feat(secrets): config-driven certificate vending backend#2881
Draft
wminckler wants to merge 1 commit into
Draft
Conversation
Make certificate vending a selectable, config-driven backend instead of
hardcoding it to the credential store's Vault client. This decouples PKI
issuance from credential storage and lays the seam for future non-Vault
(e.g. k8s/local-CA) backends.
- Introduce CertBackend { SharedVault | DedicatedVault } + factory
create_certificate_provider. SharedVault (the default) reuses the
credential Vault client, so existing deployments are unchanged.
- DedicatedVault is safe-by-construction: required non-Option address /
pki_mount_location / pki_role_name, no VAULT_* env fallback, and an
empty-string guard, so a partial config fails fast at startup instead
of silently re-pointing at the credential Vault.
- Add a [certificates] TOML section on CarbideConfig with a validating
conversion; selecting dedicated_vault without its settings errors.
- Resolve SPIFFE identity once from the site config and share it across
backends so certs mint under the same identity namespace.
Tests: config parse/convert (shared, dedicated, missing-section,
missing-field, unknown-field) and empty-required-field rejection.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Make certificate vending a selectable, config-driven backend instead of hardcoding it to the credential store's Vault client. This decouples PKI issuance from credential storage and lays the seam for future non-Vault (e.g. k8s/local-CA) backends.
Tests: config parse/convert (shared, dedicated, missing-section, missing-field, unknown-field) and empty-required-field rejection.
Related issues
#2880
Type of Change
Breaking Changes
Testing
Additional Notes