Rukpak clients should be able to get CA cert without getting access to CA key #475
Labels
lifecycle/stale
Denotes an issue or PR has remained open with no activity and has become stale.
priority/important-soon
Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
We use cert-manager to generate a rukpak-wide CA, and then use that CA to sign all of the certs for rukpak services. Clients of rukpak then need to read that CA to be able to verify connections to those rukpak services.
Currently, the situation is that clients read the `rukpak-ca` secret's `data["ca.crt"]` value to get the CA cert. However, that secret also contains the CA's key, which clients could use to sign more keys that would be trusted by anyone using the CA.

We need to ensure that the object read by clients contains only the CA cert. It seems like cert-manager does not support this out of the box (see cert-manager/cert-manager#2722 (comment)), so we may need to run our own controller that knows how to inject the CA into a separate configmap.
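As an added illustration (not rukpak's or cert-manager's code), the Go sketch below shows the extraction step such a controller could perform before writing the separate configmap: it copies only CA certificate blocks out of `data["ca.crt"]` and fails closed on anything else. The names `PublicCABundle` and `SampleSecret` are hypothetical, and the sample secret is constructed at run time using the `ca.crt`, `tls.crt` and `tls.key` keys that cert-manager writes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PublicCABundle (hypothetical helper) returns the CA certificates found in a Secret's
// data["ca.crt"] and rejects any other PEM block, so key material is never published.
func PublicCABundle(secretData map[string][]byte) ([]byte, error) {
	var out []byte
	for b, rest := pem.Decode(secretData["ca.crt"]); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("refusing to publish PEM block %q", b.Type)
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil || !cert.IsCA {
			return nil, fmt.Errorf("ca.crt entry is not a valid CA certificate (parse error: %v)", err)
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: b.Bytes})...)
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no CA certificate found in ca.crt")
	}
	return out, nil
}

// SampleSecret builds constructed data shaped like a cert-manager CA secret.
func SampleSecret() map[string][]byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return map[string][]byte{"ca.crt": crt, "tls.crt": crt, "tls.key": keyPEM}
}

func main() {
	bundle, err := PublicCABundle(SampleSecret())
	fmt.Printf("ConfigMap data[\"ca.crt\"] (%d bytes), err=%v\n", len(bundle), err)
}
```

Clients would then be granted read access to the configmap only, with RBAC on the `rukpak-ca` secret restricted to the components that sign certificates.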