operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0

Provide support for PKCS8 TLS key format #2191

Open fvaleri opened 3 years ago

fvaleri commented 3 years ago

When I try to deploy a bundle containing a ValidatingAdmissionWebhook linked to a Quarkus application deployment, I get the following exception when loading the generated TLS key:

io.vertx.core.VertxException: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : version mismatch: (supported:     00, parsed:     01
    at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:350)
    at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:355)
    at jdk.crypto.ec/sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:74)
    at jdk.crypto.ec/sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)
    at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)
    at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)
    at io.vertx.core.net.impl.KeyStoreHelper.lambda$loadPrivateKey$1(KeyStoreHelper.java:265)
    at io.vertx.core.net.impl.KeyStoreHelper.loadPems(KeyStoreHelper.java:335)
    at io.vertx.core.net.impl.KeyStoreHelper.loadPrivateKey(KeyStoreHelper.java:259)
    at io.vertx.core.net.impl.KeyStoreHelper.loadKeyCert(KeyStoreHelper.java:246)
    at io.vertx.core.net.PemKeyCertOptions.getHelper(PemKeyCertOptions.java:405)
    at io.vertx.core.net.KeyStoreHelperTest.testKeyStoreHelperSupportsECPrivateKeys(KeyStoreHelperTest.java:69)

Now, the OLM generates the key in SEC1/PEM format instead of the PKCS8/PEM format, which is required by the JDK. If I get the key from the generated secret and convert it to PKCS8 format, then it works fine.

openssl pkcs8 -topk8 -inform pem -in tls.key -outform pem -nocrypt -out tls-new.key

Instead, certificates generated by the Service CA Operator work fine.

These are the format delimiters that you can see when extracting the key from the secret.

OLM key (KO): -----BEGIN EC PRIVATE KEY-----
Converted OLM key (OK): -----BEGIN PRIVATE KEY-----
Service CA key (OK): -----BEGIN RSA PRIVATE KEY-----

Is there a way to generate the key in PKCS8 format? If not, can we add a flag to support it?

exdx commented 3 years ago

Does cert-manager support this feature?

OLM currently manages certs and generates self-signed certs for things like webhooks but we are interested in getting out of that altogether and delegating to a tool like cert-manager instead. This is on the near term roadmap.

fvaleri commented 3 years ago

@exdx it looks like it is supported: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey

ppatierno commented 3 years ago

My concern is about "near term roadmap" meaning ... any real ETA for that? Good to know that OLM is moving toward using cert-manager but I don't see it as a trivial task but maybe I could be wrong.

fvaleri commented 3 years ago

@exdx in the meantime, is it possible to add a flag to enable that conversion?

exdx commented 3 years ago

I think it's possible, we would definitely review a patch with that enabled.

We will triage this issue more in our Thursday issue triage call at 10 AM EST, if you wanted to discuss with the members of the OLM team. https://docs.google.com/document/d/1LMQ5QlEYgGBeSc75fhHh-VFJ8_B2j4ieBcagIa-QfwU/edit#heading=h.8ngolbigvi7q

fvaleri commented 3 years ago

Thanks @exdx, that would be great.

exdx commented 3 years ago

One option is to create another volume mount in every APIService/Webhook that OLM creates in the PKCS8 format, such that this change is backwards-compatible. Changing the cert to PKCS8 entirely may risk breaking some of the existing APIServices and other components.

ppatierno commented 3 years ago

@exdx yes it makes more sense.