Comments (4)
I just read that the secret has to be the same namespace as trust-manager. I guess that solves the problem. Any reason why this is scoped to the trust-managers namespace?
Works now. Had it tangled up somehow
1. Security issue: never give permission "read all secrets from any namespaces" ^^ You can check the ClusterRole here: https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/templates/clusterrole.yaml
2. Related code:
- https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/templates/trust.cert-manager.io_bundles.yaml#L80
- https://github.com/cert-manager/trust-manager/blob/main/pkg/bundle/sync.go#L121
Set the "default" source namespace:
- https://github.com/cert-manager/trust-manager/blob/main/pkg/bundle/bundle.go#L62
- https://github.com/cert-manager/trust-manager/blob/main/cmd/trust-manager/app/options/options.go#L148
I think this can be done easily :-)
I see how I can make it work with values -> app.trust.namespace = "my-namespace", but I am still a bit confused. I want to use a ClusterIssuer to bootstrap a Certificate for a CA Issuer (let's say in a default namespace).

Option 1: I create the Certificate in the namespace cert-manager. Then trust-manager can access it and create a ConfigMap, however the Issuer has no access to it from the default namespace :(

Option 2: I create the Certificate in the default namespace. The Issuer can access it but trust-manager will need a values -> app.trust.namespace = "default" value to access it. This works but does not scale – what if I have another Issuer in namespace custom?

What is the recommended behaviour? Should I create a custom ClusterRole for trust-manager? Looks like I am missing something :(
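The scoping the comments above turn on (the chart reading Secrets from one trust namespace only, and a Bundle whose secret source is resolved in that namespace) as an added illustration that is not part of this thread and not trust-manager's own manifests: the Helm value, a CA Certificate issued into the trust namespace by a ClusterIssuer, a Bundle that publishes the CA into a ConfigMap in selected namespaces, and a namespaced Role/RoleBinding showing what a least-privilege secrets grant looks like instead of a cluster-wide read. The namespace trust-system, the ClusterIssuer root-ca, the Secret, Bundle and Role names, the trust=enabled label and the trust-manager ServiceAccount name are all assumed values.

```yaml
# values.yaml for the trust-manager Helm chart (separate file in practice):
# every Secret source is read from this one namespace only. Assumed name.
app:
  trust:
    namespace: trust-system
---
# Constructed example: a CA certificate issued into the trust namespace by a
# ClusterIssuer. The ClusterIssuer "root-ca" is assumed to exist already.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-ca
  namespace: trust-system
spec:
  isCA: true
  commonName: my-ca
  secretName: my-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: root-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Bundle is cluster-scoped, but a secret source is always looked up in the
# trust namespace, so only my-ca-secret in trust-system is readable here.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-ca-bundle
spec:
  sources:
    - secret:
        name: my-ca-secret
        key: ca.crt
  target:
    configMap:
      key: ca-bundle.pem
    namespaceSelector:
      matchLabels:
        trust: enabled   # assumed label: only these namespaces receive the ConfigMap
---
# What least privilege on the source side looks like: a namespaced Role (not a
# ClusterRole) that lets the controller read Secrets in the trust namespace only.
# Illustrative; the chart ships its own RBAC objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: trust-manager-secrets-reader
  namespace: trust-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: trust-manager-secrets-reader
  namespace: trust-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: trust-manager-secrets-reader
subjects:
  - kind: ServiceAccount
    name: trust-manager      # assumed: the chart's ServiceAccount name
    namespace: trust-system
```

The Bundle carries no namespace field for its source, which is the point of the design: the controller never needs list or get on Secrets outside the trust namespace, so a compromise of the controller cannot be turned into a cluster-wide Secret read. A namespaced CA Issuer, by contrast, reads its signing secret from its own namespace, which is why the last comment's Option 1 fails for an Issuer in default while the Bundle side works.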