Emissary fails to validate a private secret key

[alexgervais]

Describe the bug
In an mTLS scenario, Emissary fails to validate (and discards) an otherwise valid TLS Secret Key:

2022-02-23 16:08:13 diagd 2.2.1 [P27TAEW] INFO: demo-prod-f72afbf7-ed13-4b17-b021-0c8999367e43-client.kubeception.1: <RichStatus BAD error='K8sSecret secret demo-prod-f72afbf7-ed13-4b17-b021-0c8999367e43-client.kubeception tls.key cannot be parsed as PKCS1 or PKCS8: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)

To Reproduce
TBD

Expected behavior
Emissary should use the provided private TLS Key and pass it to Envoy to configure mTLS.

Versions (please complete the following information):

• Emissary-ingress: 2.2.0, 2.2.1
• Edge Stack: 2.2.0, 2.2.1

Additional context
Users of Emissary-ingress and Edge Stack 2.2.0+ using Hosts and TLSContexts with EC (Elliptic Curve) Private Keys are affected. TLS private keys PKCS1 and PKCS8 are supported.

Example rejected secret (the sample public key was deleted):

apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrRENDQVRlZ0F3SUJBZ0lJWEVoem4rSlJMd2t3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOalExTmpRek5URTVNQjRYRFRJeU1ESXlNekU1TVRFMU9Wb1hEVEl6TURJeQpNekU1TVRFMU9Wb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJLVVJwSUs2K3VEWWppVTgKSjZwR2o2ZG9uNjh0UHNRY29TQU5sVnExQzZCSlk5ZW5lNFRpRmtLN05nSy9tbzFpUGx2aWtENnRxVXRpVUlwSQp2SWcvL0QralNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUk40U1g4MHMvQXpkMTJsSVlVaXYwZTVPcG1JakFLQmdncWhrak9QUVFEQWdOSEFEQkUKQWlBenZuWUYzRHVCK0pqcHNJSDdwZDltbVJjam1EdVZURGtJK1JNUVhCa3BGUUlnWFF3cm9SVTlMWmpxTEFiVwo4cnhLV0NwVm1QUHNWaHFabzNrTU9tNnpHN1k9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUyTkRVMk5ETTFNVGt3SGhjTk1qSXdNakl6TVRreE1UVTVXaGNOTXpJd01qSXhNVGt4TVRVNQpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUyTkRVMk5ETTFNVGt3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSazhMMkdMVEdIaDJpcGV4YlhsUUpxYmRjZXU3WTdtR0lzdk5SSmNFS2IKUXAyendHb1VNNlNIQ25CZVFxRCtTelFqcE1mODR4eHFleDFYRnhyTHRyeXRvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVVRlRWwvTkxQd00zZGRwU0dGSXI5Ckh1VHFaaUl3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUt3Skd4cjFsOFdwaC80UitRazZGTkRNSmV4OUFFdHEKbGY2L3QreXpDYW01QWlFQWtKSnA0dEpnV0xIT3pyeklxVmxsd1AxWUQvcCt3K3N3YkZ4b0R6ZU4xRDg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURackt5SExTZXlMUXJUWUswOXNFcm5HRTNhMkhRVEpqeEU3QUxrOXFISERvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcFJHa2dycjY0TmlPSlR3bnFrYVBwMmlmcnkwK3hCeWhJQTJWV3JVTG9FbGoxNmQ3aE9JVwpRcnMyQXIrYWpXSStXK0tRUHEycFMySlFpa2k4aUQvOFB3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  name: test-cluster-client
type: kubernetes.io/tls

[khussey]

This is fixed in Emissary-ingress 2.2.2, which is now available.