stackabletech · nightkr · Apr 11, 2020 · Apr 11, 2020 · Apr 14, 2020 · Apr 14, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file.
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
 - Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
 - OLM deployment helper ([#546]).
+- Added TrustStore CRD for requesting CA certificate information ([#557]).
 
 ### Changed
 
@@ -33,6 +34,7 @@ All notable changes to this project will be documented in this file.
 [#546]: https://github.com/stackabletech/secret-operator/pull/546
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
 [#552]: https://github.com/stackabletech/secret-operator/pull/552
+[#557]: https://github.com/stackabletech/secret-operator/pull/557
 [#563]: https://github.com/stackabletech/secret-operator/pull/563
 [#564]: https://github.com/stackabletech/secret-operator/pull/564
 [#566]: https://github.com/stackabletech/secret-operator/pull/566

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.nix b/Cargo.nix
diff --git a/Cargo.toml b/Cargo.toml
@@ -19,14 +19,14 @@ byteorder = "1.5"
 clap = "4.5"
 futures = { version = "0.3", features = ["compat"] }
 h2 = "0.4"
+kube-runtime = { version = "0.98", features = ["unstable-runtime-stream-control"] }
 ldap3 = { version = "0.11", default-features = false, features = [
   "gssapi",
   "tls",
 ] }
 libc = "0.2"
 native-tls = "0.2"
 openssl = "0.10"
-p12 = "0.6"
 pin-project = "1.1"
 pkg-config = "0.3"
 prost = "0.13"

diff --git a/deny.toml b/deny.toml
@@ -29,6 +29,15 @@ ignore = [
     #
     # TODO: Remove after https://github.com/kube-rs/kube/pull/1652 is merged
     "RUSTSEC-2024-0384",
+
+    # https://rustsec.org/advisories/RUSTSEC-2025-0012
+    # "backoff" is unmainted.
+    #
+    # Upstream (kube) has switched to backon in 0.99.0, and an upgrade is scheduled on our end. In the meantime,
+    # this is a very low-severity problem.
+    #
+    # TODO: Remove after upgrading to kube 0.99.
+    "RUSTSEC-2025-0012",
 ]
 
 [bans]

diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
@@ -180,6 +180,15 @@ spec:
                               description: The Secret objects are located in the same namespace as the Pod object. Should be used for Secrets that are provisioned by the application administrator.
                               type: object
                           type: object
+                        trustStoreConfigMapName:
+                          description: |-
+                            Name of a ConfigMap that contains the information required to validate against this SecretClass.
+
+                            Resolved relative to `search_namespace`.
+
+                            Required to request a TrustStore for this SecretClass.
+                          nullable: true
+                          type: string
                       required:
                         - searchNamespace
                       type: object
@@ -308,3 +317,53 @@ spec:
       served: true
       storage: true
       subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: truststores.secrets.stackable.tech
+  annotations:
+    helm.sh/resource-policy: keep
+spec:
+  group: secrets.stackable.tech
+  names:
+    categories: []
+    kind: TrustStore
+    plural: truststores
+    shortNames: []
+    singular: truststore
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns: []
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: Auto-generated derived type for TrustStoreSpec via `CustomResource`
+          properties:
+            spec:
+              description: |-
+                A [TrustStore](https://docs.stackable.tech/home/nightly/secret-operator/truststore) requests information about how to validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).
+
+                The requested information is written to a ConfigMap with the same name as the TrustStore.
+              properties:
+                format:
+                  description: The [format](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#format) that the data should be converted into.
+                  enum:
+                    - tls-pem
+                    - tls-pkcs12
+                    - kerberos
+                  nullable: true
+                  type: string
+                secretClassName:
+                  description: The name of the SecretClass that the request concerns.
+                  type: string
+              required:
+                - secretClassName
+              type: object
+          required:
+            - spec
+          title: TrustStore
+          type: object
+      served: true
+      storage: true
+      subresources: {}
diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml
@@ -55,6 +55,16 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - patch
+      - get
+      - watch
+      - list
   - apiGroups:
       - ""
     resources:
@@ -95,8 +105,11 @@ rules:
       - secrets.stackable.tech
     resources:
       - secretclasses
+      - truststores
     verbs:
       - get
+      - watch
+      - list
   - apiGroups:
       - listeners.stackable.tech
     resources:
@@ -113,6 +126,13 @@ rules:
       - get
       - patch
       - create
+  - apiGroups:
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
   - apiGroups:
       - security.openshift.io

diff --git a/docs/modules/secret-operator/examples/secretclass-tls.yaml b/docs/modules/secret-operator/examples/secretclass-tls.yaml
@@ -17,3 +17,4 @@ spec:
         pod: {}
         # or...
         name: my-namespace
+      trustStoreConfigMapName: tls-ca # <4>
diff --git a/docs/modules/secret-operator/examples/truststore-tls.yaml b/docs/modules/secret-operator/examples/truststore-tls.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: TrustStore
+metadata:
+  name: truststore-pem # <1>
+spec:
+  secretClassName: tls # <2>
+  format: tls-pem # <3>
diff --git a/docs/modules/secret-operator/pages/secretclass.adoc b/docs/modules/secret-operator/pages/secretclass.adoc
@@ -17,6 +17,7 @@ include::example$secretclass-tls.yaml[]
 <1> Backends are mutually exclusive, only one may be used by each SecretClass
 <2> Configures and selects the xref:#backend-autotls[] backend
 <3> Configures and selects the xref:#backend-k8ssearch[] backend
+<4> Provides a trust root to be requested by xref:truststore.adoc[]
 
 [#backend]
 == Backend
@@ -28,6 +29,8 @@ Each SecretClass is a associated with a single backend, which dictates the mecha
 
 *Format*: xref:#format-tls-pem[]
 
+*TrustStore*: Yes
+
 Issues a TLS certificate signed by the Secret Operator.
 The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator.
 
@@ -132,6 +135,8 @@ spec:
 
 *Format*: xref:#format-tls-pem[]
 
+*TrustStore*: No
+
 Injects a TLS certificate issued by {cert-manager}[Cert-Manager].
 
 WARNING: This backend is experimental, and subject to change.
@@ -195,6 +200,8 @@ spec:
 
 *Format*: xref:#format-kerberos[]
 
+*TrustStore*: No
+
 Creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator.
 
 IMPORTANT: Only MIT Kerberos (krb5) and Active Directory are currently supported.
@@ -350,6 +357,8 @@ spec:
 
 *Format*: Free-form
 
+*TrustStore*: If configured
+
 This backend can be used to mount `Secret` across namespaces into pods. The `Secret` object is selected based on two things:
 
 1. The xref:scope.adoc[scopes] specified on the `Volume` using the attribute `secrets.stackable.tech/scope`.
@@ -426,14 +435,16 @@ spec:
         pod: {}
         # or...
         name: my-namespace
+      trustStoreConfigMapName: tls-ca # <4>
-      trustStoreConfigMapName: tls-ca # <4>
+      trustStoreConfigMapName: tls-ca
-      trustStoreConfigMapName: tls-ca # <4>
+      trustStoreConfigMapName: tls-ca
 ----
 
 `k8sSearch`:: Declares that the `k8sSearch` backend is used.
-`k8sSearch.searchNamespace`:: Configures the namespace searched for `Secret` objects.
-`k8sSearch.searchNamespace.pod`:: The `Secret` objects are located in the same namespace as the `Pod` object. Should be used
+`k8sSearch.searchNamespace`:: Configures the namespace searched for Secrets.
+`k8sSearch.searchNamespace.pod`:: The Secret objects are located in the same namespace as the Pod. Should be used
                                   for secrets that are provisioned by the application administrator.
-`k8sSearch.searchNamespace.name`:: The `Secret` objects are located in a single global namespace. Should be used for secrets
+`k8sSearch.searchNamespace.name`:: The Secrets are located in a single global namespace. Should be used for secrets
                                    that are provisioned by the cluster administrator.
+`k8sSearch.trustStoreConfigMapName`:: ConfigMap used to provision xref:truststore.adoc[].
 
 ==== Format
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,3 +17,4 @@ spec: @@
             pod: {}
             # or...
             name: my-namespace
+          trustStoreConfigMapName: tls-ca # <4>