Comments (11)
@dcamzn, @divyansh-gupta Thank you for taking the discussion ahead. The annotation approach should work, but we might have to put additional validation to ensure that the generated cert has the right pathlen constraint.
e.g. scenario:
- Subordinate CA gets created in AWS with template: SubordinateCACertificate_PathLen2/V1
- While creating a Certificate custom resource for a CA certificate, and using an Issuer to use the above created Subordinate CA, end user decides to put annotation acm-pca.template-arn: SubordinateCACertificate_PathLen3/V1
- From a pathlen: 2 Issuing cert, can we create a CA cert with pathlen: 3? Assuming that the answer is no, we would have to put a validation corresponding to the annotation value acm-pca.template-arn: SubordinateCACertificate_PathLen3/V1 so that users don't accidentally pass a template value which has a higher path len than the Issuing cert path len.
If we have to put in a validation like that, we would have to get the path len of the Issuing cert and then compare with the requested path len of the new CA cert.
Can we do it this way?
- We fetch the path len of the Issuing cert. Let's call this value "n".
- If the annotation acm-pca.template-arn is not present, and if the Certificate.spec.isCA is set to true, we generate the CA cert with a pathlen "n-1".
- If the annotation is present, we check if the requested path len is less than the Issuing path len or not. If it's less, then we set the path len based on the requested path len.
- If the annotation is present, and the requested path len is greater than the issuing cert path len, we don't generate a cert and print the error that the requested len must be <= "n-1".
I'm sure some other boundary conditions for this validation need to be present. What do you all think?
from aws-privateca-issuer.
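The validation sketched in the comment above, written out as an added Go example (not code from the aws-privateca-issuer project). It assumes the annotation key acm-pca.template-arn from the thread, that the annotation value is either a bare template name or a full template ARN ending in SubordinateCACertificate_PathLen<N>/V1, and that the issuing CA's pathlen "n" has already been fetched by the caller:

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Annotation key as proposed in the thread.
const templateAnnotation = "acm-pca.template-arn"

// Matches the PathLen suffix of a Private CA subordinate template, whether the
// annotation carries the bare template name or a full template ARN (assumption).
var pathLenRe = regexp.MustCompile(`SubordinateCACertificate_PathLen(\d+)/V1$`)

// TemplatePathLen returns the path length encoded in a template name or ARN.
func TemplatePathLen(template string) (int, error) {
	m := pathLenRe.FindStringSubmatch(template)
	if m == nil {
		return 0, fmt.Errorf("template %q does not encode a CA path length", template)
	}
	return strconv.Atoi(m[1])
}

// ResolvePathLen applies the rules from the comment: n is the issuing CA's
// pathlen; the result is the pathlen the new CA certificate may carry.
func ResolvePathLen(n int, isCA bool, annotations map[string]string) (int, error) {
	if !isCA {
		return 0, fmt.Errorf("pathlen only applies to CA certificates")
	}
	if n < 1 {
		// Boundary condition: an issuing CA with pathlen 0 cannot sign any CA.
		return 0, fmt.Errorf("issuing CA pathlen %d permits no subordinate CA", n)
	}
	tmpl, ok := annotations[templateAnnotation]
	if !ok {
		return n - 1, nil // no annotation: one level below the issuer
	}
	req, err := TemplatePathLen(tmpl)
	if err != nil {
		return 0, err
	}
	if req > n-1 {
		return 0, fmt.Errorf("requested pathlen %d exceeds %d allowed by issuing CA (pathlen %d)", req, n-1, n)
	}
	return req, nil
}

func main() {
	ann := map[string]string{templateAnnotation: "SubordinateCACertificate_PathLen3/V1"}
	_, err := ResolvePathLen(2, true, ann) // the scenario from the thread
	fmt.Println("PathLen3 under a PathLen2 issuer:", err)
}
```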
@find-arka thanks for the feedback and reviewing our approach! We agree with you that we need to put additional validations with this approach. We will review validation requirements and come back for your thoughts.
Hi @find-arka, thanks for the issue. I wouldn't say this is a bug - more of a missing feature. The root of the problem here is that this issuer does not allow users to set the TemplateArn themselves. This is a feature that we have discussed having, but have not committed resources to determine the best method to do so. I will discuss with the team.
Related: #98
Hello @divyansh-gupta, Thank you for the quick response! Looking forward to hearing more about the team-discussion outcomes on this.
Hi @find-arka, discussed with the team, there are several things we can do here:
- We can ask cert-manager to include an optional pathLen in their Certificate Resource API (currently unsupported https://cert-manager.io/docs/usage/certificate/) and consume that in this plugin to issue the certificate with the appropriate Private CA certificate template.
- We can make this a more general feature to allow users to specifically name the Private CA template they would like to issue with. We can do this in two ways:
  a. We update the Issuer Resource to take in a new optional TemplateArn parameter. We can then apply this template to all issuances that happen through this Issuer. This has the disadvantage that users will have to make multiple Issuers if they want to issue with more than 1 type of Private CA template.
  b. We talk to cert-manager and see if there is a way we can include TemplateArn as a custom API parameter in the Certificate Resource API (unlikely).
We aren't sure which is the right path forward yet, but would love to get your thoughts.
Hello @divyansh-gupta ,
Hope you are doing well! My sincere apologies for the late response on this. Thank you very much for your suggestions.
Had a discussion with @jmunozro , and we both felt that option 2.a sounds like the best one:
- We can make this a more general feature to allow users to specifically name the Private CA template they would like to issue with. We can do this in two ways:
  a. We update the Issuer Resource to take in a new optional TemplateArn parameter. We can then apply this template to all issuances that happen through this Issuer. This has the disadvantage that users will have to make multiple Issuers if they want to issue with more than 1 type of Private CA template.
Hello @divyansh-gupta ,
Hope you are doing well! Any thoughts on how this could be taken forward?
Hi @find-arka, we're having discussions as a team, and when we have a path forward we'll update you. If you have solutions we'll be happy to take a look at a pull request. Thanks for checking in!
Hi @find-arka, we will look into using Kubernetes annotations. With annotations, we think you can pass in the template ARN that you'd like to use. If we're right, then you can specify a template with the path length that you need. Do you have any thoughts or feedback on our approach?
Just to add to that, the annotation would be something like:

kind: Certificate
metadata:
  annotations:
    acm-pca.template-arn: templateArn