
Feature: support secret target

Open cortopy opened this issue 3 years ago • 3 comments

Currently only configMap is supported as target. It feels to me like that's the obvious choice for distributing a ca file. However, a lot of off-the-shelf applications out there only support mounting ca files via secrets

Would it be possible to add it for compatibility reasons?

cortopy avatar Jan 17 '22 11:01 cortopy

Hi @cortopy, there is no technical reason why adding Secret as a target could not be done, however it poses security implications (trust would be able to read + write all Secrets in all namespaces). If added, we would likely want this feature disabled by default, and users would have to explicitly toggle that they 1. want this target available, and 2. grant and understand they are giving trust the permissions to do this.

JoshVanL avatar Jan 17 '22 11:01 JoshVanL

thanks @JoshVanL for such a quick answer. I hadn't thought of that but the path you propose sounds excellent

cortopy avatar Jan 17 '22 17:01 cortopy

As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?

james-callahan avatar May 02 '22 02:05 james-callahan

I support adding secrets as an opt-in target for bundles. There are just so many tools that only support obtaining CA certificates from secrets. And one could argue that even if a CA certificate bundle is not strictly secret, defining who you trust is definitely important for overall security.

As a mitigation to that risk, perhaps a suggestion for RBAC on secret to explicitly list resource names?

@james-callahan I don't think this is possible in general. As a user of trust-manager, I would expect to be allowed to express the secret name in the bundle resource. AFAIK the controller-runtime mechanics (and Kubernetes API) do not really support watching resources cluster-wide by name(s).

erikgb avatar Aug 28 '23 15:08 erikgb
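The two RBAC shapes debated above, as an added example that is not part of this thread or of trust-manager's own manifests: the cluster-wide grant a Secret target implies, beside the resourceNames-restricted Role proposed as a mitigation and why it does not fit a controller that reads Secret names from Bundle resources. Role names, the namespace, the Secret name and the ServiceAccount are assumed.

```yaml
# Added example; names, namespace and ServiceAccount are assumed.
# Shape 1: what an unrestricted Secret target needs. The controller must
# create/update the bundle Secret in every target namespace and watch
# Secrets to reconcile drift, so the grant covers all Secrets cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trust-manager-secret-target    # assumed name
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Shape 2: the resourceNames mitigation. A namespaced Role can pin
# get/update/patch/delete to one Secret name, but:
#  - the name must be known when the Role is written, not read from a
#    Bundle spec at runtime;
#  - "create" cannot be restricted by resourceNames at all;
#  - "list"/"watch" restricted by name are only authorised when the request
#    carries a matching metadata.name field selector, which a cluster-wide
#    informer does not send.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: trust-manager-bundle-secret    # assumed name
  namespace: app-ns                    # assumed namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["example-bundle"]  # assumed Secret name
    verbs: ["get", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: trust-manager-bundle-secret    # assumed name
  namespace: app-ns                    # assumed namespace
subjects:
  - kind: ServiceAccount
    name: trust-manager                # assumed ServiceAccount
    namespace: cert-manager            # assumed namespace
roleRef:
  kind: Role
  name: trust-manager-bundle-secret
  apiGroup: rbac.authorization.k8s.io
```

Shape 2 is what a cluster operator can hand out per namespace today; Shape 1 is what the opt-in target in the thread would require, which is why the comments treat it as something the user must explicitly enable.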

I believe this issue was fixed by https://github.com/cert-manager/trust-manager/pull/193

/close

erikgb avatar Oct 18 '23 12:10 erikgb

@erikgb: Closing this issue.

In response to this:

I believe this issue was fixed by https://github.com/cert-manager/trust-manager/pull/193

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jetstack-bot avatar Oct 18 '23 12:10 jetstack-bot