I'm afraid I'm only passingly familiar with cert-manager. I am reading up on it a little bit to see exactly the capabilities, and what sort of integrations make sense. So please forgive my questions here :)
SPIRE UpstreamAuthority attempts to get an intermediate CA cut. When the plugin is loaded, SPIRE Server sends a CSR for this intermediate on boot (assuming one is not cached), and every time the SPIRE authoritative keys rotate. Can cert-manager vend intermediate CA certs?
I'm also curious to learn more about how we might authenticate to an upstream cert-manager, but I think my previous question is most relevant. If the answer to the first question is "yes", I don't see why we wouldn't want an integration! Would you be willing to maintain it long term?
This is a feature request for adding cert-manager as an UpstreamAuthority to SPIRE.
This would enable SPIRE certificates to be signed by cert-manager issuers, core and external.
Certificate requests can be created by creating cert-manager CertificateRequest resources, that are signed by the configured issuer on SPIRE:
Happy to put together a PR if this is something we want to move forward with!
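The flow discussed in this thread, sketched as an added example that is not code from the issue, from SPIRE, or from cert-manager: build a CSR for an intermediate CA and wrap it in a `cert-manager.io/v1` CertificateRequest with `isCA: true`. The trust domain, resource name, namespace and issuer name are hypothetical, and the CSR contents are an assumption rather than what SPIRE Server actually sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/url"
)

// NewIntermediateCSR returns a PEM CSR whose URI SAN is the trust domain's SPIFFE ID.
func NewIntermediateCSR(trustDomain string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{URIs: []*url.URL{{Scheme: "spiffe", Host: trustDomain}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CertificateRequestManifest wraps the CSR in a CertificateRequest object.
// isCA asks for a CA certificate; whether it is honoured depends on the issuer.
func CertificateRequestManifest(name, namespace, issuer string, csrPEM []byte) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{
		"apiVersion": "cert-manager.io/v1", "kind": "CertificateRequest",
		"metadata": map[string]interface{}{"name": name, "namespace": namespace},
		"spec": map[string]interface{}{
			"request":   csrPEM, // []byte marshals to base64, the encoding the field uses
			"isCA":      true,
			"issuerRef": map[string]interface{}{"name": issuer, "kind": "Issuer", "group": "cert-manager.io"},
		},
	}, "", "  ")
}

func main() {
	csr, err := NewIntermediateCSR("example.org") // constructed trust domain
	if err != nil {
		panic(err)
	}
	out, _ := CertificateRequestManifest("spire-ca", "spire", "spire-upstream", csr) // hypothetical names
	fmt.Println(string(out))
}
```

The printed JSON is a valid Kubernetes manifest; the signed certificate would be read back from the resource's `status.certificate` once the issuer has processed it.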