update logic for cert and key #98
Conversation
aramase
force-pushed
the
ec
branch
7 times, most recently
from
1480313
to
d5a4d58
Compare
| err := errors.Errorf("cert key is not exportable") | ||
| return "", wrapObjectTypeError(err, objectType, objectName, objectVersion) | ||
| } | ||
| secretBundle, err := kvClient.GetSecret(ctx, *vaultURL, objectName, objectVersion) |
There was a problem hiding this comment.
NOTE: The sync k8s secrets logic in the csi driver will need to be updated to look for the private key from the secret instead of the cert. This is not backward compatible. We should make a note of this in the readme and the release note after we cut a new release from both repos.
There was a problem hiding this comment.
There wouldn't be a change in logic, right? Instead of the object type being cert, the user would need to change object type to secret to get both the private key and certificate? https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml#L21-L22
There was a problem hiding this comment.
Opened an issue to track that - #106
There was a problem hiding this comment.
Yea you are right. I thought there was an e2e that tests this logic which would need to be updated, but I guess not. We should add one :)
What this PR does / why we need it:
certis provided, only the certificate in PEM format is written to the file.secretis provided, the certificate and private in PEM format are written to the file.keyis provided, only the public key in PEM format is written to the file.This is similar to the behavior currently support with
az keyvault <secret | certificate> downloadCommands used to generate EC cerfificate
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: