Add Local CA Issuer #43
Conversation
@lcavajani Thank you for your contribution.

Thank you @lcavajani for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.
Signed-off-by: lcavajani <lcavajani@suse.com>
I have updated the existing copyrights and added the missing ones.
@lcavajani There is one problem: if I try to create a new CA issuer with a new CA certificate following the steps you described

```
openssl genrsa -out CA-key.pem 4096
openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
kubectl create secret tls issuer-ca-secret --cert=CA-cert.pem --key=CA-key.pem -oyaml --dry-run=client
```

and use it for the issuer, this error is reported:

Any idea what's missing?
With this adjustment I could resolve the problem with "certificate is not a CA":

```
openssl genrsa -out CA-key.pem 4096
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"
openssl req -new -nodes -x509 -config <(echo "$CONFIG") -key CA-key.pem -subj "/CN=Hello" -extensions ext -days 1000 -out CA-cert.pem
kubectl create secret tls issuer-ca-secret --cert=CA-cert.pem --key=CA-key.pem -oyaml --dry-run=client
```
/lgtm

I'm looking forward to the next PR updating the readme.

Thanks again!
@MartinWeindel Command
What this PR does / why we need it:

This PR adds the possibility for a user to provide their own Certificate Authority. This can be useful in an airgap environment or in an enterprise environment where no ACME server is present. The created certificate has the same parameters (duration, key algorithm and key usage) as the letsencrypt default. This is configurable by configuring a TLS Secret and a new Issuer (see examples/20-issuer-ca.yaml):

After some validation on the CA Certificate, the issuer looks like this:

Current differences with the ACME Issuer:

For testing purposes, it could be helpful to have this feature but I didn't want to include it in this PR.

Special notes for your reviewer:

What is the proper way to bump the version? I plan on updating the README.md in another PR once the feature is fully ready.

Release note: