TrustStore

A TrustStore is a Kubernetes resource that can be used to request the trust anchor information (such as the TLS certificate authorities) from a SecretClass.

This can be used to access a protected service from other services that only need to verify the service's certificate and do not require certificates of their own (or from clients running outside of Kubernetes).

A TrustStore looks like this:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: truststore-pem # (1)
spec:
  secretClassName: tls # (2)
  format: tls-pem # (3)

(1) Also used to name the created ConfigMap
(2) The name of the SecretClass
(3) The requested format

This will create a ConfigMap named truststore-pem containing a ca.crt entry with the trust root certificates. It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.

Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but all trust roots will require some form of update occasionally, so anything that copied ca.crt out of the ConfigMap must notice when its contents change.
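As an added example of such an update check (not code from the Secret Operator project), the following Python reads the ConfigMap JSON as `kubectl get configmap truststore-pem -o json` would print it, fingerprints every certificate in the ca.crt bundle and reports which trust roots appeared or disappeared between two retrievals. The ConfigMap is constructed inline, and its certificate bodies are placeholder bytes rather than real X.509 certificates, so that the example runs offline.

```python
import base64
import hashlib
import json
import re

# Matches each certificate block inside a PEM bundle such as the ca.crt entry.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(bundle: str) -> list[str]:
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle, in order."""
    fingerprints = []
    for body in _PEM_BLOCK.findall(bundle):
        der = base64.b64decode("".join(body.split()))  # drop PEM line breaks
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def trust_roots_from_configmap(configmap_json: str) -> list[str]:
    """Extract the ca.crt bundle from ConfigMap JSON and fingerprint its roots."""
    cm = json.loads(configmap_json)
    if cm.get("kind") != "ConfigMap":
        raise ValueError("expected a ConfigMap object")
    bundle = cm.get("data", {}).get("ca.crt", "")
    if "BEGIN CERTIFICATE" not in bundle:
        raise ValueError("ConfigMap has no ca.crt PEM bundle")
    return bundle_fingerprints(bundle)


def diff_trust_roots(old: list[str], new: list[str]) -> dict[str, list[str]]:
    """Which trust roots were added or removed between two retrievals."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def _fake_pem(payload: bytes) -> str:
    # Constructed stand-in for a certificate: base64 of a placeholder, NOT a
    # real X.509 certificate. It only exercises the bundle handling above.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def _configmap(*roots: bytes) -> str:
    # Constructed ConfigMap JSON shaped like the one the TrustStore creates.
    return json.dumps({
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "truststore-pem"},
        "data": {"ca.crt": "".join(_fake_pem(r) for r in roots)},
    })


OLD_CM = _configmap(b"placeholder root A", b"placeholder root B")  # first retrieval
NEW_CM = _configmap(b"placeholder root A", b"placeholder root C")  # after a rotation
```

Running `diff_trust_roots(trust_roots_from_configmap(OLD_CM), trust_roots_from_configmap(NEW_CM))` reports one added and one removed fingerprint, which is the signal to redistribute the new ca.crt to every consumer that copied it.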