From cf629eb0b29060204394cb43d5eca148253768e5 Mon Sep 17 00:00:00 2001
From: Stefan Gybas <sgybas@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:12:23 +0200
Subject: [PATCH 1/2] Support X.509 client certificates from docker-commons
 plugin

---
 docs/examples/README.md                       |   6 +
 docs/examples/x509-client-certificate.yaml    |  46 ++++++
 pom.xml                                       |  27 ++++
 .../convertors/X509ClientCertConvertor.java   |  69 +++++++++
 .../X509ClientCertConvertorTest.java          | 145 ++++++++++++++++++
 .../corruptClientCertificate.yaml             |  13 ++
 .../corruptClientKeySecret.yaml               |  13 ++
 .../corruptServerCaCertificate.yaml           |  13 ++
 .../missingClientCertificate.yaml             |  12 ++
 .../missingClientKeySecret.yaml               |  12 ++
 .../missingServerCaCertificate.yaml           |  12 ++
 .../X509ClientCertConvertorTest/valid.yaml    |  13 ++
 .../validMapped.yaml                          |  16 ++
 .../validNoDescription.yaml                   |  11 ++
 .../validScoped.yaml                          |  14 ++
 .../X509ClientCertConvertorTest/void.yaml     |  10 ++
 16 files changed, 432 insertions(+)
 create mode 100644 docs/examples/x509-client-certificate.yaml
 create mode 100644 src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java
 create mode 100644 src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml
 create mode 100644 src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml

diff --git a/docs/examples/README.md b/docs/examples/README.md
index 59e60b97..07dbd0e9 100644
--- a/docs/examples/README.md
+++ b/docs/examples/README.md
@@ -94,6 +94,12 @@ Only AWS AccessKey and SecretKey:
 {% include_relative vault-token.yaml %}
 {% endhighlight %}
 
+## X.509 client certificate
+
+{% highlight yaml linenos %}
+{% include_relative x509-client-certificate.yaml %}
+{% endhighlight %}
+
 # Custom field mapping
 
 Sometimes you may want the secret to be able to be consumed by another tool as well that has a different requirement for the data fields.
diff --git a/docs/examples/x509-client-certificate.yaml b/docs/examples/x509-client-certificate.yaml
new file mode 100644
index 00000000..8f16f144
--- /dev/null
+++ b/docs/examples/x509-client-certificate.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+metadata:
+# this is the jenkins id.
+  name: "x509-client-certificate"
+  labels:
+# so we know what type it is.
+    "jenkins.io/credentials-type": "x509ClientCert"
+  annotations:
+# description - can not be a label as spaces are not allowed
+    "jenkins.io/credentials-description" : "credentials from Kubernetes"
+type: Opaque
+stringData:
+  clientCertificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV
+    BAYTAlhYMQswCQYDVQQIDAJYWDELMAkGA1UEBwwCWFgxCzAJBgNVBAoMAlhYMQsw
+    CQYDVQQDDAJjYTAeFw0yMjA5MjEwNzQzMzVaFw0yMjEwMjEwNzQzMzVaMBExDzAN
+    BgNVBAMMBmNsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDB/x6RULr5QOYl
+    ulbzZI+8wPZMnrDPwMpP3Kh1MzxJwm1E0LJcI1nY3ePsoIGGQVITNNnjfBbEuYU6
+    01sljo5/AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
+    BQUAA0EAVP35oeWUOiRaIv9zCDt+3VRMQd6eggmmsx5qyy6ee/mLPpdUWUSt8Ayf
+    AiwAD2dca4XziVtJYVK++VnFGG/5EQ==
+    -----END CERTIFICATE-----
+  clientKeySecret: |
+    -----BEGIN PRIVATE KEY-----
+    MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAwf8ekVC6+UDmJbpW
+    82SPvMD2TJ6wz8DKT9yodTM8ScJtRNCyXCNZ2N3j7KCBhkFSEzTZ43wWxLmFOtNb
+    JY6OfwIDAQABAkAU3CDmUT75pE/bCLFm1I5cJoeVb47ll/5pHfoDODIoYA5LnQy9
+    /z4PNYCyw3Cq9m3+nf+HSRs8JcWuU7u93BaBAiEA/9mPwDrTlDhpILnmbsbIxXkq
+    zeUgypmM1cxQnhtYS78CIQDCHEPgHCdWYCLPnMxUjwrzXtyrIlWJ89j04uOVyN1t
+    QQIhANI4mFYRv/Fk3HSIax+QdD1Vzub4opX1zvOI+qC+xTEPAiBiM/KS+ytbo594
+    8ZbeYM/leGSjn+cut9NXcUI6kTiVAQIgd/FTmiUryLcSUxzz6YqmU+wU1+ebSHmx
+    U87XDZwmb40=
+    -----END PRIVATE KEY-----
+  serverCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIBdDCCAR4CCQCgzKd3hWBmXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJY
+    WDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkGA1UE
+    AwwCY2EwHhcNMjIwOTIxMDc0MzM1WhcNMjIxMDIxMDc0MzM1WjBBMQswCQYDVQQG
+    EwJYWDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkG
+    A1UEAwwCY2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAruIT3of/2lUvYPY7Azsj
+    AtKZnV6gthB6K70AsgKPp63xdlBrMgg5CYH7Xe7VmLXb7xhHLBHBnRJ3vPbH/m7h
+    swIDAQABMA0GCSqGSIb3DQEBCwUAA0EAfWb62RJ21i7tlbSttmu7by/k4fML31FQ
+    XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==
+    -----END CERTIFICATE-----
diff --git a/pom.xml b/pom.xml
index 469103f5..88d4c5a7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -117,6 +117,21 @@
         <artifactId>aws-credentials</artifactId>
         <version>1.26</version>
       </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>docker-commons</artifactId>
+        <version>1.16</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkinsci.plugins</groupId>
+        <artifactId>pipeline-model-extensions</artifactId>
+        <version>1.3.8</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>scm-api</artifactId>
+        <version>2.2.6</version>
+      </dependency>
       <dependency>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>openstack-cloud</artifactId>
@@ -238,6 +253,18 @@
       <artifactId>hashicorp-vault-plugin</artifactId>
       <optional>true</optional>
     </dependency>
+    <!-- X.509 client certificate credentials -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>docker-commons</artifactId>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <!-- Marked as optional in docker-commons plugin, specify explicitly to update required version -->
+      <groupId>org.jenkinsci.plugins</groupId>
+      <artifactId>pipeline-model-extensions</artifactId>
+      <optional>true</optional>
+    </dependency>
     <!-- test deps -->
     <dependency>
       <groupId>junit</groupId>
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java b/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java
new file mode 100644
index 00000000..56fc688f
--- /dev/null
+++ b/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java
@@ -0,0 +1,69 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc., @sgybas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors;
+
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.CredentialsConvertionException;
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.SecretToCredentialConverter;
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.SecretUtils;
+import io.fabric8.kubernetes.api.model.Secret;
+import org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials;
+import org.jenkinsci.plugins.variant.OptionalExtension;
+
+@OptionalExtension(requirePlugins = {"docker-commons"})
+public class X509ClientCertConvertor extends SecretToCredentialConverter {
+
+    @Override
+    public boolean canConvert(String type) {
+        return "x509ClientCert".equals(type);
+    }
+
+    @Override
+    public DockerServerCredentials convert(Secret secret) throws CredentialsConvertionException {
+
+        SecretUtils.requireNonNull(secret.getData(), "X.509 client certificate definition contains no data");
+
+        String clientCertificateBase64 = SecretUtils.getNonNullSecretData(secret, "clientCertificate", "X.509 client certificate is missing the clientCertificate entry");
+        String clientCertificate = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(clientCertificateBase64), "X.509 client certificate has an invalid clientCertificate entry (must be base64 encoded UTF-8)");
+
+        String clientKeySecretBase64 = SecretUtils.getNonNullSecretData(secret, "clientKeySecret", "X.509 client certificate is missing the clientKeySecret entry");
+        String clientKeySecret = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(clientKeySecretBase64), "X.509 client certificate has an invalid clientKeySecret entry (must be base64 encoded UTF-8)");
+
+        String serverCaCertificateBase64 = SecretUtils.getNonNullSecretData(secret, "serverCaCertificate", "X.509 client certificate is missing the serverCaCertificate entry");
+        String serverCaCertificate = SecretUtils.requireNonNull(SecretUtils.base64DecodeToString(serverCaCertificateBase64), "X.509 client certificate has an invalid serverCaCertificate entry (must be base64 encoded UTF-8)");
+
+        return new DockerServerCredentials(
+                // scope
+                SecretUtils.getCredentialScope(secret),
+                // id
+                SecretUtils.getCredentialId(secret),
+                // description
+                SecretUtils.getCredentialDescription(secret),
+                // clientKeySecret
+                hudson.util.Secret.fromString(clientKeySecret),
+                // clientCertificate
+                clientCertificate,
+                // serverCaCertificate
+                serverCaCertificate);
+    }
+}
diff --git a/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java b/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java
new file mode 100644
index 00000000..91b8186f
--- /dev/null
+++ b/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java
@@ -0,0 +1,145 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc., @sgybas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors;
+
+import com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.CredentialsConvertionException;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import hudson.util.Secret;
+import org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials;
+import org.junit.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class X509ClientCertConvertorTest extends AbstractConverterTest {
+
+    private final String clientCertificate = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV\n" +
+            "BAYTAlhYMQswCQYDVQQIDAJYWDELMAkGA1UEBwwCWFgxCzAJBgNVBAoMAlhYMQsw\n" +
+            "CQYDVQQDDAJjYTAeFw0yMjA5MjEwNzQzMzVaFw0yMjEwMjEwNzQzMzVaMBExDzAN\n" +
+            "BgNVBAMMBmNsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDB/x6RULr5QOYl\n" +
+            "ulbzZI+8wPZMnrDPwMpP3Kh1MzxJwm1E0LJcI1nY3ePsoIGGQVITNNnjfBbEuYU6\n" +
+            "01sljo5/AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB\n" +
+            "BQUAA0EAVP35oeWUOiRaIv9zCDt+3VRMQd6eggmmsx5qyy6ee/mLPpdUWUSt8Ayf\n" +
+            "AiwAD2dca4XziVtJYVK++VnFGG/5EQ==\n" +
+            "-----END CERTIFICATE-----";
+
+    private final String clientKeySecret = "-----BEGIN PRIVATE KEY-----\n" +
+            "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAwf8ekVC6+UDmJbpW\n" +
+            "82SPvMD2TJ6wz8DKT9yodTM8ScJtRNCyXCNZ2N3j7KCBhkFSEzTZ43wWxLmFOtNb\n" +
+            "JY6OfwIDAQABAkAU3CDmUT75pE/bCLFm1I5cJoeVb47ll/5pHfoDODIoYA5LnQy9\n" +
+            "/z4PNYCyw3Cq9m3+nf+HSRs8JcWuU7u93BaBAiEA/9mPwDrTlDhpILnmbsbIxXkq\n" +
+            "zeUgypmM1cxQnhtYS78CIQDCHEPgHCdWYCLPnMxUjwrzXtyrIlWJ89j04uOVyN1t\n" +
+            "QQIhANI4mFYRv/Fk3HSIax+QdD1Vzub4opX1zvOI+qC+xTEPAiBiM/KS+ytbo594\n" +
+            "8ZbeYM/leGSjn+cut9NXcUI6kTiVAQIgd/FTmiUryLcSUxzz6YqmU+wU1+ebSHmx\n" +
+            "U87XDZwmb40=\n" +
+            "-----END PRIVATE KEY-----\n";
+
+    private final String serverCaCertificate = "-----BEGIN CERTIFICATE-----\n" +
+            "MIIBdDCCAR4CCQCgzKd3hWBmXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJY\n" +
+            "WDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkGA1UE\n" +
+            "AwwCY2EwHhcNMjIwOTIxMDc0MzM1WhcNMjIxMDIxMDc0MzM1WjBBMQswCQYDVQQG\n" +
+            "EwJYWDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkG\n" +
+            "A1UEAwwCY2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAruIT3of/2lUvYPY7Azsj\n" +
+            "AtKZnV6gthB6K70AsgKPp63xdlBrMgg5CYH7Xe7VmLXb7xhHLBHBnRJ3vPbH/m7h\n" +
+            "swIDAQABMA0GCSqGSIb3DQEBCwUAA0EAfWb62RJ21i7tlbSttmu7by/k4fML31FQ\n" +
+            "XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==\n" +
+            "-----END CERTIFICATE-----";
+
+    private X509ClientCertConvertor convertor = new X509ClientCertConvertor();
+
+    @Test
+    public void canConvert() throws Exception {
+        assertThat("correct registration of valid type", convertor.canConvert("x509ClientCert"), is(true));
+        assertThat("incorrect type is rejected", convertor.canConvert("somethingElse"), is(false));
+    }
+
+    @Test
+    public void canConvertAValidSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("valid.yaml", "x509-valid", "Valid X.509 client certificate", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidSecretWithNoDescription() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validNoDescription.yaml", "x509-valid-no-description", "", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidMappedSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validMapped.yaml", "x509-valid-mapped", "Valid mapped X.509 client certificate", CredentialsScope.GLOBAL);
+    }
+
+    @Test
+    public void canConvertAValidScopedSecret() throws CredentialsConvertionException, IOException {
+        testExpectedCredentials("validScoped.yaml", "x509-valid-scoped", "Valid scoped X.509 client certificate", CredentialsScope.SYSTEM);
+    }
+
+    @Test
+    public void failsToConvertWhenDataIsEmpty() throws IOException {
+        testNoData(convertor);
+    }
+
+    @Test
+    public void failsToConvertWhenClientCertificatIsCorrupt() throws IOException {
+        testCorruptField(convertor, "clientCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientKeySecretIsCorrupt() throws IOException {
+        testCorruptField(convertor, "clientKeySecret");
+    }
+
+    @Test
+    public void failsToConvertWhenServerCaCertificatIsCorrupt() throws IOException {
+        testCorruptField(convertor, "serverCaCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientCertificateIsMissing() throws IOException {
+        testMissingField(convertor, "clientCertificate");
+    }
+
+    @Test
+    public void failsToConvertWhenClientKeySecretIsMissing() throws IOException {
+        testMissingField(convertor, "clientKeySecret");
+    }
+
+    @Test
+    public void failsToConvertWhenServerCaCertificateIsMissing() throws IOException {
+        testMissingField(convertor, "serverCaCertificate");
+    }
+
+    private void testExpectedCredentials(String resource, String id, String description, CredentialsScope scope) throws CredentialsConvertionException, IOException {
+        DockerServerCredentials credential = convertor.convert(getSecret(resource));
+
+        assertThat("credential id is mapped correctly", credential.getId(), is(id));
+        assertThat("credential description is mapped correctly", credential.getDescription(), is(description));
+        assertThat("credential scope is mapped correctly", credential.getScope(), is(scope));
+        assertThat("credential clientCertificate is mapped correctly", credential.getClientCertificate(), is(clientCertificate));
+        assertThat("credential clientKeySecret is mapped correctly", Secret.toString(credential.getClientKeySecret()), is(clientKeySecret));
+        assertThat("credential serverCaCertificate is mapped correctly", credential.getServerCaCertificate(), is(serverCaCertificate));
+    }
+}
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml
new file mode 100644
index 00000000..c0bd9b2d
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-corrupt-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with corrupt field"
+type: Opaque
+data:
+  clientCertificate: "This is not base 64"
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml
new file mode 100644
index 00000000..5257cdc8
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-corrupt-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with corrupt field"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: "This is not base 64"
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml
new file mode 100644
index 00000000..b7a73bd3
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-corrupt-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with corrupt field"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: "This is not base 64"
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml
new file mode 100644
index 00000000..2d827ef3
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-missing-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with missing field"
+type: Opaque
+data:
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml
new file mode 100644
index 00000000..e2d13de3
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-missing-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with missing field"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml
new file mode 100644
index 00000000..3e4dda3a
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-missing-field"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "X.509 client certificate with missing field"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml
new file mode 100644
index 00000000..3c3864a8
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-valid"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "Valid X.509 client certificate"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml
new file mode 100644
index 00000000..c45f591d
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-valid-mapped"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "Valid mapped X.509 client certificate"
+    "jenkins.io/credentials-keybinding-clientCertificate": "cert"
+    "jenkins.io/credentials-keybinding-clientKeySecret": "key"
+    "jenkins.io/credentials-keybinding-serverCaCertificate": "ca"
+type: Opaque
+data:
+  cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml
new file mode 100644
index 00000000..172f2422
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-valid-no-description"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml
new file mode 100644
index 00000000..a7d8f527
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-valid-scoped"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+    jenkins.io/credentials-scope: "system"
+  annotations:
+    jenkins.io/credentials-description: "Valid scoped X.509 client certificate"
+type: Opaque
+data:
+  clientCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZakNDQVF5Z0F3SUJBZ0lKQUtabFF6cUdHV3U5TUEwR0NTcUdTSWIzRFFFQkJRVUFNRUV4Q3pBSkJnTlYKQkFZVEFsaFlNUXN3Q1FZRFZRUUlEQUpZV0RFTE1Ba0dBMVVFQnd3Q1dGZ3hDekFKQmdOVkJBb01BbGhZTVFzdwpDUVlEVlFRRERBSmpZVEFlRncweU1qQTVNakV3TnpRek16VmFGdzB5TWpFd01qRXdOelF6TXpWYU1CRXhEekFOCkJnTlZCQU1NQm1Oc2FXVnVkREJjTUEwR0NTcUdTSWIzRFFFQkFRVUFBMHNBTUVnQ1FRREIveDZSVUxyNVFPWWwKdWxielpJKzh3UFpNbnJEUHdNcFAzS2gxTXp4SndtMUUwTEpjSTFuWTNlUHNvSUdHUVZJVE5ObmpmQmJFdVlVNgowMXNsam81L0FnTUJBQUdqRnpBVk1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQTBHQ1NxR1NJYjNEUUVCCkJRVUFBMEVBVlAzNW9lV1VPaVJhSXY5ekNEdCszVlJNUWQ2ZWdnbW1zeDVxeXk2ZWUvbUxQcGRVV1VTdDhBeWYKQWl3QUQyZGNhNFh6aVZ0SllWSysrVm5GR0cvNUVRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  clientKeySecret: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUJWQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQVQ0d2dnRTZBZ0VBQWtFQXdmOGVrVkM2K1VEbUpicFcKODJTUHZNRDJUSjZ3ejhES1Q5eW9kVE04U2NKdFJOQ3lYQ05aMk4zajdLQ0Joa0ZTRXpUWjQzd1d4TG1GT3ROYgpKWTZPZndJREFRQUJBa0FVM0NEbVVUNzVwRS9iQ0xGbTFJNWNKb2VWYjQ3bGwvNXBIZm9ET0RJb1lBNUxuUXk5Ci96NFBOWUN5dzNDcTltMytuZitIU1JzOEpjV3VVN3U5M0JhQkFpRUEvOW1Qd0RyVGxEaHBJTG5tYnNiSXhYa3EKemVVZ3lwbU0xY3hRbmh0WVM3OENJUURDSEVQZ0hDZFdZQ0xQbk14VWp3cnpYdHlySWxXSjg5ajA0dU9WeU4xdApRUUloQU5JNG1GWVJ2L0ZrM0hTSWF4K1FkRDFWenViNG9wWDF6dk9JK3FDK3hURVBBaUJpTS9LUyt5dGJvNTk0CjhaYmVZTS9sZUdTam4rY3V0OU5YY1VJNmtUaVZBUUlnZC9GVG1pVXJ5TGNTVXh6ejZZcW1VK3dVMStlYlNIbXgKVTg3WERad21iNDA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+  serverCaCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkRENDQVI0Q0NRQ2d6S2QzaFdCbVhUQU5CZ2txaGtpRzl3MEJBUXNGQURCQk1Rc3dDUVlEVlFRR0V3SlkKV0RFTE1Ba0dBMVVFQ0F3Q1dGZ3hDekFKQmdOVkJBY01BbGhZTVFzd0NRWURWUVFLREFKWVdERUxNQWtHQTFVRQpBd3dDWTJFd0hoY05Nakl3T1RJeE1EYzBNek0xV2hjTk1qSXhNREl4TURjME16TTFXakJCTVFzd0NRWURWUVFHCkV3SllXREVMTUFrR0ExVUVDQXdDV0ZneEN6QUpCZ05WQkFjTUFsaFlNUXN3Q1FZRFZRUUtEQUpZV0RFTE1Ba0cKQTFVRUF3d0NZMkV3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUFydUlUM29mLzJsVXZZUFk3QXpzagpBdEtablY2Z3RoQjZLNzBBc2dLUHA2M3hkbEJyTWdnNUNZSDdYZTdWbUxYYjd4aEhMQkhCblJKM3ZQYkgvbTdoCnN3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBMEVBZldiNjJSSjIxaTd0bGJTdHRtdTdieS9rNGZNTDMxRlEKWG9SN0pqckhtYkkrZjFCa3dTYk1WeHhhZEFXcFNray9OTkkxK1NIUi9uWVN2L2xvUTNVam1BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml
new file mode 100644
index 00000000..0d46ec70
--- /dev/null
+++ b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "x509-void"
+  labels:
+    jenkins.io/credentials-type: "x509ClientCert"
+  annotations:
+    jenkins.io/credentials-description: "Void X.509 client certificate"
+type: Opaque
+data:

From bbaeba3a15474531a2f2bb10deea2a4cec95bdf3 Mon Sep 17 00:00:00 2001
From: Stefan Gybas <sgybas@users.noreply.github.com>
Date: Mon, 26 Sep 2022 17:31:04 +0200
Subject: [PATCH 2/2] Support X.509 client certificates from docker-commons
 plugin

---
 pom.xml                                                     | 6 ------
 ...Convertor.java => DockerServerCredentialsConvertor.java} | 2 +-
 ...rTest.java => DockerServerCredentialsConvertorTest.java} | 4 ++--
 .../corruptClientCertificate.yaml                           | 0
 .../corruptClientKeySecret.yaml                             | 0
 .../corruptServerCaCertificate.yaml                         | 0
 .../missingClientCertificate.yaml                           | 0
 .../missingClientKeySecret.yaml                             | 0
 .../missingServerCaCertificate.yaml                         | 0
 .../valid.yaml                                              | 0
 .../validMapped.yaml                                        | 0
 .../validNoDescription.yaml                                 | 0
 .../validScoped.yaml                                        | 0
 .../void.yaml                                               | 0
 14 files changed, 3 insertions(+), 9 deletions(-)
 rename src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertor.java => DockerServerCredentialsConvertor.java} (97%)
 rename src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest.java => DockerServerCredentialsConvertorTest.java} (97%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/corruptClientCertificate.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/corruptClientKeySecret.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/corruptServerCaCertificate.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/missingClientCertificate.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/missingClientKeySecret.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/missingServerCaCertificate.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/valid.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/validMapped.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/validNoDescription.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/validScoped.yaml (100%)
 rename src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/{X509ClientCertConvertorTest => DockerServerCredentialsConvertorTest}/void.yaml (100%)

diff --git a/pom.xml b/pom.xml
index 88d4c5a7..1062b430 100644
--- a/pom.xml
+++ b/pom.xml
@@ -259,12 +259,6 @@
       <artifactId>docker-commons</artifactId>
       <optional>true</optional>
     </dependency>
-    <dependency>
-      <!-- Marked as optional in docker-commons plugin, specify explicitly to update required version -->
-      <groupId>org.jenkinsci.plugins</groupId>
-      <artifactId>pipeline-model-extensions</artifactId>
-      <optional>true</optional>
-    </dependency>
     <!-- test deps -->
     <dependency>
       <groupId>junit</groupId>
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java b/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertor.java
similarity index 97%
rename from src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java
rename to src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertor.java
index 56fc688f..42f01db9 100644
--- a/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertor.java
+++ b/src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertor.java
@@ -31,7 +31,7 @@
 import org.jenkinsci.plugins.variant.OptionalExtension;
 
 @OptionalExtension(requirePlugins = {"docker-commons"})
-public class X509ClientCertConvertor extends SecretToCredentialConverter {
+public class DockerServerCredentialsConvertor extends SecretToCredentialConverter {
 
     @Override
     public boolean canConvert(String type) {
diff --git a/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java b/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest.java
similarity index 97%
rename from src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java
rename to src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest.java
index 91b8186f..33fa5baa 100644
--- a/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest.java
+++ b/src/test/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest.java
@@ -34,7 +34,7 @@
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
-public class X509ClientCertConvertorTest extends AbstractConverterTest {
+public class DockerServerCredentialsConvertorTest extends AbstractConverterTest {
 
     private final String clientCertificate = "-----BEGIN CERTIFICATE-----\n" +
             "MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV\n" +
@@ -69,7 +69,7 @@ public class X509ClientCertConvertorTest extends AbstractConverterTest {
             "XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==\n" +
             "-----END CERTIFICATE-----";
 
-    private X509ClientCertConvertor convertor = new X509ClientCertConvertor();
+    private DockerServerCredentialsConvertor convertor = new DockerServerCredentialsConvertor();
 
     @Test
     public void canConvert() throws Exception {
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientCertificate.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientCertificate.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientCertificate.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientKeySecret.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptClientKeySecret.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptClientKeySecret.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptServerCaCertificate.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/corruptServerCaCertificate.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/corruptServerCaCertificate.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingClientCertificate.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientCertificate.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingClientCertificate.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingClientKeySecret.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingClientKeySecret.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingClientKeySecret.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingServerCaCertificate.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/missingServerCaCertificate.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/missingServerCaCertificate.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/valid.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/valid.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/valid.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validMapped.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validMapped.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validMapped.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validNoDescription.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validNoDescription.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validNoDescription.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validScoped.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/validScoped.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/validScoped.yaml
diff --git a/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml b/src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/void.yaml
similarity index 100%
rename from src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/X509ClientCertConvertorTest/void.yaml
rename to src/test/resources/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/convertors/DockerServerCredentialsConvertorTest/void.yaml