From 26f36c4f7e5ab2629bfa4934f7a214f1ed5e6e65 Mon Sep 17 00:00:00 2001 From: Adriano Machado <> Date: Thu, 14 Jul 2022 11:30:42 -0400 Subject: [PATCH 1/2] Typo --- .../secrettokeystore/secret_to_keystore_controller.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/controllers/secrettokeystore/secret_to_keystore_controller.go b/controllers/secrettokeystore/secret_to_keystore_controller.go index 21affe3..ff13945 100644 --- a/controllers/secrettokeystore/secret_to_keystore_controller.go +++ b/controllers/secrettokeystore/secret_to_keystore_controller.go @@ -27,7 +27,8 @@ import ( const javaKeyStoresAnnotation = util.AnnotationBase + "/generate-java-keystores" const keystorepasswordAnnotation = util.AnnotationBase + "/java-keystore-password" -const storesCreationTiemstamp = util.AnnotationBase + "/java-keystores-creation-timestamp" +const storesCreationTimestamp = util.AnnotationBase + "/java-keystores-creation-timestamp" +const javeKeyStroreAliasName = util.AnnotationBase + "/java-keystore-alias" const defaultpassword = "changeme" const keystoreName = "keystore.jks" const truststoreName = "truststore.jks" @@ -324,7 +325,7 @@ func getPassword(secret *corev1.Secret) string { func (r *SecretToKeyStoreReconciler) getCreationTimestamp(secret *corev1.Secret) (time.Time, error) { - if timeStr, ok := secret.GetAnnotations()[storesCreationTiemstamp]; ok { + if timeStr, ok := secret.GetAnnotations()[storesCreationTimestamp]; ok { creationTime, err := time.Parse(time.RFC3339, timeStr) if err != nil { r.Log.Error(err, "unable to parse creation time") @@ -333,7 +334,7 @@ func (r *SecretToKeyStoreReconciler) getCreationTimestamp(secret *corev1.Secret) return creationTime, nil } else { now := time.Now() - secret.GetAnnotations()[storesCreationTiemstamp] = now.Format(time.RFC3339) + secret.GetAnnotations()[storesCreationTimestamp] = now.Format(time.RFC3339) return now, nil } } From d0d3117c79605ae987068539f156f3470d4de6ac Mon Sep 17 00:00:00 2001 
From: Adriano Machado <> Date: Thu, 14 Jul 2022 11:53:47 -0400 Subject: [PATCH 2/2] Adding annotation to change keystore/truststore alias --- README.md | 11 +++++++++-- .../configmap_to_keystore_controller.go | 11 ++++++++++- .../secret_to_keystore_controller.go | 14 +++++++++++--- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index fec9f5f..a738caf 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,13 @@ A such annotated secret looks like the following: ![keystore](media/keystore.png) -The default password for these keystores is `changeme`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`. +The default password for these keystores is `changeme`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`, but can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-alias: `. + +| Annotation | Default | Description | +|:-|:-:|---| +| `cert-utils-operator.redhat-cop.io/java-keystore-password` | changeit | The password to use when consuming the JKS trust store | +| `cert-utils-operator.redhat-cop.io/generate-java-keystores` | false | Should the JKS keystore and truststore files be generated and attached to the secret | +| `cert-utils-operator.redhat-cop.io/java-keystore-alias` | alias | The alias to use when consuming the JKS trust store | ### ConfigMaps 
@@ -72,12 +78,13 @@ When this annotation is the following entry is added to the configmap as binaryD Note that Java Keystore require the key to be in [PKCS#8](https://en.wikipedia.org/wiki/PKCS_8) format. It is a responsibility of the certificate provisioner to make sure the key is in this format. No validation is currently performed by the cert-utils operator. -The default password for these keystores is `changeit`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`. +The default password for these keystores is `changeit`. The password can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-password: `. The alias of the certificate inside the keystore is `alias`, but can be changed by adding the following optional annotation: `cert-utils-operator.redhat-cop.io/java-keystore-alias: `. | Annotation | Default | Description | |:-|:-:|---| | `cert-utils-operator.redhat-cop.io/java-keystore-password` | changeit | The password to use when consuming the JKS trust store | | `cert-utils-operator.redhat-cop.io/generate-java-truststore` | false | Should the JKS file be generated and attached to the configmap | +| `cert-utils-operator.redhat-cop.io/java-keystore-alias` | alias | The alias to use when consuming the JKS trust store | | `cert-utils-operator.redhat-cop.io/source-ca-key` | ca-bundle.crt | The key in the configmap which will be read to generate the truststore.jks | ## Showing info on the certificates diff --git a/controllers/configmaptokeystore/configmap_to_keystore_controller.go b/controllers/configmaptokeystore/configmap_to_keystore_controller.go index 97c2233..bc8a4a8 100644 --- a/controllers/configmaptokeystore/configmap_to_keystore_controller.go +++ b/controllers/configmaptokeystore/configmap_to_keystore_controller.go 
@@ -26,8 +26,10 @@ import ( const javaTrustStoreAnnotation = util.AnnotationBase + "/generate-java-truststore" const javaTrustStoreSourceAnnotation = util.AnnotationBase + "/source-ca-key" const keystorepasswordAnnotation = util.AnnotationBase + "/java-keystore-password" +const javeKeyStoreAliasName = util.AnnotationBase + "/java-keystore-alias" const defaultpassword = "changeme" const truststoreName = "truststore.jks" +const defaultAlias = "alias" // ConfigMapToKeystoreReconciler reconciles a Namespace object type ConfigMapToKeystoreReconciler struct { @@ -134,7 +136,7 @@ func (r *ConfigMapToKeystoreReconciler) getTrustStoreFromConfigMap(configMap *co } i := 0 for p, rest := pem.Decode([]byte(ca)); p != nil; p, rest = pem.Decode(rest) { - keyStore["alias"+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{ + keyStore[getAlias(configMap)+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{ Entry: keystore.Entry{ CreationDate: time.Now(), }, @@ -161,6 +163,13 @@ func getPassword(configMap *corev1.ConfigMap) string { return defaultpassword } +func getAlias(configMap *corev1.ConfigMap) string { + if alias, ok := configMap.GetAnnotations()[javeKeyStoreAliasName]; ok && alias != "" { + return alias + } + return defaultAlias +} + func getSourceKey(annotations map[string]string) string { sourceKey, err := annotations[javaTrustStoreSourceAnnotation] diff --git a/controllers/secrettokeystore/secret_to_keystore_controller.go b/controllers/secrettokeystore/secret_to_keystore_controller.go index ff13945..6334ad5 100644 --- a/controllers/secrettokeystore/secret_to_keystore_controller.go +++ b/controllers/secrettokeystore/secret_to_keystore_controller.go 
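Review bot: In getTrustStoreFromConfigMap the new map key calls `getAlias(configMap)` on every iteration of the `pem.Decode` loop, re-reading the annotation map once per certificate; hoist it above the loop, `alias := getAlias(configMap)`, and key with `alias+strconv.Itoa(i)` (the same applies to the `SetTrustedCertificateEntry` loop in secret_to_keystore_controller.go). The annotation value is also used as the entry name verbatim: Java's JKS implementation lowercases aliases on lookup, so a mixed-case value such as `MyCA` (illustrative) would produce entries a Java consumer cannot retrieve under that name unless the keystore library normalizes case, which is not visible here; either apply `strings.ToLower` inside `getAlias` or state the case rule in the README. A short doc comment on the new helper would help too, e.g. `// getAlias returns the java-keystore-alias annotation value, or defaultAlias when it is absent or empty.` The loop body and the start of getTrustStoreFromConfigMap lie outside the hunk.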
@@ -28,8 +28,9 @@ import ( const javaKeyStoresAnnotation = util.AnnotationBase + "/generate-java-keystores" const keystorepasswordAnnotation = util.AnnotationBase + "/java-keystore-password" const storesCreationTimestamp = util.AnnotationBase + "/java-keystores-creation-timestamp" -const javeKeyStroreAliasName = util.AnnotationBase + "/java-keystore-alias" +const javeKeyStoreAliasName = util.AnnotationBase + "/java-keystore-alias" const defaultpassword = "changeme" +const defaultAlias = "alias" const keystoreName = "keystore.jks" const truststoreName = "truststore.jks" @@ -259,7 +260,7 @@ func (r *SecretToKeyStoreReconciler) getKeyStoreFromSecret(secret *corev1.Secret } r.Log.Info("retrieved", "creation time", creationTime) - err = keyStore.SetPrivateKeyEntry("alias", keystore.PrivateKeyEntry{ + err = keyStore.SetPrivateKeyEntry(getAlias(secret), keystore.PrivateKeyEntry{ CreationTime: creationTime, PrivateKey: p.Bytes, CertificateChain: certs, @@ -293,7 +294,7 @@ func (r *SecretToKeyStoreReconciler) getTrustStoreFromSecret(secret *corev1.Secr r.Log.Info("retrieved", "creation time", creationTime) i := 0 for p, rest := pem.Decode(ca); p != nil; p, rest = pem.Decode(rest) { - err := keyStore.SetTrustedCertificateEntry("alias"+strconv.Itoa(i), keystore.TrustedCertificateEntry{ + err := keyStore.SetTrustedCertificateEntry(getAlias(secret)+strconv.Itoa(i), keystore.TrustedCertificateEntry{ CreationTime: creationTime, Certificate: keystore.Certificate{ Type: "X.509", @@ -323,6 +324,13 @@ func getPassword(secret *corev1.Secret) string { return defaultpassword } +func getAlias(secret *corev1.Secret) string { + if alias, ok := secret.GetAnnotations()[javeKeyStoreAliasName]; ok && alias != "" { + return alias + } + return defaultAlias +} + func (r *SecretToKeyStoreReconciler) getCreationTimestamp(secret *corev1.Secret) (time.Time, error) { if timeStr, ok := secret.GetAnnotations()[storesCreationTimestamp]; ok {
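Review bot: The renamed constant `javeKeyStoreAliasName` still misspells "java" (only the "Strore" part of `javeKeyStroreAliasName` was fixed) and drops the `Annotation` suffix its neighbours `javaKeyStoresAnnotation` and `keystorepasswordAnnotation` use; `const javaKeyStoreAliasAnnotation = util.AnnotationBase + "/java-keystore-alias"` would match, with the same rename in configmap_to_keystore_controller.go. `getAlias` and `defaultAlias` are now duplicated with identical bodies across the two controllers; taking `annotations map[string]string` as `getSourceKey` already does would let a single copy serve both `*corev1.Secret` and `*corev1.ConfigMap`. In getKeyStoreFromSecret the private-key entry and in getTrustStoreFromSecret the numbered trusted-certificate entries now derive from the same annotation, which is worth stating in a doc comment on `getAlias`, since the README describes it only as the trust-store alias. Both reconciler methods start and end outside their hunks.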