Open porwalameet opened 7 months ago
Hey @porwalameet, I am not too familiar with Azure services, but in your example you are specifying a CA issuer. Is this because you have your own privately managed CA, just stored in Azure Key Vault?
Or are you issuing from an Azure service? I was just wondering whether, if you used another issuer type, it might pull the CA back for you, like the Vault issuer does.
Also, although it does not solve your problem, have you considered using trust-manager to distribute your CA?
@hawksight, I have my privately managed CA, which is stored in Azure Key Vault. Since the CA certificate (+key) is highly sensitive data, copying it to multiple Kubernetes clusters in the form of a Kubernetes Secret will raise security concerns. So I was wondering, can cert-manager issue certificates without expecting the CA in a k8s Secret?
We are using Azure Key Vault just as storage here.
I will explore trust-manager as well and get back. Thanks.
Could it be possible to implement functionality using workload identity to read the secret from the key vault when needed, but never store it in a k8s secret?
Is your feature request related to a problem? Please describe.
Currently, the CA stored in Azure Key Vault is copied over to the K8s cluster to configure a ClusterIssuer/Issuer, which references it in its configuration as a k8s Secret. There is a security constraint, as the CA is replicated and leaves the Azure Key Vault. The requirement is that the CA has to be present only in AKV and never copied to any local k8s cluster.
Describe the solution you'd like
Can cert-manager issue TLS certificates without copying the CA from Azure Key Vault to the local k8s cluster, like the PKI issuer does with HashiCorp Vault? Regarding authentication, the cert-manager SA can be configured with the necessary RBAC to access AKV and can issue certificates based on the Certificate CRO.
/kind feature
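To make the contrast in the request concrete, here are the two issuer shapes side by side: the CA issuer, whose signing key must sit in a cluster Secret, and the Vault issuer, which forwards CSRs so the key never leaves the signing service. This is an added example, not configuration from the issue or from the cert-manager project; the resource names, Vault URL, PKI path and role are placeholders.

```yaml
# (1) CA issuer: the approach the issue describes as the problem.
# cert-manager reads tls.crt and tls.key from a Secret in its own namespace,
# so the private CA key is readable by any principal with get/list on Secrets there
# (worth auditing via RBAC review and API-server audit logs for that Secret).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: akv-ca-copied            # placeholder name
spec:
  ca:
    secretName: example-ca-key-pair   # placeholder: CA cert + key copied out of AKV
---
# (2) Vault issuer: the pattern the issue asks to replicate for Azure Key Vault.
# cert-manager authenticates to Vault with its own ServiceAccount token and submits
# the CSR to Vault's PKI engine; only the signed leaf comes back to the cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-pki                # placeholder name
spec:
  vault:
    server: https://vault.example.internal:8200   # placeholder Vault address
    path: pki_int/sign/example-role               # placeholder PKI sign endpoint
    auth:
      kubernetes:
        role: cert-manager                        # Vault role bound to the SA below
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:                        # cert-manager v1.12+ (assumed)
          name: cert-manager
---
# A Certificate that requests a leaf from the Vault-backed issuer; swapping
# issuerRef.name to akv-ca-copied is the only change needed for the CA issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app-tls          # placeholder
  namespace: default
spec:
  secretName: example-app-tls    # only the leaf cert and its key land here
  dnsNames:
    - app.example.internal       # placeholder
  issuerRef:
    name: vault-pki
    kind: ClusterIssuer
```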