Description
Is your feature request related to a problem? Please describe.
I am working with an application that requires attestation of a complete certificate chain. Right now, however, VSO automatically strips the root certificate from the chain.
Given that there is no option to toggle the default behaviour, I need to rely on a second, static secret to fulfill this requirement.
Describe the solution you'd like
A simple boolean option for this setting in the VaultPKISecrets CRD would be ideal. Set the default to true if you like, so as not to interfere with existing deployments.
Describe alternatives you've considered
The two alternatives that come to mind are the one I used, namely a static secret containing the chain, and skipping the VSO altogether and issuing the certificate via the VaultAgent, injecting it directly into the pod instead of using a secret.
The latter option, whilst fitting the requirements neatly, is a bit tedious as I am using Helm to create the deployment manifests. Helm and VaultAgent templating are not as straightforward to deal with, compared to simply using the VSO, as Agent templates tend to either get screwed up by Helm templating or cause errors in the Helm linter, by nature of both Helm and VaultAgent relying on Go templating.
Additional context
This issue is particularly annoying as it also ends up making the behaviour of VaultPKISecrets misleading.
When a VaultPKISecret is sourced from an intermediate CA, VSO will render the CA certificate into a key called "ca_chain", even though it is missing the root certificate and therefore does not contain the full chain.
Whereas if the secret is sourced from a root CA, VSO will render the secret into the key ca.crt.
This quirk requires additional handling on the templating side even though, right now, in any case, ca_chain would also only contain a single certificate.
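The following is an added example, not code from the issue reporter or from the Vault Secrets Operator project. It shows the check a consumer of the rendered secret would need in order to detect the quirk described above: walk the issuer links in a PEM bundle and report whether the walk ends at a self-signed root. The sample hierarchy (a constructed "Example Root CA" and "Example Intermediate CA") is generated in memory with Go's standard crypto/x509, and the function names ChainTerminatesAtRoot and SampleBundles are this example's own, not anything VSO exposes. The "stripped" bundle models what the reporter says VSO currently renders under ca_chain for an intermediate-sourced secret (the intermediate only); the "full" bundle is what the requested option would render.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts returns every CERTIFICATE block in a PEM bundle, in file order.
func parsePEMCerts(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in bundle")
	}
	return certs, nil
}

// isSelfSigned reports whether c is issued and signed by itself, i.e. is a root.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// ChainTerminatesAtRoot walks issuer links, starting from the certificate that
// issues nothing else in the bundle (the leaf-most one), and reports whether the
// walk reaches a self-signed root. The returned names are the walked CNs, in order.
// A bundle whose last issuer is absent (the stripped-root case) yields false.
func ChainTerminatesAtRoot(bundle []byte) (bool, []string, error) {
	certs, err := parsePEMCerts(bundle)
	if err != nil {
		return false, nil, err
	}
	bySubject := map[string]*x509.Certificate{}
	issuers := map[string]bool{}
	for _, c := range certs {
		bySubject[string(c.RawSubject)] = c
		issuers[string(c.RawIssuer)] = true
	}
	cur := certs[0]
	for _, c := range certs {
		if !issuers[string(c.RawSubject)] {
			cur = c // nothing in the bundle is issued by c: start the walk here
			break
		}
	}
	var names []string
	for i := 0; i < len(certs); i++ { // bounded by bundle size, so a cycle cannot loop forever
		names = append(names, cur.Subject.CommonName)
		if isSelfSigned(cur) {
			return true, names, nil
		}
		parent, ok := bySubject[string(cur.RawIssuer)]
		if !ok {
			return false, names, nil // issuer not in bundle: chain is truncated
		}
		if err := cur.CheckSignatureFrom(parent); err != nil {
			return false, names, fmt.Errorf("%q is not signed by %q: %w", cur.Subject.CommonName, parent.Subject.CommonName, err)
		}
		cur = parent
	}
	return false, names, nil
}

// newCA creates a CA certificate signed by parent, or self-signed when parent is nil.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func toPEM(certs ...*x509.Certificate) []byte {
	var buf bytes.Buffer
	for _, c := range certs {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return buf.Bytes()
}

// SampleBundles builds a constructed root -> intermediate hierarchy and returns the
// intermediate-only bundle (root stripped) and the complete chain, both as PEM.
func SampleBundles() ([]byte, []byte, error) {
	root, rootKey, err := newCA("Example Root CA", nil, nil)
	if err != nil {
		return nil, nil, err
	}
	inter, _, err := newCA("Example Intermediate CA", root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return toPEM(inter), toPEM(inter, root), nil
}

func main() {
	stripped, full, err := SampleBundles()
	if err != nil {
		panic(err)
	}
	for _, b := range []struct {
		name   string
		bundle []byte
	}{{"ca_chain as rendered (root stripped)", stripped}, {"complete chain", full}} {
		ok, walked, err := ChainTerminatesAtRoot(b.bundle)
		fmt.Printf("%s: terminates at root=%v walked=%v err=%v\n", b.name, ok, walked, err)
	}
}
```

The walk is order-independent because certificates are indexed by raw subject, so the same check works whether a bundle lists the leaf-most certificate first (the usual PEM convention) or the root first. If the check reports false for a mounted ca_chain, the consumer knows it has to obtain the root from a second source, which is exactly the situation the request describes.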