[FEAT] Encode the ca certificate to base64. Instead of having the world dealing with it. #561

Open
snooops opened this issue Jul 30, 2024 · 1 comment
Labels
enhancement New feature or request

snooops commented Jul 30, 2024

Is your feature request related to a problem? Please describe.

As already discussed in #452#issuecomment-1767121354 the implementation is not good for no real reason, just because it is implemented by some dependency.

Describe the solution you'd like

The Vault-action should expect a PEM-formatted certificate and encode it if needed. The problem I see is that everyone needs to implement the base64 encoding during runtime or during bootstrapping of the environment. Makes documentation and usage more cumbersome. In some cases it could even make the reusability of the CA certificate during the runtime more complicated to decode the certificate again for other steps in the workflow.

Describe alternatives you've considered

To not have a breaking change, maybe it would make sense to check if the file is base64 encoded or not and do necessary conversion if needed. For example it could be checked if the first line matches the pem format string -----BEGIN CERTIFICATE-----.

@snooops snooops added the enhancement New feature or request label Jul 30, 2024
kim0 commented Aug 7, 2024

Very much this!

It's a speed bump having to figure out exactly how to get this done even. At first I thought this is what's needed

openssl x509 -in my.cert -outform der | base64

Interestingly, it seems PEM format is already base64 formatted. So this changes nothing except stripping the header and footer (BEGIN and END lines), and putting all the base64 data on a single line!

But turns out, what is actually needed is a double-base64 encoded file. i.e. We simply need to encode the cert AGAIN to base64 like so

base64 -i my.cert

And use the resulting string in GitHub secrets. I do not think this is needed for any real reason. I'm guessing the developer thought GH secrets do not support multi-line secrets, but they do. IMO, this is confusing and should be removed.
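
The detection proposed in the issue and the double encoding described in the comment above, as an added example that is not part of the thread and not vault-action's own code: a hypothetical `normalizeCaCertificate` helper that accepts either plain PEM or base64-encoded PEM and rejects base64 that does not contain a PEM block (such as base64 of DER). The sample certificate is constructed placeholder data, and the check is structural only (it does not parse the X.509 contents).

```javascript
// Added example (not vault-action code): accept a CA certificate given either
// as plain PEM or as base64-encoded PEM. All names here are hypothetical.

const PEM_BLOCK =
  /-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+\/=\r\n]+?-----END CERTIFICATE-----/g;

// Buffer.from(s, 'base64') does not reject invalid characters, so check the
// alphabet and padding explicitly before decoding.
const STRICT_BASE64 =
  /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

function extractPemBlocks(text) {
  return text.match(PEM_BLOCK) || [];
}

function normalizeCaCertificate(input) {
  if (typeof input !== 'string' || input.trim() === '') {
    throw new Error('CA certificate is empty');
  }
  // Case 1: already PEM (a bundle with several certificates is kept whole).
  let blocks = extractPemBlocks(input);
  let source = 'pem';
  if (blocks.length === 0) {
    // Case 2: base64 of the PEM file. Drop whitespace first, because some
    // base64 tools wrap their output across lines.
    const compact = input.replace(/\s+/g, '');
    if (!STRICT_BASE64.test(compact)) {
      throw new Error('CA certificate is neither PEM nor base64-encoded PEM');
    }
    blocks = extractPemBlocks(Buffer.from(compact, 'base64').toString('utf8'));
    source = 'base64-pem';
    if (blocks.length === 0) {
      // e.g. base64 of DER: valid base64, but no PEM armor inside.
      throw new Error('base64 input did not decode to a PEM certificate');
    }
  }
  return { source, pem: blocks.join('\n') + '\n' };
}

// Constructed sample: PEM armor around placeholder bytes, not a real certificate.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  Buffer.from('constructed placeholder, not a real DER certificate').toString('base64'),
  '-----END CERTIFICATE-----',
  '',
].join('\n');
const SAMPLE_WRAPPED = Buffer.from(SAMPLE_PEM, 'utf8').toString('base64');
console.log(normalizeCaCertificate(SAMPLE_WRAPPED).source);
```

Accepting both forms keeps existing base64-encoded secrets working while letting new users paste the PEM file directly.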
