Open
Description
Currently, we always issue Kerberos keytabs, which require us to know the password for each Kerberos user (and prevent us from rotating those passwords, to avoid locking out old pods).
PKINIT would allow us to reuse our existing TLS infrastructure instead, and to generate ephemeral keys like we do for TLS.
Open questions:
- Migrating existing applications?
- Does Java's Kerberos stack support the extension?
- What about AD?
- We need to give the CA(s) to the KDC (TrustStore?).
- What about Cert-Manager and other out-of-tree issuers?
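For reference, here is what the "give the CA(s) to the KDC" and "ephemeral keys instead of keytabs" parts look like in MIT krb5 configuration. This is an added example, not configuration from this project; the realm `EXAMPLE.COM`, the hostnames and all file paths are assumptions, and the client-side paths assume a short-lived certificate and key mounted into the pod in place of a keytab.

```ini
# kdc.conf (MIT krb5, KDC side). The KDC needs its own PKINIT certificate
# plus the CA(s) that issue client certificates. Realm and paths are assumed.
[realms]
    EXAMPLE.COM = {
        # Certificate and private key the KDC presents to PKINIT clients
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdc.key
        # Trust anchor(s): the CA(s) that sign the client certificates
        pkinit_anchors = FILE:/etc/pki/cluster-ca.pem
        # Require the client-auth EKU on client certificates (MIT default)
        pkinit_eku_checking = kpClientAuth
    }

# krb5.conf (client / pod side)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # CA used to verify the KDC's own PKINIT certificate
        pkinit_anchors = FILE:/etc/pki/cluster-ca.pem
        # Short-lived certificate and key mounted into the pod instead of a keytab
        pkinit_identities = FILE:/var/run/secrets/pkinit/tls.crt,/var/run/secrets/pkinit/tls.key
    }
```

With this in place a pod obtains a TGT with `kinit -X X509_user_identity=FILE:/var/run/secrets/pkinit/tls.crt,/var/run/secrets/pkinit/tls.key user@EXAMPLE.COM` (paths assumed as above) and no password or keytab is involved; the client certificate must identify the principal, normally through a PKINIT subject alternative name, so whichever issuer mints the certificates (in-tree or Cert-Manager) has to put that name in. Rotating a pod's certificate then only requires re-issuing it, and the KDC trusting a new CA only requires updating `pkinit_anchors`.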