cert-manager
Vault Issuer Read caBundle from ConfigMap
Is your feature request related to a problem? Please describe.
We use company-internal PKI a lot and are starting to adopt https://github.com/cert-manager/trust-manager to distribute trust anchors throughout our clusters. When attempting to configure a Vault issuer against an external Vault, with a certificate issued by our internal root CA, we have to configure the issuer with a custom caBundle - to avoid TLS handshake errors.
The problem is that the Vault issuer doesn't currently allow loading caBundle from configmaps, only secrets - using the caBundleSecretRef field. This seems to have been discussed in the PR that added the new feature for loading CA certificates from secret.
Describe the solution you'd like
I would like the ability to configure Vault issuers with a custom caBundle from configmaps. That will allow us to use the configmaps already distributed by trust-manager.
Describe alternatives you've considered
Simple workaround is to create a custom secret for this, and refer to it from the Vault issuer. But that means we have duplicated information in our clusters and more trust roots to maintain.
Additional context
Related issue: https://github.com/cert-manager/cert-manager/issues/5514
/kind feature /area vault /area api
+1 we should add a caBundleConfigMapRef field
caBundleSecretRef and caBundleConfigMapRef should be added to Vault and Venafi issuers
@erikgb quick tip: you can already "globally" use a custom ca by mounting your configmap in cert-manager's trust store /etc/ssl/certs/.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
@erikgb see https://github.com/cert-manager/cert-manager/pull/6228 for the design document & feel free to leave a review.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
@cert-manager-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity. Reopen the issue with
/reopen. Mark the issue as fresh with/remove-lifecycle rotten. /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![cert-manager-prow[bot] avatar](https://avatars.githubusercontent.com/in/877404?v=4 "Published by a pub.dev verified publisher"){kind=small}