Skip to content

Custom authentication header in issuer's request to /sign endpoint #341

Description

@karthik-murugan-hpe

My setup has a step-ca running on a central K8s cluster, configured with a JWK provisioner and several step-issuers running on separate remote K8s clusters. The issuers will send signing requests to the central step-ca to get signed certificates.

I was wondering, how to implement authentication between the issuers and step-ca. I don't want to introduce another credential or mTLS Certificate as it would become a distribution problem.

My idea is to use a gateway in front of the step-ca server, validate the signing request based on a custom header and approve/deny. The header value is a short lived token, to be precise a JWT token created off the Service Account, which the gateway can validate against cluster's JWKS key.

But I couldn't find a way to include this custom header in issuer's request to /sign endpoint. Has anyone have similar requirements in past?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions