Open Ceddaerrix opened 3 months ago
Hi @Ceddaerrix, this seems to be a multi-purpose issue. 😉
It seems like the trust-manager API documentation is out-of-date. Thanks for letting us know! I will look into what's happened here.
Would it be possible to set spec.target.additionalFormats.jks.password/spec.target.additionalFormats.pkcs12.password from a secret reference and key?
Why do you need this? It would make the controller mechanics considerably more complex. Passwords on JKS/PKCS#12 keystores/truststores do not make things more secure and should be considered legacy. There is a note about them in our FAQ: https://cert-manager.io/docs/faq/#why-are-passwords-on-jks-or-pkcs12-files-not-helpful
Would it be possible to have that password included in to the generated secret, or a separate one?
Why? If you think the keystore/truststore password represents anything useful, you should keep it separate from the keystore/password and manage it independently. 😸
I have recently discovered trust-manager and started experimenting with it. To me, the part about JKS/PKCS12 password lacks some clarity:
spec.target.additionalFormats.jks.password and spec.target.additionalFormats.pkcs12.password are introduced as a means to overwrite the default 'changeit' password. Looking to use the bundle outcome (as a secret) with Jenkins for the HTTPS keystore (see https://github.com/jenkinsci/helm-charts/blob/e60a42b6e11f41328f73c4a90bcbcce14f535165/charts/jenkins/values.yaml#L836-L846), I was under the impression that the JKS/PKCS12 password would be included into the generated secret. Unfortunately, tests showed that it is not the case...
spec.target.additionalFormats.jks.password / spec.target.additionalFormats.pkcs12.password from a secret reference and key?
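For readers following the thread, here is an added example of a trust-manager Bundle that produces the JKS and PKCS#12 formats discussed above. It is not taken from the issue or from the trust-manager project; the field names spec.target.additionalFormats.jks/pkcs12 with key and password follow the fields named in the thread, while the source secret name, bundle name, target secret/configMap names and the namespace label are constructed for illustration. As the maintainer explains, the keystore/truststore password is not a secret: it lives in plain text in the Bundle spec, and the generated Secret/ConfigMap does not carry it, so any consumer (such as the Jenkins chart) has to be given the same value separately.

```yaml
# Added example (not from the trust-manager project); names are assumed.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-org-trust            # assumed bundle name
spec:
  sources:
    # Public CA roots shipped with trust-manager.
    - useDefaultCAs: true
    # A private root CA published by cert-manager (assumed Secret name/key).
    - secret:
        name: "example-root-ca"
        key: "ca.crt"
  target:
    # PEM bundle written to a ConfigMap in every selected namespace.
    configMap:
      key: "trust-bundle.pem"
    # The same bundle also written to a Secret (assumed target kind for
    # consumers, such as the Jenkins chart, that mount a Secret).
    secret:
      key: "trust-bundle.pem"
    additionalFormats:
      jks:
        key: "trust-bundle.jks"
        # Plain-text value; it overrides the default 'changeit' and is NOT
        # copied into the generated Secret. Keep it in sync with whatever
        # consumer reads the keystore.
        password: "changeit"
      pkcs12:
        key: "trust-bundle.p12"
        password: "changeit"
    namespaceSelector:
      matchLabels:
        trust: "enabled"              # assumed label for target namespaces
```

Because the password provides no confidentiality for a truststore that contains only public CA certificates, treating it as a fixed, well-known value (as the cert-manager FAQ linked above recommends) keeps the reconciliation loop simple: trust-manager never has to read or rotate a second Secret just to regenerate the keystore.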