wakeupworld/keystore_operator

Keystore Operator

A Kubernetes operator built with kubebuilder that monitors the pcf-vault-tls secret (updated by cert-manager) and automatically creates keystore and truststore secrets in the PCF namespace.

Overview

This operator:

  • Watches the pcf-vault-tls secret in the source namespace
  • Automatically triggers when cert-manager updates the secret
  • Converts TLS certificates to Java keystore (JKS) format
  • Creates/updates pcf-keystore and pcf-truststore secrets in the target namespace

Prerequisites

  • Go 1.21+
  • kubectl configured to access your Kubernetes cluster
  • Docker (for building the container image)
  • kubebuilder tools (optional, for regeneration - make will install them)
  • cert-manager installed in your cluster
  • pcf-vault-tls secret created by cert-manager

Quick Start

1. Configure the Operator

Update the deployment arguments in config/manager/manager.yaml:

args:
- --source-secret-name=pcf-vault-tls          # Name of secret to watch
- --source-secret-namespace=default            # Namespace of source secret
- --target-namespace=pcf                       # Where to create keystore secrets
- --keystore-secret-name=pcf-keystore          # Name of keystore secret
- --truststore-secret-name=pcf-truststore      # Name of truststore secret

Set the keystore password via environment variable or secret:

env:
- name: KEYSTORE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: keystore-credentials
      key: password

2. Create the Keystore Password Secret

The secret has to live in the operator's own namespace (system in the default manifests), because a secretKeyRef can only reference secrets in the pod's namespace:

kubectl create secret generic keystore-credentials \
  --from-literal=password=your-secure-password \
  -n system

Note that --from-literal leaves the password in your shell history; --from-file, or a secrets-management tool that writes the Secret for you, avoids that.

3. Build and Deploy

# Build the Docker image
make docker-build

# Or with a custom image name
make docker-build IMG=your-registry/keystore-operator:v1.0.0

# Push to registry (if needed)
make docker-push IMG=your-registry/keystore-operator:v1.0.0

# Update the image in kustomize
cd config/manager
kustomize edit set image controller=your-registry/keystore-operator:v1.0.0

# Deploy to cluster
make deploy

4. Verify Deployment

# Check operator pod
kubectl get pods -n system -l control-plane=controller-manager

# Check logs
kubectl logs -n system -l control-plane=controller-manager

# Verify secrets were created
kubectl get secrets -n pcf | grep -E "pcf-keystore|pcf-truststore"

Development

Local Development

Run the operator locally (requires kubectl access to cluster):

make run

Testing

# Run tests
make test

# Format code (go fmt)
make fmt

# Run go vet
make vet

Building

# Build binary
make build

# Build Docker image
make docker-build

How It Works

  1. Reconciliation Loop: The operator uses controller-runtime to watch Secret resources cluster-wide. This is why the manager is bound through a ClusterRole with read access to every Secret in the cluster; if that is broader than your environment tolerates, restrict the manager's cache and RBAC to the source and target namespaces
  2. Secret Filtering: The reconciler ignores every event except those for the configured source secret name in the source namespace (pcf-vault-tls in default by default)
  3. Certificate Extraction: Extracts tls.crt, tls.key, and optionally ca.crt from the secret
  4. Keystore Creation:
    • Converts certificate and key to PKCS12 format using OpenSSL
    • Converts PKCS12 to JKS format using keytool
  5. Truststore Creation:
    • Uses the CA certificate (ca.crt) if available
    • Falls back to the server certificate if no CA is present. A truststore built this way trusts only that exact leaf, so every renewal by cert-manager changes pcf-truststore as well and clients must reload it each time
  6. Secret Management: Creates or updates the keystore and truststore secrets in the target namespace
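The extraction and truststore steps above (3 and 5), as an added stand-alone Go example that is not the operator's own code: it uses only the standard library, adds two checks a practitioner would want before anything is handed to openssl (that tls.key actually belongs to tls.crt, and that the certificate is valid right now), and applies the ca.crt-or-leaf fallback. SampleSecretData builds constructed test material (a self-signed certificate for the made-up name pcf.example.internal) in place of a real pcf-vault-tls secret; TLSMaterial and the function names are this example's own, not identifiers from the operator.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSMaterial is the validated input handed to the openssl/keytool step.
type TLSMaterial struct {
	Leaf            *x509.Certificate
	LeafPEM, KeyPEM []byte
	TrustPEM        []byte // ca.crt when present, otherwise the leaf itself
	TrustIsLeaf     bool   // the truststore then pins the server cert and changes on every rotation
}

// parseKey accepts the tls.key encodings cert-manager writes: PKCS#8, SEC1 (EC) or PKCS#1 (RSA).
func parseKey(keyPEM []byte) (crypto.Signer, error) {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return nil, errors.New("tls.key missing or not PEM")
	}
	k, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
		k, err = x509.ParseECPrivateKey(kb.Bytes) // SEC1, cert-manager's ECDSA default
	}
	if err != nil {
		k, err = x509.ParsePKCS1PrivateKey(kb.Bytes) // cert-manager's RSA default
	}
	if s, ok := k.(crypto.Signer); ok && err == nil {
		return s, nil
	}
	return nil, errors.New("tls.key: unsupported private key encoding")
}

// Extract validates a cert-manager style Secret's data and chooses the truststore input.
func Extract(data map[string][]byte, now time.Time) (*TLSMaterial, error) {
	crtPEM, keyPEM := data["tls.crt"], data["tls.key"]
	cb, _ := pem.Decode(crtPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt missing or not a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return nil, fmt.Errorf("tls.crt: %w", err)
	}
	key, err := parseKey(keyPEM)
	if err != nil {
		return nil, err
	}
	// A keystore whose key does not belong to its certificate is useless to the JVM; refuse it.
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return nil, errors.New("tls.key does not match tls.crt")
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("tls.crt is not valid at %s", now.UTC().Format(time.RFC3339))
	}
	m := &TLSMaterial{Leaf: leaf, LeafPEM: crtPEM, KeyPEM: keyPEM, TrustPEM: data["ca.crt"]}
	if len(m.TrustPEM) == 0 { // no CA in the secret: fall back to the server certificate
		m.TrustPEM, m.TrustIsLeaf = crtPEM, true
	}
	return m, nil
}

// SampleSecretData is a constructed stand-in for pcf-vault-tls: a self-signed P-256 leaf (CN pcf.example.internal), its SEC1 key and optionally ca.crt.
func SampleSecretData(withCA bool) (map[string][]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated P-256 key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "pcf.example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	crtDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	data := map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: crtDER}),
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}
	if withCA {
		data["ca.crt"] = data["tls.crt"] // self-signed, so the leaf doubles as its own CA
	}
	return data, nil
}
```

Running Extract over the Secret's Data map before shelling out turns a failed openssl or keytool run (Common Issues item 4) into a specific error in the operator log, and TrustIsLeaf is worth logging at warning level, since in that mode every cert-manager renewal rewrites pcf-truststore as well.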

Configuration

Command Line Arguments

  • --source-secret-name: Name of the source TLS secret (default: pcf-vault-tls)
  • --source-secret-namespace: Namespace of the source secret (default: default)
  • --target-namespace: Namespace where keystore secrets are created (default: pcf)
  • --keystore-secret-name: Name of the keystore secret (default: pcf-keystore)
  • --truststore-secret-name: Name of the truststore secret (default: pcf-truststore)
  • --keystore-password: Password for keystores (or use the KEYSTORE_PASSWORD env var). Prefer the environment variable fed from a Secret, as in the Quick Start: a flag value is visible in the Deployment spec and in the process list inside the pod

Environment Variables

  • KEYSTORE_PASSWORD: Password for keystore/truststore files

Output Secrets

The operator creates two secrets in the target namespace:

pcf-keystore

  • Contains: keystore.jks
  • Format: JKS (Java KeyStore)
  • Includes: Server certificate and private key

pcf-truststore

  • Contains: truststore.jks
  • Format: JKS (Java KeyStore)
  • Includes: CA certificate (or server certificate if no CA)

Troubleshooting

Check Operator Logs

kubectl logs -n system -l control-plane=controller-manager -f

Verify Source Secret

kubectl get secret pcf-vault-tls -n default -o yaml

This prints the base64-encoded private key along with the certificates. If you only need to confirm that tls.crt, tls.key and ca.crt are present, kubectl describe secret pcf-vault-tls -n default shows the key names and sizes without their contents.

Check RBAC Permissions

kubectl get clusterrole keystore-operator-manager-role
kubectl get clusterrolebinding keystore-operator-manager-rolebinding

Common Issues

  1. Secret not found: Verify pcf-vault-tls exists in the source namespace
  2. Permission denied: Check ClusterRole and ClusterRoleBinding
  3. Invalid certificates: Verify cert-manager has issued valid certificates
  4. Keystore creation fails: Check that OpenSSL and keytool are available in the container

Uninstall

make undeploy

Project Structure

project_operator/
├── api/                    # API definitions
│   └── v1alpha1/          # v1alpha1 API version
├── config/                 # Kubernetes manifests
│   ├── crd/               # Custom Resource Definitions
│   ├── manager/           # Manager deployment
│   ├── rbac/              # RBAC configurations
│   └── default/           # Kustomize default config
├── internal/               # Internal packages
│   └── controller/        # Controller implementation
├── hack/                   # Helper scripts
├── main.go                # Entry point
├── Dockerfile             # Container image
├── Makefile              # Build automation
└── go.mod                # Go dependencies

License

Copyright 2024. Licensed under the Apache License, Version 2.0.
