truecharts / library-charts

Helm Library Charts for TrueCharts

Allow mounting of managed certs in pods #721

Open sdimovv opened 1 year ago

sdimovv commented 1 year ago

Is your feature request related to a problem?

Currently, there is no way to mount managed certs (such as the ones used for ingress) into pods. This forces me to manage certs manually, which is both tiresome and prone to error (cert expiry).

I need to be able to mount certs into pods in such a way that they are replaced automatically with new certs when needed. Basically, I need a solution for managing certs mounted into pods.

I need the mounted certs for a number of reasons, one of which is SAML auth between apps (which needs trusted certificates to be used between the IdP and SP)

Describe the solution you'd like

I propose this is solved with trust-manager.

Trust-manager is a small operator which can be integrated with cert-manager (but also works standalone). It allows for setting up and managing config maps with cert "bundles" which can then be mounted into pods. It automates the whole process by automatically replacing the config maps when necessary, which always allows you to have the correct certs mounted in your pods.

In terms of chart UI, I am imagining something like the host-path mount interface, but instead of selecting a directory path on the host that you want to be mounted into your pod, you will write down the bundle name you have created in trust-manager (similar to how you write down the name of a Traefik middleware). Then select the path in the pod where you would like that bundle mounted.

Describe alternatives you've considered

Continue managing certs manually

Additional context

Example chart for trust-manager: https://github.com/cert-manager/trust-manager/tree/main/deploy/charts/trust-manager

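What the proposal above amounts to in plain Kubernetes terms, as an added example that is not part of this issue or of the TrueCharts charts: a trust-manager Bundle assembles CA certificates into a ConfigMap in the selected namespaces, and a workload mounts that ConfigMap as a volume. The names (org-ca-bundle, internal-ca, the trust label, the app Deployment) are assumptions for illustration.

```yaml
# Added example, not TrueCharts or trust-manager code. Names are assumptions.
# Bundle is cluster-scoped; trust-manager writes a ConfigMap named after the
# Bundle into every namespace matched by target.namespaceSelector and rewrites
# it whenever a source changes.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: org-ca-bundle               # also the name of the generated ConfigMap
spec:
  sources:
    # Public CAs shipped in the trust-manager package image
    - useDefaultCAs: true
    # The CA of a private issuer: trust-manager reads the ca.crt key of a
    # Secret (for example one written by cert-manager) in its own trust namespace
    - secret:
        name: internal-ca           # assumed Secret name
        key: ca.crt
  target:
    configMap:
      key: ca-bundle.pem            # file name that will appear in the mounted volume
    namespaceSelector:
      matchLabels:
        trust: enabled              # only namespaces with this label receive the ConfigMap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app                          # assumed workload
  namespace: apps                    # must carry the label trust=enabled
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: example.invalid/app:1.0   # placeholder image
          env:
            # Point the application at the managed bundle instead of a hand-copied file
            - name: SSL_CERT_FILE
              value: /etc/ssl/managed/ca-bundle.pem
          volumeMounts:
            - name: ca-bundle
              mountPath: /etc/ssl/managed
              readOnly: true         # no subPath: subPath mounts never pick up ConfigMap updates
      volumes:
        - name: ca-bundle
          configMap:
            name: org-ca-bundle      # the ConfigMap generated by the Bundle above
```

Two things to check before relying on this for the "replaced automatically" requirement. First, the kubelet refreshes a ConfigMap volume projection in place, but only when it is mounted as a whole directory; a `subPath` mount is a one-time copy and will silently keep the old certificates. Second, the file changing on disk does not help an application that loads its trust store once at startup, so pair the bundle with a process that re-reads the file or with a rolling restart when the ConfigMap changes. Note also that a Bundle carries only public CA certificates; it is not the mechanism for a private key.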

PrivatePuffin commented 1 year ago

I never had issues with SAML tbh. I'm missing which specific Chart of ours needs that functionality...

Because even if we add this, which is very well possible, we've never supported https outside of doing so via ingress and have absolutely zero plans to do so either.

sdimovv commented 1 year ago

Hi, no worries, I do not expect Truecharts to support HTTPS outside ingress use cases. I think support should only extend to mounting a managed cert in a pod. As long as that is working, it is then up to the user how they want to use it.

To elaborate on the particular use case I talked about above - I am currently using authentik's SAML provider to authenticate in Nextcloud. However, I have currently configured it to use its own auto-generated self-signed cert to sign the SAML assertions. This leads to 2 problems:

Having the ability to mount a managed cert in the pods will simplify this a lot and will eliminate user errors.
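For the signing-certificate side of the SAML use case described above, an added example that is not part of this issue or of the authentik or TrueCharts projects: a cert-manager Certificate replaces the self-signed signing certificate, its private key lands in a Secret rather than a ConfigMap, and the Secret is mounted read-only into the IdP pod. Issuer name, namespaces, durations and mount paths are assumptions.

```yaml
# Added example, not cert-manager or authentik code. Names are assumptions.
# cert-manager keeps this Certificate renewed and rewrites the target Secret;
# the Secret holds tls.crt, tls.key and (when the issuer provides it) ca.crt.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: authentik-saml-signing
  namespace: authentik               # assumed IdP namespace
spec:
  secretName: authentik-saml-signing-tls
  commonName: authentik-saml-signing
  duration: 2160h                    # 90 days (assumed policy)
  renewBefore: 360h                  # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
    rotationPolicy: Always           # fresh key on every renewal, not just a re-signed old key
  usages:
    - digital signature              # an assertion-signing cert, not a server cert
  issuerRef:
    name: internal-ca                # assumed ClusterIssuer
    kind: ClusterIssuer
---
# Pod template fragment for the IdP: the private key is mounted from the Secret
# with tight file permissions. A ConfigMap would be the wrong object here,
# because ConfigMaps are readable by anyone who can list ConfigMaps in the namespace.
apiVersion: v1
kind: Pod
metadata:
  name: authentik-server             # placeholder; in practice this is the chart's Deployment
  namespace: authentik
spec:
  containers:
    - name: server
      image: example.invalid/authentik:placeholder   # placeholder image
      volumeMounts:
        - name: saml-signing
          mountPath: /certs/saml     # assumed path the IdP is configured to read
          readOnly: true
  volumes:
    - name: saml-signing
      secret:
        secretName: authentik-saml-signing-tls
        defaultMode: 0400            # key readable only by the container's user
        items:
          - key: tls.key
            path: saml.key
          - key: tls.crt
            path: saml.crt
```

The caveat a practitioner wants here: an SP usually pins the IdP signing certificate it learned from metadata, so every renewal with `rotationPolicy: Always` produces a certificate the SP has not seen. Either have the SP refresh IdP metadata on a schedule shorter than `renewBefore`, or have the SP trust the issuing CA (distributed with a trust-manager Bundle whose `secret` source points at the `ca.crt` of this Secret) rather than a single leaf. Secret volumes, like ConfigMap volumes, are refreshed in place only when mounted without `subPath`, and the IdP still has to re-read the key files after they change.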

truecharts-admin commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.

truecharts-admin commented 9 months ago

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

sdimovv commented 9 months ago

Still hoping this is planned...

PrivatePuffin commented 9 months ago

Nope not planned.

PrivatePuffin commented 9 months ago

Not denied either though.

PrivatePuffin commented 6 months ago

If you want to expedite this enhancement, please consider putting a bounty on it here:

https://opencollective.com/truecharts-bounties/contribute/place-bounty-72003

truecharts-admin commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.