-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support other ways to generate service TLS certificate in the Helm chart #407
Comments
I prefer avoiding a solution tailored for OpenShift, even if we also run OpenShift in our target clusters. But a more generic extension mechanism for webhook certs seems like a valid ask. To use the OpenShift mechanism to do this with the current webhook (validating), I think two things are needed:
|
I've never used it, but this seems to be what you are looking for: https://docs.openshift.com/container-platform/4.15/security/certificates/service-serving-certificate.html#add-service-certificate-crd_service-serving-certificate
Now that I see it, the annotation for the service has to be templated for the secret name. |
Issues go stale after 90d of inactivity. |
For anyone following this issue: I am currently working on a "webhook-cert-lib", that we also will use in cert-manager eventually - replacing the "dynamic authority" feature currently inside cert-manager to bootstrap and renew cert-manager webhook certificates. This will take some time to finish, but the process has started. Right now, I have a POC PR showing this is possible: #468. Follow the cert-manager-dev channel on Slack and/or join put bi-weekly meetings to follow the progress on this. 😺 |
Hi,
This project is exactly what I need for managing internal CAs in Openshift clusters.
I don’t use cert-manager, and ideally, I would like to be able to install trust-manager without it.
As of #157 , I see this has been addressed, but the doc advises against using this in production.
One of Openshift’s operator allows for generating service certificates in a secret by annotating a secret, signed by the cluster’s CA:
https://docs.openshift.com/container-platform/4.15/security/certificates/service-serving-certificate.html#add-service-certificate_service-serving-certificate
It also can inject a CA bundle into the webhook: https://docs.openshift.com/container-platform/4.15/security/certificates/service-serving-certificate.html#add-service-certificate-validating-webhook_service-serving-certificate
Right now, the Helm chart only allows to either use the Helm generated certificate, or the cert-manager one.
Would you be willing to have another option to use the Openshift managed certificates?
I can understand that it’s not wanted to have a solution that is specific to a platform. In that case, would you consider having an option to not manage the certificate in the Chart, and let the user configure it another way?
I could then add the needed annotations the service and webhook.
Thanks
The text was updated successfully, but these errors were encountered: