Closed jsblake closed 1 year ago
From an RBAC and management perspective, only the creation of Acmebot per Key Vault is supported.
I'm not sure what that means, but maybe I could explain the use case in our company
Different teams are responsible for different application environments, for example the ops team may be responsible for production, dev team responsible for development environments, etc. The security team is responsible for procuring certificates and distributing them to the downstream consumers
For security purposes we don't want the dev team to pull the production certs as they are different domains, and because of the way permissions work on keyvaults I can't give different identities in Azure the ability to only pull certain certificates from the one keyvault that acmebot uses. Anyone who can pull one cert can pull all certs
So, the solution is a keyvault per RBAC boundary for consumers of certs, but this means our security team needs to run, maintain, and interact with multiple instances of acmebot. The same security team is responsbile for all certs, so on THAT side of it, there is no RBAC issue as we want the same people to be able to manage all of the certs. It's the consumers of the certs downstream that we need to have different RBAC boundaries for, and that should not impact acmebot in any way as those consumers are not interacing with acmebot
For info, you could possibly use https://certifytheweb.com (which I develop) - it needs to run on a windows/server instance (linux version with web ui is coming) but can send each cert to any keyvault (see the Tasks tab to add a Deploy to Keyvault task). You can get help at https://community.certifytheweb.com or licensed users get access to a ticketing helpdesk.
Is your feature request related to a problem? Please describe. We have multiple keyvaults for different use cases (IE: a keyvault for prod, a keyvault for dev environment) and must maintain a separate instance of acmebot for each keyvault
Describe the solution you'd like ability to provide more than one keyvault in the configuration such that acmebot will manage/renew the certificates in all of the listed keyvaults. when creating a new certificate, a dropdown could be displayed for the user to select the desired location for the new certificate
Describe alternatives you've considered we are currently running multiple instances of acmebot
Additional context n/a