Description
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
I would like the option DisableTrustOnFirstUse for the OIDC provisioner too, just like the cloud provisioners (Azure, AWS, GCP). Ref.
https://github.com/smallstep/certificates/blob/master/authority/provisioner/azure.go#L117
Why is this needed?
I have integrated Smallstep CA with my Kubernetes environment, which has an OIDC-backed service account issuer. This enables my Kubernetes workloads to fetch certificates based on their service account token. The OIDC provisioner is brilliant for this purpose, as it fetches the signing key dynamically from the cluster OIDC endpoint (rather than hardcoding the service account signing key using the K8SSA provisioner). Sometimes the Kubernetes-based workloads crash and restart, but the service account token is not rotated on a container restart, forcing me to reschedule the error-prone pods to make them obtain a new and unused token. Allowing reuse of a token would simplify operations. Token reuse should still be disallowed by default (as-is), but possible to allow in scenarios where one can accept the risk.
If the change sounds reasonable, I would be happy to file PRs with the change. AFAIK, this would require changes in three repositories (smallstep/certificates, smallstep/linkedca, and smallstep/doc).
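As an added illustration of the behaviour this request discusses (one certificate per token by default, reuse only when an operator opts in), here is a minimal Go replay guard keyed on the token's `jti` claim with a `DisableTrustOnFirstUse` switch. This is example code written for this page, not code from smallstep/certificates, and it does not claim to mirror how step-ca tracks used tokens internally. The `ReuseGuard`, `Authorize` and `mintUnsigned` names, the claim subset and the sample token are constructed for the example; signature verification is assumed to have already happened against the issuer's JWKS before `Authorize` is called.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrTokenReused is returned when trust-on-first-use is enforced and the jti was already consumed.
var ErrTokenReused = errors.New("token already used: trust on first use is enforced")

// Claims is the subset of OIDC / service-account token claims this example looks at.
type Claims struct {
	Subject string `json:"sub"`
	JTI     string `json:"jti"`
	Exp     int64  `json:"exp"` // unix seconds
}

// decodeClaims parses the payload of a compact JWT. It deliberately does NOT verify the
// signature; a real CA checks the signature first against the issuer's published keys.
func decodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decoding payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("parsing claims: %w", err)
	}
	if c.JTI == "" {
		return c, errors.New("token has no jti claim; reuse cannot be tracked")
	}
	return c, nil
}

// ReuseGuard remembers consumed token IDs so each token yields one certificate, unless
// DisableTrustOnFirstUse is set, in which case the same token may be presented again.
type ReuseGuard struct {
	DisableTrustOnFirstUse bool

	mu   sync.Mutex
	used map[string]int64 // jti -> exp; entries are dropped once the token has expired
}

// Authorize checks expiry and, when trust-on-first-use is enforced, rejects a jti seen before.
func (g *ReuseGuard) Authorize(token string, now time.Time) (Claims, error) {
	c, err := decodeClaims(token)
	if err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	if g.DisableTrustOnFirstUse {
		return c, nil // reuse explicitly permitted by configuration
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.used == nil {
		g.used = make(map[string]int64)
	}
	for id, exp := range g.used { // prune IDs of tokens that can no longer be presented
		if now.Unix() >= exp {
			delete(g.used, id)
		}
	}
	if _, seen := g.used[c.JTI]; seen {
		return c, ErrTokenReused
	}
	g.used[c.JTI] = c.Exp
	return c, nil
}

// mintUnsigned builds a compact JWT with a placeholder signature; constructed sample input only.
func mintUnsigned(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	now := time.Unix(1_700_000_000, 0)
	tok := mintUnsigned(Claims{Subject: "system:serviceaccount:default:app", JTI: "constructed-jti-1", Exp: now.Add(time.Hour).Unix()})

	strict := &ReuseGuard{} // default: one certificate per token
	_, first := strict.Authorize(tok, now)
	_, second := strict.Authorize(tok, now.Add(time.Minute))
	fmt.Println("default:", first, "/", second)

	relaxed := &ReuseGuard{DisableTrustOnFirstUse: true} // restarted pod may reuse its token
	_, again := relaxed.Authorize(tok, now.Add(time.Minute))
	fmt.Println("disableTrustOnFirstUse:", again)
}
```

The guard only works if the token carries a unique `jti`; the used-ID set is bounded by token lifetime, which is why entries are pruned once their `exp` passes. Setting `DisableTrustOnFirstUse` trades that replay protection for operational convenience, which is the risk the request above says an operator must accept explicitly.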