Custom authentication header in issuer's request to /sign endpoint #341
Description
My setup has a step-ca running on a central K8s cluster, configured with a JWK provisioner and several step-issuers running on separate remote K8s clusters. The issuers will send signing requests to the central step-ca to get signed certificates.
I was wondering how to implement authentication between the issuers and step-ca. I don't want to introduce another credential or mTLS certificate, as it would become a distribution problem.
My idea is to use a gateway in front of the step-ca server, validate the signing request based on a custom header and approve/deny. The header value is a short-lived token, to be precise a JWT token created off the Service Account, which the gateway can validate against the cluster's JWKS key.
But I couldn't find a way to include this custom header in the issuer's request to the /sign endpoint. Has anyone had similar requirements in the past?