CertHandler stores keys in peer data even when juju has secrets #297
When running `juju show-unit traefik-k8s/0` on a traefik charm integrated with manual-tls-certificates-operator, I noticed that there's a field `private_key` on the peers relation which contains the private key material related to the CSR that the unit has outstanding. This seems like too much information to me: the private key shouldn't be on display like this in an unprotected form.

Comments

What juju version are you on? Looking at the tls-certificates lib we're using, if on a modern-enough juju, we'll use a secret instead.

Ah, never mind: if this is peer data we might indeed be storing that in the clear. We could, at the cost of some extra complexity, use secrets instead of peer storage where juju supports it. (This is in fact a bug for observability-libs: CertHandler.)

CertHandler was bumped to v1.5, which uses secrets, in #332. Do you use juju 3 or juju 2.9? If it's 3.x then you should be able to update to the latest traefik and the key should already be in secrets. We can't do much about juju 2.9 as it doesn't have the notion of a secret at all. Closing this issue; feel free to reopen if you feel our answer is not enough.
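The check the reporter did by eye (reading `juju show-unit` output for a `private_key` field) can be automated so it runs as an audit across all units of a model. The script below is an added example, not code from the traefik charm, observability-libs or Juju. It parses `juju show-unit <unit> --format json` output and flags any relation-data value that is a PEM private key, or that sits under a secret-looking key name but is not a Juju secret reference (`secret:<id>`), which is what peer data should contain once CertHandler stores the key in a secret. The nesting of `relation-info` / `local-unit` / `data` used in the embedded sample is an approximation of the real `show-unit` layout; the walk is recursive so it does not depend on that exact shape, and the sample document, key names other than `private_key`, and the secret id are constructed for the example.

```python
"""Audit `juju show-unit --format json` output for private-key material in relation data.

Added example (not part of the traefik charm, observability-libs or Juju).
Usage:  juju show-unit traefik-k8s/0 --format json | python3 audit_relation_data.py
Exit status is non-zero when any finding is reported, so it can gate a CI job.
"""
import json
import re
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Any PEM private-key block header: RSA, EC, PKCS#8 ("PRIVATE KEY"), OpenSSH, ...
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Key names under which plaintext secret material typically ends up.
SECRET_LIKE_NAME_RE = re.compile(r"(private[_-]?key|secret|password|token)", re.IGNORECASE)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (path, leaf) for every scalar in a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_leaked_keys(show_unit_json: str) -> List[Dict[str, str]]:
    """Return one finding per relation-data value that exposes key material.

    A value that is a Juju secret reference (a URI starting with "secret:")
    is the fixed state: the databag then holds only a pointer, not the key.
    """
    doc = json.loads(show_unit_json)
    findings: List[Dict[str, str]] = []
    for unit, info in doc.items():
        for relation in info.get("relation-info", []):
            for path, value in walk(relation):
                if not isinstance(value, str):
                    continue
                name = path.rsplit("/", 1)[-1]
                if PEM_PRIVATE_KEY_RE.search(value):
                    reason = "pem-private-key"
                elif SECRET_LIKE_NAME_RE.search(name) and not value.startswith("secret:"):
                    reason = "plaintext-under-secret-like-name"
                else:
                    continue
                findings.append({"unit": unit, "endpoint": str(relation.get("endpoint")),
                                 "path": path, "reason": reason})
    return findings


# Constructed sample approximating `juju show-unit traefik-k8s/0 --format json`:
# the peers databag carries the key in the clear (the bug), while the
# application databag shows what a post-fix secret reference looks like.
SAMPLE_SHOW_UNIT = json.dumps({
    "traefik-k8s/0": {
        "relation-info": [
            {
                "endpoint": "peers",
                "related-endpoint": "peers",
                "application-data": {"private_key_secret_id": "secret:ckexample00000000000"},
                "local-unit": {
                    "in-scope": True,
                    "data": {
                        "egress-subnets": "10.1.0.5/32",
                        "private_key": "-----BEGIN RSA PRIVATE KEY-----\n"
                                       "MIIEconstructedSampleNotARealKey==\n"
                                       "-----END RSA PRIVATE KEY-----\n",
                        "csr": "-----BEGIN CERTIFICATE REQUEST-----\n"
                               "MIICconstructedSampleCsr==\n"
                               "-----END CERTIFICATE REQUEST-----\n",
                    },
                },
            }
        ]
    }
})


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    results = find_leaked_keys(raw)
    for finding in results:
        print(f"{finding['unit']} {finding['endpoint']} {finding['path']}: {finding['reason']}")
    sys.exit(1 if results else 0)
```

Running it over the embedded sample reports a single finding, `traefik-k8s/0 peers local-unit/data/private_key: pem-private-key`, and the `secret:` reference in the application databag is left alone. The name-based branch is deliberately heuristic (it will flag any plaintext under a `password` or `token` key), so treat its output as a review queue rather than a verdict.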