This repository has been archived by the owner on Oct 12, 2023. It is now read-only.
Describe the request
I'd like the original PFX file to be imported into KVM volume, in case "secret" type is specified.
Explain why Key Vault FlexVolume needs it
The documentation says:
The AKV-secret provides a way to export the full X.509 certificate, including its private key (if its policy allows for private key exporting). Specifying secret in keyvaultobjecttypes will fetch the base64-encoded certificate bundle.
This is incompatible with existing solutions, as no app expects BASE-64 encoded PFX file. I don't understand why the plain PFX file cannot be imported into KVM volume? Is there any security reason?
Describe the solution you'd like
Perhaps adding new keyvaultobjecttypes: pfx would do the job without introducing a breaking change.
Describe alternatives you've considered
For now I'd change the code of my app to decode BASE64 file but it's definitely not something I'd expect (changing the code to fit it into k8s).
Additional context
Actually I'm facing a lot of difficulties with fitting the project into k8s. The installation was simple and it's easy to use, but for instance I cannot use it with nginx, which supports loading certs only from secrets. Same for my existing apps, which expect to be configured via ENV variables (which I can populate from secrets, but can't populate from KVM volume). I'd love KVM to behave more like a secret provider and to be more transparent (for instance allow me to download plain .pfx file, without base64 encoding it). Fingers crossed for this project :)
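The decode workaround mentioned in the request, as an added example (not code from the issue author or the FlexVolume project): it turns the mounted base64 bundle into a binary PFX, rejects content that is not shaped like a PKCS#12 v3 structure, and writes the private-key file atomically with mode 0600. The function names and the sample bytes are assumptions made for illustration; the structural check is a sanity check only and does not open or verify the certificate.

```python
import base64
import binascii
import os
import tempfile

# Constructed sample, not a real certificate: SEQUENCE { INTEGER 3, empty SEQUENCE }
SAMPLE_B64 = base64.b64encode(bytes.fromhex("30050201033000"))


def _seq_header(buf):
    """Return (content offset, content length or None) of an ASN.1 SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    first = buf[1]
    if first < 0x80:                  # short form
        return 2, first
    if first == 0x80:                 # BER indefinite length
        return 2, None
    n = first & 0x7F                  # long form: n length bytes follow
    if len(buf) < 2 + n:
        raise ValueError("truncated length field")
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


def decode_pfx_bundle(src, dst):
    """Decode the base64 bundle at src into a binary PFX at dst; return its size."""
    with open(src, "rb") as fh:
        text = b"".join(fh.read().split())    # tolerate line wrapping
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{src}: not valid base64") from exc
    off, length = _seq_header(raw)
    if length is not None and off + length != len(raw):
        raise ValueError("ASN.1 length does not match decoded size")
    # RFC 7292: PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }
    if raw[off:off + 3] != b"\x02\x01\x03":
        raise ValueError("not a PKCS#12 v3 structure")
    # mkstemp creates the file 0600; rename so readers never see a partial key.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(raw)
        os.replace(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(raw)
```

Write the decoded file to a memory-backed volume that only the application container mounts, so the private key does not land on node disk.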