Bundle generating empty truststore.p12 when no password is provided #296
Comments
I tested this a bit locally and I think what's happening is simply that keytool can't parse the file. Still worth a fix, but we're not making an empty p12 - we're just making one that keytool can't read. Our tests do check that a passwordless file can be read - but obviously they're using our pkcs12 library which can read passwordless files. The library says this:
I've confirmed that the following patch creates a passwordless PKCS#12 file that keytool can read:

diff --git a/pkg/bundle/sync.go b/pkg/bundle/sync.go
index 1966af0..ea36eaf 100644
--- a/pkg/bundle/sync.go
+++ b/pkg/bundle/sync.go
@@ -320,7 +320,13 @@ func (e pkcs12Encoder) encode(trustBundle string) ([]byte, error) {
})
}
- return pkcs12.LegacyRC2.EncodeTrustStoreEntries(entries, e.password)
+ encoder := pkcs12.LegacyRC2
+
+ if e.password == "" {
+ encoder = pkcs12.Passwordless
+ }
+
+ return encoder.EncodeTrustStoreEntries(entries, e.password)
}
// syncConfigMapTarget syncs the given data to the target ConfigMap in the given namespace.

And I've also confirmed that the resulting file is readable by our tests. I'd like to check with the team if we're happy to make that change in general.
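Review bot: The `if e.password == ""` fallback to `pkcs12.Passwordless` silently changes the security properties of the output: a store built by that encoder carries neither encryption nor a password-derived MAC, so a caller that leaves the password unset by mistake gets an unauthenticated trust store with no warning. Add a comment above the `if` stating that an empty password intentionally means an unprotected store, mirror that in the user-facing documentation for the PKCS#12 format option, and add a unit test that encodes with an empty password and decodes the result so the new branch is pinned.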
Thanks for the investigation, @SgtCoDFish! I submitted the PR adding PKCS#12 support, and I should have tested the truststore with
I used the below config to create a pkcs12 additional format bundle without a password, but the created truststore is empty.
The secret contains the required bundle, but the truststore.p12 is empty.
The result remains the same when I use a configmap source.