Skip to content

Commit

Permalink
WIP: Proposed API changes for ClusterBundle migration
Browse files Browse the repository at this point in the history
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
  • Loading branch information
erikgb committed Nov 24, 2024
1 parent b1a0474 commit 6427cfa
Show file tree
Hide file tree
Showing 2 changed files with 85 additions and 104 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -229,60 +229,40 @@ spec:
target:
description: Target is the target location in all namespaces to sync source data to.
properties:
additionalFormats:
description: AdditionalFormats specifies any additional formats to write to the target
properties:
jks:
description: |-
JKS requests a JKS-formatted binary trust bundle to be written to the target.
The bundle has "changeit" as the default password.
For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: changeit
description: Password for JKS trust store
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
pkcs12:
description: |-
PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target.
The bundle is by default created without a password.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: ""
description: Password for PKCS12 trust store
maxLength: 128
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
configMap:
description: |-
ConfigMap is the target ConfigMap in Namespaces that all Bundle source
data will be synced to.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
items:
description: TargetKey is the specification of a key in a target configmap/secret.
properties:
format:
default: PEM
description: Format defines the bundle format
enum:
- PEM
- JKS
- PKCS12
type: string
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
description: |-
Password used to encrypt truststore if Format is JKS or PKCS12.
Default password for JKS truststore is `changeit`.
For PKCS#12 the truststore is by default created without a password.
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
type: array
x-kubernetes-list-map-keys:
- key
type: object
x-kubernetes-list-type: map
namespaceSelector:
description: |-
NamespaceSelector will, if set, only sync the target resource in
Expand Down Expand Up @@ -334,14 +314,38 @@ spec:
Secret is the target Secret that all Bundle source data will be synced to.
Using Secrets as targets is only supported if enabled at trust-manager startup.
By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace.
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
items:
description: TargetKey is the specification of a key in a target configmap/secret.
properties:
format:
default: PEM
description: Format defines the bundle format
enum:
- PEM
- JKS
- PKCS12
type: string
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
description: |-
Password used to encrypt truststore if Format is JKS or PKCS12.
Default password for JKS truststore is `changeit`.
For PKCS#12 the truststore is by default created without a password.
maxLength: 128
minLength: 1
type: string
required:
- key
type: object
type: array
x-kubernetes-list-map-keys:
- key
type: object
x-kubernetes-list-type: map
required:
- namespaceSelector
type: object
required:
- sources
Expand Down
73 changes: 25 additions & 48 deletions pkg/apis/trust/v1alpha1/types_bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,60 +104,18 @@ type BundleTarget struct {
// ConfigMap is the target ConfigMap in Namespaces that all Bundle source
// data will be synced to.
// +optional
ConfigMap *KeySelector `json:"configMap,omitempty"`
ConfigMap Target `json:"configMap,omitempty"`

// Secret is the target Secret that all Bundle source data will be synced to.
// Using Secrets as targets is only supported if enabled at trust-manager startup.
// By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace.
// +optional
Secret *KeySelector `json:"secret,omitempty"`

// AdditionalFormats specifies any additional formats to write to the target
// +optional
AdditionalFormats *AdditionalFormats `json:"additionalFormats,omitempty"`
Secret Target `json:"secret,omitempty"`

// NamespaceSelector will, if set, only sync the target resource in
// Namespaces which match the selector.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}

// AdditionalFormats specifies any additional formats to write to the target
type AdditionalFormats struct {
// JKS requests a JKS-formatted binary trust bundle to be written to the target.
// The bundle has "changeit" as the default password.
// For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords
// +optional
JKS *JKS `json:"jks,omitempty"`
// PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target.
// The bundle is by default created without a password.
// +optional
PKCS12 *PKCS12 `json:"pkcs12,omitempty"`
}

// JKS specifies additional target JKS files
// +structType=atomic
type JKS struct {
KeySelector `json:",inline"`

// Password for JKS trust store
//+optional
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:MaxLength=128
//+kubebuilder:default=changeit
Password *string `json:"password"`
}

// PKCS12 specifies additional target PKCS#12 files
// +structType=atomic
type PKCS12 struct {
KeySelector `json:",inline"`

// Password for PKCS12 trust store
//+optional
//+kubebuilder:validation:MaxLength=128
//+kubebuilder:default=""
Password *string `json:"password,omitempty"`
// +required
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"`
}

// SourceObjectKeySelector is a reference to a source object and its `data` key(s)
Expand Down Expand Up @@ -186,11 +144,30 @@ type SourceObjectKeySelector struct {
IncludeAllKeys bool `json:"includeAllKeys,omitempty"`
}

// KeySelector is a reference to a key for some map data object.
type KeySelector struct {
// Target is the specification of target key(s)
// +listType=map
// +listMapKey=key
type Target []TargetKey

// TargetKey is the specification of a key in a target configmap/secret.
type TargetKey struct {
// Key is the key of the entry in the object's `data` field to be used.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`

// Format defines the bundle format
// +kubebuilder:validation:Enum=PEM;JKS;PKCS12
// +kubebuilder:default=PEM
//+optional
Format *string `json:"format,omitempty"`

// Password used to encrypt truststore if Format is JKS or PKCS12.
// Default password for JKS truststore is `changeit`.
// For PKCS#12 the truststore is by default created without a password.
//+optional
//+kubebuilder:validation:MinLength=1
//+kubebuilder:validation:MaxLength=128
Password *string `json:"password"`
}

// BundleStatus defines the observed state of the Bundle.
Expand Down

0 comments on commit 6427cfa

Please sign in to comment.