Reference a secret instead of directly pasting a base64 encoded pem file to TLSspec.certificateAuthorityData #1570
Comments
Thanks for creating this issue @mhoshi-vm! It looks like you are talking about the These are not currently references to a Kubernetes Secret for a few reasons.
We would want to avoid making a breaking change to remove the existing Could you share more about your use case? What in your use case makes it hard to read the CA bundle from your cert-manager Secret at the time that you are creating the identity provider CR? Is it because you are hoping to install everything in a single step? Have you considered using things like init containers or Jobs to copy the CA bundle to the identity provider CR?
Hi @cfryanr, I'll jump in here and provide my use case :) I'm talking about the You're right, there is no confidential data involved in this case. But for customers like us, who are using a Secret Management solution like 1Password Operator or External Secrets Operator, it would be a huge plus to store this kind of certificate in a Secret. Why? The secrets can be updated in the Secret Operator and will then be automatically replaced in the Kubernetes Secret. Not only for Pinniped, but also for all other Deployments that use the CA certificate from the same Secret. So no more manual updates of certificates in multiple Kubernetes YAML files. There might be no standard way for a CA certificate to be stored in a Secret. Might just let users specify the name the same way as is used to mount a certificate from a Secret into a container as a volume:
@mhoshi-vm Were you also talking about the
Is your feature request related to a problem? Please describe.
As written below, we need to copy-paste the base64 PEM file to the following parameter
https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#k8s-api-go-pinniped-dev-generated-1-20-apis-supervisor-idp-v1alpha1-tlsspec
This is pretty hard to automate, for example using tools such as cert-manager that dynamically creates certificates
Describe the solution you'd like
Allow to reference a Kubernetes secret
Describe alternatives you've considered
I thought of using secretgen/secrettemplate to map the secret components, but it can only create kind: secret objects.
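The workaround suggested in the thread (copy the CA bundle out of the cert-manager Secret and into the identity provider CR from a Job or init container) and the problem described in the issue body (hand-pasting base64 PEM into certificateAuthorityData) come down to the same few steps. The script below is an added example and is not Pinniped's or cert-manager's own code. The namespace pinniped-supervisor, the Secret name idp-ca, the CR kind OIDCIdentityProvider and the CR name my-idp are assumptions for illustration; the sample PEM is constructed placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example, not Pinniped's or cert-manager's own code: the "copy the CA
# bundle from a Secret into the identity provider CR" step done as a script.
# Namespace, Secret name, CR kind and CR name below are assumptions.
set -eu

# Constructed sample PEM standing in for the ca.crt entry of a cert-manager
# Secret. The body is placeholder text, not a real certificate.
SAMPLE_CA_PEM='-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQUJDREVGR0hJSktMTU5PUFFSU1RVVjAKBggqhkjOPQQD
AjAUMRIwEAYDVQQDDAlwbGFjZWhvbGQwHhcNMjQwMTAxMDAwMDAwWhcNMzQwMTAx
-----END CERTIFICATE-----'

# Encode a PEM bundle as one base64 line. certificateAuthorityData takes the
# whole PEM text, base64-encoded, with no line breaks; GNU base64 wraps its
# output at 76 columns by default, so the newlines are stripped.
encode_ca() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Check a candidate certificateAuthorityData value before applying it: it must
# be a single line and must decode to something that looks like a PEM
# certificate. Returns 0 when valid, 1 otherwise. Catches the common mistake
# of pasting wrapped base64 output straight into the YAML.
validate_ca_data() {
  [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ] || return 1
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Render a merge patch that sets spec.tls.certificateAuthorityData on the CR.
# Fails (returns 1) instead of emitting a patch if the encoded value is bad.
render_patch() {
  ca_data="$(encode_ca "$1")"
  validate_ca_data "$ca_data" || return 1
  printf '{"spec":{"tls":{"certificateAuthorityData":"%s"}}}' "$ca_data"
}

# Against a live cluster (assumed names), from a Job, an init container or a
# local shell with cluster access:
#   NS=pinniped-supervisor
#   CA_PEM="$(kubectl -n "$NS" get secret idp-ca -o jsonpath='{.data.ca\.crt}' | base64 -d)"
#   kubectl -n "$NS" patch oidcidentityprovider my-idp --type merge \
#     -p "$(render_patch "$CA_PEM")"
# Secret data is already base64, so the jsonpath value could be pasted into
# certificateAuthorityData as-is; decoding and re-encoding here lets the
# script validate the bundle before the CR is touched.
```

Because the Secret's data field is itself base64, the round trip through encode_ca is only there so that validate_ca_data can refuse wrapped or non-PEM input; a Job that runs this on a schedule, or on each cert-manager renewal, gives the same "update the Secret once" behaviour the second commenter asks for, without a schema change on the Pinniped side.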