Add keystore config for routes that host HTTP servers over TLS

operator/controller/integrationroute-controller.yaml

@@ -50,7 +50,7 @@ spec:
     spec:
       containers:
         - name: webhook
-          image: ghcr.io/octoconsulting/keip/route-webhook:0.5.0
+          image: ghcr.io/octoconsulting/keip/route-webhook:0.6.0
           ports:
             - containerPort: 7080
               name: webhook-http

operator/crd/crd.yaml

@@ -89,22 +89,46 @@ spec:
                       - claimName
                       - mountPath
                 tls:
-                  description: "Configure client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
+                  description: "Configure server and client TLS connections."
                   type: object
                   properties:
-                    configMapName:
-                      type: string
-                    key:
-                      type: string
-                    type:
-                      type: string
-                      enum:
-                        - jks
-                        - pkcs12
-                  required:
-                    - configMapName
-                    - key
-                    - type
+                    truststore:
+                      description: "Configure client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
+                      type: object
+                      properties:
+                        configMapName:
+                          type: string
+                        key:
+                          type: string
+                        type:
+                          type: string
+                          enum:
+                            - jks
+                            - pkcs12
+                      required:
+                        - configMapName
+                        - key
+                        - type
+                    keystore:
+                      description: "Configure HTTP server TLS connections using a JKS or PKCS12 keystore. The keystore password should be stored in a secret and referenced in the route Custom Resource. The format of the secret should be `password=<password>`."
+                      type: object
+                      properties:
+                        secretName:
+                          type: string
+                        key:
+                          type: string
+                        type:
+                          type: string
+                          enum:
+                            - jks
+                            - pkcs12
+                        passwordSecretRef:
+                          type: string
+                      required:
+                        - secretName
+                        - key
+                        - type
+                        - passwordSecretRef
               required:
                 - routeConfigMap
           required:

operator/example/README.md

@@ -8,9 +8,18 @@ Prerequisites:
 - Metacontroller
 - Keip CRDs and controller
 - Access to a `keip-integration` image
+- Cert-Manager
 
-Run example:
-
+Running the example:
+1. Install Cert-Manager:
+```shell
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
+```
+2. Create JKS password secret:
+```shell
+kubectl create secret generic --from-literal=password=password jks-password
+```
+3. Run example:
 ```shell
 kubectl apply -k example
 ```
@@ -24,6 +33,8 @@ This should result in the creation of the following resources:
 - ConfigMap `testroute-props`: Contains the application's configurable properties.
 - Secret `testroute-secret`: Confidential information that will be mounted as volume in the running
   pod.
+- Self-Signed Certificate `certificate.cert-manager.io/selfsigned-cert`: A certificate resource that creates the `test-keystore` secret using the `jks-password` secret
+- Cluster Issuer `clusterissuer.cert-manager.io/test-selfsigned`: A self-signed cluster issuer used to sign certificates.
 
 Check for the running `testroute` pod:
 
@@ -43,6 +54,11 @@ GenericMessage [payload=Hello. I have a secret to share: (pass123), headers={id=
 
 ```
 
+Port-forward the pod and verify `https://localhost:8443` returns the default Spring whitelabel error page.
+```shell
+kubectl port-forward testroute-74d574bf85-tbv9m 8443:8443
+```
+
 Clean up
 
 ```shell

operator/example/cert.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: test-selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-cert
+  namespace: default
+spec:
+  secretName: test-keystore
+  dnsNames:
+    - test
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: test-selfsigned
+  keystores:
+    jks:
+      create: true
+      passwordSecretRef:
+        name: jks-password
+        key: password
+  subject:
+    countries:
+      - US
+    localities:
+      - A Park
+    organizationalUnits:
+      - Parks and Recreation
+    provinces:
+      - FL

operator/example/kustomization.yaml

@@ -1,5 +1,6 @@
 resources:
   - testroute.yaml
+  - cert.yaml
 
 generatorOptions:
   disableNameSuffixHash: true

operator/example/testroute.yaml

@@ -11,3 +11,9 @@ spec:
     #     group: abc
   secretSources:
     - testroute-secret
+  tls:
+    keystore:
+      secretName: test-keystore
+      type: jks
+      key: keystore.jks
+      passwordSecretRef: jks-password

operator/webhook/Makefile

@@ -1,4 +1,4 @@
-VERSION ?= 0.5.0
+VERSION ?= 0.6.0
 HOST_PORT ?= 7080
 
 IMG_REGISTRY := ghcr.io/octoconsulting
@@ -27,7 +27,7 @@ start-dev-server:
 
 .PHONY: test
 test:
-	cd test && mkdir -p $(TEST_COVERAGE_DIR) && coverage run --data-file=$(TEST_COVERAGE_FILE) -m pytest
+	cd test && mkdir -p $(TEST_COVERAGE_DIR) && coverage run --data-file=$(TEST_COVERAGE_FILE) -m pytest -vv
 
 .PHONY: report-test-coverage
 report-test-coverage: test