Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confusing paragraph - cert-manager integration. #1194

Open
earik87 opened this issue Mar 2, 2023 · 2 comments
Open

Confusing paragraph - cert-manager integration. #1194

earik87 opened this issue Mar 2, 2023 · 2 comments
Labels
documentation Improvements or additions to documentation priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@earik87
Copy link

earik87 commented Mar 2, 2023

Few issues related to this paragraph;

  1. There are two scenarios here, as I understand. But what is the difference between them? In Case 1, we have Secret. But in Case 2, it is recommended to copy that secret into a seperate one? Why? We already have one?

Say you have a cert-manager Issuer which has the root certificate you want to trust in ca.crt. It's tempting to use the Secret directly and point at ca.crt, but a best practice would be to copy that root into a separate ConfigMap (or Secret).

  1. What is the step here? It seems vague to me.

It's very strange in the Kubernetes world to suggest intentionally adding a step which seems to make automating infrastructure harder, but in the case of TLS trust stores it can be a wise choice.

@earik87 earik87 changed the title Not clear what is said in the paragraph - cert-manager integration. Confusing paragraph - cert-manager integration. Mar 2, 2023
@irbekrm
Copy link
Contributor

irbekrm commented Mar 22, 2023

What is the step here? It seems vague to me.

The step is to copy the CA certificate into a separate Secret, not consume it directly from the Secret where cert-manager wrote it to. The reason is so that when cert-manager updates the CA cert in the Certificate Secret, you can manually orchestrate rotation as is needed by your apps. Otherwise - if the CA cert was consumed directly from cert-manager's Secret - trust-manager would immediately overwrite all your trust bundle targets with the new CA certs, so your apps would no longer trust any certs signed by the old CA cert which may not be what you wanted.

Probably would be worth to write up a step-by-step rotation guide for a common use case (cc @SgtCoDFish )

@irbekrm irbekrm added the documentation Improvements or additions to documentation label Mar 22, 2023
@hawksight
Copy link
Member

@wallrj - just flagging this issue as potenitally solvable or partially solved via a good tutorial on CAs in cluster etc.

@inteon inteon added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Development

No branches or pull requests

4 participants