external-secrets/kubernetes-external-secrets

Can't access TLS certificates in GCP secrets

rozdestvenskiy opened this issue · 1 comments

I'm using GCP Secret Manager to store TLS certificates and keys for my project, and I want to use external-secrets to easily share them with pods. But when I try to get access from my Ingress pods, I get this error:
Error while creating certificate store: failed to load X509 key pair: tls: failed to find any PEM data in certificate input
I checked this secret with kubectl and, I think, it can't get access to the secret data:

Name:         my-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====

But if I use other data in the secret (not a PEM certificate), all is fine:

Name:        creds
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
password:  16 bytes
username:  8 bytes

Here is the manifest for external secret:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: my-cert # name of the k8s external secret and the k8s secret
spec:
  backendType: gcpSecretsManager
  projectId: my-project-id
  data:
    - key: secret
      property: tls.crt
      name: tls.crt
    - key: secret
      property: tls.key
      name: tls.key

Here is what my secret in GCP looks like:

{
    "tls.crt":"here-is-my-cert",
    "tls.key":"here-is-my-private-key"
}

Can somebody help me? Maybe it is some kind of bug?

Looks like I fixed it myself. Now I store the key and the cert in two different GCP secrets, and here is the manifest for the external secret:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: my-cert # name of the k8s external secret and the k8s secret
spec:
  backendType: gcpSecretsManager
  projectId: my-project-id
  data:
    - key: ssl-cert
      name: tls.crt
    - key: ssl-key
      name: tls.key
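
A check for the symptom reported in this issue, as an added example that is not part of the original thread or the project's code: it takes the JSON from `kubectl get secret my-cert -o json` and reports whether `tls.crt` and `tls.key` are present and PEM-shaped. The function name and the sample Secret objects are constructed for illustration, and the regex checks PEM framing only, not X.509 validity.

```python
import base64
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")

def check_tls_secret(secret, required=("tls.crt", "tls.key")):
    """Return a list of problems in a Secret dict; empty means it looks usable."""
    problems = []
    data = secret.get("data") or {}  # a Secret that synced nothing has no data
    for key in required:
        if key not in data:
            problems.append(f"{key}: missing from Secret data")
            continue
        try:
            text = base64.b64decode(data[key], validate=True).decode("ascii")
        except ValueError:  # covers bad base64 and non-ASCII bytes
            problems.append(f"{key}: value is not base64-encoded ASCII")
            continue
        match = PEM_RE.search(text)
        if match is None:
            problems.append(f"{key}: no PEM block found")
        elif key == "tls.crt" and match.group(1) != "CERTIFICATE":
            problems.append(f"{key}: unexpected PEM label {match.group(1)!r}")
        elif key == "tls.key" and not match.group(1).endswith("PRIVATE KEY"):
            problems.append(f"{key}: unexpected PEM label {match.group(1)!r}")
    return problems

def b64(text):
    return base64.b64encode(text.encode()).decode()

def pem(label):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed samples: the empty Secret from the issue, a Secret holding
# non-PEM placeholder text, and a Secret with PEM-framed values.
EMPTY = {"kind": "Secret", "metadata": {"name": "my-cert"}, "type": "Opaque"}
NOT_PEM = dict(EMPTY, data={"tls.crt": b64("here-is-my-cert"),
                            "tls.key": b64("here-is-my-private-key")})
GOOD = dict(EMPTY, data={"tls.crt": b64(pem("CERTIFICATE")),
                         "tls.key": b64(pem("PRIVATE KEY"))})

if __name__ == "__main__":
    for name, sample in (("EMPTY", EMPTY), ("NOT_PEM", NOT_PEM), ("GOOD", GOOD)):
        print(name, check_tls_secret(sample) or "ok")
```

Against a live cluster, load the `kubectl` output with `json.load` and pass the resulting dict to `check_tls_secret`.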