Skip to content

feat: add centralized trust bundle cert management #2167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
joelmccoy wants to merge 16 commits into
base: main
Choose a base branch
from
Open

feat: add centralized trust bundle cert management #2167

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
f73205f
feat: add ca trust bundle management
joelmccoy Nov 21, 2025
37b6de7
chore: more tests and update private-pki test
joelmccoy Nov 21, 2025
ea88d5d
fix: don't skip initial startup
joelmccoy Dec 2, 2025
2494c98
chore: update kfc/crds/tsdocs
joelmccoy Dec 2, 2025
a11fbb9
fix: update kfc/proper crds
joelmccoy Dec 2, 2025
dc3551a
chore: add e2e test for trust-bundle-management
joelmccoy Dec 3, 2025
787b366
Merge branch 'main' into ca-trust-bundle
joelmccoy Dec 3, 2025
c95b13f
fix: testing issues
joelmccoy Dec 3, 2025
b67855a
chore: add docs
joelmccoy Dec 3, 2025
939b48c
chore: update tsdocs
joelmccoy Dec 3, 2025
e69385c
chore: address pr feedback
joelmccoy Dec 3, 2025
ee48af0
fix: proper typing
joelmccoy Dec 3, 2025
5e879ea
chore: address PR feedback
joelmccoy Dec 8, 2025
c8ade8b
chore: refactor to not create empty configmaps
joelmccoy Dec 9, 2025
f4d6436
Merge branch 'main' into ca-trust-bundle
joelmccoy Dec 9, 2025
c037e91
chore: update docs links & crd schema
joelmccoy Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions bundles/k3d-standard/uds-private-pki-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@

variables:
core:
# CA certificate for Authservice
CA_CERT: "PLACEHOLDER_CA_CERT"
Copy link
Contributor

@slaskawi slaskawi Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we call this out as a breaking change?

Copy link
Contributor

@mjnagel mjnagel Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're leaving CA_CERT around, just deprecated so I don't think we need to. This removal is just in a CI only config file so not a downstream breaking change here.

# CA_CERTS
CA_BUNDLE_CERTS: "PLACEHOLDER_CA_BUNDLE_CERTS"

# Admin Gateway TLS certificate and key
ADMIN_TLS_CERT: "PLACEHOLDER_ADMIN_TLS_CERT"
Expand All @@ -18,9 +18,9 @@ variables:
GRAFANA_EXTRA_CONFIGMAP_MOUNTS:
- name: ca-certs
mountPath: /etc/ssl/certs/ca.pem
configMap: private-ca
configMap: uds-trust-bundle
readOnly: true
subPath: ca.pem
subPath: ca-bundle.pem

# Keycloak private PKI configuration
KEYCLOAK_EXTRA_VOLUME_MOUNTS:
Expand All @@ -30,6 +30,6 @@ variables:
KEYCLOAK_EXTRA_VOLUMES:
- name: ca-certs
configMap:
name: private-ca
name: uds-trust-bundle
KEYCLOAK_TRUSTSTORE_PATHS:
- "/tmp/ca-certs"
22 changes: 11 additions & 11 deletions docs/reference/configuration/custom-resources/clusterconfig-v1alpha1-cr.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,15 @@ sidebar:
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">metadata</td><td style="white-space: nowrap;"><a href="#Metadata">Metadata</a></td><td></td></tr><tr><td style="white-space: nowrap;">spec</td><td style="white-space: nowrap;"><a href="#Spec">Spec</a></td><td></td></tr>
<tr><td style="white-space: nowrap;">spec</td><td style="white-space: nowrap;"><a href="#Spec">Spec</a></td><td></td></tr>
</tbody>
</table>
</div>

<a id="Metadata"></a>
<a id="Spec"></a>
<div style="margin-left: 40px; padding-top: 30px;">

## Metadata
## Spec
<table style="width: 100%; table-layout: fixed;">
<thead>
<tr>
Expand All @@ -36,15 +36,15 @@ sidebar:
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">name</td><td style="white-space: nowrap;">string (enum):<ul><li><code>uds-cluster-config</code></li></ul></td><td></td></tr>
<tr><td style="white-space: nowrap;">attributes</td><td style="white-space: nowrap;"><a href="#Attributes">Attributes</a></td><td></td></tr><tr><td style="white-space: nowrap;">caBundle</td><td style="white-space: nowrap;"><a href="#CaBundle">CaBundle</a></td><td></td></tr><tr><td style="white-space: nowrap;">expose</td><td style="white-space: nowrap;"><a href="#Expose">Expose</a></td><td></td></tr><tr><td style="white-space: nowrap;">networking</td><td style="white-space: nowrap;"><a href="#Networking">Networking</a></td><td></td></tr><tr><td style="white-space: nowrap;">policy</td><td style="white-space: nowrap;"><a href="#Policy">Policy</a></td><td></td></tr>
</tbody>
</table>
</div>

<a id="Spec"></a>
<div style="margin-left: 40px; padding-top: 30px;">
<a id="Attributes"></a>
<div style="margin-left: 60px; padding-top: 30px;">

## Spec
### Attributes
<table style="width: 100%; table-layout: fixed;">
<thead>
<tr>
Expand All @@ -54,15 +54,15 @@ sidebar:
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">attributes</td><td style="white-space: nowrap;"><a href="#Attributes">Attributes</a></td><td></td></tr><tr><td style="white-space: nowrap;">expose</td><td style="white-space: nowrap;"><a href="#Expose">Expose</a></td><td></td></tr><tr><td style="white-space: nowrap;">networking</td><td style="white-space: nowrap;"><a href="#Networking">Networking</a></td><td></td></tr><tr><td style="white-space: nowrap;">policy</td><td style="white-space: nowrap;"><a href="#Policy">Policy</a></td><td></td></tr>
<tr><td style="white-space: nowrap;">clusterName</td><td style="white-space: nowrap;">string</td><td>Friendly name to associate with your UDS cluster</td></tr><tr><td style="white-space: nowrap;">tags</td><td style="white-space: nowrap;">string[]</td><td>Tags to apply to your UDS cluster</td></tr>
</tbody>
</table>
</div>

<a id="Attributes"></a>
<a id="CaBundle"></a>
<div style="margin-left: 60px; padding-top: 30px;">

### Attributes
### CaBundle
<table style="width: 100%; table-layout: fixed;">
<thead>
<tr>
Expand All @@ -72,7 +72,7 @@ sidebar:
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">clusterName</td><td style="white-space: nowrap;">string</td><td>Friendly name to associate with your UDS cluster</td></tr><tr><td style="white-space: nowrap;">tags</td><td style="white-space: nowrap;">string[]</td><td>Tags to apply to your UDS cluster</td></tr>
<tr><td style="white-space: nowrap;">certs</td><td style="white-space: nowrap;">string</td><td>Contents of user provided CA bundle certificates</td></tr><tr><td style="white-space: nowrap;">includeDoDCerts</td><td style="white-space: nowrap;">boolean</td><td>Include DoD CA certificates in the bundle</td></tr><tr><td style="white-space: nowrap;">includePublicCerts</td><td style="white-space: nowrap;">boolean</td><td>Include public CA certificates in the bundle</td></tr>
</tbody>
</table>
</div>
Expand Down
38 changes: 37 additions & 1 deletion docs/reference/configuration/custom-resources/packages-v1alpha1-cr.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,43 @@ sidebar:
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">monitor</td><td style="white-space: nowrap;"><a href="#Monitor">Monitor[]</a></td><td>Create Service or Pod Monitor configurations</td></tr><tr><td style="white-space: nowrap;">network</td><td style="white-space: nowrap;"><a href="#Network">Network</a></td><td>Network configuration for the package</td></tr><tr><td style="white-space: nowrap;">sso</td><td style="white-space: nowrap;"><a href="#Sso">Sso[]</a></td><td>Create SSO client configurations</td></tr>
<tr><td style="white-space: nowrap;">caBundle</td><td style="white-space: nowrap;"><a href="#CaBundle">CaBundle</a></td><td>CA bundle configuration for the package</td></tr><tr><td style="white-space: nowrap;">monitor</td><td style="white-space: nowrap;"><a href="#Monitor">Monitor[]</a></td><td>Create Service or Pod Monitor configurations</td></tr><tr><td style="white-space: nowrap;">network</td><td style="white-space: nowrap;"><a href="#Network">Network</a></td><td>Network configuration for the package</td></tr><tr><td style="white-space: nowrap;">sso</td><td style="white-space: nowrap;"><a href="#Sso">Sso[]</a></td><td>Create SSO client configurations</td></tr>
</tbody>
</table>
</div>

<a id="CaBundle"></a>
<div style="margin-left: 60px; padding-top: 30px;">

### CaBundle
<table style="width: 100%; table-layout: fixed;">
<thead>
<tr>
<th style="width: 20%; white-space: nowrap;">Field</th>
<th style="width: 25%; white-space: nowrap;">Type</th>
<th style="width: 55%; white-space: nowrap;">Description</th>
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">configMap</td><td style="white-space: nowrap;"><a href="#ConfigMap">ConfigMap</a></td><td>ConfigMap configuration for CA bundle</td></tr>
</tbody>
</table>
</div>

<a id="ConfigMap"></a>
<div style="margin-left: 80px; padding-top: 30px;">

#### ConfigMap
<table style="width: 100%; table-layout: fixed;">
<thead>
<tr>
<th style="width: 20%; white-space: nowrap;">Field</th>
<th style="width: 25%; white-space: nowrap;">Type</th>
<th style="width: 55%; white-space: nowrap;">Description</th>
</tr>
</thead>
<tbody>
<tr><td style="white-space: nowrap;">annotations</td><td style="white-space: nowrap;"></td><td>Additional annotations to apply to the generated ConfigMap (default: {})</td></tr><tr><td style="white-space: nowrap;">key</td><td style="white-space: nowrap;">string</td><td>The key name inside the ConfigMap (default: ca-bundle.pem)</td></tr><tr><td style="white-space: nowrap;">labels</td><td style="white-space: nowrap;"></td><td>Additional labels to apply to the generated ConfigMap (default: {})</td></tr><tr><td style="white-space: nowrap;">name</td><td style="white-space: nowrap;">string</td><td>The name of the ConfigMap to create (default: uds-trust-bundle)</td></tr>
</tbody>
</table>
</div>
Expand Down
4 changes: 4 additions & 0 deletions hack/dev-manifests/cluster-config-init.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ spec:
attributes:
clusterName: ""
tags: []
caBundle:
certs: ""
includeDoDCerts: true
includePublicCerts: true
expose:
adminDomain: ""
caCert: ""
Expand Down
11 changes: 11 additions & 0 deletions hack/dev-manifests/uds-ca-certs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Copyright 2025 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

apiVersion: v1
kind: ConfigMap
metadata:
name: uds-ca-certs
namespace: pepr-system
data:
dodCACerts: ""
Copy link
Contributor

@slaskawi slaskawi Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ConfigMap has a limitation to 1 MB. I did some quick math and for a Base64 encoded certs that are quite large (2 KB, 2.72 KB after encoding), we can store around 370 of these.

Even though it appears quite large, shall we mention somewhere in the docs that there is certain ceiling there and administrators should be aware of it?

Copy link
Contributor Author

@joelmccoy joelmccoy Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, we did some math in the design doc around this. Realistically, we don't imagine users hitting the upper limit on the configmap. We could put a callout in the docs about the upper limit, but I feel it is adding a caution to something that most likely won't happen? I lean towards leaving it out but could be convinced to put it in

publicCACerts: ""
63 changes: 46 additions & 17 deletions schemas/clusterconfig-v1alpha1.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,36 +6,28 @@
"type": "object",
"additionalProperties": {},
"properties": {
"metadata": {
"$ref": "#/definitions/Metadata"
},
"spec": {
"$ref": "#/definitions/Spec"
},
"status": {
"$ref": "#/definitions/Status"
}
},
"required": [
"spec"
],
"title": "ClusterConfig"
},
"Metadata": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"$ref": "#/definitions/Name"
}
},
"required": [],
"title": "Metadata"
},
"Spec": {
"type": "object",
"additionalProperties": false,
"properties": {
"attributes": {
"$ref": "#/definitions/Attributes"
},
"caBundle": {
"$ref": "#/definitions/CABundle"
},
"expose": {
"$ref": "#/definitions/Expose"
},
Expand All @@ -47,6 +39,7 @@
}
},
"required": [
"caBundle",
"expose",
"policy"
],
Expand All @@ -71,6 +64,26 @@
"required": [],
"title": "Attributes"
},
"CABundle": {
"type": "object",
"additionalProperties": false,
"properties": {
"certs": {
"type": "string",
"description": "Contents of user provided CA bundle certificates"
},
"includeDoDCerts": {
"type": "boolean",
"description": "Include DoD CA certificates in the bundle"
},
"includePublicCerts": {
"type": "boolean",
"description": "Include public CA certificates in the bundle"
}
},
"required": [],
"title": "CABundle"
},
"Expose": {
"type": "object",
"additionalProperties": false,
Expand Down Expand Up @@ -126,12 +139,28 @@
],
"title": "Policy"
},
"Name": {
"Status": {
"type": "object",
"additionalProperties": false,
"properties": {
"observedGeneration": {
"type": "integer"
},
"phase": {
"$ref": "#/definitions/Phase"
}
},
"required": [],
"title": "Status"
},
"Phase": {
"type": "string",
"enum": [
"uds-cluster-config"
"Pending",
"Ready",
"Failed"
],
"title": "Name"
"title": "Phase"
}
}
}
Loading
Loading