Closed g-bohncke closed 2 months ago
Looking more into the issue, it doesn't seem to be an issue with the operator, because this code https://github.com/TykTechnologies/tyk-operator/blob/master/pkg/client/dashboard/cert.go#L76 actually does a correct upload. So it seems the root of this is in the GW and Dashboard code.
Thank you @g-bohncke for raising it. Currently, we are investigating it.
After a lot of trying I figured out what is going wrong, and sadly it's due to line breaks. If the Secret tls.crt & tls.key are not created with a line break at the end, the import will go wrong,
resulting in trying to import
-----BEGIN CERTIFICATE----- some inter cert -----END CERTIFICATE----------BEGIN RSA PRIVATE KEY----- the private key -----BEGIN RSA PRIVATE KEY-----
I would suggest making the code more robust by altering https://github.com/TykTechnologies/tyk-operator/blob/master/pkg/client/dashboard/cert.go#L76 to:

combined := make([]byte, 0)
combined = bytes.TrimSpace(append(combined, key...)) // bytes.TrimSpace: combined is a []byte, not a string
combined = append(combined, '\n')                    // single byte, so the END and BEGIN markers never share a line
combined = bytes.TrimSpace(append(combined, crt...))
body := &bytes.Buffer{}
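To show why the missing line break matters, here is an added example (not code from tyk-operator or from the commenter) that feeds a naive key+cert concatenation and a newline-separated one through Go's encoding/pem and lists the blocks each yields. The PEM bodies (`AAAA`, `BBBB`) are constructed placeholders, not real key material.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
)

// Constructed sample blocks. The key deliberately lacks the trailing newline
// that a hand-made Secret often omits; the cert has one.
var (
	sampleKey = []byte("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----")
	sampleCrt = []byte("-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n")
)

// pemBlockTypes returns the types of every PEM block encoding/pem can
// recover from data, in order. A run-together END/BEGIN line breaks the
// END-line check, so the parser stops before the first block completes.
func pemBlockTypes(data []byte) []string {
	var types []string
	rest := data
	for {
		block, next := pem.Decode(rest)
		if block == nil {
			return types
		}
		types = append(types, block.Type)
		rest = next
	}
}

// naiveCombine appends key then cert with nothing in between, mirroring a
// plain append: without a trailing newline on the key, the result contains
// "-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----" on one line.
func naiveCombine(key, crt []byte) []byte {
	combined := make([]byte, 0, len(key)+len(crt))
	combined = append(combined, key...)
	return append(combined, crt...)
}

// robustCombine trims surrounding whitespace from each part and joins them
// with exactly one newline, so every marker starts on its own line whether
// or not the input had a trailing line break.
func robustCombine(key, crt []byte) []byte {
	parts := [][]byte{bytes.TrimSpace(key), bytes.TrimSpace(crt)}
	return append(bytes.Join(parts, []byte("\n")), '\n')
}

func main() {
	fmt.Println("naive :", pemBlockTypes(naiveCombine(sampleKey, sampleCrt)))  // []
	fmt.Println("robust:", pemBlockTypes(robustCombine(sampleKey, sampleCrt))) // [RSA PRIVATE KEY CERTIFICATE]
}
```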
I noticed that when a secret contains a full chain in the tls.crt it gets wrongly imported into Tyk OSS and stored in redis.
When I have an ApiDefinition that refers to a secret
The tls.crt would contain a leaf + intermediate + root
This will result in Redis only storing the inter and the root, a lot of errors on the operator trying to re-upload the cert and not finding the cert with that same identifier, and errors on the Gateway about not being able to find the cert.
Whereas with a cert only containing the leaf, it would result in a working application and the following result in Redis
Are intermediates not supported? Even if the root is stored in the ca.crt and not in the tls.crt, the same issue persists.
This issue is Tyk specific, since the same secrets work fine with the nginx ingress controller and are also in line with the cert-manager.io documentation: https://stackoverflow.com/questions/45796058/how-do-i-add-an-intermediate-ssl-certificate-to-kubernetes-ingress-tls-configura https://cert-manager.io/docs/configuration/ca/ According to cert-manager: "Note: If your issuer represents an intermediate, ensure that tls.crt contains the issuer's full chain in the correct order: issuer -> intermediate(s) -> root. The root (self-signed) CA certificate is optional, but adding it will ensure that the correct CA certificate is stored in the secrets for issued Certificates under the ca.crt key. If you fail to provide a complete chain, it might not be possible for consumers of issued Certificates to verify whether they're trusted."