intel / trusted-certificate-issuer

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0

[RFC] Should be able to configure key-server from Issuer #7

Open avalluri opened 2 years ago

avalluri commented 2 years ago

In case of provisioning the CA key and root certificate from a key-server using quote attestation, the key server URL and credentials could be configured from the Issuer specification:

apiVersion: tcs.intel.com/v1alpha1
kind: TCSIssuer
metadata:
    name: my-ca
    namespace: sandbox
spec:
    secretName: my-ca-cert
    keyServer:
      url: https://test-kmra-server.com:433
      secretRef: server-secret  # credentials to access the server
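As an added illustration (not code from the trusted-certificate-issuer project), the following Go sketch shows the kind of admission-time validation a controller would want on the proposed `keyServer` block: the URL must be absolute and use `https`, it must not carry inline credentials (those belong in the Secret named by `secretRef`), and `secretRef` must be set. The `KeyServerSpec` type, the `ValidateKeyServer` function and the JSON tags are assumptions made for this example; the project has not defined them.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// KeyServerSpec mirrors the keyServer block proposed in this issue.
// Hypothetical type for illustration; not part of the TCSIssuer API.
type KeyServerSpec struct {
	URL       string `json:"url"`
	SecretRef string `json:"secretRef"`
}

// ValidateKeyServer returns nil when the spec is acceptable, otherwise an
// error explaining the first problem found. The checks encode the security
// expectations for a key-server reference: TLS only, credentials kept out of
// the URL and sourced from a Kubernetes Secret instead.
func ValidateKeyServer(ks KeyServerSpec) error {
	if ks.SecretRef == "" {
		return errors.New("keyServer.secretRef must name the Secret holding the server credentials")
	}
	u, err := url.Parse(ks.URL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("keyServer.url %q is not an absolute URL", ks.URL)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("keyServer.url must use https, got scheme %q", u.Scheme)
	}
	if u.User != nil {
		return errors.New("keyServer.url must not embed credentials; reference them via secretRef")
	}
	return nil
}

func main() {
	// Constructed sample matching the spec proposed in the issue.
	sample := KeyServerSpec{URL: "https://test-kmra-server.com:433", SecretRef: "server-secret"}
	if err := ValidateKeyServer(sample); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("accepted:", sample.URL, "with credentials from Secret", sample.SecretRef)
}
```

Running the same validation on a plain `http://` URL, a URL with `user:password@` embedded, or an empty `secretRef` produces a rejection, which is the behaviour a webhook or the controller's reconcile loop should surface as a status condition rather than silently contacting the server.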
avalluri commented 2 years ago

This also needs changes to QuoteAttestation CRD to accommodate the key server details.