K8SSAND-1828 ⁃ Make keystore-password, keystore, trustore keys in secret configurable #718

Closed
dnugmanov opened this issue Oct 14, 2022 · 0 comments · Fixed by #727
Labels
enhancement New feature or request

dnugmanov commented Oct 14, 2022

Hi, I want to use client encryption in Cassandra and implement it via cert-manager + k8ssandra-operator. I create a certificate via cert-manager and enable the following options:

spec:
  secretName: ssl-test-jks-keystore
  keystores:
    jks:
      create: true
      passwordSecretRef:
        key: keystore-pass
        name: jks-password

Then cert-manager adds the keys keystore.jks/truststore.jks to the secret ssl-test-jks-keystore. I use this secret in the k8ssandraCluster spec to define my keystore/truststore via the clientEncryptionStores section. But k8ssandra-operator and cert-manager hard-code the key names in the secret: k8ssandra-operator expects keystore and truststore, but cert-manager uses keystore.jks and truststore.jks.

Could you change the default constants to match cert-manager's default keys, or make the key names configurable?

https://github.com/cert-manager/cert-manager/blob/2db62c21c337cb5af3ea9dce1cbc0b69cfc7c509/pkg/controller/certificates/issuing/internal/keystore.go#L46

https://github.com/k8ssandra/k8ssandra-operator/blob/32c4fcfdebc5b28b9c731bca8ada9ab79e3910a8/pkg/encryption/encryption_stores.go#L30

The second problem is that keystore-password is also hard-coded and expected in the same secret as the keystore. cert-manager stores it in a different secret: the password secret is managed by the user, and the keystore secret is managed by cert-manager. According to the above code, the keystore will be in the ssl-test-jks-keystore secret and the password will be in the jks-password secret.

Could you extend the encryption.Store API to cover these cases and change the defaults to match cert-manager (or add native support for cert-manager via Certificate resources instead of Secrets)?

┆Issue is synchronized with this Jira Task by Unito
┆friendlyId: K8SSAND-1828
┆priority: Medium

@dnugmanov dnugmanov added the enhancement New feature or request label Oct 14, 2022
@sync-by-unito sync-by-unito bot changed the title Make keystore-password, keystore, trustore keys in secret configurable K8SSAND-1828 ⁃ Make keystore-password, keystore, trustore keys in secret configurable Oct 14, 2022
@adejanovski adejanovski added zh:In-Progress Issues in the ZenHub pipeline 'In-Progress' zh:Ready-For-Review Issues in the ZenHub pipeline 'Ready-For-Review' and removed zh:In-Progress Issues in the ZenHub pipeline 'In-Progress' labels Oct 18, 2022
@adejanovski adejanovski removed the zh:Ready-For-Review Issues in the ZenHub pipeline 'Ready-For-Review' label Nov 8, 2022
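
An added example, not part of the original issue and not k8ssandra-operator's code: a Go sketch of the configurable lookup the issue asks for, using the secret and key names quoted above. `KeyRef`, `StoreRefs`, `Resolve`, `Sample` and the byte values are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// KeyRef and StoreRefs are hypothetical; an empty field means "use the default".
type KeyRef struct{ Secret, Key string }
type StoreRefs struct{ Keystore, Truststore, Password KeyRef }

// Secrets stands in for the namespace: secret name -> data key -> value.
type Secrets map[string]map[string][]byte

// Resolve returns keystore, truststore and password bytes, in that order,
// failing closed when any referenced entry is missing or empty. The default
// key names are the ones the issue says the operator expects.
func Resolve(s Secrets, defSecret string, r StoreRefs) ([3][]byte, error) {
	var out [3][]byte
	defKeys := [3]string{"keystore", "truststore", "keystore-password"}
	for i, ref := range [3]KeyRef{r.Keystore, r.Truststore, r.Password} {
		if ref.Secret == "" {
			ref.Secret = defSecret
		}
		if ref.Key == "" {
			ref.Key = defKeys[i]
		}
		v := s[ref.Secret][ref.Key] // a missing secret or key yields nil
		if len(v) == 0 {
			return [3][]byte{}, fmt.Errorf("secret %q has no usable key %q", ref.Secret, ref.Key)
		}
		out[i] = v
	}
	return out, nil
}

// Sample is constructed data shaped like the two Secrets described in the issue.
func Sample() Secrets {
	return Secrets{
		"ssl-test-jks-keystore": {"keystore.jks": []byte("JKS-A"), "truststore.jks": []byte("JKS-B")},
		"jks-password":          {"keystore-pass": []byte("example-only")},
	}
}

func main() {
	_, err := Resolve(Sample(), "ssl-test-jks-keystore", StoreRefs{})
	fmt.Println("hard-coded names:", err)
	_, err = Resolve(Sample(), "ssl-test-jks-keystore", StoreRefs{
		Keystore:   KeyRef{Key: "keystore.jks"},
		Truststore: KeyRef{Key: "truststore.jks"},
		Password:   KeyRef{Secret: "jks-password", Key: "keystore-pass"},
	})
	fmt.Println("cert-manager names:", err)
}
```

With the defaults, the lookup fails on the first key, which is the mismatch reported here; with the overrides, the password is read from the separate user-managed secret.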