Rukpak clients should be able to get CA cert without getting access to CA key

[joelanford]

We use cert-manager to generate a rukpak-wide CA, and then use that CA to sign all of the certs for rukpak services. Clients of rukpak then need to read that CA to be able to verify connections to those rukpak services.

Currently, the situation is that clients read the rukpak-ca secret's data["ca.crt"] value to get the CA cert. However, that secret also contains the CA's key, which clients could use to sign more keys that would be trusted by anyone using the CA.

We need to ensure that the object read by clients contains only the CA cert. It seems like cert-manager does not support this out of the box (see cert-manager/cert-manager#2722 (comment)), so we may need to run our own controller that knows how to inject the CA into a separate configmap.

[awgreene]

We discussed this in the upstream meeting and it seems like we'll be updating the RukPak operator to include a controller that injects the CA into a separate configMap based on the presence of an annotation.

[github-actions]

This issue has become stale because it has been open 60 days with no activity. The maintainers of this repo will remove this label during issue triage or it will be removed automatically after an update. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.