Comments (11)

find-arka avatar find-arka commented on July 18, 2024 1

@dcamzn, @divyansh-gupta Thank you for taking the discussion ahead. The annotation approach should work, but we might have to put additional validation in place to ensure that the generated cert has the right pathlen constraint.

e.g. scenario:

  • Subordinate CA gets created in AWS with template: SubordinateCACertificate_PathLen2/V1
  • While creating Certificate custom resource for a CA certificate, and using an Issuer to use the above created Subordinate CA, end user decides to put annotation acm-pca.template-arn: SubordinateCACertificate_PathLen3/V1
  • From a pathlen: 2 Issuing cert, can we create a CA cert with pathlen: 3? Assuming that the answer is no, we would have to put a validation corresponding to the annotation value acm-pca.template-arn: SubordinateCACertificate_PathLen3/V1 so that users don't accidentally pass a template value which has a higher path len than the Issuing cert path len.

If we have to put in a validation like that, we would have to get the path len of the Issuing cert and then compare with the requested path len of the new CA cert.

Can we do it this way?

  • We fetch the path len of the Issuing cert. Let's call this value "n"
  • If the annotation acm-pca.template-arn is not present, and if the Certificate.spec.isCA is set to true, we generate the CA cert with a pathlen "n-1"
  • If the annotation is present, we check whether the requested path len is less than the Issuing path len or not. If it's less, then we set the path len based on the requested path len.
  • If the annotation is present, and the requested path len is greater than the issuing cert path len, we don't generate a cert and print the error that the requested len must be <= "n-1"

I'm sure some other boundary conditions for this validation need to be present. What do you all think?

from aws-privateca-issuer.

dcamzn avatar dcamzn commented on July 18, 2024 1

@find-arka thanks for the feedback and reviewing our approach! We agree with you that we need to put additional validations with this approach. We will review validation requirements and come back for your thoughts.

divyansh-gupta avatar divyansh-gupta commented on July 18, 2024

Hi @find-arka, thanks for the issue. I wouldn't say this is a bug; it's more of a missing feature. The root of the problem here is that this issuer does not allow users to set the TemplateArn themselves. This is a feature that we have discussed having, but we have not committed resources to determine the best method to do so. I will discuss with the team.

divyansh-gupta avatar divyansh-gupta commented on July 18, 2024

Related: #98

find-arka avatar find-arka commented on July 18, 2024

Hello @divyansh-gupta, thank you for the quick response! Looking forward to hearing more about the team discussion outcomes on this.

divyansh-gupta avatar divyansh-gupta commented on July 18, 2024

Hi @find-arka, discussed with the team, there are several things we can do here:

  1. We can ask cert-manager to include an optional pathLen in their Certificate Resource API (currently unsupported https://cert-manager.io/docs/usage/certificate/) and consume that in this plugin to issue the certificate with the appropriate Private CA certificate template.

  2. We can make this a more general feature to allow users to specifically name the Private CA template they would like to issue with. We can do this in two ways:
    a. We update the Issuer Resource to take in a new optional TemplateArn parameter. We can then apply this template to all issuances that happen through this Issuer. This has the disadvantage that users will have to make multiple Issuers if they want to issue with more than 1 type of Private CA template.

    b. We talk to cert-manager and see if there is a way we can include TemplateArn as a custom API parameter in the Certificate Resource API (unlikely).

We aren't sure which is the right path forward yet, but we would love to get your thoughts.

find-arka avatar find-arka commented on July 18, 2024

Hello @divyansh-gupta,
Hope you are doing well! My sincere apologies for the late response on this. Thank you very much for your suggestions.

Had a discussion with @jmunozro, and we both felt that option 2.a sounds like the best one:

  1. We can make this a more general feature to allow users to specifically name the Private CA template they would like to issue with. We can do this in two ways:
    a. We update the Issuer Resource to take in a new optional TemplateArn parameter. We can then apply this template to all issuances that happen through this Issuer. This has the disadvantage that users will have to make multiple Issuers if they want to issue with more than 1 type of Private CA template.

find-arka avatar find-arka commented on July 18, 2024

Hello @divyansh-gupta,
Hope you are doing well! Any thoughts on how this could be taken forward?

bmsiegel avatar bmsiegel commented on July 18, 2024

Hi @find-arka, we're having discussions as a team, and when we have a path forward we'll update you. If you have solutions we'll be happy to take a look at a pull request. Thanks for checking in!

dcamzn avatar dcamzn commented on July 18, 2024

Hi @find-arka, we will look into using Kubernetes annotations. With annotations, we think you can pass in the template ARN that you'd like to use. If we're right, then you can specify a template with the path length that you need. Do you have any thoughts or feedback on our approach?

divyansh-gupta avatar divyansh-gupta commented on July 18, 2024

Just to add to that, the annotation would be something like:

kind: Certificate
metadata:
  annotations:
    acm-pca.template-arn: templateArn
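The validation sketched in find-arka's first comment (fetch the issuing cert's pathlen n, default a new CA to n-1, and reject an acm-pca.template-arn annotation that requests more than n-1), together with parsing the annotation value shown above, as an added Go example that is not code from the aws-privateca-issuer project. It assumes the annotation ends in the SubordinateCACertificate_PathLenN/V1 form quoted in the thread and reads the issuer's constraint via Go's crypto/x509 MaxPathLen convention; treating an unconstrained issuer as accepting any request and defaulting to 0 is an assumption, not something the thread specifies.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"regexp"
	"strconv"
)

// Template ARNs are assumed to end like the thread's examples, e.g. ".../SubordinateCACertificate_PathLen2/V1".
var pathLenTemplate = regexp.MustCompile(`SubordinateCACertificate_PathLen(\d+)/V\d+$`)
// requestedPathLen extracts N from a SubordinateCACertificate_PathLenN template ARN.
func requestedPathLen(templateArn string) (int, error) {
	m := pathLenTemplate.FindStringSubmatch(templateArn)
	if m == nil {
		return 0, fmt.Errorf("annotation %q is not a SubordinateCACertificate_PathLenN template", templateArn)
	}
	return strconv.Atoi(m[1])
}

// pathLenForNewCA applies the thread's rule: no annotation -> the new CA gets n-1;
// annotation present -> the requested value must be <= n-1. A non-CA issuer or one
// with pathlen 0 cannot issue a CA; an unconstrained issuer (n == -1) accepts any
// request and, with no annotation, defaults to 0 (an assumption, not from the thread).
func pathLenForNewCA(issuer *x509.Certificate, annotation string) (int, error) {
	if !issuer.IsCA {
		return 0, fmt.Errorf("issuing certificate is not a CA")
	}
	n := -1 // Go's x509 convention: MaxPathLen 0 without MaxPathLenZero means "unset"
	if issuer.MaxPathLen > 0 || issuer.MaxPathLenZero {
		n = issuer.MaxPathLen
	}
	if annotation == "" {
		if n == 0 {
			return 0, fmt.Errorf("issuer pathlen is 0; it cannot issue CA certificates")
		}
		if n == -1 {
			return 0, nil
		}
		return n - 1, nil
	}
	r, err := requestedPathLen(annotation)
	if err != nil {
		return 0, err
	}
	if n != -1 && r > n-1 {
		return 0, fmt.Errorf("requested pathlen %d exceeds n-1 = %d allowed by the issuing cert", r, n-1)
	}
	return r, nil
}
```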
