Regarding using PV for certificate store

Ipsit Kumar

Jun 30, 2022, 2:44:14 AM
to cert-manager-dev
Hi Team,
I have a use case where I want the certs and keys to be stored in the PV.
I wanted to understand how we can make cert-manager use a PV as the default certificate store so that cert-manager can manage the life cycle automatically.
All I want to do is create a trust store which is secured by means of additional encryption and possibly outside of Kubernetes Secrets, to reduce the memory usage when we need a huge number of certificates, like 10K or more.

Would you please share any documentation that talks about how we can use external storage for the trust store?

Best Regards,
Ipsit. 

Irbe Krumina

Jul 20, 2022, 9:55:14 AM
to cert-manager-dev
Hi Ipsit,

Thanks for bringing this up.

Does cert-manager/csi-driver, or cert-manager/csi-driver-spiffe not work for you? Issuing certs via either of these CSI drivers does not create Secrets as it does not use cert-manager Certificate resources.

Issuing certs via Certificate resources currently always uses Kubernetes Secrets to store certificates and keys.

There are a couple of ideas that we're currently looking at that might be relevant to your use case, including optionally not storing private keys in Secrets and reducing cert-manager components' memory consumption.
We'd be interested to hear more about your use case: is the only reason for wanting to use another store for certificates and keys to reduce memory usage? Is this for ingress certs?

Kind regards,
Irbe
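
For reference, a Pod that gets its key and certificate through the cert-manager csi-driver mentioned in the reply above, so that no Secret and no Certificate resource is involved. This manifest is an added example, not part of the thread or taken from the project; the Pod name, namespace, image, Issuer name and DNS name are assumptions, and it presumes the csi-driver is installed and an Issuer named `example-issuer` exists in the same namespace.

```yaml
# Added example: names marked "hypothetical" are placeholders, not from the thread.
apiVersion: v1
kind: Pod
metadata:
  name: example-app              # hypothetical
  namespace: sandbox             # hypothetical
spec:
  containers:
    - name: app
      image: busybox:1.36        # placeholder image
      command: ["sleep", "3600"]
      volumeMounts:
        - name: tls
          mountPath: /tls        # key and certificate files appear here
          readOnly: true
  volumes:
    - name: tls
      csi:
        driver: csi.cert-manager.io
        readOnly: true           # the driver only accepts read-only volumes
        volumeAttributes:
          # Issuer that signs the request (hypothetical name, same namespace as the Pod)
          csi.cert-manager.io/issuer-name: example-issuer
          csi.cert-manager.io/issuer-kind: Issuer
          # Subject alternative name requested for this Pod (hypothetical)
          csi.cert-manager.io/dns-names: example-app.sandbox.svc.cluster.local
```

The certificate's lifetime is tied to the Pod's ephemeral volume, so this fits per-workload certificates rather than a shared store of many long-lived certificates.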
