update logic for cert and key #98
Compare 1480313 to d5a4d58
err := errors.Errorf("cert key is not exportable") | ||
return "", wrapObjectTypeError(err, objectType, objectName, objectVersion) | ||
} | ||
secretBundle, err := kvClient.GetSecret(ctx, *vaultURL, objectName, objectVersion) |
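Review bot: `errors.Errorf("cert key is not exportable")` is called with a constant message and no format verbs, so `errors.New` says the same thing without implying formatting; routing it through `wrapObjectTypeError` with the object type, name and version is the right call, since the bare message alone does not identify which object failed.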
NOTE: The sync k8s secrets logic in the csi driver will need to be updated to look for the private key from the secret instead of the cert. This is not backward compatible. We should make a note of this in the readme and the release note after we cut a new release from both repos.
There wouldn't be a change in logic, right? Instead of the object type being `cert`, the user would need to change object type to `secret` to get both the private key and certificate? https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml#L21-L22
Opened an issue to track that - #106
Yea you are right. I thought there was an e2e that tests this logic which would need to be updated, but I guess not. We should add one :)
lgtm
What this PR does / why we need it:
- If `cert` is provided, only the certificate in PEM format is written to the file.
- If `secret` is provided, the certificate and private key in PEM format are written to the file.
- If `key` is provided, only the public key in PEM format is written to the file.
This is similar to the behavior currently supported with `az keyvault <secret | certificate> download`.
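As an added illustration (not code from this PR or from the provider), the three object-type rules above applied to a cert-plus-key PEM bundle, assuming an EC private key as in the PR's test certificate; `selectPEM` and `sampleBundle` are names chosen here, and the bundle is constructed at runtime as test data:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)
// selectPEM filters a cert+key PEM bundle: cert -> CERTIFICATE blocks, secret -> everything, key -> public key only.
func selectPEM(objectType string, bundle []byte) ([]byte, error) {
	var out []byte
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		switch {
		case objectType == "secret", objectType == "cert" && block.Type == "CERTIFICATE":
			out = append(out, pem.EncodeToMemory(block)...)
		case objectType == "key" && block.Type == "EC PRIVATE KEY":
			priv, err := x509.ParseECPrivateKey(block.Bytes)
			if err != nil {
				return nil, err
			}
			der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey) // public half only, never the private scalar
			if err != nil {
				return nil, err
			}
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})...)
		}
	}
	if len(out) == 0 { // nothing matched, which also covers an unknown object type
		return nil, fmt.Errorf("no material for object type %q in bundle", objectType)
	}
	return out, nil
}

// sampleBundle returns a constructed, throwaway P-256 key and self-signed cert (test data only), cert first then key.
func sampleBundle() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key we just generated
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...), nil
}
```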
Commands used to generate EC certificate
Which issue(s) this PR fixes (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged):
Fixes #
Special notes for your reviewer: