Description
User Story
As a user/operator I would like to have control over how certificates are created
As a user/operator I would like to have visibility into certificate expiration dates
As a user/operator I would like CAPI to support me in certificate lifecycle management
As a user/operator I would like to have the option to rely on external tools for certificate management
Detailed Description
As of today, Cluster API provides minimal support for certificate management, mostly utilities for the management of secrets with certificate authorities, while over time the responsibility of creating certificates has been delegated to control plane providers.
While this approach worked well, some shortcomings are starting to surface, mostly boiling down to the fact that there are no top-level certificate management primitives in our API, and this makes the answers to the following questions difficult and fragmented:
- how can I customise certificates at provisioning time
- how can I monitor the state of my certificates (expiration date)
- how can CAPI support me in certificate lifecycle management tasks, like certificate renewal or CA rotation
Last but not least, CAPI lacks a clean interface for integrating with external tools for certificate management, e.g. HashiCorp Vault.
This issue is about starting an effort to rethink this area and provide a clean solution for addressing the above concerns, starting from the two issues that mostly concern users, namely better support for certificate renewal and CA rotation tasks.
/kind feature
/kind proposal
@randomvariable to add more from a provider PoV