From 6427cfa0ef18a5815f29bfd83af5e777049afd4d Mon Sep 17 00:00:00 2001 From: Erik Godding Boye Date: Sun, 24 Nov 2024 22:23:19 +0100 Subject: [PATCH] WIP: Proposed API changes for ClusterBundle migration Signed-off-by: Erik Godding Boye --- .../crd-trust.cert-manager.io_bundles.yaml | 116 +++++++++--------- pkg/apis/trust/v1alpha1/types_bundle.go | 73 ++++------- 2 files changed, 85 insertions(+), 104 deletions(-) diff --git a/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml b/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml index 0c68c60d..6768d552 100644 --- a/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml +++ b/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml 
@@ -229,60 +229,40 @@ spec: target: description: Target is the target location in all namespaces to sync source data to. properties: - additionalFormats: - description: AdditionalFormats specifies any additional formats to write to the target - properties: - jks: - description: |- - JKS requests a JKS-formatted binary trust bundle to be written to the target. - The bundle has "changeit" as the default password. - For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords - properties: - key: - description: Key is the key of the entry in the object's `data` field to be used. - minLength: 1 - type: string - password: - default: changeit - description: Password for JKS trust store - maxLength: 128 - minLength: 1 - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - pkcs12: - description: |- - PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target. - The bundle is by default created without a password. - properties: - key: - description: Key is the key of the entry in the object's `data` field to be used. - minLength: 1 - type: string - password: - default: "" - description: Password for PKCS12 trust store - maxLength: 128 - type: string - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object configMap: description: |- ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to. - properties: - key: - description: Key is the key of the entry in the object's `data` field to be used. - minLength: 1 - type: string - required: + items: + description: TargetKey is the specification of a key in a target configmap/secret. + properties: + format: + default: PEM + description: Format defines the bundle format + enum: + - PEM + - JKS + - PKCS12 + type: string + key: + description: Key is the key of the entry in the object's `data` field to be used. 
+ minLength: 1 + type: string + password: + description: |- + Password used to encrypt truststore if Format is JKS or PKCS12. + Default password for JKS truststore is `changeit`. + For PKCS#12 the truststore is by default created without a password. + maxLength: 128 + minLength: 1 + type: string + required: + - key + type: object + type: array + x-kubernetes-list-map-keys: - key - type: object + x-kubernetes-list-type: map namespaceSelector: description: |- NamespaceSelector will, if set, only sync the target resource in @@ -334,14 +314,38 @@ spec: Secret is the target Secret that all Bundle source data will be synced to. Using Secrets as targets is only supported if enabled at trust-manager startup. By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace. - properties: - key: - description: Key is the key of the entry in the object's `data` field to be used. - minLength: 1 - type: string - required: + items: + description: TargetKey is the specification of a key in a target configmap/secret. + properties: + format: + default: PEM + description: Format defines the bundle format + enum: + - PEM + - JKS + - PKCS12 + type: string + key: + description: Key is the key of the entry in the object's `data` field to be used. + minLength: 1 + type: string + password: + description: |- + Password used to encrypt truststore if Format is JKS or PKCS12. + Default password for JKS truststore is `changeit`. + For PKCS#12 the truststore is by default created without a password. + maxLength: 128 + minLength: 1 + type: string + required: + - key + type: object + type: array + x-kubernetes-list-map-keys: - key - type: object + x-kubernetes-list-type: map + required: + - namespaceSelector type: object required: - sources diff --git a/pkg/apis/trust/v1alpha1/types_bundle.go b/pkg/apis/trust/v1alpha1/types_bundle.go index e8e9d1cc..7f6b812a 100644 --- a/pkg/apis/trust/v1alpha1/types_bundle.go 
+++ b/pkg/apis/trust/v1alpha1/types_bundle.go 
@@ -104,60 +104,18 @@ type BundleTarget struct { // ConfigMap is the target ConfigMap in Namespaces that all Bundle source // data will be synced to. // +optional - ConfigMap *KeySelector `json:"configMap,omitempty"` + ConfigMap Target `json:"configMap,omitempty"` // Secret is the target Secret that all Bundle source data will be synced to. // Using Secrets as targets is only supported if enabled at trust-manager startup. // By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace. // +optional - Secret *KeySelector `json:"secret,omitempty"` - - // AdditionalFormats specifies any additional formats to write to the target - // +optional - AdditionalFormats *AdditionalFormats `json:"additionalFormats,omitempty"` + Secret Target `json:"secret,omitempty"` // NamespaceSelector will, if set, only sync the target resource in // Namespaces which match the selector. - // +optional - NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"` -} - -// AdditionalFormats specifies any additional formats to write to the target -type AdditionalFormats struct { - // JKS requests a JKS-formatted binary trust bundle to be written to the target. - // The bundle has "changeit" as the default password. - // For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords - // +optional - JKS *JKS `json:"jks,omitempty"` - // PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target. - // The bundle is by default created without a password. 
- // +optional - PKCS12 *PKCS12 `json:"pkcs12,omitempty"` -} - -// JKS specifies additional target JKS files -// +structType=atomic -type JKS struct { - KeySelector `json:",inline"` - - // Password for JKS trust store - //+optional - //+kubebuilder:validation:MinLength=1 - //+kubebuilder:validation:MaxLength=128 - //+kubebuilder:default=changeit - Password *string `json:"password"` -} - -// PKCS12 specifies additional target PKCS#12 files -// +structType=atomic -type PKCS12 struct { - KeySelector `json:",inline"` - - // Password for PKCS12 trust store - //+optional - //+kubebuilder:validation:MaxLength=128 - //+kubebuilder:default="" - Password *string `json:"password,omitempty"` + // +required + NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"` } // SourceObjectKeySelector is a reference to a source object and its `data` key(s) @@ -186,11 +144,30 @@ type SourceObjectKeySelector struct { IncludeAllKeys bool `json:"includeAllKeys,omitempty"` } -// KeySelector is a reference to a key for some map data object. -type KeySelector struct { +// Target is the specification of target key(s) +// +listType=map +// +listMapKey=key +type Target []TargetKey + +// TargetKey is the specification of a key in a target configmap/secret. +type TargetKey struct { // Key is the key of the entry in the object's `data` field to be used. // +kubebuilder:validation:MinLength=1 Key string `json:"key"` + + // Format defines the bundle format + // +kubebuilder:validation:Enum=PEM;JKS;PKCS12 + // +kubebuilder:default=PEM + //+optional + Format *string `json:"format,omitempty"` + + // Password used to encrypt truststore if Format is JKS or PKCS12. + // Default password for JKS truststore is `changeit`. + // For PKCS#12 the truststore is by default created without a password. + //+optional + //+kubebuilder:validation:MinLength=1 + //+kubebuilder:validation:MaxLength=128 + Password *string `json:"password"` } // BundleStatus defines the observed state of the Bundle.
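Review bot: The NamespaceSelector doc comment still says "will, if set, only sync the target resource in Namespaces which match the selector" while the marker beneath it switches from `+optional` to `+required` and the tag drops `omitempty`, so the comment and the generated schema now disagree. If an explicit selector is intended, say so in the comment, e.g. `// NamespaceSelector selects the Namespaces the target resource is synced to; an empty selector ({}) matches every Namespace.`, and since the field stays a `*metav1.LabelSelector`, state whether a nil value is rejected by the API server or must be handled by the controller. Making the field required presumably also rejects writes to existing Bundle objects that omit it (CRD validation runs on every update), which the WIP description may want to call out as a migration step. The BundleTarget struct header lies outside the hunk.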
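Review bot: In TargetKey the Password field is marked `+optional` but its tag is `json:"password"` without `omitempty`, so an entry with no password marshals as `"password": null`; the removed PKCS12 field had `json:"password,omitempty"`, and the tag here should be the same. Nothing ties Password to Format: a password can be set on a PEM entry, where it is presumably ignored, and the schema cannot express that; a CEL rule on the struct such as `// +kubebuilder:validation:XValidation:rule="!has(self.password) || (has(self.format) && self.format != 'PEM')",message="password is only valid for JKS or PKCS12"` would reject it at admission time. Format as a bare `*string` with an enum marker would read better as a named string type (e.g. `type BundleFormat string` with `PEM`/`JKS`/`PKCS12` constants) so the controller can switch on it without string literals.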