Why store CA-bundle as secret?
Opened this issue · 3 comments
From an operations perspective, we obviously treat secrets and configmaps very differently and try to avoid secrets where it's not needed.
I noticed that an issuer/clusterissuer points to a secret which contains the CA-bundle for communication with EJBCA. As CA-certificates are seldom confidential, what is the reasoning behind storing this as a secret?
Hi @smuda!
Thank you for your observation regarding the storage of CA certificates in secrets. Initially, we stored both the client certificate and the CA bundle in secrets for simplicity, as they were both used in similar contexts.
Given that CaBundleSecretName is an optional field and considering that this API is still in its alpha phase (v1alpha1), there are two options that I'd love your input on:
- Add a new optional field called CaBundleConfigMapName in the v1alpha1 API, making it mutually exclusive with CaBundleSecretName.
- Create a new version v1alpha2 where CaBundleSecretName is replaced by CaBundleConfigMapName.
Your feedback is greatly appreciated!
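Worked example (added here for illustration; not code from the issuer project or from either participant) of what option 1 implies for the controller: two optional, mutually exclusive fields, plus the check a practitioner would want once the CA bundle moves to a ConfigMap, namely that the data really is a set of CA certificates and nothing that should have stayed in a Secret. The struct and function names, the field name CaBundleConfigMapName, and the self-signed test CA are assumptions for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CaBundleSource stands in for the two spec fields discussed in the thread.
// The field names are taken from the discussion, not from the project's API.
type CaBundleSource struct {
	CaBundleSecretName    string
	CaBundleConfigMapName string
}

// Resolve enforces option 1: both fields are optional and mutually exclusive.
// It returns the kind ("Secret" or "ConfigMap") and name of the object to
// read; an empty kind means neither field was set (use system roots).
func (s CaBundleSource) Resolve() (kind, name string, err error) {
	switch {
	case s.CaBundleSecretName != "" && s.CaBundleConfigMapName != "":
		return "", "", errors.New("caBundleSecretName and caBundleConfigMapName are mutually exclusive")
	case s.CaBundleSecretName != "":
		return "Secret", s.CaBundleSecretName, nil
	case s.CaBundleConfigMapName != "":
		return "ConfigMap", s.CaBundleConfigMapName, nil
	default:
		return "", "", nil
	}
}

// ParseCABundle turns the PEM data read from either object into a cert pool.
// It rejects anything that is not a CA certificate: a ConfigMap is readable by
// anyone who can read the namespace, so a private key pasted next to the CA by
// mistake must fail loudly instead of being silently skipped.
func ParseCABundle(pemData []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	count := 0
	for rest := pemData; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // trailing non-PEM bytes
		}
		if block.Type != "CERTIFICATE" {
			return nil, 0, fmt.Errorf("unexpected %q block in CA bundle", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, 0, fmt.Errorf("parse certificate: %w", err)
		}
		if !cert.IsCA {
			return nil, 0, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
		}
		pool.AddCert(cert)
		count++
	}
	if count == 0 {
		return nil, 0, errors.New("CA bundle contains no certificates")
	}
	return pool, count, nil
}

// SelfSignedCA generates a throwaway CA certificate so the example runs
// offline; it is constructed test data, not a certificate from any EJBCA.
func SelfSignedCA(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed ConfigMap contents: a clean CA bundle, and one where a
	// private key block was pasted in alongside the CA.
	good := SelfSignedCA("Example Root CA")
	bad := append(append([]byte{}, good...),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: []byte{0x30, 0x00}})...)

	for _, src := range []CaBundleSource{
		{CaBundleConfigMapName: "ejbca-ca-bundle"},
		{CaBundleSecretName: "ejbca-ca-bundle", CaBundleConfigMapName: "ejbca-ca-bundle"},
	} {
		kind, name, err := src.Resolve()
		fmt.Printf("%+v -> kind=%q name=%q err=%v\n", src, kind, name, err)
	}
	for _, data := range [][]byte{good, bad} {
		_, n, err := ParseCABundle(data)
		fmt.Printf("bundle: %d CA certs, err=%v\n", n, err)
	}
}
```

The mutual-exclusivity rule would normally also be expressed in the CRD schema so the API server rejects a manifest setting both fields, but the controller-side check above is what catches the case regardless of how the object got in.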
That depends on how many are currently using the current schema. Speaking only for myself, once we put this in production the schema name will be in numerous gitops repositories and we wouldn't like changing that in all places but that's not where we are right now.
The code would be simpler with option 2, so if there are not that many users yet, I'd go with option 2. If you think there are a lot of users, I'd go with option 1 and drop CaBundleSecretName in v1alpha3 instead.
Is there anything I can do to move this issue forward?