Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
When following the tutorial in the README to create the TCSIssuer in the sandbox namespace, all is good:
$ kubectl get tcsissuers -n sandbox
NAME    AGE   READY   REASON      MESSAGE
my-ca   2m    True    Reconcile   Success
However, when I delete the tcsissuer the logs say:
INFO controllers.TCSIssuer Failed to update finalizer on Secret {"issuer": "tcsissuer.tcs.intel.com/sandbox.my-ca", "error": "failed to patch object (sandbox/my-ca-cert) with update finalizer : secrets \"my-ca-cert\" is forbidden: User \"system:serviceaccount:intel-system:tci-tcs-issuer\" cannot patch resource \"secrets\" in API group \"\" in the namespace \"sandbox\""}
Thus, the my-ca-cert is not deleted.
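The error in the log is an RBAC denial: the controller's service account (system:serviceaccount:intel-system:tci-tcs-issuer, as named in the message) is not allowed to patch Secrets in the sandbox namespace, so the finalizer on my-ca-cert cannot be updated and the Secret survives the issuer's deletion. The manifest below is an added example, not part of the issue or of the TCS project's own RBAC: it grants exactly the missing verb, scoped to the one namespace, as a least-privilege workaround while the project's chart is fixed. The Role and RoleBinding names are made up here; the service account name and namespace, the resource and the verb come from the error message.

```yaml
# Added example (hypothetical object names): a namespaced Role/RoleBinding
# granting the TCS issuer's service account "patch" on Secrets in the
# sandbox namespace only. Only "patch" is granted because that is the verb
# the error names; whatever else the controller already holds stays in the
# project's existing RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tcs-issuer-secrets-patch      # assumed name
  namespace: sandbox                  # the namespace from the error
rules:
  - apiGroups: [""]                   # core API group, as in the error
    resources: ["secrets"]
    verbs: ["patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcs-issuer-secrets-patch      # assumed name
  namespace: sandbox
subjects:
  - kind: ServiceAccount
    name: tci-tcs-issuer              # from system:serviceaccount:intel-system:tci-tcs-issuer
    namespace: intel-system
roleRef:
  kind: Role
  name: tcs-issuer-secrets-patch
  apiGroup: rbac.authorization.k8s.io
```

Before applying it, confirm the denial is really the cause with `kubectl auth can-i patch secrets --as=system:serviceaccount:intel-system:tci-tcs-issuer -n sandbox`, which should answer "no"; after `kubectl apply -f` of the manifest it should answer "yes", and deleting the TCSIssuer should then remove the finalizer and the Secret. Binding a Role per namespace keeps the grant narrow; if the issuer is expected to manage Secrets in many namespaces, the durable fix belongs in the project's own ClusterRole rather than in per-namespace workarounds.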