TrustStore
A TrustStore is a Kubernetes resource that requests the trust anchors (such as the TLS certificate authority certificates) of a SecretClass.
This lets other services that do not need certificates of their own (as well as clients running outside of Kubernetes) verify a service protected by that SecretClass.
A TrustStore looks like this:
```yaml
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: truststore-pem # (1)
spec:
  secretClassName: tls # (2)
  format: tls-pem # (3)
```

1. Also used to name the created ConfigMap
2. The name of the SecretClass
3. The requested format
This will create a ConfigMap named truststore-pem containing a ca.crt with the trust root certificates.
It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but all trust roots will require some form of update occasionally.
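As an added example (not taken from the Stackable documentation or the Secret Operator itself), the following Pod mounts the ConfigMap created by the TrustStore above and uses the ca.crt from it to verify a TLS endpoint. The image, the command, the mount path and the service URL are assumptions chosen for illustration; only the ConfigMap name truststore-pem and the key ca.crt come from the page.

```yaml
# Added example, not part of the original page: a Pod consuming the
# ConfigMap that the TrustStore "truststore-pem" creates.
# Image, command, mount path and target URL are assumed for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: truststore-client
spec:
  restartPolicy: Never
  containers:
    - name: client
      image: curlimages/curl:latest   # assumed client image
      command:
        - sh
        - -c
        - |
          # Verify the server against the trust roots from the TrustStore
          # instead of the image's public CA bundle.
          curl --fail --silent --show-error \
            --cacert /stackable/truststore/ca.crt \
            https://protected-service.default.svc.cluster.local/   # assumed URL
      volumeMounts:
        - name: truststore
          mountPath: /stackable/truststore   # assumed path
          readOnly: true
          # Deliberately no subPath: a subPath mount is never refreshed by the
          # kubelet, so a rotated ca.crt would not reach the container.
  volumes:
    - name: truststore
      configMap:
        name: truststore-pem   # metadata.name of the TrustStore above
        items:
          - key: ca.crt
            path: ca.crt
```

The kubelet eventually refreshes a configMap volume after the ConfigMap changes, but only a client that re-reads ca.crt (or is restarted) picks up rotated trust roots; a process that loads the file once at startup keeps trusting the old CA until then. Clients outside Kubernetes that retrieve ca.crt from the ConfigMap (for example with kubectl) need an equivalent refresh step in their own update procedure.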