Merge pull request #460 from juliocamarero/all_data_keys

Support for including all certificates from a secret/configMap in bundle source
cert-manager · Oct 25, 2024 · d7b07e3 · d7b07e3
2 parents d779c0f + 223b7af
commit d7b07e3
Show file tree

Hide file tree

Showing 8 changed files with 456 additions and 48 deletions.
diff --git a/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml b/deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml
@@ -72,9 +72,14 @@ spec:
                     properties:
                       configMap:
                         description: |-
-                          ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a
-                          list of ConfigMap's `data` key using label selector, in the trust Namespace.
+                          ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+                          list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
                         properties:
+                          includeAllKeys:
+                            description: |-
+                              IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+                              This field must not be true when `Key` is set.
+                            type: boolean
                           key:
                             description: Key is the key of the entry in the object's `data` field to be used.
                             type: string
@@ -137,9 +142,14 @@ spec:
                         type: string
                       secret:
                         description: |-
-                          Secret is a reference (by name) to a Secret's `data` key, or to a
-                          list of Secret's `data` key using label selector, in the trust Namespace.
+                          Secret is a reference (by name) to a Secret's `data` key(s), or to a
+                          list of Secret's `data` key(s) using label selector, in the trust Namespace.
                         properties:
+                          includeAllKeys:
+                            description: |-
+                              IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+                              This field must not be true when `Key` is set.
+                            type: boolean
                           key:
                             description: Key is the key of the entry in the object's `data` field to be used.
                             type: string

diff --git a/docs/api/api.md b/docs/api/api.md
@@ -206,7 +206,7 @@ func (in *Bundle) DeepCopyObject() runtime.Object
 DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
 
 <a name="BundleCondition"></a>
-## type [BundleCondition](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L200-L239>)
+## type [BundleCondition](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L206-L245>)
 
 BundleCondition contains condition information for a Bundle.
 
@@ -319,13 +319,13 @@ BundleSource is the set of sources whose data will be appended and synced to the
 
 ```go
 type BundleSource struct {
-    // ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a
-    // list of ConfigMap's `data` key using label selector, in the trust Namespace.
+    // ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+    // list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
     // +optional
     ConfigMap *SourceObjectKeySelector `json:"configMap,omitempty"`
 
-    // Secret is a reference (by name) to a Secret's `data` key, or to a
-    // list of Secret's `data` key using label selector, in the trust Namespace.
+    // Secret is a reference (by name) to a Secret's `data` key(s), or to a
+    // list of Secret's `data` key(s) using label selector, in the trust Namespace.
     // +optional
     Secret *SourceObjectKeySelector `json:"secret,omitempty"`
 
@@ -398,7 +398,7 @@ func (in *BundleSpec) DeepCopyInto(out *BundleSpec)
 DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.
 
 <a name="BundleStatus"></a>
-## type [BundleStatus](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L183-L197>)
+## type [BundleStatus](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L189-L203>)
 
 BundleStatus defines the observed state of the Bundle.
 
@@ -520,7 +520,7 @@ func (in *JKS) DeepCopyInto(out *JKS)
 DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.
 
 <a name="KeySelector"></a>
-## type [KeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L177-L180>)
+## type [KeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L183-L186>)
 
 KeySelector is a reference to a key for some map data object.
 
@@ -617,9 +617,9 @@ func (in *PKCS12) DeepCopyInto(out *PKCS12)
 DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.
 
 <a name="SourceObjectKeySelector"></a>
-## type [SourceObjectKeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L161-L174>)
+## type [SourceObjectKeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L161-L180>)
 
-SourceObjectKeySelector is a reference to a source object and its \`data\` key in the trust Namespace.
+SourceObjectKeySelector is a reference to a source object and its \`data\` key\(s\) in the trust Namespace.
 
 ```go
 type SourceObjectKeySelector struct {
@@ -634,7 +634,13 @@ type SourceObjectKeySelector struct {
     Selector *metav1.LabelSelector `json:"selector,omitempty"`
 
     // KeySelector is the key of the entry in the objects' `data` field to be referenced.
-    KeySelector `json:",inline"`
+    //+optional
+    KeySelector `json:",inline,omitempty"`
+
+    // IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+    // This field must not be true when `Key` is set.
+    //+optional
+    IncludeAllKeys bool `json:"includeAllKeys,omitempty"`
 }
 ```
 

diff --git a/pkg/apis/trust/v1alpha1/types_bundle.go b/pkg/apis/trust/v1alpha1/types_bundle.go
@@ -68,13 +68,13 @@ type BundleSpec struct {
 // BundleSource is the set of sources whose data will be appended and synced to
 // the BundleTarget in all Namespaces.
 type BundleSource struct {
-	// ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a
-	// list of ConfigMap's `data` key using label selector, in the trust Namespace.
+	// ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+	// list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
 	// +optional
 	ConfigMap *SourceObjectKeySelector `json:"configMap,omitempty"`
 
-	// Secret is a reference (by name) to a Secret's `data` key, or to a
-	// list of Secret's `data` key using label selector, in the trust Namespace.
+	// Secret is a reference (by name) to a Secret's `data` key(s), or to a
+	// list of Secret's `data` key(s) using label selector, in the trust Namespace.
 	// +optional
 	Secret *SourceObjectKeySelector `json:"secret,omitempty"`
 
@@ -156,7 +156,7 @@ type NamespaceSelector struct {
 	MatchLabels map[string]string `json:"matchLabels,omitempty"`
 }
 
-// SourceObjectKeySelector is a reference to a source object and its `data` key
+// SourceObjectKeySelector is a reference to a source object and its `data` key(s)
 // in the trust Namespace.
 type SourceObjectKeySelector struct {
 	// Name is the name of the source object in the trust Namespace.
@@ -170,7 +170,13 @@ type SourceObjectKeySelector struct {
 	Selector *metav1.LabelSelector `json:"selector,omitempty"`
 
 	// KeySelector is the key of the entry in the objects' `data` field to be referenced.
-	KeySelector `json:",inline"`
+	//+optional
+	KeySelector `json:",inline,omitempty"`
+
+	// IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+	// This field must not be true when `Key` is set.
+	//+optional
+	IncludeAllKeys bool `json:"includeAllKeys,omitempty"`
 }
 
 // KeySelector is a reference to a key for some map data object.

diff --git a/pkg/bundle/source.go b/pkg/bundle/source.go
@@ -36,6 +36,8 @@ type notFoundError struct{ error }
 
 type selectsNothingError struct{ error }
 
+type invalidSecretSourceError struct{ error }
+
 // bundleData holds the result of a call to buildSourceBundle. It contains the resulting PEM-encoded
 // certificate data from concatenating all the sources together, binary data for any additional formats and
 // any metadata from the sources which needs to be exposed on the Bundle resource's status field.
@@ -145,12 +147,19 @@ func (b *bundle) configMapBundle(ctx context.Context, ref *trustapi.SourceObject
 
 	var results strings.Builder
 	for _, cm := range configMaps {
-		data, ok := cm.Data[ref.Key]
-		if !ok {
-			return "", notFoundError{fmt.Errorf("no data found in ConfigMap %s/%s at key %q", cm.Namespace, cm.Name, ref.Key)}
+		if len(ref.Key) > 0 {
+			data, ok := cm.Data[ref.Key]
+			if !ok {
+				return "", notFoundError{fmt.Errorf("no data found in ConfigMap %s/%s at key %q", cm.Namespace, cm.Name, ref.Key)}
+			}
+			results.WriteString(data)
+			results.WriteByte('\n')
+		} else if ref.IncludeAllKeys {
+			for _, data := range cm.Data {
+				results.WriteString(data)
+				results.WriteByte('\n')
+			}
 		}
-		results.WriteString(data)
-		results.WriteByte('\n')
 	}
 	return results.String(), nil
 }
@@ -192,12 +201,24 @@ func (b *bundle) secretBundle(ctx context.Context, ref *trustapi.SourceObjectKey
 
 	var results strings.Builder
 	for _, secret := range secrets {
-		data, ok := secret.Data[ref.Key]
-		if !ok {
-			return "", notFoundError{fmt.Errorf("no data found in Secret %s/%s at key %q", secret.Namespace, secret.Name, ref.Key)}
+		if len(ref.Key) > 0 {
+			data, ok := secret.Data[ref.Key]
+			if !ok {
+				return "", notFoundError{fmt.Errorf("no data found in Secret %s/%s at key %q", secret.Namespace, secret.Name, ref.Key)}
+			}
+			results.Write(data)
+			results.WriteByte('\n')
+		} else if ref.IncludeAllKeys {
+			// This is done to prevent mistakes. All keys should never be included for a TLS secret, since that would include the private key.
+			if secret.Type == corev1.SecretTypeTLS {
+				return "", invalidSecretSourceError{fmt.Errorf("includeAllKeys is not supported for TLS Secrets such as %s/%s", secret.Namespace, secret.Name)}
+			}
+
+			for _, data := range secret.Data {
+				results.Write(data)
+				results.WriteByte('\n')
+			}
 		}
-		results.Write(data)
-		results.WriteByte('\n')
 	}
 	return results.String(), nil
 }