Skip to content

annotations.markdown

Latest commit

 

History

History
70 lines (50 loc) · 3.5 KB

annotations.markdown

File metadata and controls

70 lines (50 loc) · 3.5 KB

Annotation Overrides for the EJBCA K8s CSR Signer

Go Report Card GitHub tag (latest SemVer) Type: application license

The EJBCA K8s CSR Signer allows you to customize the certificate signing process by using annotations. Annotations can be used to override the default configuration of the signer. The following annotations are supported:

Supported Annotations

Here are the supported annotations that can override the default values:

  • ejbca-k8s-csr-signer.keyfactor.com/endEntityName: Overrides the defaultEndEntityName field from the EJBCA Configuration. Allowed values include "cn", "dns", "uri", "ip", or any custom string.

    ejbca-k8s-csr-signer.keyfactor.com/endEntityName: "dns"

  • ejbca-k8s-csr-signer.keyfactor.com/certificateAuthorityName: Specifies the Certificate Authority (CA) name to use, overriding the default CA specified by the defaultCertificateAuthorityName field from the EJBCA Configuration.

    ejbca-k8s-csr-signer.keyfactor.com/certificateAuthorityName: "IT-Sub-CA"

  • ejbca-k8s-csr-signer.keyfactor.com/certificateProfileName: Specifies the Certificate Profile name to use, overriding the default profile specified by the defaultCertificateProfileName field from the EJBCA Configuration.

    ejbca-k8s-csr-signer.keyfactor.com/certificateProfileName: "istio-3d"

  • ejbca-k8s-csr-signer.keyfactor.com/endEntityProfileName: Specifies the End Entity Profile name to use, overriding the default profile specified by the defaultEndEntityProfileName field from the EJBCA Configuration.

    ejbca-k8s-csr-signer.keyfactor.com/endEntityProfileName: "k8s-istio"

  • ejbca-k8s-csr-signer.keyfactor.com/estAlias: Specifies the EST alias to use, overriding the default EST alias specified by the defaultEstAlias field from the EJBCA Configuration.

    ejbca-k8s-csr-signer.keyfactor.com/estAlias: "istio"

  • ejbca-k8s-csr-signer.keyfactor.com/chainDepth: Specifies the chain depth to use, overriding the default chain depth specified by the chainDepth field from the EJBCA Configuration.

    ejbca-k8s-csr-signer.keyfactor.com/chainDepth: 3

How to Apply Annotations

To apply these annotations, include them in the metadata section of your CertificateSigningRequest resource:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    ejbca-k8s-csr-signer.keyfactor.com/certificateProfileName: istioAuth-3d
    ejbca-k8s-csr-signer.keyfactor.com/endEntityProfileName: k8sEndEntity
    ejbca-k8s-csr-signer.keyfactor.com/certificateAuthorityName: IT-Sub-CA
    # ... other annotations
spec:
# ... rest of the spec

Compatibility with EJBCA CSR Signer v1.0

The annotations recognized in EJBCA K8s CSR Signer v2.0 are backwards compatible with v1.0 until the next major release. The following annotations are recognized in v1.0:

  • endEntityName
  • certificateAuthorityName
  • certificateProfileName
  • endEntityProfileName
  • estAlias