Open
Description
Is your feature request related to a problem? Please describe.
We previously added support for client certificates contained in the system Keychain to pomerium-cli.
When used in kubectl exec-info mode along with a route that requires a client certificate to be presented, the communication would fail with:

```
kubectl get pods
Error from server (Forbidden): unknown (get pods)
```
In k8s exec-credential mode, we currently fill some of the ExecCredentials parameters but not the client certificate data.
Some considerations for key selection:
- kubectl is called frequently, and the certificate selection pop-up on every command would be a major inconvenience.
- the client certificate key, in principle, may not be exportable from the keychain.
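
For reference, an added example (not pomerium-cli code) of the ExecCredential output that would carry client certificate data, and why a non-exportable key blocks it. The struct is a local mirror of the `client.authentication.k8s.io/v1` JSON shape, `BuildExecCredential` is a hypothetical helper, and all values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Local mirror of the client.authentication.k8s.io/v1 ExecCredential JSON
// shape, defined here so the example needs no Kubernetes modules.
type ExecCredentialStatus struct {
	ExpirationTimestamp   string `json:"expirationTimestamp,omitempty"`
	Token                 string `json:"token,omitempty"`
	ClientCertificateData string `json:"clientCertificateData,omitempty"`
	ClientKeyData         string `json:"clientKeyData,omitempty"`
}

type ExecCredential struct {
	APIVersion string               `json:"apiVersion"`
	Kind       string               `json:"kind"`
	Status     ExecCredentialStatus `json:"status"`
}

// BuildExecCredential (hypothetical helper) assembles the plugin output.
// certPEM and keyPEM travel together as PEM text: a certificate whose private
// key cannot be exported from the keychain cannot be handed over this way.
func BuildExecCredential(token, certPEM, keyPEM, expiry string) ([]byte, error) {
	if token == "" && certPEM == "" && keyPEM == "" {
		return nil, errors.New("no token or certificate/key pair")
	}
	if (certPEM == "") != (keyPEM == "") {
		return nil, errors.New("certificate and key must both be set or both be empty")
	}
	return json.Marshal(ExecCredential{
		APIVersion: "client.authentication.k8s.io/v1",
		Kind:       "ExecCredential",
		Status: ExecCredentialStatus{ExpirationTimestamp: expiry, Token: token,
			ClientCertificateData: certPEM, ClientKeyData: keyPEM},
	})
}

func main() {
	// Constructed placeholder values, not real credentials.
	cert := "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
	out, err := BuildExecCredential("constructed-token", "", "", "2030-01-01T00:00:00Z")
	fmt.Println(string(out), err) // token-only output, as filled today
	_, err = BuildExecCredential("constructed-token", cert, "", "")
	fmt.Println(err) // certificate without an exportable key is rejected
}
```

The both-or-neither check mirrors the validation kubectl's exec plugin client applies to plugin output, so a keychain identity with a non-exportable key cannot be delivered through `clientKeyData`.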