diff --git a/README.md b/README.md
index fec9f5f..a738caf 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,13 @@ A such annotated secret looks like the following:
 ![keystore](media/keystore.png)
-The default password for these keystores is `changeme`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`.
+The default password for these keystores is `changeme`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`, but can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-alias: `.
+
+| Annotation | Default | Description |
+|:-|:-:|---|
+| `cert-utils-operator.redhat-cop.io/java-keystore-password` | changeit | The password to use when consuming the JKS trust store |
+| `cert-utils-operator.redhat-cop.io/generate-java-keystores` | false | Should the JKS keystore and truststore files be generated and attached to the secret |
+| `cert-utils-operator.redhat-cop.io/java-keystore-alias` | alias | The alias to use when consuming the JKS trust store |
 ### ConfigMaps
@@ -72,12 +78,13 @@ When this annotation is the following entry is added to the configmap as binaryD
 Note that Java Keystore require the key to be in [PKCS#8](https://en.wikipedia.org/wiki/PKCS_8) format. It is a responsibility of the certificate provisioner to make sure the key is in this format. No validation is currently performed by the cert-utils operator.
-The default password for these keystores is `changeit`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`.
+The default password for these keystores is `changeit`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`, but can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-alias: `.
 | Annotation | Default | Description |
 |:-|:-:|---|
 | `cert-utils-operator.redhat-cop.io/java-keystore-password` | changeit | The password to use when consuming the JKS trust store |
 | `cert-utils-operator.redhat-cop.io/generate-java-truststore` | false | Should the JKS file be generated and attached to the configmap |
+| `cert-utils-operator.redhat-cop.io/java-keystore-alias` | alias | The alias to use when consuming the JKS trust store |
 | `cert-utils-operator.redhat-cop.io/source-ca-key` | ca-bundle.crt | The key in the configmap which will be read to generate the truststore.jks |
 ## Showing info on the certificates
diff --git a/controllers/configmaptokeystore/configmap_to_keystore_controller.go b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
index 97c2233..bc8a4a8 100644
--- a/controllers/configmaptokeystore/configmap_to_keystore_controller.go
+++ b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
@@ -26,8 +26,10 @@ import (
 const javaTrustStoreAnnotation = util.AnnotationBase + "/generate-java-truststore"
 const javaTrustStoreSourceAnnotation = util.AnnotationBase + "/source-ca-key"
 const keystorepasswordAnnotation = util.AnnotationBase + "/java-keystore-password"
+const javeKeyStoreAliasName = util.AnnotationBase + "/java-keystore-alias"
 const defaultpassword = "changeme"
 const truststoreName = "truststore.jks"
+const defaultAlias = "alias"
 // ConfigMapToKeystoreReconciler reconciles a Namespace object
 type ConfigMapToKeystoreReconciler struct {
@@ -134,7 +136,7 @@ func (r *ConfigMapToKeystoreReconciler) getTrustStoreFromConfigMap(configMap *co
 }
 i := 0
 for p, rest := pem.Decode([]byte(ca)); p != nil; p, rest = pem.Decode(rest) {
- keyStore["alias"+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{
+ keyStore[getAlias(configMap)+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{
 Entry: keystore.Entry{
 CreationDate: time.Now(),
 },
@@ -161,6 +163,13 @@ func getPassword(configMap *corev1.ConfigMap) string {
 return defaultpassword
 }
+func getAlias(configMap *corev1.ConfigMap) string {
+ if alias, ok := configMap.GetAnnotations()[javeKeyStoreAliasName]; ok && alias != "" {
+ return alias
+ }
+ return defaultAlias
+}
+
 func getSourceKey(annotations map[string]string) string {
 sourceKey, err := annotations[javaTrustStoreSourceAnnotation]
diff --git a/controllers/secrettokeystore/secret_to_keystore_controller.go b/controllers/secrettokeystore/secret_to_keystore_controller.go
index 21affe3..6334ad5 100644
--- a/controllers/secrettokeystore/secret_to_keystore_controller.go
+++ b/controllers/secrettokeystore/secret_to_keystore_controller.go
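Review bot: The new constant `javeKeyStoreAliasName` misspells "java" and drops the `Annotation` suffix that its neighbours `javaTrustStoreAnnotation` and `keystorepasswordAnnotation` carry; `const javaKeyStoreAliasAnnotation = util.AnnotationBase + "/java-keystore-alias"` would follow the file's convention, and the same constant is added under the same name in the first hunk of secret_to_keystore_controller.go. Separately, the README table added for Secrets in this commit lists the password default as `changeit`, while the sentence beside it and this file's `defaultpassword` context line say `changeme` (the ConfigMap section of the README says `changeit` in both places); the documentation should be brought in line with the constant the controllers actually use.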
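Review bot: `getAlias(configMap)` is re-evaluated on every iteration of the PEM loop although its result cannot change while the ConfigMap is being read; hoisting it above the `for` with `alias := getAlias(configMap)` and indexing with `keyStore[alias+strconv.Itoa(i)]` keeps the loop body to the work that varies per certificate. The same applies to `getAlias(secret)+strconv.Itoa(i)` in the truststore loop of secret_to_keystore_controller.go. getTrustStoreFromConfigMap starts and ends outside this hunk.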
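Review bot: `getAlias` here and its twin added to secret_to_keystore_controller.go are identical apart from the parameter type, and both only call `GetAnnotations()`, which `*corev1.ConfigMap` and `*corev1.Secret` expose through their embedded ObjectMeta; one helper taking `metav1.Object`, placed next to `util.AnnotationBase`, would remove the duplication and keep the annotation key defined once. Inside the function the `ok &&` test is redundant because a missing key already yields `""`, and a value consisting only of whitespace passes the check and becomes the entry alias; `if alias := strings.TrimSpace(configMap.GetAnnotations()[javeKeyStoreAliasName]); alias != "" {` covers both. A doc comment stating that the annotation value is taken verbatim as the prefix of the truststore entry names would help the next reader.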
@@ -27,8 +27,10 @@ import (
 const javaKeyStoresAnnotation = util.AnnotationBase + "/generate-java-keystores"
 const keystorepasswordAnnotation = util.AnnotationBase + "/java-keystore-password"
-const storesCreationTiemstamp = util.AnnotationBase + "/java-keystores-creation-timestamp"
+const storesCreationTimestamp = util.AnnotationBase + "/java-keystores-creation-timestamp"
+const javeKeyStoreAliasName = util.AnnotationBase + "/java-keystore-alias"
 const defaultpassword = "changeme"
+const defaultAlias = "alias"
 const keystoreName = "keystore.jks"
 const truststoreName = "truststore.jks"
@@ -258,7 +260,7 @@ func (r *SecretToKeyStoreReconciler) getKeyStoreFromSecret(secret *corev1.Secret
 }
 r.Log.Info("retrieved", "creation time", creationTime)
- err = keyStore.SetPrivateKeyEntry("alias", keystore.PrivateKeyEntry{
+ err = keyStore.SetPrivateKeyEntry(getAlias(secret), keystore.PrivateKeyEntry{
 CreationTime: creationTime,
 PrivateKey: p.Bytes,
 CertificateChain: certs,
@@ -292,7 +294,7 @@ func (r *SecretToKeyStoreReconciler) getTrustStoreFromSecret(secret *corev1.Secr
 r.Log.Info("retrieved", "creation time", creationTime)
 i := 0
 for p, rest := pem.Decode(ca); p != nil; p, rest = pem.Decode(rest) {
- err := keyStore.SetTrustedCertificateEntry("alias"+strconv.Itoa(i), keystore.TrustedCertificateEntry{
+ err := keyStore.SetTrustedCertificateEntry(getAlias(secret)+strconv.Itoa(i), keystore.TrustedCertificateEntry{
 CreationTime: creationTime,
 Certificate: keystore.Certificate{
 Type: "X.509",
@@ -322,9 +324,16 @@ func getPassword(secret *corev1.Secret) string {
 return defaultpassword
 }
+func getAlias(secret *corev1.Secret) string {
+ if alias, ok := secret.GetAnnotations()[javeKeyStoreAliasName]; ok && alias != "" {
+ return alias
+ }
+ return defaultAlias
+}
+
 func (r *SecretToKeyStoreReconciler) getCreationTimestamp(secret *corev1.Secret) (time.Time, error) {
- if timeStr, ok := secret.GetAnnotations()[storesCreationTiemstamp]; ok {
+ if timeStr, ok := secret.GetAnnotations()[storesCreationTimestamp]; ok {
 creationTime, err := time.Parse(time.RFC3339, timeStr)
 if err != nil {
 r.Log.Error(err, "unable to parse creation time")
@@ -333,7 +342,7 @@ func (r *SecretToKeyStoreReconciler) getCreationTimestamp(secret *corev1.Secret)
 return creationTime, nil
 } else {
 now := time.Now()
- secret.GetAnnotations()[storesCreationTiemstamp] = now.Format(time.RFC3339)
+ secret.GetAnnotations()[storesCreationTimestamp] = now.Format(time.RFC3339)
 return now, nil
 }
 }
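Review bot: `getAlias` has no doc comment, and the README row added for Secrets describes the annotation as "the alias to use when consuming the JKS trust store", whereas in this controller the value also names the private-key entry written to keystore.jks (`SetPrivateKeyEntry(getAlias(secret), ...)` in the earlier hunk of this file) and only the truststore entries receive the numeric suffix. A comment such as `// getAlias returns the entry alias requested through the java-keystore-alias annotation, or defaultAlias when it is absent or empty; it names the private-key entry in keystore.jks and prefixes the indexed entries in truststore.jks.` would record that contract, and the README row should be corrected to say the same.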