRef:
        name: my-secret
        key: secret_key
```

Is there anything else you would like to add?

No response

meghanayendamuri commented 11 months ago

Hi @nicholasmturner, thank you for submitting this feature request. We will review the request and get back to you.

divyansh-gupta commented 11 months ago

Hi @nicholasmturner - thanks for submitting the feature request. Would it be possible to use kubebuilder or other methods to dynamically build the CRD for the Issuer? In my opinion it seems odd to use a Secret to store ARNs, since PCA ARNs are not generally considered secrets.

lindsaygrace commented 3 months ago

> Hi @nicholasmturner - thanks for submitting the feature request. Would it be possible to use kubebuilder or other methods to dynamically build the CRD for the Issuer? In my opinion it seems odd to use a Secret to store ARNs, since PCA ARNs are not generally considered secrets.

If this was instead a configmap it would make more sense
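To make the proposed `valueFrom` concrete, here is an added example (not code from aws-privateca-issuer) of how an issuer controller could resolve `spec.arn` from a literal value, a Secret key or, as suggested above, a ConfigMap key, and validate that the result is actually an ACM PCA certificate-authority ARN before using it. `KeyRef`, `ArnSource`, `Store` and `ResolveARN` are hypothetical names chosen for this example; `Store` stands in for the Kubernetes API and the sample ARN is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// KeyRef names a key in a Secret or ConfigMap (hypothetical type mirroring the issue's secretKeyRef).
type KeyRef struct{ Name, Key string }

// ArnSource is a hypothetical spec.arn: a literal ARN or a Secret/ConfigMap key reference (ConfigMap per the thread's suggestion).
type ArnSource struct {
	Value           string
	SecretKeyRef    *KeyRef
	ConfigMapKeyRef *KeyRef
}

// Store stands in for the Kubernetes API here: object name -> key -> value.
type Store map[string]map[string]string

// pcaARN matches an ACM PCA certificate-authority ARN, so typos and other ARN kinds are rejected up front.
var pcaARN = regexp.MustCompile(`^arn:aws(-[a-z]+)?:acm-pca:[a-z0-9-]+:[0-9]{12}:certificate-authority/[0-9a-f-]{36}$`)

// ResolveARN returns the CA ARN for src. It rejects ambiguous specs, missing objects or keys,
// and values that are not PCA ARNs, so a bad reference fails the issuer instead of yielding an unusable ARN.
func ResolveARN(src ArnSource, secrets, configMaps Store) (string, error) {
	hasSecret, hasCM := src.SecretKeyRef != nil, src.ConfigMapKeyRef != nil
	if (src.Value != "") == (hasSecret || hasCM) || (hasSecret && hasCM) {
		return "", fmt.Errorf("spec.arn: exactly one of value, secretKeyRef or configMapKeyRef is required")
	}
	raw, kind, ref := src.Value, "", (*KeyRef)(nil)
	if hasSecret {
		kind, ref, raw = "Secret", src.SecretKeyRef, secrets[src.SecretKeyRef.Name][src.SecretKeyRef.Key]
	} else if hasCM {
		kind, ref, raw = "ConfigMap", src.ConfigMapKeyRef, configMaps[src.ConfigMapKeyRef.Name][src.ConfigMapKeyRef.Key]
	}
	if ref != nil && raw == "" {
		return "", fmt.Errorf("spec.arn: %s %q has no value for key %q", kind, ref.Name, ref.Key)
	}
	if !pcaARN.MatchString(raw) {
		return "", fmt.Errorf("spec.arn: %q is not an ACM PCA certificate-authority ARN", raw)
	}
	return raw, nil
}

func main() {
	// Constructed sample input: the ARN lives in a Secret, as the issue proposes.
	secrets := Store{"my-secret": {"secret_key": "arn:aws:acm-pca:eu-west-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"}}
	fmt.Println(ResolveARN(ArnSource{SecretKeyRef: &KeyRef{"my-secret", "secret_key"}}, secrets, nil))
}
```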