Feature: By default, require only self-signed certificates in a bundle

[SgtCoDFish]

Writing down what occurred to me at the end of the cert-manager biweekly meeting on 28/07

An issue with administering trust bundles is that it's very easy + tempting for users to put intermediates in the trust store as a way of "fixing" trust issues. Usually this occurs when an app is buggy and only sends the leaf certificate without its chain, and explicitly trusting the leaf's issuing intermediate CA seems to fix the problem for them. Crucially, when that intermediate is then rotated their app will break.

We could add a toggle, defaulting to false, such as allowIntermediateCertificates. If false, it would parse every certificate and ensure that it's self-signed. There might be other ways of achieving the same goal.

Having this in from the start could prevent so many misconfigurations by unsuspecting cluster admins.

(Complication: If we added a list of publicly trusted certs it'd probably need to default to allowing intermediates in that list by default - but we could definitely default to disallowing intermediates everywhere else)

[james-callahan]

This would disallow cross signing roots. While probably a good default, it shouldn't be added without the toggle.

[erikgb]

Somehow related to #155, at least the changes would touch overlapping areas of code.

/good-first-issue

[erikgb]

/remove-good-first-issue

At least if we like to enable this by default - which could break some users.

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[erikgb]

/remove-lifecycle stale