WIP: Proposed API changes for ClusterBundle migration #486

Draft
wants to merge 1 commit into
base: main
from
Expand Up @@ -229,60 +229,41 @@ spec:
target:
description: Target is the target location in all namespaces to sync source data to.
properties:
additionalFormats:
description: AdditionalFormats specifies any additional formats to write to the target
properties:
jks:
description: |-
JKS requests a JKS-formatted binary trust bundle to be written to the target.
The bundle has "changeit" as the default password.
For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: changeit
description: Password for JKS trust store
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
pkcs12:
description: |-
PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target.
The bundle is by default created without a password.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: ""
description: Password for PKCS12 trust store
maxLength: 128
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
configMap:
description: |-
ConfigMap is the target ConfigMap in Namespaces that all Bundle source
data will be synced to.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
items:
description: TargetKey is the specification of a key in a target configmap/secret.
properties:
format:
default: PEM
description: Format defines the bundle format
enum:
- PEM
- JKS
- PKCS12
type: string
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
description: |-
Password used to encrypt truststore if Format is JKS or PKCS12.
Default password for JKS truststore is `changeit`.
For PKCS#12 the truststore is by default created without a password.
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- key
type: object
x-kubernetes-list-type: map
namespaceSelector:
description: |-
NamespaceSelector will, if set, only sync the target resource in
Expand Down Expand Up @@ -334,14 +315,39 @@ spec:
Secret is the target Secret that all Bundle source data will be synced to.
Using Secrets as targets is only supported if enabled at trust-manager startup.
By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
items:
description: TargetKey is the specification of a key in a target configmap/secret.
properties:
format:
default: PEM
description: Format defines the bundle format
enum:
- PEM
- JKS
- PKCS12
type: string
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
description: |-
Password used to encrypt truststore if Format is JKS or PKCS12.
Default password for JKS truststore is `changeit`.
For PKCS#12 the truststore is by default created without a password.
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
minItems: 1
type: array
x-kubernetes-list-map-keys:
- key
type: object
x-kubernetes-list-type: map
required:
- namespaceSelector
type: object
required:
- sources
74 changes: 26 additions & 48 deletions pkg/apis/trust/v1alpha1/types_bundle.go
Expand Up @@ -104,60 +104,18 @@ type BundleTarget struct {
// ConfigMap is the target ConfigMap in Namespaces that all Bundle source
// data will be synced to.
// +optional
ConfigMap *KeySelector `json:"configMap,omitempty"`
ConfigMap Target `json:"configMap,omitempty"`

// Secret is the target Secret that all Bundle source data will be synced to.
// Using Secrets as targets is only supported if enabled at trust-manager startup.
// By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace.
// +optional
Secret *KeySelector `json:"secret,omitempty"`

// AdditionalFormats specifies any additional formats to write to the target
// +optional
AdditionalFormats *AdditionalFormats `json:"additionalFormats,omitempty"`
Secret Target `json:"secret,omitempty"`

// NamespaceSelector will, if set, only sync the target resource in
// Namespaces which match the selector.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}

// AdditionalFormats specifies any additional formats to write to the target
type AdditionalFormats struct {
// JKS requests a JKS-formatted binary trust bundle to be written to the target.
// The bundle has "changeit" as the default password.
// For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords
// +optional
JKS *JKS `json:"jks,omitempty"`
// PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target.
// The bundle is by default created without a password.
// +optional
PKCS12 *PKCS12 `json:"pkcs12,omitempty"`
}

// JKS specifies additional target JKS files
// +structType=atomic
type JKS struct {
KeySelector `json:",inline"`

// Password for JKS trust store
//+optional
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:MaxLength=128
//+kubebuilder:default=changeit
Password *string `json:"password"`
}

// PKCS12 specifies additional target PKCS#12 files
// +structType=atomic
type PKCS12 struct {
KeySelector `json:",inline"`

// Password for PKCS12 trust store
//+optional
//+kubebuilder:validation:MaxLength=128
//+kubebuilder:default=""
Password *string `json:"password,omitempty"`
// +required
NamespaceSelector metav1.LabelSelector `json:"namespaceSelector"`
}

// SourceObjectKeySelector is a reference to a source object and its `data` key(s)
Expand Down Expand Up @@ -186,11 +144,31 @@ type SourceObjectKeySelector struct {
IncludeAllKeys bool `json:"includeAllKeys,omitempty"`
}

// KeySelector is a reference to a key for some map data object.
type KeySelector struct {
// Target is the specification of target key(s)
// +listType=map
// +listMapKey=key
// +kubebuilder:validation:MinItems=1
type Target []TargetKey

// TargetKey is the specification of a key in a target configmap/secret.
type TargetKey struct {
// Key is the key of the entry in the object's `data` field to be used.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`

// Format defines the bundle format
// +kubebuilder:validation:Enum=PEM;JKS;PKCS12
// +kubebuilder:default=PEM
//+optional
Format *string `json:"format,omitempty"`

// Password used to encrypt truststore if Format is JKS or PKCS12.
// Default password for JKS truststore is `changeit`.
// For PKCS#12 the truststore is by default created without a password.
//+optional
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:MaxLength=128
Password *string `json:"password"`
}

// BundleStatus defines the observed state of the Bundle.
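Review bot: `Password` on the new `TargetKey` is marked `//+optional` but tagged `json:"password"` without `omitempty`, so an unset password is serialized as `"password": null`; the removed `PKCS12.Password` carried `json:"password,omitempty"` and the replacement field should keep it. Nothing ties `password` to the formats where it has any meaning, so a `PEM` entry silently accepts one; a CEL marker on the struct such as `// +kubebuilder:validation:XValidation:rule="!has(self.password) || (has(self.format) && self.format != 'PEM')",message="password only applies to JKS and PKCS12"` would reject that at admission instead of leaving it to the controller. The old `+kubebuilder:default=changeit` on `JKS.Password` is dropped and the generated CRD in this PR shows no `default` for `password`, so the `changeit` default promised in the doc comment now has to be implemented in controller code that is outside this diff — confirm it before the comment is relied on. In the first hunk the `NamespaceSelector` comment still reads "will, if set", which is stale now that the field is `+required`; since an empty `metav1.LabelSelector` matches every namespace, the comment should say that a `{}` value writes the target into all namespaces rather than suggesting the sync is conditional.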