Closed johanot closed 5 years ago
@cbroglie Don't know if you work with certmgr as well? But since you merged my latest PR on cfssl, perhaps you'd care to review this as well? :) thanks in any case.
@kalbasit Thanks for the review. Check https://github.com/cloudflare/certmgr/pull/51/commits/bfbe3b4f397e0d3fe1da4695834e580da2d025c8 now. Sorry about the poor error handling. The panics were clearly remnants of my debugging and shouldn't have made it to the PR :) embarrassing.
@johanot no worries :), it looks great now, hopwfully someone can merge this soon. Today, I will take a look at the k8s pr over on nixpkgs.
@kisom Can I kindly ask for your comment/opinion on this change?
@terinjokes Poking blindly here, but I would be very grateful if you or one of your colleagues could take a look at this PR and tell me whether it makes sense? :) We would like to include certmgr 1.6.1 (with this patch) in the upstream NixOS Kubernetes module.
@kisom @terinjokes Re-ping -> one month after PR creation.
@terinjokes @kisom Is this something you will consider merging at some point, or is it just too far from the the core principals of certmgr? We've discussed in the NixOS kubernetes community whether to fork certmgr to be able to use self-signed certs with cfssl, or to build a new cfssl client; but I genuinely think that would be sad. I very much prefer to hear some sort of opinion from you on this, so that we can decide on whether to stick with upstream certmgr as cfssl client or not. Thanks a lot. :)
@terinjokes @kisom Any updates on this?
@johanot @adamtulinius I'm no longer at Cloudflare and don't have access to this repo anymore :).
@ferringb Is this sufficient docs? https://github.com/cloudflare/certmgr/pull/51/commits/55c595a4a2dc871726b3c8337469daf5597718a3
@johanot it is- pardon the delay in follow up.
If you run cfssl apiserver tls-enabled, it is currently not possible to use self-signed certificate, because certmgr will reject it.
This PR makes it possible to use self-signed certificate on the cfssl apiserver, by providing an optional cert-spec option
root_ca
.