Format certificates to separate out pem and key #86
Overall looks fantastic 😍 small question
templaterenderer/templaterenderer.go
Outdated
if *secret.ContentType == "application/x-pkcs12" { | ||
key := cloneSecret(secret) | ||
*key.Value = certutil.PemPrivateKeyFromPkcs12(*secret.Value) | ||
results[secretName+".key"] = secrets.Secret(key) |
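Review bot: the `if` condition dereferences `*secret.ContentType` with no nil check, so a secret that carries no content type would panic here; guard it with `secret.ContentType != nil &&` first. In the same hunk, `certutil.PemPrivateKeyFromPkcs12(*secret.Value)` is assigned as a single value, so a PKCS12 parse failure has no error path at this call site; consider having it return an error and skipping the `.key` entry on failure rather than storing whatever comes back.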
I think `key` is already a `secrets.Secret` -- what happens if you just do `results[secretName+".key"] = key`?
Yep that isn't needed anymore - I'll commit that change
We should also update the README's list of helpers: azure-key-vault-agent/README.md Line 141 in 5e0774c
Looks great, thank you for the new feature :)
Summary
This change adds a new template helper, `expandFullChain`, that will take a map of secrets and separate out the pem and key file if the secret is a certificate.

Some modules were also updated to address the open dependabot PRs. In order to bump the package versions, we also had to update Go to version 1.17.x.
Manual Testing
A few conditions were tested:
- `expandFullChain` template helper works with both PEM and PKCS12 files
- `GetSecrets` has been updated to not pull down disabled secrets by default)

Testing configuration and output:
Caveat
`expandFullChain` is only expected to be used on the `all-secrets` kind. Like the `toValues` template helper, `expandFullChain` will throw an error if you try to use it on an individual secret or certificate. The intended behavior and use is reflected in the README.
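
An added example (not code from this PR or the project) of the PEM half of the split the summary describes: it separates a combined PEM bundle into its certificate chain and its private key using only Go's standard library. `splitPEMBundle` and `sampleBundle` are hypothetical names, the sample bundle is constructed placeholder data rather than real DER, and PKCS12 input is not handled.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// splitPEMBundle (hypothetical helper) splits a combined PEM secret into chain and key.
func splitPEMBundle(bundle []byte) (chain, key []byte, err error) {
	var chainBuf, keyBuf bytes.Buffer
	block, rest := pem.Decode(bundle)
	for ; block != nil; block, rest = pem.Decode(rest) {
		switch {
		case block.Type == "CERTIFICATE":
			pem.Encode(&chainBuf, block) // keep leaf and intermediates in input order
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			if keyBuf.Len() > 0 {
				return nil, nil, errors.New("more than one private key in bundle")
			}
			pem.Encode(&keyBuf, block)
		default:
			return nil, nil, fmt.Errorf("unexpected PEM block %q", block.Type)
		}
	}
	// Reject leftovers so a truncated or corrupted final block is not silently dropped.
	if len(bytes.TrimSpace(rest)) > 0 {
		return nil, nil, errors.New("trailing non-PEM data in bundle")
	}
	if chainBuf.Len() == 0 || keyBuf.Len() == 0 {
		return nil, nil, errors.New("bundle needs a certificate and a private key")
	}
	return chainBuf.Bytes(), keyBuf.Bytes(), nil
}

// sampleBundle builds a constructed bundle: placeholder bytes, not real DER.
func sampleBundle() []byte {
	var b bytes.Buffer
	pem.Encode(&b, &pem.Block{Type: "PRIVATE KEY", Bytes: []byte("constructed-key")})
	pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed-leaf")})
	pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed-ca")})
	return b.Bytes()
}

func main() {
	chain, key, err := splitPEMBundle(sampleBundle())
	fmt.Printf("chain=%d bytes key=%d bytes err=%v\n", len(chain), len(key), err)
}
```

When the two outputs are written to disk, the key file should get tighter permissions than the chain file, since only the key is secret.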