
configure cert-manager ClusterIssuer/Issuer in k8s cluster with CA certificate stored in Azure Key Vault #6880

Open
porwalameet opened this issue Mar 31, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@porwalameet

porwalameet commented Mar 31, 2024

Is your feature request related to a problem? Please describe.

Currently, the CA stored in Azure Key Vault is copied over to the K8s cluster to configure a ClusterIssuer/Issuer, and the configuration references it as a k8s secret. There is a security constraint, as the CA is replicated and leaves the Azure Key Vault.
The requirement is that the CA has to be present only in AKV and never copied to any local k8s cluster.

Example:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: ca-key-pair  # k8s secret containing CA key pair.

Describe the solution you'd like

Can cert-manager issue TLS certificates without copying the CA from Azure Key Vault to the local k8s cluster, like the PKI issuer as done with HashiCorp Vault?
Regarding authentication, the cert-manager SA can be configured with the necessary RBAC to access AKV and can issue certificates based on the Certificate CRO.

Describe alternatives you've considered

  • Currently the CA certificate is synced to the K8s cluster using the CSI driver/provider or via the AKV2K8S solution.

Additional context

Environment details (remove if not applicable):

  • Kubernetes version: 1.27.x, 1.29.x
  • Cloud-provider/provisioner: Azure/ Azure Key Vault
  • cert-manager version: v1.12.x
  • Install method: helm

/kind feature

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 31, 2024
@hawksight
Member

Hey @porwalameet, I am not too familiar with Azure services, but in your example you are specifying a CA issuer.
Is this because you have your own privately managed CA, just stored in Azure Key Vault?

Or are you issuing from an Azure service?
I was just wondering if you used another issuer type, it might pull the CA back for you, like the Vault issuer.

Also, although it does not solve your problem, have you considered using trust-manager to distribute your CA?
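For comparison with the CA issuer manifest in the issue, this is the shape of the Vault issuer that the comment above refers to: cert-manager sends a CSR to a Vault PKI sign endpoint and the CA private key stays in Vault, so no CA key pair is stored in a k8s secret. This is an added example, not a manifest from the issue or from the cert-manager project; the server address, PKI path, Vault role and secret names are assumed.

```yaml
# Added example (not from the issue): Vault issuer where the CA key never enters the cluster.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    server: https://vault.example.com:8200      # assumed Vault address
    path: pki_int/sign/example-dot-com          # assumed PKI sign role; signing happens inside Vault
    caBundle: <base64-encoded PEM of Vault's TLS CA, placeholder>
    auth:
      kubernetes:
        role: cert-manager                      # assumed Vault role bound to the SA token below
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: cert-manager-vault-token        # assumed secret holding only a ServiceAccount token
          key: token
---
# A Certificate resource is unchanged: only the issuerRef points at the Vault issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
  namespace: sandbox
spec:
  secretName: example-tls
  dnsNames:
    - example.example.com                       # assumed hostname
  issuerRef:
    name: vault-issuer
    kind: Issuer
```

The only secret the cluster holds for this issuer is the short-lived auth token, which is the property the issue asks for from an AKV-backed issuer.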

@porwalameet
Author

@hawksight, I have my privately managed CA, which is stored in Azure Key Vault. Since the CA certificate (+key) is highly sensitive data, copying it to multiple Kubernetes clusters in the form of a Kubernetes secret will raise security concerns. So I was wondering, can cert-manager issue certificates without expecting the CA in a k8s secret?

We are using Azure Key Vault just as storage here.

I will explore trust-manager as well and get back. Thanks.
