{"id":16861962,"url":"https://github.com/maelvls/secret-transform","last_synced_at":"2025-07-15T12:44:50.313Z","repository":{"id":45638483,"uuid":"407102206","full_name":"maelvls/secret-transform","owner":"maelvls","description":"Renames and transforms the tls.crt, tls.key, and ca.crt keys from your Kubernetes Secret resources.","archived":false,"fork":false,"pushed_at":"2025-06-15T11:46:06.000Z","size":94,"stargazers_count":10,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-15T12:20:44.137Z","etag":null,"topics":["cert-manager","certificate","tls","x509"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/maelvls.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-09-16T09:24:59.000Z","updated_at":"2025-06-15T11:48:56.000Z","dependencies_parsed_at":"2025-05-30T10:32:17.245Z","dependency_job_id":"02b2c310-8bae-44a2-8e56-bafcffc49b94","html_url":"https://github.com/maelvls/secret-transform","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/maelvls/secret-transform","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maelvls%2Fsecret-transform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maelvls%2Fsecret-transform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maelvls%2Fsecret-transform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/maelvls%2Fsecret-transform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/maelvls","download_url":"https://codeload.github.com/maelvls/secret-transform/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maelvls%2Fsecret-transform/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265437294,"owners_count":23765119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert-manager","certificate","tls","x509"],"created_at":"2024-10-13T14:34:06.186Z","updated_at":"2025-07-15T12:44:50.305Z","avatar_url":"https://github.com/maelvls.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secret Transform\n\nCopy and transform the contents of your Kubernetes Secrets that contain TLS key\nmaterial. 
When a Secret is changed, secret-transform automatically re-copies or\nre-transforms the Secret.\n\n- [Installation \\\u0026 Quick Start](#installation--quick-start)\n- [Debugging](#debugging)\n- [Renaming the key of a Secret](#renaming-the-key-of-a-secret)\n- [Renaming of optional keystore keys](#renaming-of-optional-keystore-keys)\n  - [Use-case: Redis Enterprise for Kubernetes](#use-case-redis-enterprise-for-kubernetes)\n  - [Use-case: FluxCD](#use-case-fluxcd)\n- [Combined PEM bundle](#combined-pem-bundle)\n  - [Use-case: MongoDB](#use-case-mongodb)\n  - [Use-case: HAProxy Community Edition and HAProxy Enterprise Edition](#use-case-haproxy-community-edition-and-haproxy-enterprise-edition)\n  - [Use-case: Hitch](#use-case-hitch)\n  - [Use-case: Postgres JDBC driver (lower than 42.2.9)](#use-case-postgres-jdbc-driver-lower-than-4229)\n  - [Use-case: Ejabberd](#use-case-ejabberd)\n  - [Use-case: Elasticsearch (Elastic's and Open Distro's)](#use-case-elasticsearch-elastics-and-open-distros)\n  - [Use-case: Dovecot](#use-case-dovecot)\n- [Cut a New Release](#cut-a-new-release)\n\n## Installation \u0026 Quick Start\n\nA Helm chart is available as well as container images. 
To install\nsecret-transform, run:\n\n```bash\nhelm upgrade --install secret-transform -n secret-transform --create-namespace \\\n  oci://ghcr.io/maelvls/charts/secret-transform\n```\n\nThen, annotate a Secret:\n\n```bash\nkubectl annotate secret cert-1 secret-transform/secret-copy-tls.crt=tlsCert\n```\n\nYou will see that the value for the key `tls.crt` has been copied to the\n`tlsCert` key.\n\n## Debugging\n\nIf you want to know why one of the Secrets you have annotated hasn't been processed by secret-transform, you can run the following command:\n\n```bash\nkubectl events -n default --for secret/cert-1\n```\n\nIf everything went well, you should see:\n\n```text\nLAST SEEN   TYPE     REASON      OBJECT          MESSAGE\n0s          Normal   CopiedKey   Secret/cert-1   Copied the contents of \"tls.crt\" into key \"cert\"\n```\n\nIf you would like to check whether both values are the same, you can run:\n\n```bash\ndiff -u \\\n  \u003c(kubectl get secret cert-1 -ojson | jq '.data.\"tls.crt\"' -r | base64 -d | openssl x509 -text -noout) \\\n  \u003c(kubectl get secret cert-1 -ojson | jq '.data.\"cert\"' -r | base64 -d | openssl x509 -text -noout)\n```\n\nIf the output is empty, then secret-transform is working well.\n\n## Renaming the key of a Secret\n\ncert-manager doesn't support customizing the name of the keys used in the\nSecrets. The keys are fixed to `tls.crt`, `tls.key`, and `ca.crt`.\n\nYou can use the three annotations below to \"rename\" (or rather copy) the keys of\na Secret. Let's imagine you want the Secret to have the private key stored in\nthe key `keyFile`, the certificate in the key `certFile`, and the CA certificate\nin the key `caFile`. 
You can annotate your Secret with the following\nannotations:\n\n```yaml\nkind: Secret\nmetadata:\n  annotations:\n    secret-transform/secret-copy-ca.crt: caFile    # ✨ \"ca.crt\" to be renamed to \"caFile\"\n    secret-transform/secret-copy-tls.crt: certFile # ✨ \"tls.crt\" to be renamed to \"certFile\"\n    secret-transform/secret-copy-tls.key: keyFile  # ✨ \"tls.key\" to be renamed to \"keyFile\"\nstringData:\n  tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n  tls.key: \u003cthe PEM-encoded contents of the private key\u003e\n  ca.crt: \u003cthe PEM-encoded contents of the CA certificate\u003e\n```\n\nAfter adding the annotations, you will see the new keys appear in the Secret:\n\n```diff\n kind: Secret\n metadata:\n   annotations:\n     secret-transform/secret-copy-ca.crt: caFile\n     secret-transform/secret-copy-tls.crt: certFile\n     secret-transform/secret-copy-tls.key: keyFile\n data:\n    tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n    tls.key: \u003cthe PEM-encoded contents of the private key\u003e\n    ca.crt: \u003cthe PEM-encoded contents of the CA certificate\u003e\n+   certFile: \u003ccopied from tls.crt\u003e\n+   keyFile: \u003ccopied from tls.key\u003e\n+   caFile: \u003ccopied from ca.crt\u003e\n```\n\n## Renaming of optional keystore keys\n\ncert-manager can optionally provide keystores in JKS and/or PKCS#12 format.\nAs with the default keys, you can use annotations to rename your keystore keys.\n\n**JKS:**\n\n```yaml\nkind: Secret\nmetadata:\n  annotations:\n    secret-transform/secret-copy-keystore.jks: keystore      # ✨ \"keystore.jks\" to be renamed to \"keystore\"\n    secret-transform/secret-copy-truststore.jks: truststore  # ✨ \"truststore.jks\" to be renamed to \"truststore\"\nstringData:\n  tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n  tls.key: \u003cthe PEM-encoded contents of the private key\u003e\n  ca.crt: \u003cthe PEM-encoded contents of the CA 
certificate\u003e\n  keystore.jks: \u003ckeystore that holds the certificate and the private key\u003e\n  truststore.jks: \u003ctruststore that holds the CA certificate\u003e\n```\n\nAfter adding the annotations, you will see the new keys appear in the Secret:\n\n```diff\n kind: Secret\n metadata:\n   annotations:\n    secret-transform/secret-copy-keystore.jks: keystore\n    secret-transform/secret-copy-truststore.jks: truststore\n data:\n    tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n    tls.key: \u003cthe PEM-encoded contents of the private key\u003e\n    ca.crt: \u003cthe PEM-encoded contents of the CA certificate\u003e\n    keystore.jks: \u003ckeystore that holds the certificate and the private key\u003e\n    truststore.jks: \u003ctruststore that holds the CA certificate\u003e\n+   keystore: \u003ccopied from keystore.jks\u003e\n+   truststore: \u003ccopied from truststore.jks\u003e\n```\n\n**PKCS#12:**\n\n```yaml\nkind: Secret\nmetadata:\n  annotations:\n    secret-transform/secret-copy-keystore.p12: keystore      # ✨ \"keystore.p12\" to be renamed to \"keystore\"\n    secret-transform/secret-copy-truststore.p12: truststore  # ✨ \"truststore.p12\" to be renamed to \"truststore\"\nstringData:\n  tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n  tls.key: \u003cthe PEM-encoded contents of the private key\u003e\n  ca.crt: \u003cthe PEM-encoded contents of the CA certificate\u003e\n  keystore.p12: \u003ckeystore that holds the certificate and the private key\u003e\n  truststore.p12: \u003ctruststore that holds the CA certificate\u003e\n```\n\nAfter adding the annotations, you will see the new keys appear in the Secret:\n\n```diff\n kind: Secret\n metadata:\n   annotations:\n    secret-transform/secret-copy-keystore.p12: keystore\n    secret-transform/secret-copy-truststore.p12: truststore\n data:\n    tls.crt: \u003cthe PEM-encoded contents of the certificate\u003e\n    tls.key: \u003cthe PEM-encoded contents of the private 
key\u003e\n    ca.crt: \u003cthe PEM-encoded contents of the CA certificate\u003e\n    keystore.p12: \u003ckeystore that holds the certificate and the private key\u003e\n    truststore.p12: \u003ctruststore that holds the CA certificate\u003e\n+   keystore: \u003ccopied from keystore.p12\u003e\n+   truststore: \u003ccopied from truststore.p12\u003e\n```\n\n### Use-case: Redis Enterprise for Kubernetes\n\nIf you are using Redis Enterprise for Kubernetes, the page [Manage Redis\nEnterprise cluster (REC)\ncertificates](https://docs.redis.com/latest/kubernetes/security/manage-rec-certificates/)\nwill ask you to create a Secret with the following keys:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nstringData:\n  name: proxy # \u003cproxy | api | cm | syncer | metrics_exporter\u003e\n  key: \u003cthe PEM-encoded contents of the private key\u003e\n  certificate: \u003cthe PEM-encoded contents of the certificate\u003e\n```\n\nYou can use secret-transform in combination with cert-manager to obtain this\nSecret.\n\nThe Secret needs to be created beforehand so that `name: proxy` shows correctly.\nWhen a Secret already exists, cert-manager doesn't create a new one: it simply\nupdates `tls.crt`, `tls.key`, and `ca.crt`.\n\nThe pre-created Secret I suggest is:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  name: redis-cert1\n  annotations:\n    secret-transform/secret-copy-tls.crt: certificate\n    secret-transform/secret-copy-tls.key: key\nstringData:\n  name: proxy\n```\n\nAfter cert-manager has filled in `tls.crt` and `tls.key`, secret-transform will\ncopy these two fields into `certificate` and `key`. 
The resulting Secret will\nlook like this:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  name: redis-cert1\n  annotations:\n    secret-transform/secret-copy-tls.crt: certificate\n    secret-transform/secret-copy-tls.key: key\ndata:\n  tls.crt: LS0tLCR...UdJ0tC7g==\n  tls.key: CRUdJTo...Ci0tLS0t==\n  ca.crt: ...\n  certificate: LS0tLCR...UdJ0tC7g==\n  key: CRUdJTo...Ci0tLS0t==\n  name: proxy\n```\n\n### Use-case: FluxCD\n\nFluxCD expects the keys `caFile`, `certFile`, and `keyFile`. The\n`secret-transform` controller can be used to create a copy of the standard keys\nso that you can use them from FluxCD.\n\nFor example, if you annotate your Secret with the following annotation:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  annotations:\n    secret-transform/secret-copy-ca.crt: caFile\n    secret-transform/secret-copy-tls.crt: certFile\n    secret-transform/secret-copy-tls.key: keyFile\ndata:\n  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n  tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg==\n  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n```\n\nThe Secret will be transformed to:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  annotations:\n    secret-transform/secret-copy-ca.crt: caFile\n    secret-transform/secret-copy-tls.crt: certFile\n    secret-transform/secret-copy-tls.key: keyFile\ndata:\n  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n  tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg==\n  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n  certFile: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg== # ✨\n  keyFile: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg== # ✨\n  caFile: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg== # ✨\n```\n\n## Combined PEM bundle\n\n\u003e [!IMPORTANT]\n\u003e The combined PEM 
feature provided by this addon has been added to\n\u003e cert-manager 1.7 with the field `additionalOutputFormats: CombinedPEM`.\n\u003e Since the feature is still in alpha (as of Sept 2023), you will need to use the feature\n\u003e flag `--feature-gates=AdditionalCertificateOutputFormats=true`. You can read more in the cert-manager documentation page\n\u003e [Additional Certificate Output Formats](https://secret-transform/docs/usage/certificate/#additional-certificate-output-formats).\n\nAnother common request reported in the cert-manager issue\n[#843](https://github.com/jetstack/cert-manager/issues/843) is to create a PEM\nbundle containing both the key and certificate for easier use with software that\nrequires a unified PEM bundle, such as\n\n- HAProxy,\n- Hitch,\n- OpenDistro for Elasticsearch.\n\nYou can run the `secret-transform` controller (right now, it has to be run\nout-of-cluster since I did not write any manifest) and if you annotate your\nSecret with the following annotation:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  annotations:\n    secret-transform/secret-transform: tls.pem\ndata:\n  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n  tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg==\n```\n\nthen a new data key will be created with the name `tls.pem`, whose value\ncontains the key and certificate concatenated:\n\n```yaml\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  annotations:\n    secret-transform/secret-transform: tls.pem\ndata:\n  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...CBDRVJUSUZJQ0FURS0tLS0tCg==\n  tls.key: LS0tLS1CRUdJToCi0tLS0tRU5EIF...SBQUklWQVRFIEtFWS0tLS0tCg==\n  tls.pem: LS0tLS1CRUdJTiBSUXc0ZHk3NTNl...kQgQ0VSVElGSUNBVEUtLS0tLQo= # ✨\n```\n\nThe updated Secret looks like this:\n\n```sh\n$ kubectl get secret example -ojsonpath='{.data.tls\\.pem}' | base64 -d\n-----BEGIN RSA PRIVATE 
KEY-----\nMIIEowIBAAKCAQEAzmuXe0BSZqjh7V94wfTifk/5hKS/V1RjyBa4RVdFBBHNGsUb\nu+8UhhRgadS+R5ZrcErpt1YIchNuliqaZbXEW0BpWtRc3NmqDRzh\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIFXTCCBEWgAwIBAgISBP8i8Bm2p/jl6yxMoLrrJlQkMA0GCSqGSIb3DQEBCwUA\ntBpwpdCVsgQqdy69SIU4AYKejVC4nJK9mwAsJi41/W+M\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\nMldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\nnLRbwHOoq7hHwg==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\nDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n-----END CERTIFICATE-----\n```\n\n\u003ca id=\"use-case-mongodb\"/\u003e\n\n### Use-case: MongoDB\n\nhttps://github.com/jetstack/cert-manager/issues/843\n\nIn order to configure mTLS, the `mongod` and `mongos` require a combined PEM file using the key [`certificateKeyFile`](https://docs.mongodb.com/manual/tutorial/configure-ssl/). The PEM file must contain the PKCS#8 PEM-encoded private key followed by the chain of PEM-encoded X.509 certificates. The configuration looks like this:\n\n```yaml\nnet:\n  tls:\n    mode: requireTLS\n    certificateKeyFile: /etc/ssl/mongodb.pem\n```\n\n\u003e :heavy_check_mark: secret-transform should be able to get around this.\n\n\u003ca id=\"use-case-haproxy-community-edition-and-haproxy-enterprise-edition\"/\u003e\n\n### Use-case: HAProxy Community Edition and HAProxy Enterprise Edition\n\nThe [`crt`](https://cbonte.github.io/haproxy-dconv/2.5/configuration.html#5.1-crt) parameter requires a PEM bundle containing the PKCS#8 private key followed by the X.509 certificate chain. 
An example configuration looks like this:\n\n```haproxy\nfrontend www\n   bind :443 ssl crt /etc/certs/ssl.pem\n```\n\n\u003e :heavy_check_mark: secret-transform should be able to get around this.\n\n\u003ca id=\"use-case-hitch\"/\u003e\n\n### Use-case: Hitch\n\nHitch, a reverse proxy that aims at terminating TLS connections, requires the use of a combined PEM bundle using the configuration key [`pem-file`](https://github.com/varnish/hitch/blob/master/docs/configuration.md). The bundle must consist of a PKCS#8-encoded private key followed by the X.509 leaf certificate, followed by the intermediate certificates. An example configuration looks like this:\n\n```hitch\npem-file = \"/etc/tls/combined.pem\"\n```\n\nor\n\n```hitch\npem-file = {\n    cert = \"/etc/tls/combined.pem\"\n}\n```\n\n\u003e :heavy_check_mark: secret-transform should be able to get around this.\n\n\u003ca id=\"use-case-postgres-jdbc-driver-lower-than-4229\"/\u003e\n\n### Use-case: Postgres JDBC driver (lower than 42.2.9)\n\nIf you are stuck with a version of the Postgres JDBC driver older than 42.2.9 (released before Dec 2019), [`sslkey`](https://jdbc.postgresql.org/documentation/head/ssl-client.html) refers to a file containing the PKCS#8-formatted DER-encoded private key.\n\n```java\nprops.setProperty(\"sslkey\",\"/etc/ssl/postgres/postgresql.key\");\n```\n\n\u003e ❌ secret-transform is not able to work around this issue yet.\n\n\u003ca id=\"use-case-ejabberd\"/\u003e\n\n### Use-case: Ejabberd\n\nRelated issue in the cert-manager repository: [Add ca.crt to TLS secret generated by ACME issuers](https://github.com/jetstack/cert-manager/issues/1571).\n\n[Ejabberd](https://github.com/processone/ejabberd), an open-source Erlang-based XMPP server, requires all file paths given with [`certfiles`](https://docs.ejabberd.im/admin/configuration/toplevel/#certfiles) to be \"valid\" (i.e., not empty). The pain point is that Ejabberd fails when the `ca.crt` file is empty on disk. 
This makes it difficult to use Ejabberd with cert-manager, for example with the following Ejabberd configuration:\n\n```yaml\ncertfiles:\n  - /etc/ssl/ejabberd/tls.crt\n  - /etc/ssl/ejabberd/tls.key\n  - /etc/ssl/ejabberd/ca.crt # May be empty with the ACME Issuer.\n```\n\n\u003e ❌ secret-transform is not able to work around this issue yet.\n\n\u003ca id=\"use-case-elasticsearch-elastics-and-open-distros\"/\u003e\n\n### Use-case: Elasticsearch (Elastic's and Open Distro's)\n\nRelated to the issue on the cloud-on-k8s project: [fleet and elastic agent doesn't work without a ca.crt](https://github.com/elastic/cloud-on-k8s/issues/4790).\n\nElasticsearch cannot start when the `ca.crt` file is empty on disk, which may happen for ACME-issued certificates. A \"possible\" workaround for an empty `ca.crt` could be to set [`pemtrustedcas_filepath`](https://opensearch.org/docs/latest/security-plugin/configuration/tls/#x509-pem-certificates-and-pkcs-8-keys) to the existing system CA bundle. For example, on RHEL, that could be `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` or `/etc/ssl/cert.pem` on Alpine Linux. But Elasticsearch expects this file to exist within its config path (i.e., `/usr/share/elasticsearch/config`).\n\n\u003e ❌ secret-transform is not able to work around this issue yet.\n\n### Use-case: Dovecot\n\nSource: https://github.com/jetstack/cert-manager/issues/843#issuecomment-691693003\n\nDovecot is an IMAP and POP3 server. It requires separate PEM files for the certificate and private key. One person is asking for \"PEM format\" but I don't quite understand why. See: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/\n\n\u003e ❌ secret-transform is not able to work around this issue yet.\n\n## Cut a New Release\n\nWe use `goreleaser`. 
To cut a new release:\n\n```sh\nexport VERSION=v0.5.0\ngit tag --annotate --message=\"Release ${VERSION}\" \"${VERSION}\"\ngit push origin \"${VERSION}\"\n```\n\nThe GitHub Action will push the new Helm chart and Docker images, and a draft\nGitHub release will be created.\n\nThen, edit the draft GitHub release by rewriting the commit messages into\nuser-focused messages.\n\nFinally, click \"Publish\" to announce the release to everyone who is watching the\nrepository!\n\n\u003e **Note:** It is also possible to run `goreleaser` locally. First, install\n\u003e Goreleaser and Helm 3.12 (or above) since we need the annotation\n\u003e `org.opencontainers.image.source`. Then, run:\n\u003e\n\u003e ```bash\n\u003e # This is a dry-run just to see if the Helm chart and the images can be built.\n\u003e goreleaser --snapshot --clean\n\u003e ```\n\u003e\n\u003e I often don't have the time to wait for GitHub Actions to run goreleaser, so I\n\u003e often run it myself:\n\u003e\n\u003e ```bash\n\u003e # This is the real deal.\n\u003e export GITHUB_TOKEN=...\n\u003e goreleaser\n\u003e ```\n\u003e\n\u003e But it is preferable to let the GitHub Action do it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaelvls%2Fsecret-transform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaelvls%2Fsecret-transform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaelvls%2Fsecret-transform/lists"}