Sample issue.yaml file:

```yaml
apiVersion: certmanager.step.sm/v1beta1
kind: StepClusterIssuer
metadata:
  name: step-cluster-issuer
  namespace: default
spec:
  url: https://k3s-devops-01
  caBundle: MIIB3zCCAYWgAwIBAgIQKYv9Uhi4ml9d3ZDRYfIG2TAKBggqhkjOPQQDAjBOMSEwHwYDVQQKExhkZXZvcHMuYWlkZXZlbG9wbWVudC5sYWIxKTAnBgNVBAMTIGRldm9wcy5haWRldmVsb3BtZW50LmxhYiBSb290IENBMB4XDTI1MTAxMTEyMzIwM1oXDTM1MTAwOTEyMzIwM1owTjEhMB8GA1UEChMYZGV2b3BzLmFpZGV2ZWxvcG1lbnQubGFiMSkwJwYDVQQDEyBkZXZvcHMuYWlkZXZlbG9wbWVudC5sYWIgUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIu9d2Ib3TDHBKDL63lO+cyIBOV+dv+TRpj5l0qXwVqNW5U1kIhNOMTz4mrQgJtgaSKBWER15NsabJ1QqrpuvrmjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSu7ZlS115iy35GGQuTQrsQJg4/tjAKBggqhkjOPQQDAgNIADBFAiBFs3jbaFZuwEgl/vdUsPJ5vQfWyvhsG4zfGKGiHXVuFwIhAJdpLrmZdh6UCQx/ypQ7y2h0xYjYQBh5TqMl0FgsD1dw
  provisioner:
    name: ca-master
    kid: srvjUgeOrh1PLJ6cHcLX4PgahJkrpnFHVbDFiH83NH4
    passwordRef:
      name: step-certificates-ca-password
      key: password
      namespace: default
```
In the `stepclusterissuer_controller.go` >> `Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)` function, when calling this function:

```go
// Initialize and store the provisioner
p, err := provisioners.NewFromStepClusterIssuer(iss, password)
```

`iss.Spec.CABundle` is actually the byte certificate, not the x509-encoded PEM data. I guess this worked in the past, so for some reason Kubernetes is converting the PEM data to the actual cert.

So:

- We need to convert the cert back to x509 PEM format.
- Change the code to call a different method when creating the client that calls the CA. It's currently calling `getTransportFromCABundle`. Do we change to `getTransportFromSHA256`?

There are multiple ways to resolve the issue. I have coded moving the variable back to the PEM format and the manager works.

I will submit a pull request that will check the CABundle and, if it is the cert, convert it back over to PEM. I can recreate this all day long on a fresh install on 2 different machines: macOS and Linux ARM.
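
An added example, not part of the original issue, the poster's pull request, or the step-issuer code base: one way a check like the one described above could look in Go, accepting a CA bundle as either PEM or raw DER bytes and always returning validated PEM. `normalizeCABundle` and `sampleDER` are hypothetical names, and the certificate used as input is a constructed throwaway.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// normalizeCABundle (hypothetical helper, not step-issuer code) accepts PEM or DER, returns PEM.
func normalizeCABundle(bundle []byte) ([]byte, error) {
	der := bundle // treat the input as raw DER unless a PEM block is found
	if b, rest := pem.Decode(bundle); b != nil {
		der = nil // PEM input: collect the DER payload of every block
		for ; b != nil; b, rest = pem.Decode(rest) {
			if b.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("unexpected PEM block type %q", b.Type)
			}
			der = append(der, b.Bytes...)
		}
	}
	certs, err := x509.ParseCertificates(der) // parsing rejects bytes that are not X.509
	if err != nil || len(certs) == 0 {
		return nil, fmt.Errorf("caBundle has no valid PEM or DER certificate (parse error: %v)", err)
	}
	var out bytes.Buffer
	for _, c := range certs {
		pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	return out.Bytes(), nil
}

// sampleDER returns a throwaway self-signed certificate as DER (constructed input).
func sampleDER() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	out, err := normalizeCABundle(sampleDER())
	fmt.Printf("%s(error: %v)\n", out, err)
}
```

Because the bytes are parsed before being re-encoded, an empty or malformed bundle fails here with a clear error instead of surfacing later as a TLS trust failure when the client is built.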