Add/update docs for new trust-manager features #1351
Conversation
jetstack-bot
added
dco-signoff: yes
✅ Deploy Preview for cert-manager-website ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
erikgb
force-pushed
the
new-features-trust-manager
branch
2 times, most recently
from
9f38d9a to
f53b43d
Compare
erikgb
force-pushed
the
new-features-trust-manager
branch
from
1d832da to
6d4d6d3
Compare
erikgb
force-pushed
the
new-features-trust-manager
branch
from
6d4d6d3 to
7a0e065
Compare
| secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT | ||
| be protected by a password alone, and needs to be protected by additional measures. |
There was a problem hiding this comment.
| secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT | |
| be protected by a password alone, and needs to be protected by additional measures. | |
| secrets. For that reason, these passwords do not provide any security value and don't have to remain secret. |
There was a problem hiding this comment.
I am not sure if I agree with this suggestion. Users want to use passwords on trust stores to protect the integrity of the trust store. We all can agree that a trust store doesn't contain anything secret, but some think it's important to use a secret password - even in Kubernetes. I am open to rewording here, it's just that I find the suggestion not logic in the context. 😉
There was a problem hiding this comment.
This section is so tricky and it's screaming out for me to write that FAQ I'd been talking about on why these passwords aren't useful. I think the PR as-written is not quite correct, but Tim's suggestion isn't the wording I'd go for either. I'll make an alternative suggestion which tries to stay neutral here.
There was a problem hiding this comment.
Thanks Ash! Your suggestion was so good that I included you as a co-author on this PR. ❤️ I hope Tim also thinks it's ok now.
erikgb
force-pushed
the
new-features-trust-manager
branch
from
7a0e065 to
3b2b566
Compare
jetstack-bot
added
size/L
| secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT | ||
| be protected by a password alone, and needs to be protected by additional measures. |
There was a problem hiding this comment.
This section is so tricky and it's screaming out for me to write that FAQ I'd been talking about on why these passwords aren't useful. I think the PR as-written is not quite correct, but Tim's suggestion isn't the wording I'd go for either. I'll make an alternative suggestion which tries to stay neutral here.
erikgb
force-pushed
the
new-features-trust-manager
branch
from
44fdf54 to
a3dac03
Compare
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com> Signed-off-by: Erik Godding Boye <egboye@gmail.com>
erikgb
force-pushed
the
new-features-trust-manager
branch
from
a3dac03 to
e564f83
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
I noticed that trust-manager docs are not updated for new features available since trust-manager v0.7.0:
SecrettargetsIt also seems like the trust-manager API docs are outdated. Do we have CI to update it, or is it done manually? If we don't have CI, it would probably make sense to include an update in this PR?Update: API docs for trust-manager is now updated to v0.7.0.\cc @inteon @SgtCoDFish