trust-manager
Is there a way to specify the domain
I am looking for a way to create the Bundle with the domain in order to create the PEM
```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trust-bundle
  namespace: default
spec:
  sources:
  - domain: https://example.com # <-- expecting the trust manager to pull the PEM by domain
  target:
    configMap:
      key: trust.pem
```
There currently is no mechanism to pull in the CA from a target, whether that be an external bucket, webpage, GitHub or looking it up from a domain name. Trust-manager focuses on the distribution of trust. If it was to start pulling trust from sources, it opens up the possibility of those sources being compromised and that being automatically propagated around your cluster.
You would have to manually get the CA from that domain and add it in cluster (as a secret or configmap) to the namespace where trust-manager is installed.
I have had a similar idea, but based on my previous discussions you would be better off writing a Job or CronJob to go and fetch the CA you wanted and then populate the secret or configmap accordingly.
Pulling from target indeed seems a bit dangerous. You might want to look into creating a cronjob to pull certificates, e.g. from a trusted URL?
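The CronJob approach suggested in the replies above, sketched as an added example (not code from the thread or from trust-manager): a container script that fetches a CA file and publishes it to a ConfigMap only when it matches a SHA-256 pin a human recorded out of band, so a changed or compromised source fails closed instead of propagating. The `CA_URL` and `PINNED_SHA256` variables, the ConfigMap name `fetched-ca`, the key `ca.pem` and the `cert-manager` namespace are assumptions.

```shell
#!/bin/sh
# Added example: entrypoint for a CronJob that refreshes a ConfigMap used as a
# trust-manager Bundle source. Names below are assumptions, not from the thread:
#   CA_URL         HTTPS location of the CA bundle
#   PINNED_SHA256  hex SHA-256 of the bundle, recorded by a human out of band
#   fetched-ca     ConfigMap name; cert-manager is the assumed trust namespace

# Print the SHA-256 of a file as lowercase hex.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if file $1 is non-empty, contains a PEM certificate header,
# and hashes to the pin in $2.
verify_ca_file() {
    [ -s "$1" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Fetch $1 over HTTPS only, verify against pin $2, then apply the ConfigMap.
# Any fetch failure or pin mismatch leaves the existing ConfigMap untouched.
refresh_ca() {
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --proto '=https' -o "$tmp" "$1" \
        && verify_ca_file "$tmp" "$2"; then
        kubectl -n cert-manager create configmap fetched-ca \
            --from-file=ca.pem="$tmp" --dry-run=client -o yaml \
            | kubectl apply -f -
        rc=$?
    else
        echo "refusing to publish: fetch failed or pin mismatch" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run only when both inputs are provided (as they would be in the CronJob env).
if [ -n "${CA_URL:-}" ] && [ -n "${PINNED_SHA256:-}" ]; then
    refresh_ca "$CA_URL" "$PINNED_SHA256"
fi
```

When the upstream CA rotates, the job fails until someone reviews the new file and updates the pin, which keeps the trust decision manual while the fetch is automated.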