Specify Name Constraints in CA Certificate
Is your feature request related to a problem? Please describe.
When creating a Certificate CR with the flag isCA: true, there is currently no way to specify Name Constraints to apply restrictions on the CN and SAN for this Sub-CA.
Describe the solution you'd like
A new section spec.nameConstraints in the Certificate CR, for example:

spec:
  isCA: true
  nameConstraints:
  - type: permitted
    critical: true
    constraints:
      dns: [.private, .corp]
      ipAddress: [192.168.3.0/255.255.255.0]
  - type: excluded
    critical: true
    constraints:
      dns: [.secret.corp]
/kind feature
Important Feature: Will be a critical addition to controlling boundaries for Sub CAs.
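As an added example (not code from this issue or from cert-manager), the following Go program encodes the permitted/excluded constraints proposed above into a self-signed CA with crypto/x509, issues a leaf under it, and lets Go's own chain verifier decide whether the leaf's SANs fall inside the constrained subtrees. The CA and leaf names are constructed for the demo; the must helper and VerifyLeaf are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // demo helper: panic instead of returning errors
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyLeaf builds a self-signed CA with the constraints proposed above (permitted
// .private/.corp and 192.168.3.0/24, excluded .secret.corp), signs a leaf with the given SANs and returns Verify's verdict.
func VerifyLeaf(dns []string, ips []net.IP) error {
	_, lan, _ := net.ParseCIDR("192.168.3.0/24") // the proposal's 192.168.3.0/255.255.255.0
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-sub-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{".private", ".corp"},
		PermittedIPRanges: []*net.IPNet{lan}, ExcludedDNSDomains: []string{".secret.corp"},
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo-leaf"}, DNSNames: dns, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots}) // nil only if every SAN fits the constraints
	return err
}

func main() { // stand-alone check: a name under the excluded subtree must be rejected
	if VerifyLeaf([]string{"db.secret.corp"}, nil) == nil {
		panic("excluded name was accepted")
	}
}
```

Note that the sub-CA itself still signs whatever it is asked to; the constraints only take effect in relying parties that enforce them during chain validation, which is why the check goes through Verify rather than CreateCertificate.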
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
/remove-lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close
@jetstack-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten. Send feedback to jetstack. /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@t-cas: Reopened this issue.
In response to this:
/reopen
/remove-lifecycle rotten
any timelines?
@smarunich I'm just another observer on this issue, but I think it's pretty clear that this is not currently a priority of the maintainers and there are no timelines.
It seems likely that this will only happen if/when this work is funded and someone engages the maintainers with a concrete proposal and implementation.
Hey,
I am happy to report that this feature request is very high in the list of community requests for bugs and features! It currently stands at the 6th position. We (Venafi-sponsored maintainers) often use the number of thumbs up as a way to guide what to do next on our community-focused time.
At this point, the most requested feature is "certificate presets" with 49 thumbs up. That's what we have decided to work on for the next release as part of our "community time".
In the meantime, I'd be glad to talk and help design the feature and to review a contributor's PR if someone is interested!
@maelvls, looks like this issue has got more votes since then. Can you help in taking this up in the current cycle?
@maelvls Is someone working on this? If not, I am interested in taking this forward.
This seems possible now if enabling a feature gate, ref. https://cert-manager.io/docs/usage/certificate/#creating-certificate-with-name-constraints. I wonder if this issue can be closed, or if there is something missing? It would be nice to get some feedback from users who have shown interest in this feature!