-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
public_key_fingerprint_x509_sha256 #203
base: main
Are you sure you want to change the base?
Conversation
Hello and thanks for providing this. Before I proceed further, I have to ask: why is this property https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key#public_key_fingerprint_sha256 not enough for your purpose? For clarity, the |
Hi there @detro. Unfortunately the ssh-format hash is not the same as used by kubernetes to calculate the Key Id during OIDC authentication. I am trying to use a tls_private_key to populate a jwks key set for my cluster, so the hash algorithm has to match. I have to agree that it doesn't feel quite right to have arbitrary hash methods in this resource, and I can't find any evidence that the kubernetes method is at all standard (other than by using similarly available go crypto functions), so if you have any suggestions about where else this could live I'd be happy to consider it. |
One potential way to address the issue here from what I can tell would be to return the base64 encoded value of the DER encoding. From there, Terraform would be able to base64 decode the value, sha256sum it, and base64 encode it back using built-in functions. Providing only the base64 encoded DER value is arguably more flexible for future use cases. For context, I'm trying to solve the same problem as @alanraison. |
I don't think providing the base64 of the DER would be enough, since when you go to base64decode it would decode it into a terraform string (utf8). Unless terraform provides function to sha256 base64 encoded content it would need to be done in provider. |
Resolves #202
I am a little concerned with the long name of this property, though it fits in with the other property names, and also whether the name is accurate.
I believe this is a good location for this fingerprint, rather than in a separate provider, since the key material is already available.