Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TrustStore CRD #557

Open
wants to merge 85 commits into
base: main
Choose a base branch
from
Open

TrustStore CRD #557

wants to merge 85 commits into from

Conversation

nightkr
Copy link
Member

@nightkr nightkr commented Jan 29, 2025
edited by siegfriedweber
Loading

Description

Fixes #410.

rust/p12 is imported from hjiayz/p12@9983420 (fff63d1), can't really do much about CLA failures from before that point (and beyond that I've kept the changes fairly minimal to enable our use case). Discussed at https://stackable-workspace.slack.com/archives/C033A863YPL/p1741869321744189.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author
Preview Give feedback

Reviewer
Preview Give feedback

Acceptance
Preview Give feedback

hjiayz and others added 30 commits April 11, 2020 09:46
first commit
f44e0f1
first commit
9ab36c8
allow parse not support type
157460f
allow parse not support type
ed6fdd0
allow parse not support type
8762bd0
allow parse not support type
3585bc3
0.1.2
4be4e3c
update pbepkcs12
55f4ead
update pbepkcs12
810faa0
sdsi cert
49c79c1
0.1.3
88a4226
@hjiayz
fix
e2a7503
@Keruspe
switch to RustCrypto HmacSha1
d750eae 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
switch to getrandom
5ef132e 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
update RustCrypto deps
464e982 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
drop unused block-cipher-trait
de4272f 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
block-modes: update to 0.5.0
b5e2e50 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
rustfmt
2e8a35a 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
update rustcrypto
017b50e 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
Merge pull request #1 from Keruspe/master
6ad0857 
Drop ring dependency and update RustCrypto
@hjiayz
version 0.2.0
f48e223
@Keruspe
update crypto dependencies
02c5c97 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
update crypto dependencies
e372089 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
update yasna
f30063c 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
rename to pkcs-12
1c6f637 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
version 0.3.0
1d3fbd9 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
require yasna with std feature
5c0018e 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
version 0.3.1
885484a 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@Keruspe
add CI
dc0fad4 
Signed-off-by: Marc-Antoine Perennou <[email protected]>
@hjiayz
Merge pull request #2 from Keruspe/crypto
5e3179a 
update crypto dependencies
@stackable-bot
Copy link
Contributor

stackable-bot commented Mar 13, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 4 committers have signed the CLA.

❌ Keruspe
❌ ubamrein
❌ jcaesar
❌ hjiayz

hjiayz seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@nightkr nightkr marked this pull request as ready for review March 17, 2025 15:12
@nightkr nightkr requested a review from a team March 17, 2025 15:23
siegfriedweber
siegfriedweber requested changes Mar 27, 2025
View reviewed changes
Copy link
Member

@siegfriedweber siegfriedweber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following questions are open:

I did not review the complete p12 directory, but only the changes to v0.6.3.

docs/modules/secret-operator/examples/secretclass-tls.yaml
@@ -17,3 +17,4 @@ spec:
pod: {}
# or...
name: my-namespace
trustStoreConfigMapName: tls-ca # <4>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This example is used as introduction to SecretClasses, so I would not show special cases. Using k8sSearch for trust stores is not the main use case. I would leave it out. If not, then I would at least mention that this property is optional.

docs/modules/secret-operator/pages/secretclass.adoc
@@ -426,14 +435,16 @@ spec:
pod: {}
# or...
name: my-namespace
trustStoreConfigMapName: tls-ca # <4>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
trustStoreConfigMapName: tls-ca # <4>
trustStoreConfigMapName: tls-ca

docs/modules/secret-operator/pages/truststore.adoc
Comment on lines +21 to +23
NOTE: Make sure to have a procedure for updating the retrieved certificates. The Secret Operator will automatically rotate
the xref:secretclass.adoc#backend-autotls[autoTls] certificate authority as needed, but all trust roots will require
some form of update occasionally.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The style guide proposes one sentence per line (https://docs.stackable.tech/home/nightly/contributor/docs/style-guide/#_overall_structure_asciidoc_recommended_practices).

rust/operator-binary/src/truststore_controller.rs
};

const CONTROLLER_NAME: &str = "truststore";
const FULL_CONTROLLER_NAME: &str = "truststore.secrets.stackable.tech";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: In other operators, const_format is used to avoid duplication (concatcp!(CONTROLLER_NAME, ".", OPERATOR_NAME)).

rust/operator-binary/src/truststore_controller.rs
async move {
report_controller_reconciled(
&event_recorder,
&format!("{CONTROLLER_NAME}.{OPERATOR_NAME}"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Use FULL_CONTROLLER_NAME instead.

rust/operator-binary/src/truststore_controller.rs
}
},
)
// TODO: merge this into the other ConfigMap watch
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Just remove this comment if you do not plan to implement it.

rust/operator-binary/src/truststore_controller.rs
Comment on lines +213 to +214
// TODO
None
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Matching each error (and returning None) would be better, so that future errors with secondary objects are not forgotten.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@siegfriedweber siegfriedweber siegfriedweber requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow customers to request CA cert (e.g. for external clients)
7 participants
@nightkr @stackable-bot @siegfriedweber @hjiayz @Keruspe @ubamrein @jcaesar