Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

About Target JKS/PKCS12 password - Not in the generated target configMap/Secret #428

Open
Ceddaerrix opened this issue Aug 30, 2024 · 1 comment

Comments

@Ceddaerrix
Copy link

Ceddaerrix commented Aug 30, 2024

I have recently discovered trust-manager and started experimenting with it.
To me, the part about JKS/PKCS12 password lacks some clarity:

Looking to use the bundle outcome (as a secret) with Jenkins for the HTTPS keystore (see https://github.com/jenkinsci/helm-charts/blob/e60a42b6e11f41328f73c4a90bcbcce14f535165/charts/jenkins/values.yaml#L836-L846), I was under the impression that the JKS/PKCS12 password would be included into the generated secret.
Unfortunately, tests showed that it is not the case...

  1. Would it possible to set spec.target.additionalFormats.jks.password/spec.target.additionalFormats.pkcs12.password from a secret reference and key?
  2. Would it be possible to have that password included in to the generated secret, or a separate one?
@Ceddaerrix Ceddaerrix changed the title About Target JKS/PXCS12 password - Not in the generated target configMap/Secret About Target JKS/PKCS12 password - Not in the generated target configMap/Secret Sep 3, 2024
@erikgb
Copy link
Contributor

erikgb commented Oct 5, 2024

Hi @Ceddaerrix, this seems to be a multi-purpose issue. 😉

It seems like the trust-manager API documentation is out-of-date. Thanks for letting us know! I will look into what's happened here.

Would it possible to set spec.target.additionalFormats.jks.password/spec.target.additionalFormats.pkcs12.password from a secret reference and key?

Why do you need this? It would make the controller mechanics considerably more complex. Passwords on JKS/PKCS#12 keystores/truststores do not make things more secure and should be considered legacy. There is a note about them in our FAQ: https://cert-manager.io/docs/faq/#why-are-passwords-on-jks-or-pkcs12-files-not-helpful

Would it be possible to have that password included in to the generated secret, or a separate one?

Why? If you think the keystore/truststore password represent anything useful, you should keep it separate from the keystore/password and manage it independently. 😸

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants