truecharts / charts

Community Helm Chart Repository
https://truecharts.org
GNU Affero General Public License v3.0

clusterissuer: CA.key and CA.cer can't be decoded #9446

Closed schnerring closed 8 months ago

schnerring commented 1 year ago

Is your feature request related to a problem?

Providing certificates via Custom CA cert (experimental) and Custom CA key (experimental) fields doesn't work because the GUI joins multi-line strings by replacing line breaks with spaces. The clusterissuer is then unable to parse the certificate string. Here's the k3s kubectl describe clusterissuer debug output:

Events:
  Type     Reason         Age                From                         Message
  ----     ------         ----               ----                         -------
  Warning  ErrGetKeyPair  19s (x3 over 24s)  cert-manager-clusterissuers  Error getting keypair for CA issuer: error decoding certificate PEM block
  Warning  ErrInitIssuer  19s (x3 over 24s)  cert-manager-clusterissuers  Error initializing issuer: error decoding certificate PEM block

Describe the solution you'd like

I would like to be able to pass multi-line strings to the clusterissuer via Web GUI, but I think this isn't possible right now.

There is an upstream issue that was created by @Ornias1993 addressing the issue of multi-line text. Its status is gathering interest 😄 but since this was created in 2021, it's unclear when and if this will be added to SCALE's Web GUI.

Describe alternatives you've considered

Currently, we use Helm to base64-encode the plain values provided by the Web GUI like this:

apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}-ca
  namespace: cert-manager
data:
  tls.crt: {{ .crt | b64enc }}
  tls.key: {{ .key | b64enc }}
{{- end }}

Two workarounds exist:

  1. We let users do the base64-encoding via cat crt.pem | base64 -w0 (as described in the cert-manager docs) and pass along the provided value like this: tls.crt: {{ .crt }}
  2. We "undo" the string joining of the Web GUI with something like this: {{ .crt | replace " " "\n" | b64enc }}

1) seems more involved for end users and 2) seems more brittle.

I'll be happy to provide a PR for either solution.

Additional context

No response


radarlog commented 1 year ago

I tried to manually remove spaces and still have the issue. @schnerring Is it the same for you?

schnerring commented 1 year ago

Yeah, I accidentally created an enhancement issue, but this actually is a bug. In its current form, this feature doesn't work because the input field of the SCALE Web GUI strips the newlines from the input string.

Under the hood, cert-manager uses the encoding/pem Go package to parse the string, which requires the newlines to be intact. Have a look at the test cases here, if you're interested: golang/go/encoding/pem/pem_test.go
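
Added example (not part of the thread, and not TrueCharts or cert-manager code): a Go program that uses encoding/pem to show why the space-joined value fails to decode, and why a plain `replace " " "\n"` also fails, since the BEGIN/END lines contain spaces themselves. The helper names, the boundary regular expression and the 100-byte payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"regexp"
	"strings"
)

// boundary matches PEM BEGIN/END lines, whose labels contain spaces themselves.
var boundary = regexp.MustCompile(`-----(?:BEGIN|END) [A-Z0-9 ]+-----`)

// flatten mimics the form field described in the issue: line breaks become spaces.
func flatten(s string) string {
	return strings.ReplaceAll(strings.TrimSpace(s), "\n", " ")
}

// naiveRestore mirrors `replace " " "\n"`: it also splits the boundary lines.
func naiveRestore(s string) string { return strings.ReplaceAll(s, " ", "\n") }

// restore protects spaces inside boundary lines, then turns the rest into newlines.
func restore(s string) string {
	s = boundary.ReplaceAllStringFunc(s, func(m string) string {
		return strings.ReplaceAll(m, " ", "\x00")
	})
	s = strings.ReplaceAll(s, " ", "\n")
	return strings.ReplaceAll(s, "\x00", " ") + "\n"
}

// check reports whether encoding/pem decodes each variant back to the original bytes.
func check(label string) (flat, naive, restored bool) {
	want := bytes.Repeat([]byte{0x42}, 100) // constructed payload, not a real certificate
	orig := string(pem.EncodeToMemory(&pem.Block{Type: label, Bytes: want}))
	ok := func(s string) bool {
		b, _ := pem.Decode([]byte(s))
		return b != nil && b.Type == label && bytes.Equal(b.Bytes, want)
	}
	f := flatten(orig)
	return ok(f), ok(naiveRestore(f)), ok(restore(f))
}

func main() {
	for _, label := range []string{"CERTIFICATE", "RSA PRIVATE KEY"} {
		flat, naive, restored := check(label)
		fmt.Printf("%-16s flattened=%v naive=%v restored=%v\n", label, flat, naive, restored)
	}
}
```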

PrivatePuffin commented 1 year ago

> Yeah, I accidentally created an enhancement issue, but this actually is a bug. In its current form, this feature doesn't work because the input field of the SCALE Web GUI strips the newlines from the input string.
>
> Under the hood, cert-manager uses the encoding/pem Go package to parse the string, which requires the newlines to be intact. Have a look at the test cases here, if you're interested: golang/go/encoding/pem/pem_test.go

No this is not a bug. It IS an enhancement request. There is nothing wrong or broken with TrueCharts.

schnerring commented 1 year ago

> No this is not a bug. It IS an enhancement request. There is nothing wrong or broken with TrueCharts.

The "experimental" feature of adding CAs, that you added to TrueCharts, is simply broken for SCALE. And currently, there is no way to make it work. How is this not a bug?

PrivatePuffin commented 1 year ago

> > No this is not a bug. It IS an enhancement request. There is nothing wrong or broken with TrueCharts.
>
> The "experimental" feature of adding CAs, that you added to TrueCharts, is simply broken for SCALE. And currently, there is no way to make it work. How is this not a bug?

First off: It's experimental mostly BECAUSE of not being verified on SCALE. But we don't build just for SCALE.

If the SCALE GUI doesn't have text fields, you'll have to assume things of more than a few hundred characters not being supported by TrueCharts due to SCALE limitations.

Simply put: It's a bug but not OUR bug. We are not going to spend time maintaining non-common workarounds specifically for TrueNAS SCALE.

truecharts-admin commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.