Allow overriding Secret data keys for the custom transport CA#9444
Conversation
The transport CA secret parser hardcodes `ca.crt`/`ca.key` (with a legacy `tls.crt`/`tls.key` fallback) and rejects secrets that contain both sets of keys as a configuration error. cert-manager always emits `tls.crt`, `tls.key`, *and* `ca.crt` (the issuing CA bundle) in its output Secret, and does not allow renaming these keys (`secretTemplate` only affects metadata, `additionalOutputFormats` only adds extra keys). The "both exist" check thus makes it impossible to point ECK directly at a cert-manager `Certificate` that mints the transport CA. Add an optional `caSecretKeys` field on `TransportTLSOptions` with `caCertKey` and `caKeyKey` overrides. When either is set, the parser reads only the named keys and bypasses the legacy/modern auto-detection and the "both exist" conflict check. When unset, behavior is unchanged. The new `ParseCustomCASecretWithKeys` is invoked from `ReconcileOrRetrieveCA`; the original `ParseCustomCASecret` remains as a no-override wrapper so other callers stay untouched.
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
I signed the CLA 👌 |
|
Hi @xrl 👋 thank you for the detailed write-up and for taking the time to contribute a PR for this - the problem is real and the cert-manager use case is a valid one. After looking at the change, I think there's a simpler path that avoids the need for a new API field altogether. As @pebrc noted in #8617, the root cause is that the conflict check in A cert-manager // before
if (legacyKeyExists || legacyCrtExists) && (keyExists || crtExists) {
// after
if (legacyKeyExists && legacyCrtExists) && (keyExists && crtExists) {With this one-line change the cert-manager secret just works without any user configuration, and we avoid adding a Would you be open to rework the PR along those lines? The test cases you wrote are a great starting point - they could be adapted into |
|
tl;dr what @pkoutsovasilis wrote (I had a stale PR view when I wrote mine) Thanks for your contribution but I think we would not want to expose these as top level fields in the CRD. For this specific problem, surfacing A safer auto-detection rule might be: That preserves the original ambiguity guard while accepting cert-manager’s CA Certificate output. It also avoids a permanent public API field, generated CRD/docs churn, and future questions like validation of arbitrary Secret key names. |
Problem
The custom transport CA Secret parser in
pkg/controller/common/certificates/ca_secret.gohardcodesca.crt/ca.key(with a legacytls.crt/tls.keyfallback) and explicitly rejects Secrets that contain both sets of keys as a configuration error.cert-manager
Certificateresources withisCA: truealways populate their output Secret with all three oftls.crt,tls.key, andca.crt(the latter being the issuing CA bundle). cert-manager does not allow renaming these data keys —secretTemplateonly customizes Secret metadata, andadditionalOutputFormatsonly appends extra fixed-name keys.The combined effect is that ECK cannot consume a cert-manager-emitted Secret as the user-provided transport CA: the parser sees
tls.*+ca.crtco-existing and returnsboth tls.* keys and ca.* keys exist in secret <ns>/<name>, this is likely a configuration error. The current workaround is to generate a CA outside the cluster withopensslandkubectl create secret genericit manually, which defeats the purpose of running cert-manager.Change
Add an optional
caSecretKeysfield onTransportTLSOptionswithcaCertKeyandcaKeyKeystring overrides. When either is set:When
caSecretKeysis unset (the default), behavior is identical to today.Implementation notes
ParseCustomCASecretis preserved as a thin wrapper over the newParseCustomCASecretWithKeys(s, certKeyOverride, keyKeyOverride). This keeps every other caller untouched and minimizes the diff against the existing auto-detect logic, which still runs verbatim when no overrides are supplied.ReconcileOrRetrieveCAreads the overrides off the spec nil-safely and forwards them.zz_generated.deepcopy.gowere regenerated withmake generate-manifests.Tests
Added
TestParseCustomCASecretWithKeysinpkg/controller/common/certificates/ca_secret_test.gocovering:ParseCustomCASecret.tls.*even whenca.crtis also present (the cert-manager shape).ca.key.ca.crt.Existing
TestParseCustomCASecretcases are unchanged and continue to pass.Checklist
main.gofmtclean,go vetclean, unit tests pass for the touched packages.