TrustStore CRD (#557)

Co-authored-by: Siegfried Weber <mail@siegfriedweber.net>
Co-authored-by: hjiayz <hjiayz@gmail.com>
Co-authored-by: hjiayz <hjiayz@163.com>
Co-authored-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
Co-authored-by: Patrick Amrein <amrein@ubique.ch>
Co-authored-by: Julius Michaelis <glitter@liftm.de>

Author: 7 people

CHANGELOG.md

@@ -17,6 +17,7 @@ All notable changes to this project will be documented in this file.
   - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
   - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
   - Use `--console-log-format` (or `CONSOLE_LOG_FORMAT`) to set the format to `plain` (default) or `json`.
+- Added TrustStore CRD for requesting CA certificate information ([#557]).
 
 ### Changed
 
@@ -38,6 +39,7 @@ All notable changes to this project will be documented in this file.
 
 - Use `json` file extension for log files ([#586]).
 
+[#557]: https://github.com/stackabletech/secret-operator/pull/557
 [#572]: https://github.com/stackabletech/secret-operator/pull/572
 [#581]: https://github.com/stackabletech/secret-operator/pull/581
 [#586]: https://github.com/stackabletech/secret-operator/pull/586

Cargo.lock

@@ -19,13 +19,14 @@ bindgen = "0.71"
 built = { version = "0.7", features = ["chrono", "git2"] }
 byteorder = "1.5"
 clap = "4.5"
+const_format = "0.2.34"
 futures = { version = "0.3", features = ["compat"] }
 h2 = "0.4"
+kube-runtime = { version = "0.99", features = ["unstable-runtime-stream-control"] }
 ldap3 = { version = "0.11", default-features = false, features = ["gssapi", "tls"] }
 libc = "0.2"
 native-tls = "0.2"
 openssl = "0.10"
-p12 = "0.6"
 pin-project = "1.1"
 pkg-config = "0.3"
 prost = "0.13"

Cargo.nix

@@ -218,6 +218,15 @@ spec:
                               description: The Secret objects are located in the same namespace as the Pod object. Should be used for Secrets that are provisioned by the application administrator.
                               type: object
                           type: object
+                        trustStoreConfigMapName:
+                          description: |-
+                            Name of a ConfigMap that contains the information required to validate against this SecretClass.
+
+                            Resolved relative to `search_namespace`.
+
+                            Required to request a TrustStore for this SecretClass.
+                          nullable: true
+                          type: string
                       required:
                         - searchNamespace
                       type: object
@@ -346,3 +355,53 @@ spec:
       served: true
       storage: true
       subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: truststores.secrets.stackable.tech
+  annotations:
+    helm.sh/resource-policy: keep
+spec:
+  group: secrets.stackable.tech
+  names:
+    categories: []
+    kind: TrustStore
+    plural: truststores
+    shortNames: []
+    singular: truststore
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns: []
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Auto-generated derived type for TrustStoreSpec via `CustomResource`
+          properties:
+            spec:
+              description: |-
+                A [TrustStore](https://docs.stackable.tech/home/nightly/secret-operator/truststore) requests information about how to validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).
+
+                The requested information is written to a ConfigMap with the same name as the TrustStore.
+              properties:
+                format:
+                  description: The [format](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#format) that the data should be converted into.
+                  enum:
+                    - tls-pem
+                    - tls-pkcs12
+                    - kerberos
+                  nullable: true
+                  type: string
+                secretClassName:
+                  description: The name of the SecretClass that the request concerns.
+                  type: string
+              required:
+                - secretClassName
+              type: object
+          required:
+            - spec
+          title: TrustStore
+          type: object
+      served: true
+      storage: true
+      subresources: {}

Cargo.toml

@@ -55,6 +55,16 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - patch
+      - get
+      - watch
+      - list
   - apiGroups:
       - ""
     resources:
@@ -96,8 +106,11 @@ rules:
       - secrets.stackable.tech
     resources:
       - secretclasses
+      - truststores
     verbs:
       - get
+      - watch
+      - list
   - apiGroups:
       - listeners.stackable.tech
     resources:
@@ -114,6 +127,13 @@ rules:
       - get
       - patch
       - create
+  - apiGroups:
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
   - apiGroups:
       - security.openshift.io

deploy/helm/secret-operator/crds/crds.yaml

@@ -17,3 +17,4 @@ spec:
         pod: {}
         # or...
         name: my-namespace
+      trustStoreConfigMapName: tls-ca # <4>

deploy/helm/secret-operator/templates/roles.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: TrustStore
+metadata:
+  name: truststore-pem # <1>
+spec:
+  secretClassName: tls # <2>
+  format: tls-pem # <3>

docs/modules/secret-operator/examples/secretclass-tls.yaml

@@ -17,6 +17,7 @@ include::example$secretclass-tls.yaml[]
 <1> Backends are mutually exclusive, only one may be used by each SecretClass
 <2> Configures and selects the xref:#backend-autotls[] backend
 <3> Configures and selects the xref:#backend-k8ssearch[] backend
+<4> Provides a trust root to be requested by xref:truststore.adoc[]
 
 [#backend]
 == Backend
@@ -28,6 +29,8 @@ Each SecretClass is a associated with a single backend, which dictates the mecha
 
 *Format*: xref:#format-tls-pem[]
 
+*TrustStore*: Yes
+
 Issues a TLS certificate signed by the Secret Operator.
 The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator.
 
@@ -150,6 +153,8 @@ spec:
 
 *Format*: xref:#format-tls-pem[]
 
+*TrustStore*: No
+
 Injects a TLS certificate issued by {cert-manager}[Cert-Manager].
 
 WARNING: This backend is experimental, and subject to change.
@@ -213,6 +218,8 @@ spec:
 
 *Format*: xref:#format-kerberos[]
 
+*TrustStore*: No
+
 Creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
 
 IMPORTANT: Only MIT Kerberos (krb5) and Active Directory are currently supported.
@@ -368,6 +375,8 @@ spec:
 
 *Format*: Free-form
 
+*TrustStore*: If configured
+
 This backend can be used to mount `Secret` across namespaces into pods. The `Secret` object is selected based on two things:
 
 1. The xref:scope.adoc[scopes] specified on the `Volume` using the attribute `secrets.stackable.tech/scope`.
@@ -444,14 +453,16 @@ spec:
         pod: {}
         # or...
         name: my-namespace
+      trustStoreConfigMapName: tls-ca
 ----
 
 `k8sSearch`:: Declares that the `k8sSearch` backend is used.
-`k8sSearch.searchNamespace`:: Configures the namespace searched for `Secret` objects.
-`k8sSearch.searchNamespace.pod`:: The `Secret` objects are located in the same namespace as the `Pod` object. Should be used
+`k8sSearch.searchNamespace`:: Configures the namespace searched for Secrets.
+`k8sSearch.searchNamespace.pod`:: The Secret objects are located in the same namespace as the Pod. Should be used
                                   for secrets that are provisioned by the application administrator.
-`k8sSearch.searchNamespace.name`:: The `Secret` objects are located in a single global namespace. Should be used for secrets
+`k8sSearch.searchNamespace.name`:: The Secrets are located in a single global namespace. Should be used for secrets
                                    that are provisioned by the cluster administrator.
+`k8sSearch.trustStoreConfigMapName`:: ConfigMap used to provision xref:truststore.adoc[].
 
 ==== Format
 

docs/modules/secret-operator/examples/truststore-tls.yaml

@@ -0,0 +1,22 @@
+= TrustStore
+:description: A TrustStore in Kubernetes retrieves the trust anchors from a SecretClass.
+
+A _TrustStore_ is a Kubernetes resource that can be used to request the trust anchor information (such as the TLS certificate authorities) from a xref:secretclass.adoc[].
+
+This can be used to access a protected service from other services that do not require their own certificates (or from clients running outside of Kubernetes).
+
+A TrustStore looks like this:
+
+[source,yaml]
+----
+include::example$truststore-tls.yaml[]
+----
+<1> Also used to name the created ConfigMap
+<2> The name of the xref:secretclass.adoc[]
+<3> The requested xref:secretclass.adoc#format[format]
+
+This will create a ConfigMap named `truststore-pem` containing a `ca.crt` with the trust root certificates.
+It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
+
+NOTE: Make sure to have a procedure for updating the retrieved certificates.
+      The Secret Operator will automatically rotate the xref:secretclass.adoc#backend-autotls[autoTls] certificate authority as needed, but all trust roots will require some form of update occasionally.

docs/modules/secret-operator/pages/secretclass.adoc

@@ -6,6 +6,7 @@
 ** xref:secret-operator:secretclass.adoc[]
 ** xref:secret-operator:scope.adoc[]
 ** xref:secret-operator:volume.adoc[]
+** xref:secret-operator:truststore.adoc[]
 * Guides
 ** xref:secret-operator:cert-manager.adoc[]
 * xref:secret-operator:security.adoc[]