Sync a certificate in a Kubernetes kubernetes.io/tls type secret with an Azure Key Vault instance, using a PushSecret #2589
Description
Is your feature request related to a problem? Please describe.
Hi team.
I would appreciate if someone could confirm whether or not this use case is currently supported, or if not, currently in consideration.
https://external-secrets.io/latest/provider/azure-key-vault/#pushing-to-a-certificate
In the PushSecret example provided in the documentation linked above, the source appears to be a normal, Opaque type Kubernetes secret.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: source-certificate
data:
  cert.p12: {redacted}
  # Alternatively, you could also do it like this:
  #stringData:
  #  certPem: |
  #    -----BEGIN CERTIFICATE-----
  #    ...
  #    -----END CERTIFICATE-----
  #    -----BEGIN PRIVATE KEY-----
  #    ...
  #    -----END PRIVATEKEY-----
```
Is it possible to achieve this with a kubernetes.io/tls type secret?
Describe the solution you'd like
For example, I would like something like the following to work and have the TLS cert sync with the Azure Key Vault instance.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-cert
type: kubernetes.io/tls
data:
  tls.crt: {redacted}
  tls.key: {redacted}
---
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: test-cert
spec:
  refreshInterval: 10s # Refresh interval for which push secret will reconcile
  deletionPolicy: Delete
  secretStoreRefs: # A list of secret stores to push secrets to
    - name: azure-backend
      kind: ClusterSecretStore
  selector:
    secret:
      name: test-cert # Source Kubernetes secret to be pushed (must match the Secret name above)
  data:
    - match:
        certKey: tls.crt # Source Kubernetes secret key containing the certificate
        remoteRef:
          remoteKey: cert/tls.crt
    - match:
        keyKey: tls.key # Source Kubernetes secret key containing the private key
        remoteRef:
          remoteKey: cert/tls.key
```
Describe alternatives you've considered
I have tried the following method of storing the cert and key in an Opaque type secret (although this is not exactly what I wanted), but this resulted in the following error.

```yaml
#stringData:
#  certPem: |
#    -----BEGIN CERTIFICATE-----
#    ...
#    -----END CERTIFICATE-----
#    -----BEGIN PRIVATE KEY-----
#    ...
#    -----END PRIVATEKEY-----
```

```text
Warning  Errored  1s (x10 over 5s)  pushsecret  set secret failed: could not write remote ref certPem to target secretstore azure-backend: could not import certificate test-cert: keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format."
```
I also got a similar error when uploading a PEM format file containing a cert and key via the Azure Key Vault web UI, so this may be an issue on Azure's side. Manually converting the PEM file into a PFX file solved the issue.
Thank you.
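The workaround the reporter landed on (convert the PEM cert and key to a PFX, then push that) can be scripted so that it feeds the documented `cert.p12` source key instead of being done by hand. The script below is an added example, not code from the issue author or from the external-secrets project. It assumes `openssl` and `base64` are on `PATH`, that the Opaque source Secret uses the key name `cert.p12` as in the Azure Key Vault docs, and that the bundle is imported without a password unless you pass one as the fourth argument of `tls_to_p12`; the `extract_tls_secret` helper uses `kubectl` and is not exercised by the self-contained demo, which generates its own throwaway self-signed certificate as constructed input.

```shell
#!/bin/sh
# Added example: turn a kubernetes.io/tls secret's PEM material into a PKCS#12
# bundle for the documented "cert.p12" PushSecret source. Not project code.
set -eu

# extract_tls_secret NAME DIR: dump tls.crt/tls.key of a kubernetes.io/tls
# Secret into DIR as PEM files (needs cluster access; not run by the demo).
extract_tls_secret() {
    name="$1"; dir="$2"
    kubectl get secret "$name" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$dir/tls.crt"
    kubectl get secret "$name" -o jsonpath='{.data.tls\.key}' | base64 -d > "$dir/tls.key"
}

# tls_to_p12 CERT_PEM KEY_PEM OUT_P12 [PASSWORD]: bundle a PEM certificate
# (leaf plus any chain) and its unencrypted private key into a PFX file, the
# format Azure Key Vault accepted in the issue. Refuses a key that does not
# belong to the leaf certificate rather than producing a broken bundle.
tls_to_p12() {
    cert="$1"; key="$2"; out="$3"; pass="${4:-}"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "tls.crt and tls.key do not match" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
}

# p12_secret_manifest NAME OUT_P12: print an Opaque Secret manifest whose
# cert.p12 key holds the bundle, i.e. the source shape the docs' PushSecret uses.
p12_secret_manifest() {
    name="$1"; p12="$2"
    b64=$(base64 < "$p12" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  cert.p12: %s\n' \
        "$name" "$b64"
}

# demo_roundtrip DIR [PASSWORD]: constructed input only. Creates a throwaway
# self-signed cert/key pair (standing in for tls.crt/tls.key pulled from a
# cluster), bundles it and prints the resulting manifest.
demo_roundtrip() {
    dir="$1"; pass="${2:-}"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=example.test -days 1 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
    tls_to_p12 "$dir/tls.crt" "$dir/tls.key" "$dir/cert.p12" "$pass"
    p12_secret_manifest test-cert "$dir/cert.p12"
}
```

In real use you would run `extract_tls_secret test-cert "$dir"`, then `tls_to_p12` and `p12_secret_manifest`, and `kubectl apply` the printed manifest as the `selector.secret.name` target of the PushSecret from the docs. The key-match check matters because a PushSecret will happily ship whatever bytes the source Secret holds; catching a cert/key mismatch before the bundle exists is cheaper than debugging a 400 from Key Vault.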