intel / trusted-certificate-issuer

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0

controllers/csr: pass full certificate chain as part of certificate #12

Closed avalluri closed 2 years ago

avalluri commented 2 years ago

Add a command-line option to configure the csr controller such that it fills the full certificate chain (signed cert + ca-cert) in status.certificate on a successful certificate signing.

The full cert chain with root certificate is expected by Istio v1.12; otherwise this feature should not be enabled.

avalluri commented 2 years ago

> I suppose you also need to modify certificate_request_controller to support this function: https://github.com/intel/trusted-certificate-issuer/blob/main/controllers/certificate_request_controller.go#L203

@irisdingbj In the CertificateRequest case, there is a Status.CA to hold the CA certificate. I think it is better to keep the CA certificate there instead of filling in the Certificate.
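
As an added illustration of the two layouts discussed above (example code written for this page, not code from the TCS repository), the Go snippet below builds a Kubernetes CSR status.certificate with and without the appended CA, keeps the cert-manager CertificateRequest status.certificate and status.ca values separate, and checks a bundle the way a consumer that wants the root to travel with the chain would. The throwaway CA and leaf, their names, and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is the result of one signing: the leaf and the CA certificate that
// signed it, both PEM encoded.
type Chain struct{ LeafPEM, CAPEM []byte }

// CSRStatusCertificate builds CertificateSigningRequest status.certificate: the
// leaf alone, or leaf followed by CA when the chain option is enabled.
func CSRStatusCertificate(c Chain, includeChain bool) []byte {
	out := append([]byte{}, c.LeafPEM...)
	if includeChain {
		out = append(out, c.CAPEM...)
	}
	return out
}

// CertificateRequestStatus returns the two fields a cert-manager
// CertificateRequest keeps apart: status.certificate and status.ca.
func CertificateRequestStatus(c Chain) (certificate, ca []byte) {
	return c.LeafPEM, c.CAPEM
}

// VerifyFromBundle validates the first certificate in a PEM bundle using only
// trust anchors carried in the bundle: self-signed blocks become roots, others
// intermediates. A leaf-only bundle therefore fails, which is what a consumer
// expecting the root in the chain sees when the option is off.
func VerifyFromBundle(bundle []byte) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return errors.New("bundle holds no certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs[1:] {
		if c.CheckSignatureFrom(c) == nil { // self-signed: a trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// must unwraps a (value, error) pair, panicking on error; fixture code only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestChain builds a throwaway root CA and a leaf it signs; constructed here
// (names assumed) so the example runs offline. In TCS the CA key stays in SGX.
func NewTestChain() Chain {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "example-root-ca"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject:  pkix.Name{CommonName: "example-workload"},
		KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl,
		must(x509.ParseCertificate(caDER)), &leafKey.PublicKey, caKey))
	return Chain{LeafPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		CAPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})}
}

func main() {
	ch := NewTestChain()
	for _, full := range []bool{false, true} {
		fmt.Printf("chain option %v: verify error = %v\n", full, VerifyFromBundle(CSRStatusCertificate(ch, full)))
	}
	cert, ca := CertificateRequestStatus(ch)
	fmt.Printf("CertificateRequest: status.certificate %d bytes, status.ca %d bytes\n", len(cert), len(ca))
}
```

Running it prints an unknown-authority error for the leaf-only bundle and no error once the CA is appended. Two points worth keeping in mind: VerifyFromBundle only accepts a self-signed block as a trust anchor, so a bundle that ends in an intermediate still fails, and a consumer that takes its root from the chain it is handed is trusting whoever wrote that status field, which is why the CertificateRequest layout with a separate status.ca is the cleaner contract. The generic must helper needs Go 1.18 or later.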

irisdingbj commented 2 years ago

@avalluri Makes sense! I forgot that field.

avalluri commented 2 years ago

> I suppose you also need to modify certificate_request_controller to support this function: https://github.com/intel/trusted-certificate-issuer/blob/main/controllers/certificate_request_controller.go#L203

I submitted a new PR #14 that fills the CA certificate in CertificateRequest status.