
Allow Dynamic Certificate Cert/Keys in Generated Secret

Open scottd018 opened this issue 3 years ago • 1 comments

Is your feature request related to a problem? Please describe.

Not a problem, per se, but hard-coded backend values do not fit my use case. For my use case, which is a Government compliance use case, I may not use self-signed certificates anywhere in my cluster, so I must replace them with trusted certificates.

Describe the solution you'd like

Allow for the configuration of hard-coded TLS keys/certs values to become configurable when provisioning the following certificates:

  • pinniped-concierge-api-tls-serving-certificate
  • pinniped-concierge-impersonation-proxy-signer-ca-certificate
  • pinniped-concierge-impersonation-proxy-tls-serving-certificate
  • pinniped-concierge-impersonation-proxy-ca-certificate

The following are currently hard-coded (there may be others as well):

https://github.com/vmware-tanzu/pinniped/blob/main/internal/controller/apicerts/certs_manager.go#L23-L26

Allowing these to become configurable will allow unpredictable use cases to become attainable when keys/values for consuming these certificates are expected to be in a different format. Configuration can default to the current values if no additional configuration is provided.

Describe alternatives you've considered

I've considered using External Secrets as a translation layer, but this is currently not possible with their implementation. See comment https://github.com/external-secrets/external-secrets/issues/850#issuecomment-1190372993.

Are you considering submitting a PR for this feature?

Right now, I will not have time to support a PR for this feature, but I would like to if I can ever catch up.

Additional context

See conversation on Slack at https://kubernetes.slack.com/archives/C01BW364RJA/p1658264659180309

scottd018, Jul 20 '22 14:07

This would be really good to have.

simonfelding, Apr 10 '23 17:04