Updates truststore format in CRD (#33)

figliold · web-flow · commit 7ff5a202aa40 · 2025-04-16T14:17:52.000-07:00
diff --git a/operator/Makefile b/operator/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.10.1
+VERSION ?= 0.11.0
 GIT_TAG := operator_v$(VERSION)
 KEIP_INTEGRATION_IMAGE ?= ghcr.io/octoconsulting/keip/minimal-app:latest
 
diff --git a/operator/controller/core-controller.yaml b/operator/controller/core-controller.yaml
@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: webhook
-          image: ghcr.io/octoconsulting/keip/route-webhook:0.13.1
+          image: ghcr.io/octoconsulting/keip/route-webhook:0.14.0
           ports:
             - containerPort: 7080
               name: webhook-http
diff --git a/operator/crd/crd.yaml b/operator/crd/crd.yaml
@@ -162,22 +162,40 @@ spec:
                   type: object
                   properties:
                     truststore:
-                      description: "Configure client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
+                      description: "Configures client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
                       type: object
                       properties:
-                        configMapName:
-                          type: string
-                        key:
-                          type: string
-                        type:
-                          type: string
-                          enum:
+                        jks:
+                          type: object
+                          properties:
+                            configMapName:
+                              description: "The name of the ConfigMap resource containing the truststore (truststore.jks)."
+                              type: string
+                            key:
+                              description: "The name of the key containing the truststore in the ConfigMap resource (configMapName)."
+                              type: string
+                          required:
+                            - configMapName
+                            - key
+                        pkcs12:
+                          type: object
+                          properties:
+                            configMapName:
+                              description: "The name of the ConfigMap resource containing the truststore (truststore.p12)."
+                              type: string
+                            key:
+                              description: "The name of the key containing the truststore in the ConfigMap resource (configMapName)."
+                              type: string
+                          required:
+                            - configMapName
+                            - key
+                      oneOf:
+                        - properties:
+                          required:
                             - jks
+                        - properties:
+                          required:
                             - pkcs12
-                      required:
-                        - configMapName
-                        - key
-                        - type
                     keystore:
                       description: "Configures HTTP server TLS connections using a JKS or PKCS12 keystore. The keystore password should be stored in a Secret resource and referenced in the route's Custom Resource. The format of the Secret is `password=<password>`."
                       type: object
@@ -192,7 +210,7 @@ spec:
                               description: "The name of the Secret resource containing the keystore (keystore.jks)."
                               type: string
                             key:
-                              description: "The name of the key, containing the keystore, in the Secret resource (secretName)."
+                              description: "The name of the key containing the keystore in the Secret resource (secretName)."
                               type: string
                             passwordSecretRef:
                               description: "The reference to the Secret resource containing the password used to encrypt the JKS keystore."
diff --git a/operator/webhook/Makefile b/operator/webhook/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.13.1
+VERSION ?= 0.14.0
 HOST_PORT ?= 7080
 GIT_TAG := webhook_v$(VERSION)
 
diff --git a/operator/webhook/core/sync.py b/operator/webhook/core/sync.py
@@ -81,15 +81,16 @@ def get_volumes(self) -> List[Mapping]:
         if self._tls_config:
             truststore = self._tls_config.get("truststore")
             if truststore:
+                truststore_type = _get_tls_cert_store_type(truststore)
                 volumes.append(
                     {
                         "name": self._tls_truststore_name,
                         "configMap": {
-                            "name": truststore["configMapName"],
+                            "name": truststore[truststore_type]["configMapName"],
                             "items": [
                                 {
-                                    "key": truststore["key"],
-                                    "path": truststore["key"],
+                                    "key": truststore[truststore_type]["key"],
+                                    "path": truststore[truststore_type]["key"],
                                 }
                             ],
                         },
@@ -98,7 +99,7 @@ def get_volumes(self) -> List[Mapping]:
 
             keystore = self._tls_config.get("keystore")
             if keystore:
-                keystore_type = _get_keystore_type(keystore)
+                keystore_type = _get_tls_cert_store_type(keystore)
                 volumes.append(
                     {
                         "name": self._tls_keystore_name,
@@ -227,8 +228,8 @@ def _service_name_env_var(parent) -> Mapping[str, str]:
     return {"name": "SERVICE_NAME", "value": parent["metadata"]["name"]}
 
 
-def _get_keystore_type(keystore) -> str:
-    return "jks" if "jks" in keystore else "pkcs12"
+def _get_tls_cert_store_type(tls_cert_store) -> str:
+    return "jks" if "jks" in tls_cert_store else "pkcs12"
 
 
 def _spring_app_config_env_var(parent) -> Optional[Mapping]:
@@ -261,7 +262,7 @@ def _get_keystore_password_env(tls) -> Mapping[str, Any]:
     if not keystore:
         return {}
 
-    keystore_type = _get_keystore_type(keystore)
+    keystore_type = _get_tls_cert_store_type(keystore)
 
     return {
         "name": "SERVER_SSL_KEYSTOREPASSWORD",
@@ -281,12 +282,12 @@ def _get_java_jdk_options(tls) -> Optional[Mapping[str, str]]:
     if not truststore:
         return None
 
-    tls_type = truststore["type"]
-    truststore_password = "changeit" if tls_type == "jks" else ""
+    truststore_type = _get_tls_cert_store_type(truststore)
+    truststore_password = "changeit" if truststore_type == "jks" else ""
 
     return {
         "name": "JDK_JAVA_OPTIONS",
-        "value": f"-Djavax.net.ssl.trustStore={str(PurePosixPath(TRUSTSTORE_PATH, truststore['key']))} -Djavax.net.ssl.trustStorePassword={truststore_password} -Djavax.net.ssl.trustStoreType={tls_type.upper()}",
+        "value": f"-Djavax.net.ssl.trustStore={str(PurePosixPath(TRUSTSTORE_PATH, truststore[truststore_type]['key']))} -Djavax.net.ssl.trustStorePassword={truststore_password} -Djavax.net.ssl.trustStoreType={truststore_type.upper()}",
     }
 
 
diff --git a/operator/webhook/core/test/json/full-iroute-request.json b/operator/webhook/core/test/json/full-iroute-request.json
@@ -71,9 +71,10 @@
           }
         },
         "truststore": {
-          "configMapName": "test-tls-cm",
-          "key": "test-truststore.p12",
-          "type": "pkcs12"
+          "pkcs12": {
+            "configMapName": "test-tls-cm",
+            "key": "test-truststore.p12"
+          }
         }
       },
       "configMaps": [
diff --git a/operator/webhook/core/test/test_sync.py b/operator/webhook/core/test/test_sync.py
@@ -212,8 +212,9 @@ def test_jdk_options_pkcs12_truststore_type(full_route):
 
 def test_jdk_options_jks_truststore_type(full_route):
     tls_config = full_route["parent"]["spec"]["tls"]
-    tls_config["truststore"]["type"] = "jks"
-    tls_config["truststore"]["key"] = "test-truststore.jks"
+    tls_config["truststore"] = {
+        "jks": {"configMapName": "test-tls-cm", "key": "test-truststore.jks"}
+    }
 
     options = _get_java_jdk_options(tls_config)
     assert options["name"] == JDK_OPTIONS_ENV_NAME
@@ -276,9 +277,7 @@ def test_volume_pkcs12_keystore_and_pkcs12_truststore(full_route):
 def test_volume_jks_keystore_and_jks_truststore(full_route):
     del full_route["parent"]["spec"]["tls"]["truststore"]
     full_route["parent"]["spec"]["tls"]["truststore"] = {
-        "configMapName": "test-tls-cm",
-        "key": "test-truststore.jks",
-        "type": "jks",
+        "jks": {"configMapName": "test-tls-cm", "key": "test-truststore.jks"}
     }
     expected_keystore_volume = {
         "name": "keystore",

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-VERSION ?= 0.10.1`
	`1`	`+VERSION ?= 0.11.0`
`2`	`2`	`GIT_TAG := operator_v$(VERSION)`
`3`	`3`	`KEIP_INTEGRATION_IMAGE ?= ghcr.io/octoconsulting/keip/minimal-app:latest`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-VERSION ?= 0.13.1`
	`1`	`+VERSION ?= 0.14.0`
`2`	`2`	`HOST_PORT ?= 7080`
`3`	`3`	`GIT_TAG := webhook_v$(VERSION)`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -71,9 +71,10 @@`
`71`	`71`	`}`
`72`	`72`	`},`
`73`	`73`	`"truststore": {`
`74`		`- "configMapName": "test-tls-cm",`
`75`		`- "key": "test-truststore.p12",`
`76`		`- "type": "pkcs12"`
	`74`	`+ "pkcs12": {`
	`75`	`+ "configMapName": "test-tls-cm",`
	`76`	`+ "key": "test-truststore.p12"`
	`77`	`+ }`
`77`	`78`	`}`
`78`	`79`	`},`
`79`	`80`	`"configMaps": [`