Merge pull request #67 from sgybas/x509_client_cert

Support X.509 client certificates from docker-commons plugin

docs/examples/README.md

@@ -94,6 +94,12 @@ Only AWS AccessKey and SecretKey:
 {% include_relative vault-token.yaml %}
 {% endhighlight %}
 
+## X.509 client certificate
+
+{% highlight yaml linenos %}
+{% include_relative x509-client-certificate.yaml %}
+{% endhighlight %}
+
 # Custom field mapping
 
 Sometimes you may want the secret to be able to be consumed by another tool as well that has a different requirement for the data fields.

docs/examples/x509-client-certificate.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+metadata:
+# this is the jenkins id.
+  name: "x509-client-certificate"
+  labels:
+# so we know what type it is.
+    "jenkins.io/credentials-type": "x509ClientCert"
+  annotations:
+# description - can not be a label as spaces are not allowed
+    "jenkins.io/credentials-description" : "credentials from Kubernetes"
+type: Opaque
+stringData:
+  clientCertificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV
+    BAYTAlhYMQswCQYDVQQIDAJYWDELMAkGA1UEBwwCWFgxCzAJBgNVBAoMAlhYMQsw
+    CQYDVQQDDAJjYTAeFw0yMjA5MjEwNzQzMzVaFw0yMjEwMjEwNzQzMzVaMBExDzAN
+    BgNVBAMMBmNsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDB/x6RULr5QOYl
+    ulbzZI+8wPZMnrDPwMpP3Kh1MzxJwm1E0LJcI1nY3ePsoIGGQVITNNnjfBbEuYU6
+    01sljo5/AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
+    BQUAA0EAVP35oeWUOiRaIv9zCDt+3VRMQd6eggmmsx5qyy6ee/mLPpdUWUSt8Ayf
+    AiwAD2dca4XziVtJYVK++VnFGG/5EQ==
+    -----END CERTIFICATE-----
+  clientKeySecret: |
+    -----BEGIN PRIVATE KEY-----
+    MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAwf8ekVC6+UDmJbpW
+    82SPvMD2TJ6wz8DKT9yodTM8ScJtRNCyXCNZ2N3j7KCBhkFSEzTZ43wWxLmFOtNb
+    JY6OfwIDAQABAkAU3CDmUT75pE/bCLFm1I5cJoeVb47ll/5pHfoDODIoYA5LnQy9
+    /z4PNYCyw3Cq9m3+nf+HSRs8JcWuU7u93BaBAiEA/9mPwDrTlDhpILnmbsbIxXkq
+    zeUgypmM1cxQnhtYS78CIQDCHEPgHCdWYCLPnMxUjwrzXtyrIlWJ89j04uOVyN1t
+    QQIhANI4mFYRv/Fk3HSIax+QdD1Vzub4opX1zvOI+qC+xTEPAiBiM/KS+ytbo594
+    8ZbeYM/leGSjn+cut9NXcUI6kTiVAQIgd/FTmiUryLcSUxzz6YqmU+wU1+ebSHmx
+    U87XDZwmb40=
+    -----END PRIVATE KEY-----
+  serverCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIBdDCCAR4CCQCgzKd3hWBmXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJY
+    WDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkGA1UE
+    AwwCY2EwHhcNMjIwOTIxMDc0MzM1WhcNMjIxMDIxMDc0MzM1WjBBMQswCQYDVQQG
+    EwJYWDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkG
+    A1UEAwwCY2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAruIT3of/2lUvYPY7Azsj
+    AtKZnV6gthB6K70AsgKPp63xdlBrMgg5CYH7Xe7VmLXb7xhHLBHBnRJ3vPbH/m7h
+    swIDAQABMA0GCSqGSIb3DQEBCwUAA0EAfWb62RJ21i7tlbSttmu7by/k4fML31FQ
+    XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==
+    -----END CERTIFICATE-----

pom.xml

@@ -117,6 +117,21 @@
         <artifactId>aws-credentials</artifactId>
         <version>1.26</version>
       </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>docker-commons</artifactId>
+        <version>1.16</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkinsci.plugins</groupId>
+        <artifactId>pipeline-model-extensions</artifactId>
+        <version>1.3.8</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>scm-api</artifactId>
+        <version>2.2.6</version>
+      </dependency>
       <dependency>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>openstack-cloud</artifactId>
@@ -238,6 +253,12 @@
       <artifactId>hashicorp-vault-plugin</artifactId>
       <optional>true</optional>
     </dependency>
+    <!-- X.509 client certificate credentials -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>docker-commons</artifactId>
+      <optional>true</optional>
+    </dependency>
     <!-- test deps -->
     <dependency>
       <groupId>junit</groupId>

src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertor.java

@@ -0,0 +1,69 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc., @sgybas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors;
+
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.CredentialsConvertionException;
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.SecretToCredentialConverter;
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.SecretUtils;
+import io.fabric8.kubernetes.api.model.Secret;
+import org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials;
+import org.jenkinsci.plugins.variant.OptionalExtension;
+
+@OptionalExtension(requirePlugins = {"docker-commons"})
+public class DockerServerCredentialsConvertor extends SecretToCredentialConverter {
+
+    @Override
+    public boolean canConvert(String type) {
+        return "x509ClientCert".equals(type);
+    }
+
+    @Override
+    public DockerServerCredentials convert(Secret secret) throws CredentialsConvertionException {
+
+        SecretUtils.requireNonNull(secret.getData(), "X.509 client certificate definition contains no data");
+
+        String clientCertificateBase64 = SecretUtils.getNonNullSecretData(secret, "clientCertificate", "X.509 client certificate is missing the clientCertificate entry");
+        String clientCertificate = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(clientCertificateBase64), "X.509 client certificate has an invalid clientCertificate entry (must be base64 encoded UTF-8)");
+
+        String clientKeySecretBase64 = SecretUtils.getNonNullSecretData(secret, "clientKeySecret", "X.509 client certificate is missing the clientKeySecret entry");
+        String clientKeySecret = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(clientKeySecretBase64), "X.509 client certificate has an invalid clientKeySecret entry (must be base64 encoded UTF-8)");
+
+        String serverCaCertificateBase64 = SecretUtils.getNonNullSecretData(secret, "serverCaCertificate", "X.509 client certificate is missing the serverCaCertificate entry");
+        String serverCaCertificate = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(serverCaCertificateBase64), "X.509 client certificate has an invalid serverCaCertificate entry (must be base64 encoded UTF-8)");
+
+        return new DockerServerCredentials(
+                // scope
+                SecretUtils.getCredentialScope(secret),
+                // id
+                SecretUtils.getCredentialId(secret),
+                // description
+                SecretUtils.getCredentialDescription(secret),
+                // clientKeySecret
+                hudson.util.Secret.fromString(clientKeySecret),
+                // clientCertificate
+                clientCertificate,
+                // serverCaCertificate
+                serverCaCertificate);
+    }
+}

src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest.java

@@ -0,0 +1,145 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc., @sgybas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors;
+
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.CredentialsConvertionException;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import hudson.util.Secret;
+import org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class DockerServerCredentialsConvertorTest extends AbstractConverterTest {
+
+    private final String clientCertificate = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV\n" +
+            "BAYTAlhYMQswCQYDVQQIDAJYWDELMAkGA1UEBwwCWFgxCzAJBgNVBAoMAlhYMQsw\n" +
+            "CQYDVQQDDAJjYTAeFw0yMjA5MjEwNzQzMzVaFw0yMjEwMjEwNzQzMzVaMBExDzAN\n" +
+            "BgNVBAMMBmNsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDB/x6RULr5QOYl\n" +
+            "ulbzZI+8wPZMnrDPwMpP3Kh1MzxJwm1E0LJcI1nY3ePsoIGGQVITNNnjfBbEuYU6\n" +
+            "01sljo5/AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB\n" +
+            "BQUAA0EAVP35oeWUOiRaIv9zCDt+3VRMQd6eggmmsx5qyy6ee/mLPpdUWUSt8Ayf\n" +
+            "AiwAD2dca4XziVtJYVK++VnFGG/5EQ==\n" +
+            "-----END CERTIFICATE-----";
+
+    private final String clientKeySecret = "-----BEGIN PRIVATE KEY-----\n" +
+            "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAwf8ekVC6+UDmJbpW\n" +
+            "82SPvMD2TJ6wz8DKT9yodTM8ScJtRNCyXCNZ2N3j7KCBhkFSEzTZ43wWxLmFOtNb\n" +
+            "JY6OfwIDAQABAkAU3CDmUT75pE/bCLFm1I5cJoeVb47ll/5pHfoDODIoYA5LnQy9\n" +
+            "/z4PNYCyw3Cq9m3+nf+HSRs8JcWuU7u93BaBAiEA/9mPwDrTlDhpILnmbsbIxXkq\n" +
+            "zeUgypmM1cxQnhtYS78CIQDCHEPgHCdWYCLPnMxUjwrzXtyrIlWJ89j04uOVyN1t\n" +
+            "QQIhANI4mFYRv/Fk3HSIax+QdD1Vzub4opX1zvOI+qC+xTEPAiBiM/KS+ytbo594\n" +
+            "8ZbeYM/leGSjn+cut9NXcUI6kTiVAQIgd/FTmiUryLcSUxzz6YqmU+wU1+ebSHmx\n" +
+            "U87XDZwmb40=\n" +
+            "-----END PRIVATE KEY-----\n";
+
+    private final String serverCaCertificate = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIBdDCCAR4CCQCgzKd3hWBmXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJY\n" +
+            "WDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkGA1UE\n" +
+            "AwwCY2EwHhcNMjIwOTIxMDc0MzM1WhcNMjIxMDIxMDc0MzM1WjBBMQswCQYDVQQG\n" +
+            "EwJYWDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkG\n" +
+            "A1UEAwwCY2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAruIT3of/2lUvYPY7Azsj\n" +
+            "AtKZnV6gthB6K70AsgKPp63xdlBrMgg5CYH7Xe7VmLXb7xhHLBHBnRJ3vPbH/m7h\n" +
+            "swIDAQABMA0GCSqGSIb3DQEBCwUAA0EAfWb62RJ21i7tlbSttmu7by/k4fML31FQ\n" +
+            "XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==\n" +
+            "-----END CERTIFICATE-----";
+
+    private DockerServerCredentialsConvertor convertor = new DockerServerCredentialsConvertor();
+
+    @Test
+    public void canConvert() throws Exception {
+        assertThat("correct registration of valid type", convertor.canConvert("x509ClientCert"), is(true));
+        assertThat("incorrect type is rejected", convertor.canConvert("somethingElse"), is(false));
+    }
+
+    @Test
+    public void canConvertAValidSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("valid.yaml", "x509-valid", "Valid X.509 client certificate", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidSecretWithNoDescription() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validNoDescription.yaml", "x509-valid-no-description", "", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidMappedSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validMapped.yaml", "x509-valid-mapped", "Valid mapped X.509 client certificate", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidScopedSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validScoped.yaml", "x509-valid-scoped", "Valid scoped X.509 client certificate", CredentialsScope.SYSTEM);
+    }
+
+    @Test
+    public void failsToConvertWhenDataIsEmpty() throws IOException {
+        testNoData(convertor);
+    }
+
+    @Test
+    public void failsToConvertWhenClientCertificatIsCorrupt() throws IOException {
+        testCorruptField(convertor, "clientCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientKeySecretIsCorrupt() throws IOException {
+        testCorruptField(convertor, "clientKeySecret");
+    }
+
+    @Test
+    public void failsToConvertWhenServerCaCertificatIsCorrupt() throws IOException {
+        testCorruptField(convertor, "serverCaCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientCertificateIsMissing() throws IOException {
+        testMissingField(convertor, "clientCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientKeySecretIsMissing() throws IOException {
+        testMissingField(convertor, "clientKeySecret");
+    }
+
+    @Test
+    public void failsToConvertWhenServerCaCertificateIsMissing() throws IOException {
+        testMissingField(convertor, "serverCaCertificate");
+    }
+
+    private void testExpectedCredentials(String resource, String id, String description, CredentialsScope scope) throws CredentialsConvertionException, IOException {
+        DockerServerCredentials credential = convertor.convert(getSecret(resource));
+
+        assertThat("credential id is mapped correctly", credential.getId(), is(id));
+        assertThat("credential description is mapped correctly", credential.getDescription(), is(description));
+        assertThat("credential scope is mapped correctly", credential.getScope(), is(scope));
+        assertThat("credential clientCertificate is mapped correctly", credential.getClientCertificate(), is(clientCertificate));
+        assertThat("credential clientKeySecret is mapped correctly", Secret.toString(credential.getClientKeySecret()), is(clientKeySecret));
+        assertThat("credential serverCaCertificate is mapped correctly", credential.getServerCaCertificate(), is(serverCaCertificate));
+    }
+}

src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientCertificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-corrupt-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with corrupt field"
+type: Opaque
+data:
+  clientCertificate: "This is not base 64"
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientKeySecret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-corrupt-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with corrupt field"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: "This is not base 64"
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=