TrustStore

A TrustStore is a Kubernetes resource that can be used to request the trust anchor information (such as the TLS certificate authorities) from a SecretClass.

This can be used to access a protected service from other services that do not require their own certificates (or from clients running outside of Kubernetes).

A TrustStore looks like this:

```yaml
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: truststore-pem # <1>
spec:
  secretClassName: tls # <2>
  format: tls-pem # <3>
  targetKind: ConfigMap # <4>
```

<1> Also used as the name of the created ConfigMap (or Secret).
<2> Mandatory name of the SecretClass whose trust anchors are requested.
<3> Optional requested format.
<4> Optional kind of the Kubernetes resource that the requested information is written to. Either ConfigMap or Secret; defaults to ConfigMap.

This creates a ConfigMap (or a Secret, depending on targetKind) named truststore-pem containing a ca.crt key with the trust root certificates. It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.

Expired or retired certificates (see Certificate Authority rotation) are not published, because they should no longer be needed and some products, e.g. OpenSearch, have problems if they are present at startup.

Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but all trust roots will require some form of update occasionally.
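Retrieving the bundle from outside Kubernetes and refreshing a local copy of it, as an added example that is not part of the Secret Operator: the object is whatever `kubectl get configmap truststore-pem -o json` (or `get secret`) returned, parsed with `json.loads`; a Secret stores `ca.crt` base64-encoded while a ConfigMap stores it as plain text, and an empty result never replaces the bundle already installed. The sample objects and PEM bodies below are constructed placeholders, not real certificates.

```python
import base64
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample data: the base64 bodies are placeholders, not real certificates.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUk9PVC1B\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUk9PVC1C\n-----END CERTIFICATE-----\n"
)
SAMPLE_CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "truststore-pem"},
                    "data": {"ca.crt": SAMPLE_PEM}}
SAMPLE_SECRET = {"kind": "Secret", "metadata": {"name": "truststore-pem"},
                 "data": {"ca.crt": base64.b64encode(SAMPLE_PEM.encode()).decode()}}


def extract_ca_bundle(obj):
    """Return ca.crt as PEM text. Secrets carry it base64-encoded, ConfigMaps as plain text."""
    data = obj.get("data") or {}
    if "ca.crt" not in data:
        raise KeyError("ca.crt missing from %s/%s" % (obj.get("kind"), obj["metadata"]["name"]))
    raw = data["ca.crt"]
    return base64.b64decode(raw).decode() if obj.get("kind") == "Secret" else raw


def split_pem_certs(bundle):
    """Split a PEM bundle into one string per certificate, dropping anything outside the markers."""
    certs, block = [], None
    for line in (ln.strip() for ln in bundle.splitlines()):
        if line == PEM_BEGIN:
            block = [line]
        elif line == PEM_END and block is not None:
            certs.append("\n".join(block + [line]) + "\n")
            block = None
        elif block is not None:
            block.append(line)
    return certs


def refresh_bundle(obj, path):
    """Atomically replace the local trust bundle; never overwrite it with an empty result."""
    certs = split_pem_certs(extract_ca_bundle(obj))
    if not certs:
        raise ValueError("refusing to install an empty trust bundle at %s" % path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(certs))
    os.replace(tmp, path)  # readers see either the old or the new bundle, never a partial file
    return len(certs)
```

The file written by refresh_bundle can then be handed to a client as its CA file (for example `curl --cacert` or `ssl.create_default_context(cafile=...)`), and re-running the script on a schedule is one way to meet the update requirement above.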