feat: Allow the specification of additional trust roots

siegfriedweber · siegfriedweber · commit a8dac723d4fa · 2025-03-18T16:00:42.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file.
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
 - Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
 - OLM deployment helper ([#546]).
+- Allow the specification of additional trust roots in autoTls SecretClasses ([#573]).
 
 ### Changed
 
diff --git a/rust/operator-binary/src/backend/dynamic.rs b/rust/operator-binary/src/backend/dynamic.rs
@@ -118,11 +118,13 @@ pub async fn from_class(
         }
         crd::SecretClassBackend::AutoTls(crd::AutoTlsBackend {
             ca,
+            additional_trust_roots,
             max_certificate_lifetime,
         }) => from(
             super::TlsGenerate::get_or_create_k8s_certificate(
                 client,
                 &ca,
+                &additional_trust_roots,
                 max_certificate_lifetime,
             )
             .await?,
diff --git a/rust/operator-binary/src/backend/tls/ca.rs b/rust/operator-binary/src/backend/tls/ca.rs
@@ -1,6 +1,6 @@
 //! Dynamically provisions and picks Certificate Authorities.
 
-use std::{collections::BTreeMap, fmt::Display};
+use std::{collections::BTreeMap, ffi::OsStr, fmt::Display, path::Path};
 
 use openssl::{
     asn1::{Asn1Integer, Asn1Time},
@@ -34,7 +34,7 @@ use tracing::{info, info_span, warn};
 
 use crate::{
     backend::SecretBackendError,
-    crd::CertificateKeyGeneration,
+    crd::{AdditionalTrustRoot, CertificateKeyGeneration},
     utils::{asn1time_to_offsetdatetime, Asn1TimeParseError, Unloggable},
 };
 
@@ -55,8 +55,8 @@ pub enum Error {
     #[snafu(display("failed to generate certificate key"))]
     GenerateKey { source: openssl::error::ErrorStack },
 
-    #[snafu(display("failed to load CA {secret}"))]
-    FindCa {
+    #[snafu(display("failed to load {secret}"))]
+    FindSecret {
         source: kube::Error,
         secret: ObjectRef<Secret>,
     },
@@ -77,6 +77,12 @@ pub enum Error {
         secret: ObjectRef<Secret>,
     },
 
+    #[snafu(display("unsupported certificate format in key {key:?} of {secret}; supported extensions: .cer, .cert, .crt, .pem"))]
+    UnsupportedCertificateFormat {
+        key: String,
+        secret: ObjectRef<Secret>,
+    },
+
     #[snafu(display("failed to parse CA lifetime from key {key:?} of {secret}"))]
     ParseLifetime {
         source: Asn1TimeParseError,
@@ -106,9 +112,10 @@ impl SecretBackendError for Error {
         match self {
             Error::GenerateKey { .. } => tonic::Code::Internal,
             Error::MissingCertificate { .. } => tonic::Code::FailedPrecondition,
-            Error::FindCa { .. } => tonic::Code::Unavailable,
+            Error::FindSecret { .. } => tonic::Code::Unavailable,
             Error::CaNotFoundAndGenDisabled { .. } => tonic::Code::FailedPrecondition,
             Error::LoadCertificate { .. } => tonic::Code::FailedPrecondition,
+            Error::UnsupportedCertificateFormat { .. } => tonic::Code::InvalidArgument,
             Error::ParseLifetime { .. } => tonic::Code::FailedPrecondition,
             Error::BuildCertificate { .. } => tonic::Code::FailedPrecondition,
             Error::SerializeCertificate { .. } => tonic::Code::FailedPrecondition,
@@ -293,20 +300,22 @@ impl CertificateAuthority {
 #[derive(Debug)]
 pub struct Manager {
     certificate_authorities: Vec<CertificateAuthority>,
+    additional_trusted_certificates: Vec<X509>,
 }
 
 impl Manager {
     pub async fn load_or_create(
         client: &stackable_operator::client::Client,
         secret_ref: &SecretReference,
+        additional_trust_roots: &[AdditionalTrustRoot],
         config: &Config,
     ) -> Result<Self> {
         // Use entry API rather than apply so that we crash and retry on conflicts (to avoid creating spurious certs that we throw away immediately)
         let secrets_api = &client.get_api::<Secret>(&secret_ref.namespace);
         let ca_secret = secrets_api
             .entry(&secret_ref.name)
             .await
-            .with_context(|_| FindCaSnafu { secret: secret_ref })?;
+            .with_context(|_| FindSecretSnafu { secret: secret_ref })?;
         let mut update_ca_secret = false;
         let mut certificate_authorities = match &ca_secret {
             Entry::Occupied(ca_secret) => {
@@ -441,11 +450,67 @@ impl Manager {
                 return SaveRequestedButForbiddenSnafu.fail();
             }
         }
+
+        let mut additional_trusted_certificates = vec![];
+        for AdditionalTrustRoot { secret } in additional_trust_roots {
+            additional_trusted_certificates
+                .extend(Self::read_certificates_from_secret(client, secret).await?);
+        }
+
         Ok(Self {
             certificate_authorities,
+            additional_trusted_certificates,
         })
     }
 
+    /// Read certificates from the given Secret
+    ///
+    /// The keys are assumed to be filenames and their extensions denote the expected format of the
+    /// certificate.
+    async fn read_certificates_from_secret(
+        client: &stackable_operator::client::Client,
+        secret_ref: &SecretReference,
+    ) -> Result<Vec<X509>> {
+        let mut certificates = vec![];
+
+        let secrets_api = &client.get_api::<Secret>(&secret_ref.namespace);
+        let secret = secrets_api
+            .get(&secret_ref.name)
+            .await
+            .with_context(|_| FindSecretSnafu { secret: secret_ref })?;
+
+        let secret_data = secret.data.unwrap_or_default();
+        for (key, ByteString(value)) in &secret_data {
+            let extension = Path::new(key).extension().and_then(OsStr::to_str);
+            let certs = match extension {
+                Some("pem") => X509::stack_from_pem(value),
+                Some("cer") | Some("cert") | Some("crt") => X509::from_der(value)
+                    .map(|cert| vec![cert])
+                    .or(X509::stack_from_pem(value)),
+                _ => {
+                    return UnsupportedCertificateFormatSnafu {
+                        key,
+                        secret: secret_ref,
+                    }
+                    .fail();
+                }
+            }
+            .context(LoadCertificateSnafu {
+                key,
+                secret: secret_ref,
+            })?;
+            info!(
+                "Add the certificate(s) {certs:?} from the key [{key}] of [{secret_ref}] to the additional trust roots.",
+                certs = certs,
+                secret_ref = secret_ref,
+                key = key,
+            );
+            certificates.extend(certs);
+        }
+
+        Ok(certificates)
+    }
+
     /// Get an appropriate [`CertificateAuthority`] for signing a given certificate.
     pub fn find_certificate_authority_for_signing(
         &self,
@@ -467,5 +532,6 @@ impl Manager {
         self.certificate_authorities
             .iter()
             .map(|ca| &ca.certificate)
+            .chain(&self.additional_trusted_certificates)
     }
 }
diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
@@ -33,7 +33,7 @@ use super::{
     ScopeAddressesError, SecretBackend, SecretBackendError, SecretContents,
 };
 use crate::{
-    crd::{self, CertificateKeyGeneration},
+    crd::{self, AdditionalTrustRoot, CertificateKeyGeneration},
     format::{well_known, SecretData, WellKnownSecretData},
     utils::iterator_try_concat_bytes,
 };
@@ -149,12 +149,14 @@ impl TlsGenerate {
             ca_certificate_lifetime,
             key_generation,
         }: &crd::AutoTlsCa,
+        additional_trust_roots: &[AdditionalTrustRoot],
         max_cert_lifetime: Duration,
     ) -> Result<Self> {
         Ok(Self {
             ca_manager: ca::Manager::load_or_create(
                 client,
                 ca_secret,
+                additional_trust_roots,
                 &ca::Config {
                     manage_ca: *auto_generate_ca,
                     ca_certificate_lifetime: *ca_certificate_lifetime,
diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
@@ -89,6 +89,10 @@ pub struct AutoTlsBackend {
     /// Configures the certificate authority used to issue Pod certificates.
     pub ca: AutoTlsCa,
 
+    /// Additional trust roots which are added to the provided `ca.crt` file.
+    #[serde(default)]
+    pub additional_trust_roots: Vec<AdditionalTrustRoot>,
+
     /// Maximum lifetime the created certificates are allowed to have.
     /// In case consumers request a longer lifetime than allowed by this setting,
     /// the lifetime will be the minimum of both, so this setting takes precedence.
@@ -137,6 +141,17 @@ impl AutoTlsCa {
     }
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct AdditionalTrustRoot {
+    /// Reference (name and namespace) to a Kubernetes Secret object where additional certificates
+    /// are stored.
+    /// The extensions of the keys denote its contents: A key suffixed with `.pem` contains a stack
+    /// of base64 encoded DER certificates, a key suffixed with `.cer`, `.cert`, or `.crt` contains
+    /// either a binary DER certificate or a stack of base64 encoded DER certificates.
+    pub secret: SecretReference,
+}
+
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
 #[serde(rename_all = "camelCase")]
 pub enum CertificateKeyGeneration {
@@ -417,6 +432,7 @@ mod test {
                             length: CertificateKeyGeneration::RSA_KEY_LENGTH_3072
                         }
                     },
+                    additional_trust_roots: vec![],
                     max_certificate_lifetime: DEFAULT_MAX_CERT_LIFETIME,
                 })
             }
@@ -436,6 +452,10 @@ mod test {
                   namespace: default
                 autoGenerate: true
                 caCertificateLifetime: 100d
+              additionalTrustRoots:
+                - secret:
+                    name: tls-root-ca
+                    namespace: default
               maxCertificateLifetime: 31d
         "#;
         let deserializer = serde_yaml::Deserializer::from_str(input);
@@ -454,6 +474,12 @@ mod test {
                         ca_certificate_lifetime: Duration::from_days_unchecked(100),
                         key_generation: CertificateKeyGeneration::default()
                     },
+                    additional_trust_roots: vec![AdditionalTrustRoot {
+                        secret: SecretReference {
+                            name: "tls-root-ca".to_string(),
+                            namespace: "default".to_string(),
+                        }
+                    }],
                     max_certificate_lifetime: Duration::from_days_unchecked(31),
                 })
             }

Original file line number	Diff line number	Diff line change
`@@ -118,11 +118,13 @@ pub async fn from_class(`
`118`	`118`	`}`
`119`	`119`	`crd::SecretClassBackend::AutoTls(crd::AutoTlsBackend {`
`120`	`120`	`ca,`
	`121`	`+ additional_trust_roots,`
`121`	`122`	`max_certificate_lifetime,`
`122`	`123`	`}) => from(`
`123`	`124`	`super::TlsGenerate::get_or_create_k8s_certificate(`
`124`	`125`	`client,`
`125`	`126`	`&ca,`
	`127`	`+ &additional_trust_roots,`
`126`	`128`	`max_certificate_lifetime,`
`127`	`129`	`)`
`128`	`130`	`.await?,`