TrustStore
A TrustStore is a Kubernetes resource that can be used to request the trust anchor information (such as the TLS certificate authorities) from a SecretClass.
This can be used to access a protected service from other services that do not require their own certificates (or from clients running outside of Kubernetes).
A TrustStore looks like this:
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
name: truststore-pem (1)
spec:
secretClassName: tls (2)
format: tls-pem (3)
targetKind: ConfigMap (4)| 1 | Also used to name the created ConfigMap |
| 2 | Mandatory name of the SecretClass |
| 3 | Optional requested format |
| 4 | Optional Kubernetes resource kind, which should be used to output the requested information to.
Either ConfigMap or Secret, defaults to ConfigMap. |
This will create a ConfigMap (or Secret based on targetKind) named truststore-pem containing a ca.crt with the trust root certificates.
It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
| Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but all trust roots will require some form of update occasionally. |