Add support for passwordless pkcs12 keystore #6783

Open
jalvarezit opened this issue Feb 21, 2024 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@jalvarezit

Is your feature request related to a problem? Please describe.
I would like to push a cert-manager generated certificate to Azure Key Vault using External Secrets Operator. We need to use the certificate in an Azure Application Gateway and it only accepts PKCS12 format.

However, External Secrets Operator only allows passwordless PKCS12 certificates:

The first step is to generate a valid P12 certificate. Currently, only PKCS1/PKCS8 types are supported. Currently only password-less P12 certificates are supported.

Describe the solution you'd like
Add the option to create a passwordless PKCS12 keystore by not specifying the passwordSecretRef key.

Describe alternatives you've considered
Manually managing the certificates or using a different kubernetes operator.

Additional context
This is also related to #6269

/kind feature
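Until cert-manager can emit the bundle itself, the manual route the issue alludes to is to take the tls.key / tls.crt pair cert-manager writes to its Secret and export the PKCS#12 with openssl. The script below is an added example (it is not cert-manager's or external-secrets' code) that builds that bundle two ways and checks each one opens, because "passwordless" is ambiguous in PKCS#12: an empty-string password still encrypts the bags and MACs the file, whereas -keypbe NONE -certpbe NONE -nomac produces a file with no password-derived material at all. It assumes openssl (1.1.1 or 3.x) is on PATH; the self-signed key/cert it generates is a constructed stand-in for the real Secret contents, and WORK, the function names and the file names are the example's own.

```shell
#!/bin/sh
# Added example, not cert-manager's or external-secrets' code. Builds the
# "passwordless" PKCS#12 that Key Vault / external-secrets want from the
# tls.key and tls.crt a cert-manager Secret holds, then checks the result.
# Assumptions: openssl 1.1.1 or 3.x on PATH; $WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the cert-manager Secret: a throwaway self-signed
# key/cert. Against a real cluster you would pull the pair instead, e.g.
#   kubectl get secret my-certificate-secret -n mynamespace \
#     -o jsonpath='{.data.tls\.key}' | base64 -d > "$WORK/tls.key"
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.crt" >/dev/null 2>&1
}

# Variant 1: empty-string password. Key and cert bags are still encrypted and
# a MAC is still present; the password is simply "". This is what most
# consumers mean by "passwordless".
export_empty_password_p12() {
  openssl pkcs12 -export -inkey "$WORK/tls.key" -in "$WORK/tls.crt" \
    -name tls -passout pass: -out "$WORK/empty-pass.p12"
}

# Variant 2: no bag encryption and no MAC. Nothing in the file is keyed by a
# password, so there is no "" vs NULL ambiguity for the importer, but the
# private key sits in plaintext inside the file.
export_unencrypted_p12() {
  openssl pkcs12 -export -inkey "$WORK/tls.key" -in "$WORK/tls.crt" \
    -name tls -keypbe NONE -certpbe NONE -nomac -passout pass: \
    -out "$WORK/noenc.p12"
}

# Returns 0 if the bundle opens with the given password (MAC check + decrypt).
p12_opens_with() { # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Same check for a bundle built with -nomac: -nomacver is required on
# OpenSSL 1.1.1, which reports a missing MAC as a verification failure.
p12_opens_without_mac() { # $1 = file
  openssl pkcs12 -in "$1" -nomacver -passin pass: -noout >/dev/null 2>&1
}

# Prints the bag encryption and MAC details so you can see which variant
# you actually produced (-info writes to stderr).
p12_describe() { # $1 = file
  openssl pkcs12 -in "$1" -info -nokeys -noout -nomacver -passin pass: 2>&1
}

if [ "${1:-}" = "demo" ]; then
  make_test_cert
  export_empty_password_p12
  export_unencrypted_p12
  p12_opens_with "$WORK/empty-pass.p12" "" && echo 'empty-pass.p12: opens with ""'
  p12_opens_with "$WORK/empty-pass.p12" "x" || echo "empty-pass.p12: wrong password rejected by MAC check"
  p12_opens_without_mac "$WORK/noenc.p12" && echo "noenc.p12: opens, no MAC, no encryption"
  p12_describe "$WORK/empty-pass.p12"
  p12_describe "$WORK/noenc.p12"
fi
```

Run it as `sh passwordless-p12.sh demo`. Which variant a given importer accepts is the importer's choice, not OpenSSL's: try the empty-string bundle first, and only fall back to the unencrypted one if the consumer rejects it, since the second variant leaves the key unprotected at rest in the file.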

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 21, 2024
schedin commented Apr 23, 2024

I would also like this feature. Just for information this is the error message I get if I try (with cert-manager 1.14) with a password set to the empty string.

$ kubectl create secret generic example-com-tls-keystore -n mynamespace --from-literal=password=""

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: mynamespace
spec:
  secretName: my-certificate-secret
  commonName: "myName"
  issuerRef:
    name: ca-issuer
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: example-com-tls-keystore
        key: password

E0423 13:30:13.858226       1 controller.go:167] "re-queuing item due to error processing" err="failed to add keystores to Secret: PKCS12 keystore password Secret contains no data for key \"password\"" logger="cert-manager.certificates-issuing" key="mynamespace/my-certificate"

deggja commented May 27, 2024

Not sure if it helps anyone, but I created a small operator to solve this for myself using Azure Key Vault as the certificate store and workload identity. Might be useful for someone until the support for passwordless pkcs12 is implemented in cert-manager.

@philipp-durrer-jarowa

FYI looks like this was solved on external-secrets side too: external-secrets/external-secrets#3101 (comment)
