-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specialise Bundle
for X.509 Certificates
#44
Comments
@SgtCoDFish Would it make sense to consider this issue in relation to #243 and the new API version planned, ref. #242? I think it's a fair assumption to consider all bundle sources as PEM-encoded certificates now. If this breaks for users, we could just say that we're fixing a bug. 😉 |
I'd forgotten about this! I actually made the (then-breaking) change to force all inputs to be valid PEM already: #75 - that means this issue is partially done. The other part of this issue was to add the ability to specify sources of a different type, e.g. JKS, PKCS#12 or DER. I guess that makes this issue a bit redundant. I agree this is kinda related to the issues you raised. Maybe this issue could be simplified now that #75 does part of it? |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
Rotten issues close after 30d of inactivity. |
@cert-manager-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
(This is a follow up from discussions which took place in the cert-manager biweekly meeting on 2022-07-27)
Currently
Bundle
is essentially a Kubernetes implementation of the Unixcat
command - it takes several text inputs and concatenates them into an output. This allows it to be agnostic to the type of thing it's concatenating, but it has a few shortcomings:For example, it's currently essentially impossible to create a TLS trust
Bundle
which includes as inputs a list of PEM certificates and separately a DER-encoded certificate, and produce an output in any meaningful format. Without context, we can't decode the base64-encoded binary data for the DER certificate or convert it to PEM, and we can't concatenate a PEM input certificate with a DER certificate without doing some conversion beforehand.It would also be desirable to support outputting in PEM or JKS or other keystore types.
Proposal
What was discussed in the biweekly meeting was the following:
Bundle
as it exists today becomes specialised for X.509 certificates (specifically for the purposes of creating TLS trust bundles, but we can support X.509 more widely)Example
This would produce an output containing all the certs in "my-pem-certs" with the cert in "my-der-cert" appended to the end. The output would be in PEM format.
The text was updated successfully, but these errors were encountered: