search

shibayan / keyvault-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Apache License 2.0
912 stars 236 forks source link

Add support for multiple keyvaults #601

Closed jsblake closed 1 year ago

jsblake commented 1 year ago

Is your feature request related to a problem? Please describe. We have multiple keyvaults for different use cases (IE: a keyvault for prod, a keyvault for dev environment) and must maintain a separate instance of acmebot for each keyvault

Describe the solution you'd like ability to provide more than one keyvault in the configuration such that acmebot will manage/renew the certificates in all of the listed keyvaults. when creating a new certificate, a dropdown could be displayed for the user to select the desired location for the new certificate

Describe alternatives you've considered we are currently running multiple instances of acmebot

Additional context n/a

shibayan commented 1 year ago

From an RBAC and management perspective, only the creation of Acmebot per Key Vault is supported.

jsblake commented 1 year ago

I'm not sure what that means, but maybe I could explain the use case in our company

Different teams are responsible for different application environments, for example the ops team may be responsible for production, dev team responsible for development environments, etc. The security team is responsible for procuring certificates and distributing them to the downstream consumers

For security purposes we don't want the dev team to pull the production certs as they are different domains, and because of the way permissions work on keyvaults I can't give different identities in Azure the ability to only pull certain certificates from the one keyvault that acmebot uses. Anyone who can pull one cert can pull all certs

So, the solution is a keyvault per RBAC boundary for consumers of certs, but this means our security team needs to run, maintain, and interact with multiple instances of acmebot. The same security team is responsbile for all certs, so on THAT side of it, there is no RBAC issue as we want the same people to be able to manage all of the certs. It's the consumers of the certs downstream that we need to have different RBAC boundaries for, and that should not impact acmebot in any way as those consumers are not interacing with acmebot

webprofusion-chrisc commented 1 year ago

For info, you could possibly use https://certifytheweb.com (which I develop) - it needs to run on a windows/server instance (linux version with web ui is coming) but can send each cert to any keyvault (see the Tasks tab to add a Deploy to Keyvault task). You can get help at https://community.certifytheweb.com or licensed users get access to a ticketing helpdesk.