Adds the CertificateRequest annotations section to the jep with

reference to the self signing private key secret requirement Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
2019-08-01 22:08:51 +01:00 · 2019-08-01 22:08:51 +01:00 · 21c237adaf
commit 21c237adaf
parent 8fa48c2148
1 changed files with 12 additions and 1 deletions
--- a/design/20190708.certificate-request-crd.md
+++ b/design/20190708.certificate-request-crd.md
@ -11,7 +11,7 @@ approvers:
  - "@munnerz"
 editor: "@joshvanl"
 creation-date: 2019-07-08
-last-updated: 2019-07-09
+last-updated: 2019-08-01
 status: implementable
 ---

@ -206,6 +206,17 @@ ownership of the default pool of issuers in the cert-manager project.
 Until the mutating webhook is fully implemented, we will handle defaulting
 internally in the controller.

+### CertificateRequest Annotations
+In order for `CertificateRequest` controllers to resolve requests, extra
+information may be needed that is not present in the API Spec. To pass on this
+information, a set of one or more annotations should be defined, with reliable
+value pairs. These are;
+
+- `certmanager.k8s.io/private-key-secret-name`: The name of the secret, in the
+  same namespace as the `CertificateRequest`, that stores the private key which
+  was used to sign the x509 certificate signing request. This is required by the
+ `SelfSigning` issuer to sign its own certificate.
+
 ### Test Plan

 Standard unit and end-to-end tests will be used to verify new behaviour, as used