Open SpectralHiss opened 2 years ago
This can be super dangerous when it comes to rotating a root unless planned for very carefully. I don't see why we couldn't have Issuers as sources for bundles, but it does come with risks.
I wrote about some of that in this comment, under "Enabling Safe Rotation". Does that make sense here?
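The following Go program is an added illustration of the rotation risk mentioned in the comment above; it is not code from the commenter, from cert-manager or from trust-manager. It uses only the standard library: two self-signed roots stand in for the old and new issuer roots, a leaf is issued from each, and the three bundles a cluster might distribute (old root only, new root only, both) are checked against both leaves. The helper names (newRoot, issueLeaf, trustedBy, SimulateRotation) and the hostname are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot generates a self-signed CA; it stands in for an issuer's root.
// (Example helper, not a cert-manager or trust-manager API.)
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf signs a server certificate for dnsName with the given root,
// the way an issuer would sign a workload's serving certificate.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trustedBy reports whether a client whose trust bundle is `bundle`
// accepts `leaf` when connecting to dnsName.
func trustedBy(bundle []*x509.Certificate, leaf *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	for _, c := range bundle {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// RotationOutcome records which client/server pairs still verify
// under each bundle a cluster might be distributing during a rollover.
type RotationOutcome struct {
	OldLeafWithOldBundle     bool // steady state before rotation
	OldLeafWithSwappedBundle bool // bundle replaced by the new root alone
	NewLeafWithOldBundle     bool // new root issues before clients trust it
	OldLeafWithOverlap       bool // bundle carries both roots
	NewLeafWithOverlap       bool
}

// SimulateRotation rolls root A over to root B and evaluates each bundle.
func SimulateRotation() RotationOutcome {
	const host = "svc.example.svc.cluster.local" // constructed hostname
	rootA, keyA := newRoot("root-a")
	rootB, keyB := newRoot("root-b")
	oldLeaf := issueLeaf(rootA, keyA, host)
	newLeaf := issueLeaf(rootB, keyB, host)
	onlyA := []*x509.Certificate{rootA}
	onlyB := []*x509.Certificate{rootB}
	overlap := []*x509.Certificate{rootA, rootB}
	return RotationOutcome{
		OldLeafWithOldBundle:     trustedBy(onlyA, oldLeaf, host),
		OldLeafWithSwappedBundle: trustedBy(onlyB, oldLeaf, host),
		NewLeafWithOldBundle:     trustedBy(onlyA, newLeaf, host),
		OldLeafWithOverlap:       trustedBy(overlap, oldLeaf, host),
		NewLeafWithOverlap:       trustedBy(overlap, newLeaf, host),
	}
}

func main() {
	fmt.Printf("%+v\n", SimulateRotation())
}
```

The two failing cases are the ones an automatic "follow the issuer's current root" source would produce: replacing the bundle as soon as the issuer's root changes breaks every workload still presenting a certificate from the old root, and issuing from the new root before the bundle has propagated breaks new workloads against clients that have not yet picked up the change. Only the overlap bundle, which carries both roots until every leaf has been reissued and every client has reloaded, keeps both directions working, which is why the commenter's "planned for very carefully" matters.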
What type of issuers are you suggesting here? I don't think you can get the root CA for every issuer using the k8s API; you would need to understand the issuer type and be able to request its CA cert(s) somehow.
For on-cluster CA issuers, I have suggested this approach: #144
Adding a breadcrumb to @munnerz's interesting suggestion to introduce a status.rootTrustBundle on cert-manager issuers: https://github.com/cert-manager/cert-manager/issues/2722#issuecomment-707614798
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
This is perhaps a flawed request from a security standpoint. However, it would potentially increase the user-friendliness of the trust project.
Just like how currently a certificate in cert-manager has a ca.crt key, it would be great to not have to manually fetch the root for a certain issuer and just have a Bundle object "trust" an issuer, so that it would get the root automatically since the issuer can already fetch it but also, more importantly, rotate the root automatically across the cluster when it changes. Is this something you would explore perhaps?
Thanks!