Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Caching provisioner certificate #111

Closed
vanhtuan0409 opened this issue Aug 24, 2023 · 1 comment · Fixed by #117
Closed

Caching provisioner certificate #111

vanhtuan0409 opened this issue Aug 24, 2023 · 1 comment · Fixed by #117
Assignees
@maraino

Comments

@vanhtuan0409
Copy link

Hi, currently step-issuer controller stores each issuer certificate in memory, which causes new certificates to get generated each time the controller is restarted.
This can cause excessive endpoint/certificate charges when using the Smallstep cloud platform
Can we cache the provisioner's certificate as a K8s secret or to an attached PVC?
I linked bellow the location in code where provisioner certificate get generated

https://github.com/smallstep/step-issuer/blob/master/provisioners/step.go#L18
https://github.com/smallstep/step-issuer/blob/master/provisioners/step.go#L74
maraino added a commit that referenced this issue Aug 29, 2023
@maraino
Remove the requirement of an identity certificate
1b64cd3 
This commit removes the requirement of having an identity certificate
per issuer. This certificate was used to make the request "GET /roots"
that might require an mTLS certificate in some deployments. The change
removes these requests and uses the defined bundle in the issuer instead.

Fixes #111
@maraino maraino mentioned this issue Aug 29, 2023
Merged
@maraino
Copy link
Collaborator

maraino commented Aug 29, 2023

Hi @vanhtuan0409, I've released a new version of step-issuer, v0.8.0, that removes the identity certificate requirement. It also includes a new version of the CRDs. The easiest way to install it is using the helm charts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maraino maraino

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove the requirement of an identity certificate smallstep/step-issuer
2 participants
@maraino @vanhtuan0409