When creating a trust bundle with additionalFormats/pkcs12, no pkcs12 is produced

[brendan-hofmann]

As the title says, I have the below Bundle, attempting to create from an existing secret containing a CA I would like to trust. The Bundle's ConfigMaps are created successfully, but they only contain the trust-bundle.pem field. I tried upping trust-manager's logging to level 5 and attached the output below as well.

I have this issue with v0.20.2 and v0.19.0 so far (tried rolling back a few versions just as an experiment). I am deploying onto Rancher Desktop 1.20.1.

I assume I am missing something, as from the documentation it looks like this is all that should be required. Thanks in advance for your time!

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: test-bundle
spec:
  sources:
    - secret:
        name: "test-root-secret"
        key: "tls.crt"
  target:
    configMap:
      key: "trust-bundle.pem"
    additionalFormats:
      pkcs12:
        key: "truststore.p12"
        password: "test"

time=2025-12-03T15:47:42.732Z level=DEBUG+2 msg="syncing bundle" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle
time=2025-12-03T15:47:42.758Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=cert-manager/test-bundle
time=2025-12-03T15:47:42.786Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=default/test-bundle
time=2025-12-03T15:47:42.846Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=ingress-nginx/test-bundle
time=2025-12-03T15:47:42.864Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=kube-node-lease/test-bundle
time=2025-12-03T15:47:42.899Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=kube-public/test-bundle
time=2025-12-03T15:47:42.922Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=kube-system/test-bundle
time=2025-12-03T15:47:42.936Z level=DEBUG+2 msg="applied bundle to namespace" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle target=test/test-bundle
time=2025-12-03T15:47:42.937Z level=DEBUG+2 msg="successfully synced bundle" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e bundle=test-bundle
time=2025-12-03T15:47:42.937Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:test-bundle UID:b7da889e-0e23-4734-9d7a-61e3b3cac24e APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:1373 FieldPath:}" reason=Synced
time=2025-12-03T15:47:42.949Z level=DEBUG-1 msg="Reconcile successful" controller=bundles namespace="" name=test-bundle reconcileID=62a2403d-e10f-4bd6-a737-2d5ab7d07a2e
time=2025-12-03T15:47:42.949Z level=DEBUG-1 msg=Reconciling controller=bundles namespace="" name=test-bundle reconcileID=ef49d900-a9eb-481f-8fa3-9c41c678789b
time=2025-12-03T15:47:42.949Z level=DEBUG+2 msg="syncing bundle" controller=bundles namespace="" name=test-bundle reconcileID=ef49d900-a9eb-481f-8fa3-9c41c678789b bundle=test-bundle
time=2025-12-03T15:47:42.950Z level=DEBUG+2 msg="successfully synced bundle" controller=bundles namespace="" name=test-bundle reconcileID=ef49d900-a9eb-481f-8fa3-9c41c678789b bundle=test-bundle
time=2025-12-03T15:47:42.951Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:test-bundle UID:b7da889e-0e23-4734-9d7a-61e3b3cac24e APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:1373 FieldPath:}" reason=Synced
time=2025-12-03T15:47:42.964Z level=DEBUG-1 msg="Reconcile successful" controller=bundles namespace="" name=test-bundle reconcileID=ef49d900-a9eb-481f-8fa3-9c41c678789b
time=2025-12-03T15:47:42.964Z level=DEBUG-1 msg=Reconciling controller=bundles namespace="" name=test-bundle reconcileID=defc5676-2ec5-43eb-aa51-cbd4efda112f
time=2025-12-03T15:47:42.964Z level=DEBUG+2 msg="syncing bundle" controller=bundles namespace="" name=test-bundle reconcileID=defc5676-2ec5-43eb-aa51-cbd4efda112f bundle=test-bundle
time=2025-12-03T15:47:42.965Z level=DEBUG-1 msg="Reconcile successful" controller=bundles namespace="" name=test-bundle reconcileID=defc5676-2ec5-43eb-aa51-cbd4efda112f

[kobin23]

Have the same problem on version 0.21.1, and same problem for JKS format

[erikgb]

Anything in the logs that could indicate the cause of this misbehavior?

[kobin23]

Anything in the logs that could indicate the cause of this misbehavior?

No errors or warnings, only message about successful sync of bundle every time I update CR Bundle
I can provide logs later, if it can help investigate problem