New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allowing alternative Secret output formats (e.g. single .pem file priv/cert output) #843
Comments
Thanks for the request. There have been similar requests for additional fields or alternative field names to be provided in the resulting secret resource. My main gripe here, is that this creates extra complexity, and thus confusion for users, in how we should behave if a certificate resource is 'out-of-sync', i.e. if the secret is missing a There's numerous edge-cases to handle, and I'd like to know that you problem can't be otherwise solved before we introduce the complexity 😄. Could you describe your use-case a bit further? For something the likes of Apache2, which does not (as far as I know) support having separate key and cert files, I see the following:
In order to trigger Apache2 to actually reload the cert pem, you will need to provide some glue that sends a SIGHUP when the file changes. If you have to create/configure this glue already, an additional piece that observes either the key or pem changing on disk and automatically calls This ultimately achieves what you are looking for, and will still allowing inotify events etc to be fired, meaning you can easily trigger reloads in reaction to these files changing on disk 😄. Perhaps your use case cannot be solved with this kind of solution? It'd be great to hear more 😄 |
Hi. First, thank you for your reply.
Here, I would like to fetch pem from the Let's encrypt Issuer, but I didn't found it and how to get it. As I can't store it into the container into the dockerfile,
Here my actual config :
The volume part :
Then In the docker entrypoint script, I do this :
And use finally the /ssl/certificate.pem as PEM into my hitch configuration. An other way I tried, was to patch the secret by adding the pem into the secret. Like this :
With a yaml like this
but here, I got an error about base 64 encode string too long Do you have a better way? |
+1 I have to do exactly the same for my Haproxy, which is starting to be default ingress in Kuber, and require .pem format as well |
Without it, it's a huge pain in the ass to make HAProxy (and all other software which needs a single |
+1 it's a blocker for me too |
Guys that would a great addition. |
Issues go stale after 90d of inactivity. |
Maybe this could instead be implemented by allowing a "post-processing" step before the secret is created, if that's somehow simpler than specifying alternative output formats? |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
/remove-lifecycle rotten We have a similar need for getting .pem files as output. Our use case is, that we are running opendistro for elasticsearch in a kubernetes cluster and do not want to build the pki ourself. |
This is something we'd like to support in cert-manager, but we're uncertain on how it should best be done. If anyone has any insight on what we could do here, a few things at the front-of-mind:
Should these fields be related? How can we represent this in our API? /lifecycle frozen |
This is an issue when installing applications with built-in certificate management (eg. elasticsearch and xpack security). Is there any known workaround to continue using cert-manager in such instances? |
There are multiple axes of encodings standards, there's PEM and DER, and there's PKCS*. So you can have PEM encoded PKCS1, DER encoded PKCS8, PEM encoded PKCS8 etc. PKCS* is more commonly referred to as the format (in some places its called the syntax), while PEM and DER are the ascii and binary encodings of whichever format you've chosen, and so are more commonly referred to as the encoding. That said, openssl just calls them all formats. It's really a mess. If it were me, I this is what I would do:
JVM apps, with the out of the box JDK crypto libraries, can only read keys in either PKCS8 DER encoding, or PKCS12 key stores (there's also JKS but let's just pretend that doesn't exist). PKCS12 key stores is in some cases more convenient, a PKCS12 file contains both the key and the cert chain, and you can make many of the standard network APIs in Java use your key store by setting a single system property. However, there are many cases where a PKCS8 DER encoded private key is necessary, for example, the postgres jdbc driver requires a PKCS8 DER encoded private key. So, I think it would be useful to add PKCS12 support. Note that if PKCS12 were used, you would probably call the output file |
Along with #586, we keep getting hit by this. We are not comfortable about creating a PR since our knowledge about these is limited and we keep getting lost in the terminology used by openssl and java tools, i can see some of the reasons in @jroper's above post. I guess many others are in a similar status, so for so long we've not been getting a PR this :( |
Adding my support to the PEM format here. I am using HAProxy in docker (edge server outside cluster) and all the PEMs are in one directory. If I use Cert-manager I get a list of individual secrets, which I would need to copy individually, reload the HAproxy config, every time there is certificate events. I am too new to Kubernetes to know how to do this, perhaps if someone has sample code to show the strategy. |
I am also requesting .PEM format support. I am using dovecot inside a docker image that runs inside a k8 pod. |
now we have |
We're taking on this for the v1.1 release, pkcs#12 and jks support already solves many of the usecases described above. Similar to this it would be nice to add "single PEM" support in something like: apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: crt
spec:
secretName: crt-secret
dnsNames:
- foo.example.com
- bar.example.com
issuerRef:
name: letsencrypt-prod
keystores:
pkcs12:
create: true
cobinedPEM:
create: true using the logic of the already present alternate keyStores. |
Would it be possible to add support for |
@GrandChaman hey can you file a separate issue for that? that will make it easy to track and assign this! |
Adding an additional use case. The spec for the webhookclientconfig takes a PEM encoded bundle. If the secret produced by cert-manager produced a pem file it would drastically reduce the overhead for the setup/maintenance for the ValidatingWebhookConfiguration for the nginx-ingress controller. |
We also have this exact similar use case for MongoDB deployments, Mongo expects certs to be in pem format , so we are converting the certs generated by cert-manager into pem format but as a result when ever cert-manager rotates certs mongo can't consume the same directly and even if I write a k8's cron job it won't be full proof because there will be some time delay on when certs are renewed vs when cron triggers and there may be some intermediate downtime |
@meyskens the pem creation, is this being picked in any of the upcoming releases ? |
Another one seeking this |
Maybe we could have a CSI driver that would do exactly that? I was imagining something like: apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: my-frontend
image: busybox
volumeMounts:
- mountPath: "/tls"
name: tls
command: [ "sleep", "1000000" ]
volumes:
- name: tls
csi:
driver: pem-merger.csi.cert-manager.io
volumeAttributes:
pem-merger.csi.cert-manager.io/secret: my-tls-secret The CSI driver would read the TLS Secret, and write a -----BEGIN RSA PRIVATE KEY-----
# Content of tls.key
MIIEpAIBAAKCAQEAz5DYA7iEBFq/SrCOTsjiYSHlHbTUdLyzselos5cE2++Huon3
tSK2ayFX1wQ3PuEmewAogy/20tWo80cr556AXA62Utl2PzLK30Db8w==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
# Content of tls.crt
MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
kQ7ALfUfUh/RUpCV4uI6sEI3NDX2YqQbOtsBD/hNaL1F85FA
-----END CERTIFICATE----- The CSI driver would also have to watch the Secret and reload the |
A CSI driver seems like a good idea to add this feature for those who need it, and could even be a generic secret transformer driver containing different templates for other kinds of transformations! |
Woah, CSI drivers seem quite involved. I read through cert-manager's csi-driver and csi-driver-hostpath and I felt overwhelmed. Maybe the "Secret controller" road is easier? I propose using a tiny controller secret-transform that takes the apiVersion: v1
kind: Secret
metadata:
annotations:
cert-manager.io/secret-transform: tls.pem
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg== The new data key will be created with the name apiVersion: v1
kind: Secret
metadata:
annotations:
cert-manager.io/secret-transform: tls.pem
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg==
tls.pem: LS0tLS1CRUdJTiBSUXc0ZHk3NTNl...kQgQ0VSVElGSUNBVEUtLS0tLQo= # ✨ What do you think? (Please try out https://github.com/maelvls/secret-transform so that we can decide whether it is a good approach or not) |
and
It seems like OpenDistro for Elasticsearch (or "OpenSearch" nowadays) can be configured using a PKCS#8 PEM-encoded private key file and a chain of PEM-encoded X.509 certificates, which means it is compatible with Secret resources' I also looked at the Open Distro Helm chart and it seems like everything can be configured with plain Secret resources.
and
As of 42.2.9 (Dec 2019), the PostgreSQL JDBC driver is compatible with PKCS#12 using the |
/kind feature
When we describe the generated secret, we can see tls.key and tls.crt. But if we want to get the pem output, we have to concat both to obtain it.
The problem : If a container need a secret field (PEM file) as a mounted volume, we can't mount it from the secret api.
Could be great if the CertManager generate the PEM and store it as a key to the secret.
Now we have this :
Could be great to do this :
The text was updated successfully, but these errors were encountered: