Add/update docs for new trust-manager features #1351
✅ Deploy Preview for cert-manager-website ready!
9f38d9a to f53b43d
Thanks @erikgb this is an awesome contribution! The changes look good, there is one paragraph that I will reread and add some comments.
A few suggestions on this; what do you think?
1d832da to 6d4d6d3
6d4d6d3 to 7a0e065
secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT | ||
be protected by a password alone, and needs to be protected by additional measures. |
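Review bot: "Both JKS and PKCS#12 uses" should read "use", and the second line says the store "needs to be protected by additional measures" without naming any. Say which measures are meant, or link to where they are described, so the reader can act on the warning.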
secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT | |
be protected by a password alone, and needs to be protected by additional measures. | |
secrets. For that reason, these passwords do not provide any security value and don't have to remain secret. |
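Review bot: the last line of this suggestion says the passwords "do not provide any security value", while the two lines above it say the store "needs to be protected by additional measures"; if the last line is meant to stand in for them, that caveat is lost. Consider keeping a clause on what does protect the trust store, and check that "For that reason" still has its reason in the preceding sentence.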
I am not sure if I agree with this suggestion. Users want to use passwords on trust stores to protect the integrity of the trust store. We all can agree that a trust store doesn't contain anything secret, but some think it's important to use a secret password - even in Kubernetes. I am open to rewording here, it's just that I find the suggestion not logical in the context. 😉
This section is so tricky and it's screaming out for me to write that FAQ I'd been talking about on why these passwords aren't useful. I think the PR as-written is not quite correct, but Tim's suggestion isn't the wording I'd go for either. I'll make an alternative suggestion which tries to stay neutral here.
Thanks Ash! Your suggestion was so good that I included you as a co-author on this PR. ❤️ I hope Tim also thinks it's ok now.
7a0e065 to 3b2b566
Few little bits - what do you think?
44fdf54 to a3dac03
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
a3dac03 to e564f83
/lgtm
/approve
This is definitely a big improvement. Thanks!
(not sure if this'll go through if you added me as a co-author - we'll see 😁 )
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish
I noticed that trust-manager docs are not updated for new features available since trust-manager v0.7.0:

- Secret targets

It also seems like the trust-manager API docs are outdated. Do we have CI to update it, or is it done manually? If we don't have CI, it would probably make sense to include an update in this PR?

Update: API docs for trust-manager are now updated to v0.7.0.

\cc @inteon @SgtCoDFish