Make it possible to upload cert-manager generated certs to azure key vault certificates

[Haskell-fmap]

Is your feature request related to a problem? Please describe.
Currently, some azure services require the certificate to be stored under certificates in the keyvault, they will not accept certificate in secrets. It also has to be in PKCS12 format.

Currently, the best way to generate certificates on kubernetes it to use cert-manager + let's encrypt. The issue is that cert-manager does not allow for creation of passwordless pkcs12 certs, and external-secrets does not support pkcs12 with passwords.

In theory, ESO gives us template and "pemToPkcs12", which can be used like so pemToPkcs12 (index . "tls.crt" ) ( index . "tls.key" ). The issue is that this won't actually work with azure keyvault certificates. It will error out with "Could not parse certificate value as PKCS#12, DER or PEM".

Furthermore, even if it were to be stored as a secret, it will only ever be uploaded as base64, not raw p12, even if b64dec is added at the end.

Describe the solution you'd like
Make it possible to upload the certificate to azure keyvault certificates, or at the very least give us ability to store the secret as a raw p12 instead of base64. Maybe with something like pemToRawPkcs12 template function.

[HauptJ]

K8s requires binary secret data to be stored as text, either as base64 (data), or stringData, however raw PKCS12 itself is a binary file format. This request runs into a limitation of K8s itself.

https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets

[evrardjp]

What do you think the plan should be then?

Cause I don't see why Pushing needs to be at the same info as kubernetes, because we template in other places.
But at the same time, I wonder if all of this makes sense for ESO to handle.

certificate management and its lifecycle is best handled by cert-manager, and I do not see why cert-manager could not work directly with keyvault API for management of certificates...

Is there a use case I am missing?

[evrardj-roche]

Isn't it also a duplicate of #2589 ?

[marevers]

What do you think the plan should be then?

Cause I don't see why Pushing needs to be at the same info as kubernetes, because we template in other places. But at the same time, I wonder if all of this makes sense for ESO to handle.

certificate management and its lifecycle is best handled by cert-manager, and I do not see why cert-manager could not work directly with keyvault API for management of certificates...

Is there a use case I am missing?

I think this is very much part of what ESO should be responsible for as ESO's main purpose is synchronising data from/to vaults. cert-manager is aimed at generation of certificates, not storage of them in anything other than Kubernetes AFAIK. So it would be good if this usecase could be supported by ESO.