TrustStore

A TrustStore is a Kubernetes resource that can be used to request the trust anchor information (such as the TLS certificate authorities) from a SecretClass.

This can be used to access a protected service from other services that do not require their own certificates (or from clients running outside of Kubernetes).

A TrustStore looks like this:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: truststore-pem (1)
spec:
  secretClassName: tls (2)
  format: tls-pem (3)
  targetKind: ConfigMap (4)
  tlsPemCaName: ca.crt (5)
1 Also used to name the created ConfigMap
2 Mandatory name of the SecretClass
3 Optional requested format
4 Optional Kubernetes resource kind that the requested information is written to. Either ConfigMap or Secret; defaults to ConfigMap.
5 Optional name of the key in the ConfigMap/Secret under which the PEM-encoded CA certificate is placed. Only takes effect when the format is tls-pem. Defaults to ca.crt.

This will create a ConfigMap (or a Secret, depending on targetKind) named truststore-pem containing a ca.crt key (or the key named by tlsPemCaName) that holds the trust root certificates. It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.

Expired or retired certificates (see Certificate Authority rotation) will not be published, because they should not be needed and some products, e.g. OpenSearch, have problems starting if they are present.

Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate the autoTls certificate authority as needed, but every trust root will eventually need to be refreshed, so a copy retrieved once and never updated will stop working.
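The following Go program is an added example, not part of the Secret Operator or its documentation. It shows what a client outside Kubernetes does with the published ConfigMap: read the JSON that kubectl get configmap truststore-pem -o json would return, pull the PEM bundle out of the ca.crt key (or whatever tlsPemCaName names), keep only CA certificates that are currently valid, and report when the copy should be fetched again. The ConfigMap content is constructed inline with a throwaway self-signed CA (plus a deliberately stale one, so the filtering is visible); in real use the bytes come from the cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// configMap mirrors the parts of a ConfigMap published by a TrustStore that matter here.
type configMap struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// TrustRoots is the result of reading a published PEM bundle.
type TrustRoots struct {
	Pool     *x509.CertPool // usable as tls.Config{RootCAs: Pool}
	Count    int            // CA certificates added to Pool
	Skipped  int            // entries ignored: expired, not yet valid, or not a CA
	Earliest time.Time      // earliest NotAfter among the usable CAs
}

// LoadTrustRoots extracts the PEM bundle stored under key (ca.crt unless
// tlsPemCaName overrides it) and keeps only CA certificates valid at now.
func LoadTrustRoots(raw []byte, key string, now time.Time) (*TrustRoots, error) {
	var cm configMap
	if err := json.Unmarshal(raw, &cm); err != nil {
		return nil, fmt.Errorf("decoding object: %w", err)
	}
	bundle, ok := cm.Data[key]
	if !ok {
		return nil, fmt.Errorf("key %q missing in %s/%s", key, cm.Kind, cm.Metadata.Name)
	}
	tr := &TrustRoots{Pool: x509.NewCertPool()}
	rest := []byte(bundle)
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // walk every PEM block in the bundle
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !cert.IsCA || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			tr.Skipped++ // a stale local copy must not keep trusting this entry
			continue
		}
		tr.Pool.AddCert(cert)
		tr.Count++
		if tr.Earliest.IsZero() || cert.NotAfter.Before(tr.Earliest) {
			tr.Earliest = cert.NotAfter
		}
	}
	if tr.Count == 0 {
		return nil, errors.New("no usable CA certificate in bundle")
	}
	return tr, nil
}

// NeedsRefresh reports whether the retrieved copy should be fetched again
// because its earliest CA expires within the given lead time.
func (tr *TrustRoots) NeedsRefresh(now time.Time, lead time.Duration) bool {
	return now.Add(lead).After(tr.Earliest)
}

// selfSignedCA generates a throwaway CA certificate (constructed test data
// standing in for the CA the Secret Operator publishes).
func selfSignedCA(name string, notBefore, notAfter time.Time) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SampleConfigMapJSON fabricates what kubectl would return for truststore-pem:
// one current CA plus one stale CA (constructed so the filtering is visible).
func SampleConfigMapJSON(now time.Time) []byte {
	bundle := selfSignedCA("example-ca-current", now.Add(-24*time.Hour), now.Add(180*24*time.Hour)) +
		selfSignedCA("example-ca-stale", now.Add(-400*24*time.Hour), now.Add(-time.Hour))
	cm := configMap{Kind: "ConfigMap", Data: map[string]string{"ca.crt": bundle}}
	cm.Metadata.Name = "truststore-pem"
	out, _ := json.Marshal(cm)
	return out
}

func main() {
	now := time.Now()
	tr, err := LoadTrustRoots(SampleConfigMapJSON(now), "ca.crt", now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("usable CAs: %d, skipped: %d, earliest expiry: %s, refresh within 30d: %v\n",
		tr.Count, tr.Skipped, tr.Earliest.Format(time.RFC3339), tr.NeedsRefresh(now, 30*24*time.Hour))
}
```

Fetching the object itself is the one step left to the reader (for example kubectl get configmap truststore-pem -o json, piped into this program); the pool it builds is what a Go client hands to tls.Config as RootCAs, and the NeedsRefresh check is a cheap way to turn the "have a procedure for updating" advice above into an alert before the copy silently stops validating the rotated CA.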

Integration with OpenShift Ingress

Sometimes you want to create an OpenShift Ingress to expose a stacklet that is secured with HTTPS. For the TLS re-encryption to work, you need to specify a Secret that contains a tls.crt key holding the PEM-encoded CA certificate.

A concrete example is shown below:

apiVersion: secrets.stackable.tech/v1alpha1
kind: TrustStore
metadata:
  name: cluster-internal-ca
  namespace: my-trino-namespace
spec:
  secretClassName: tls # Or any other SecretClass you are using
  format: tls-pem # As expected by OpenShift
  targetKind: Secret # As expected by OpenShift
  tlsPemCaName: tls.crt # As expected by OpenShift
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: trino
  namespace: my-trino-namespace
  annotations:
    route.openshift.io/termination: "reencrypt"
    route.openshift.io/destination-ca-certificate-secret: cluster-internal-ca
spec:
  rules:
    - host: trino.example.com
      http:
        paths:
          - backend:
              service:
                name: trino-coordinator
                port:
                  name: https
            path: /
            pathType: Prefix
  tls:
    - {}