Support distribution of PKCS12/JKS truststores
We are using cert-manager to issue short-lived certificates to Kafka clients running in our Kubernetes cluster. Currently we use ca.crt, truststore.jks or truststore.p12 from the certificate Secret to establish trust to the Kafka cluster (mTLS). This is wrong, and only works because the client and server have certificates issued by the same root CA. 😄
To fix this, we were hoping to use this cert-manager component to distribute the trust. But since a great percentage of our clients are Java-based, we need to be able to provide the trust bundle in PKCS12/JKS format. Would it be possible to add an opt-in to provide the trust bundle in additional formats?
You might find cert-utils useful - you can annotate a secret containing a certificate & it will add keystore & truststore keys to the secret.
Well, cert-utils could be useful for other use-cases, but not for this IMO. I don't see the point in converting N Secrets with the same content. And I do not want to install additional software into my clusters, especially not software that requires RBAC to read Secrets cluster-wide. And cert-manager already has native support for JKS and PKCS12 keystores: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateKeystores. I think this support should/could be implemented here also.
Is it not implemented here? If you create a Bundle targeting the truststore in your CA, it gets distributed.
Hey @sgran,
It does work to distribute anything you feed it, but this is not first-class support as you still need to whip out keytool to create the java trust store.
I assume first-class support means you can feed it a PEM as input and it would generate the JKS and PKCS12 trust stores, similarly to how cert-manager can now generate JKS and PKCS12 keystores in the certificate Secret.
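The manual step the comment above refers to, as an added example that is not code from trust-manager or from anyone in this thread: turning a PEM CA bundle into a PKCS12 truststore with openssl and a JKS truststore with keytool, certificates only, no private key. The throwaway CA, the paths and the store password are constructed for the example.

```shell
#!/bin/sh
# Added example (not trust-manager code): PEM CA bundle -> PKCS12 and JKS
# truststores, the conversion a Java client has to do by hand today.
# The test CA, the work directory and the password are constructed here.
set -eu

WORK="$(mktemp -d)"
STOREPASS="changeit"   # constructed value; a real cluster would supply its own

# Constructed self-signed CA standing in for the bundle's PEM source.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# PEM bundle -> PKCS12 truststore. -nokeys keeps private keys out of the
# file, which is what makes it a truststore rather than a keystore.
pem_to_pkcs12() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$STOREPASS"
}

# Number of certificates a PKCS12 file holds (used to check the result).
count_pkcs12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" | grep -c 'BEGIN CERTIFICATE'
}

# PEM bundle -> JKS truststore, one alias per certificate. keytool imports
# only the first certificate of a file, so the bundle is split first.
# -storetype JKS is needed because modern keytool defaults to PKCS12.
pem_to_jks() {
  awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/split-" n ".pem")}' "$1"
  i=0
  for c in "$WORK"/split-*.pem; do
    i=$((i+1))
    keytool -importcert -noprompt -trustcacerts -alias "ca-$i" -file "$c" \
      -keystore "$2" -storetype JKS -storepass "$STOREPASS" >/dev/null 2>&1
  done
}

make_test_ca
pem_to_pkcs12 "$WORK/ca.pem" "$WORK/truststore.p12"
# keytool ships with a JDK, not with openssl, so build the JKS only if present.
if command -v keytool >/dev/null 2>&1; then
  pem_to_jks "$WORK/ca.pem" "$WORK/truststore.jks"
fi
echo "truststores written under $WORK"
```

Older JREs (before 8u301 / 11.0.12) cannot read the AES/PBKDF2 encryption OpenSSL 3 uses by default for PKCS12, so check the client's Java version before relying on the .p12 variant.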
@SpectralHiss I implemented a webhook that is capable of transforming PEM files into a truststore and adding it to the same ConfigMap. https://github.com/bakito/java-truststore-injection-webhook