cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Using `trust-manager` for generating keystores #283

Closed k8ieone closed 5 months ago

k8ieone commented 5 months ago

We have an application that sources private keys stored in a .jks keystore.

I wanted to use trust-manager for generating these keystores from .pem private key files, but it seems this is not a supported use case as of now.

`invalid PEM block in bundle: only CERTIFICATE blocks are permitted but found 'PRIVATE KEY'`

I knew the chances of this just working were slim, since the documentation only talks about truststores and trust bundles.

Do you think this could be a supported use case in the future? Is there a different project that does this?

erikgb commented 5 months ago

@k8ieone I am not sure if I understand your use case. Are you looking for an operator to convert PEM to JKS in general? I am not aware of any - if that's what you are looking for.

k8ieone commented 5 months ago

@erikgb Yes, trust-manager can take a bunch of certificates in .pem format (text starting with `-----BEGIN CERTIFICATE-----`) and create a jks trust store.

In my case, I don't want to add certificates into the jks, but private keys: `-----BEGIN PRIVATE KEY-----`.

erikgb commented 5 months ago

The goal of trust-manager is specifically the distribution of trust anchors, and not a generic format converter.

Some suggestions for your use case:

- migrate the application to support PEM format (JKS is somehow deprecated)
- add an init-container to the application pod to convert from PEM to JKS using the standard JDK `keytool` CLI.

I am going to close this issue as not relevant for trust-manager.

/close

jetstack-bot commented 5 months ago

@erikgb: Closing this issue.

In response to [this](https://github.com/cert-manager/trust-manager/issues/283#issuecomment-1918817995):

> The goal of trust-manager is specifically the distribution of trust anchors, and not a generic format converter.
>
> Some suggestions for your use case:
>
> - migrate the application to support PEM format (JKS is somehow deprecated)
> - add an init-container to the application pod to convert from PEM to JKS using the standard JDK `keytool` CLI.
>
> I am going to close this issue as not relevant for trust-manager.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

k8ieone commented 5 months ago

Alright, thanks for the suggestion.

Just for the record, if anyone happens to find this issue - migrating the app is not a possibility at this time.

Using an init container with an emptydir volume sounds like a good approach, which we'll likely use.
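The error quoted in this issue is worth reproducing on your own side: a private key that slips into a trust bundle source would be copied to every namespace by trust-manager, so checking sources before they land in a ConfigMap is cheap insurance. The following is an added example, not code from trust-manager or from anyone in this thread; the PEM parsing, the function names and the placeholder block bodies are my own assumptions, and it only inspects PEM labels without parsing the contents.

```python
import re
from typing import List

# One PEM block: the label after BEGIN must match the label after END (\1).
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_block_types(bundle: str) -> List[str]:
    """Return the label of every PEM block in the bundle, in order of appearance."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(bundle)]


def check_trust_bundle(bundle: str) -> int:
    """Accept only CERTIFICATE blocks, mirroring the check trust-manager reports.

    Returns the number of certificates; raises ValueError on the first other label,
    so a stray PRIVATE KEY (or RSA/EC PRIVATE KEY) never reaches the bundle.
    """
    types = pem_block_types(bundle)
    if not types:
        raise ValueError("no PEM blocks found in bundle")
    for label in types:
        if label != "CERTIFICATE":
            raise ValueError(
                "invalid PEM block in bundle: only CERTIFICATE blocks are "
                f"permitted but found '{label}'"
            )
    return len(types)


# Constructed sample input: the base64 bodies are placeholders, not real material.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder1\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder2\n-----END CERTIFICATE-----\n"
)
WITH_KEY = CERT_ONLY + (
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(check_trust_bundle(CERT_ONLY))  # 2
    try:
        check_trust_bundle(WITH_KEY)
    except ValueError as err:
        print(err)  # ... but found 'PRIVATE KEY'
```

Run it against the file you intend to put in a bundle source (for example in CI before the ConfigMap is applied) and fail the pipeline on a ValueError.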