cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0

configure cert-manager ClusterIssuer/Issuer in k8s cluster with CA certificate stored in Azure Key Vault #6880

Open porwalameet opened 7 months ago

porwalameet commented 7 months ago

Is your feature request related to a problem? Please describe.

Currently, the CA stored in Azure Key Vault is copied over to the K8s cluster to configure the ClusterIssuer/Issuer, and it is referenced in the configuration as a k8s secret. There is a security constraint, as the CA is replicated and leaves Azure Key Vault. The requirement is that the CA has to be present only in AKV and never copied to any local k8s cluster.

Example:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: ca-key-pair  # k8s secret holding the CA key pair (tls.crt and tls.key)

Describe the solution you'd like

Can cert-manager issue TLS certificates without copying the CA from Azure Key Vault to the local k8s cluster, like the PKI issuer as done with HashiCorp Vault? Regarding authentication, the cert-manager SA can be configured with the necessary RBAC to access AKV and can issue certificates based on the Certificate CRO.

Describe alternatives you've considered

Additional context

Environment details (remove if not applicable):

/kind feature

hawksight commented 5 months ago

Hey @porwalameet, I am not too familiar with Azure services, but in your example you are specifying a CA issuer. Is this because you have your own privately managed CA, just stored in Azure Key Vault?

Or are you issuing from an Azure service? I was just wondering if you used another issuer type, it might pull the CA back for you, like the Vault issuer.

Also, although it does not solve your problem, have you considered using trust-manager to distribute your CA?
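For comparison with the CA issuer in the original post, this is what the Vault issuer type that hawksight refers to looks like. It is an added example, not a manifest from the issue or from the cert-manager project: with `spec.vault`, cert-manager sends a CSR to a Vault PKI signing endpoint and only the signed certificate comes back, so the CA private key never has to exist as a Kubernetes Secret. The server URL, PKI mount and role path, Kubernetes auth role and service account name are assumptions chosen for illustration; `caBundle` carries only the public certificate chain used to verify the TLS connection to Vault, not the CA key.

```yaml
# Added example: Vault PKI issuer, assumed names throughout.
# The CA key pair stays inside Vault; cert-manager only holds a token
# obtained via Kubernetes service account authentication.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    server: https://vault.example.com:8200          # assumed Vault address
    path: pki_int/sign/sandbox-services            # assumed PKI mount and role (signing endpoint, not the key)
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t  # placeholder: base64 PEM chain that verifies Vault's own TLS certificate
    auth:
      kubernetes:
        role: cert-manager                         # assumed Vault Kubernetes-auth role
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager-vault                 # assumed ServiceAccount in namespace sandbox
---
# A Certificate referencing that issuer; the resulting Secret holds only the
# leaf key pair generated in-cluster, never the CA key.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: sandbox
spec:
  secretName: api-tls
  commonName: api.sandbox.svc
  dnsNames:
    - api.sandbox.svc
  duration: 720h
  renewBefore: 240h
  issuerRef:
    name: vault-issuer
    kind: Issuer
```

The contrast with `spec.ca.secretName` is the point: the CA issuer needs the CA's `tls.key` inside the cluster, while the Vault issuer needs only network reachability and an identity that Vault trusts. Whether an equivalent can be built on Azure Key Vault is exactly what the issue is asking for; nothing in cert-manager's in-tree issuers does this for AKV.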

porwalameet commented 5 months ago

@hawksight, I have my privately managed CA, which is stored in Azure Key Vault. Since the CA certificate (+key) is highly sensitive data, copying it to multiple Kubernetes clusters in the form of a Kubernetes secret will raise security concerns. So I was wondering, can cert-manager issue certificates without expecting them in a k8s secret?

We are using Azure Key Vault just as storage here.

I will explore trust-manager as well and get back. Thanks.

kristeey commented 1 month ago

Could it be possible to implement functionality using workload identity to read the secret from the key vault when needed, but never store it in a k8s secret?