New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable cert auth for default admin #66
Comments
Now that the
|
This looks like it may be completed. |
I did add the admin client cert via cert manager, but didn't change the login command to use it. It may be necessary to create an authenticator, which will be simpler to achieve when this feature is completed: openziti/ziti#1730 https://github.com/search?q=repo%3Aopenziti%2Fhelm-charts%20admin-client-cert&type=code |
An alternative to issuing the admin client cert with cert manager would be to add an init step for the controller. It would use the CLI to create a second admin w/ cert authenticator, enroll, unwrap the JSON to the crypto components the CLI currently requires, and then stuff them into a K8s TLS Secret resource to be mounted later by Job containers that need to do admin stuff. This would give the cluster/ziti admin the option to subsequently delete the username/password Secret from the cluster, thereby reducing exposure and safekeeping elsewhere as a backup auth method. |
Now that I think about that idea above, however, it's probably simpler to keep the client cert issued by cert manager and just use the new init or life-cycle Job to create an authenticator for the first/default admin for that cert's fingerprint. Same security posture in the end, but fewer steps. |
https://openziti.discourse.group/t/admin-life-cycle-from-password-to-long-lived-cert/1127/7?u=qrkourier
The text was updated successfully, but these errors were encountered: