Task
Resolution: Unresolved
Major
None
Documentation (Ref Guide, User Guide, etc.), Release Notes
From the customer case notes:
----------------------------------------------------------
Currently Strimzi manages two PKIs, one for certificates dedicated to internal connections and one for certificates dedicated to connections coming from clients.
For both of these PKIs you can let Strimzi generate a new root CA or supply an intermediate CA, presumably signed by the customer's CA.
Neither of these two options is ideal:
1. The root CA option for external certificates is extremely inconvenient because now all clients need to import the new CA bundle.
2. The intermediate CA option is extremely insecure for both PKIs because, if the intermediate CA is compromised, the entire customer network is compromised [2].
Ideally Strimzi would integrate with an external CA via an API and get the certificates it needs that way. We are currently migrating to Vault as our CA so that is one possible solution.
Another option is integrating with an operator that is in charge of creating certificates for applications running in the cluster. This operator would then deal with the intricacies of the certificate request processes and potentially support multiple CA implementations. This operator happens to already exist: cert-manager[1].
Our request is that one of these two options is implemented to allow more customization to the way organizations approach their security requirements.
[1]: https://github.com/jetstack/cert-manager
[2]: https://blog.openshift.com/considerations-on-openshift-pkis-and-certificates/
----------------------------------------------------------
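For reference, this is what the second option in the case notes (cert-manager obtaining listener certificates from an external CA, here Vault) looks like on the cert-manager side. It is an added example written for this ticket, not configuration from the case notes or from the Strimzi project. The Vault address, PKI mount and role path (`pki_int/sign/kafka`), the token Secret, the `kafka` namespace, the cluster name `my-cluster` and the DNS names are all assumptions; the final fragment additionally assumes a Strimzi version whose listener configuration accepts a custom server certificate from a Secret (`brokerCertChainAndKey`), which is how such a cert-manager-issued certificate would be consumed today for client-facing listeners. The internal PKI (broker-to-broker, operator and ZooKeeper connections) is not covered by this and remains the subject of the request.

```yaml
# Added example (not from the case notes or from Strimzi).
# cert-manager Issuer that signs via a Vault PKI role. Vault holds the
# intermediate CA key; the cluster only ever receives short-lived leaf certs,
# so a compromised Kubernetes Secret does not expose a signing key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer            # assumed name
  namespace: kafka              # assumed namespace
spec:
  vault:
    server: https://vault.example.com:8200      # assumed Vault address
    path: pki_int/sign/kafka                    # assumed PKI mount and role
    caBundle: LS0tLS1CRUdJTi...                 # base64 PEM of the Vault server CA (truncated on purpose)
    auth:
      tokenSecretRef:
        name: vault-token                       # assumed Secret holding a Vault token
        key: token
---
# Leaf certificate for the client-facing listener. cert-manager writes
# tls.crt, tls.key and ca.crt into the named Secret and renews before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-cluster-kafka-external
  namespace: kafka
spec:
  secretName: my-cluster-kafka-external-tls
  duration: 720h        # 30 days; short-lived because Vault can reissue on demand
  renewBefore: 240h     # renew with 10 days left
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # new key on every renewal, never reuse the old key
  usages:
    - server auth
  dnsNames:                  # assumed external names clients connect to
    - my-cluster-kafka-bootstrap.example.com
    - my-cluster-kafka-0.example.com
    - my-cluster-kafka-1.example.com
    - my-cluster-kafka-2.example.com
  issuerRef:
    name: vault-issuer
    kind: Issuer
---
# Kafka CR fragment: the external listener serves the cert-manager-issued
# certificate instead of one from Strimzi's own clients CA. Clients then trust
# the organisation's existing CA and need no Strimzi-generated bundle.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
  namespace: kafka
spec:
  kafka:
    listeners:
      - name: external
        port: 9094
        type: loadbalancer   # assumed listener type
        tls: true
        configuration:
          brokerCertChainAndKey:
            secretName: my-cluster-kafka-external-tls
            certificate: tls.crt
            key: tls.key
```

Two caveats a practitioner would check before relying on this: the `dnsNames` must cover every address a client may use (bootstrap plus each broker's advertised address), and, because the Secret is rewritten on each renewal, the broker side must pick up the new certificate, so renewal behaviour should be tested once before the first `duration` elapses.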