Consider adding support for specifying a cert and a key manually for federation endpoint. #2202
Labels
help wanted
Issues with this label are ready to start work but are in need of someone to do it
priority/backlog
Issue is approved and in the backlog
Essentially this is a request to add the ability to specify a cert bundle, a cert and a key, for the federation endpoint to use and present for consumers/clients that want to interact with the endpoint.
By allowing for manually providing this information, it would allow for third-party maintainers such as cert-manager to manage the bundle as a secret and then the SPIRE federation endpoint can import that bundle. This would remove the hard dependency on ACME and using the web_pki.
A reason perhaps one would want to use something like cert-manager to manage their bundle is that they have gone through the effort of adding features that allow for little trickeries for various scenarios. Currently I have a scenario in which cert-manager allows me to use the dns-01 type to register my certs using Let's Encrypt as the cert-manager backend. Essentially doing what autocert is doing, only that autocert seems to only allow for the http-01 type, which for me in my specific use case causes web_pki to eventually fail.