TrustStore
A TrustStore is a Kubernetes resource that requests the trust anchor information (such as the TLS certificate authorities) of a SecretClass.
It can be used to reach a TLS-protected service from other services that do not need certificates of their own (or from clients running outside of Kubernetes), since those clients only need the trust roots, not a key pair.
A TrustStore looks like this:
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: truststore-pem # (1)
spec:
  secretClassName: tls # (2)
  format: tls-pem # (3)
  targetKind: ConfigMap # (4)
(1) Also used to name the created ConfigMap
(2) Mandatory name of the SecretClass
(3) Optional requested format
(4) Optional Kubernetes resource kind that the requested information is written to. Either ConfigMap or Secret, defaults to ConfigMap.
This will create a ConfigMap (or Secret, based on targetKind) named truststore-pem containing a ca.crt with the trust root certificates.
It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but all trust roots will require some form of update occasionally.
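As an added example (this Pod is not part of the secret-operator documentation), a Pod that consumes the ConfigMap created by the TrustStore above by mounting it as a volume. The Pod name, image and mount path are placeholders; SSL_CERT_FILE is honoured by OpenSSL-based and Go clients, other clients need their own CA bundle option:

```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: truststore-consumer            # placeholder name
spec:
  containers:
    - name: client
      image: example.invalid/client:latest   # placeholder image
      env:
        # Point the TLS client at the trust roots written by the TrustStore.
        # SSL_CERT_FILE works for OpenSSL-based and Go clients; adjust for others.
        - name: SSL_CERT_FILE
          value: /stackable/truststore/ca.crt
      volumeMounts:
        - name: truststore
          mountPath: /stackable/truststore   # placeholder path
          readOnly: true
  volumes:
    - name: truststore
      configMap:
        # Name matches metadata.name of the TrustStore above, which is also the ConfigMap name.
        name: truststore-pem
```

Mounting the whole ConfigMap as a volume (rather than a single key via subPath) lets the kubelet refresh ca.crt in the container when the ConfigMap changes, which matters once the trust roots are rotated; a subPath mount is never updated, and a long-running process still has to re-read the file to pick up the new CA. Outside the cluster, the same trust roots can be fetched with `kubectl get configmap truststore-pem -o jsonpath='{.data.ca\.crt}'` and written to a local file.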