
Support injection pem into an existing configmap

Open bakito opened this issue 3 years ago • 13 comments

It would be great if it was supported to have certificates injected into existing ConfigMaps if they are labelled, similar to the approach that is available in OpenShift https://docs.openshift.com/container-platform/4.11/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki

Something like the snippet below would inject the bundle to configmaps with the provided label.

target:
  configMapLabel:
    trust.cert-manager.io/inject-bundle: "true"

bakito avatar Sep 30 '22 14:09 bakito

I like this idea and would love to see it implemented. Suggesting a small adjustment to the proposed API:

spec:
  target:
    configMapSelector:
      my-label-key: my-label-value

The type of the selector should be map[string]string as any other Kubernetes label selector.

erikgb avatar Jul 28 '23 19:07 erikgb

/good-first-issue

erikgb avatar Nov 17 '23 07:11 erikgb

@erikgb: This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

In response to this:

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jetstack-bot avatar Nov 17 '23 07:11 jetstack-bot

I have a suggestion to the UX here, which I think can increase the usability/flexibility. What do you think of just having a well-known annotation/label key that you could add to any configmap or secret? Assuming the name of the trust-manager Bundle is my-ca-bundle, this could be as easy as:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    trust.cert-manager.io/inject-bundle: my-ca-bundle
  name: ca-inject 
  namespace: apache

erikgb avatar Nov 24 '23 09:11 erikgb
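The two selection schemes proposed above (a `map[string]string` selector on the Bundle, and a well-known label whose value names the Bundle) both reduce to equality matching on ConfigMap labels. The sketch below is an added example, not part of the thread and not trust-manager code; the `ConfigMap` type, the function names, the sample objects and the choice to let an empty selector match nothing are assumptions.

```go
package main

import "fmt"

// InjectLabel is the label key proposed in the thread; not a shipped trust-manager API.
const InjectLabel = "trust.cert-manager.io/inject-bundle"

// ConfigMap is a hypothetical stand-in for ConfigMap metadata.
type ConfigMap struct {
	Namespace, Name string
	Labels          map[string]string
}

// Matches applies an equality-based map[string]string selector. An empty
// selector matches nothing here (assumption), so an unset field never
// targets every ConfigMap in the cluster.
func Matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return len(selector) > 0
}

// Targets lists namespace/name of the ConfigMaps selected for injection.
func Targets(selector map[string]string, cms []ConfigMap) []string {
	out := []string{}
	for _, cm := range cms {
		if Matches(selector, cm.Labels) {
			out = append(out, cm.Namespace+"/"+cm.Name)
		}
	}
	return out
}

// SampleConfigMaps returns constructed sample objects.
func SampleConfigMaps() []ConfigMap {
	return []ConfigMap{
		{"apache", "ca-inject", map[string]string{InjectLabel: "my-ca-bundle"}},
		{"nginx", "trust", map[string]string{InjectLabel: "true", "app": "web"}},
		{"db", "settings", map[string]string{"app": "db"}},
	}
}

func main() {
	cms := SampleConfigMaps()
	// Selector on the Bundle, as in the original request.
	fmt.Println(Targets(map[string]string{InjectLabel: "true"}, cms))
	// Well-known key whose value names the Bundle.
	fmt.Println(Targets(map[string]string{InjectLabel: "my-ca-bundle"}, cms))
}
```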

I would like to see this feature implemented, and I think I know how it could be done.

/assign

erikgb avatar Nov 30 '23 20:11 erikgb

I discussed this issue with the cert-manager maintainers on today's stand-up, and if ever implemented this will probably require a design.

/remove-help /remove-good-first-issue

erikgb avatar May 16 '24 11:05 erikgb

/priority important-longterm

erikgb avatar Jul 16 '24 08:07 erikgb