feat: Support putting TrustStore information in Secret (#597)

* Refactor tests

* feat: Support putting TrustStore information in Secret

* changelog

* outputResources -> targetKind

* update docs

* Add PascalCase attribute

* docs: Add to concepts page

* docs: Add crds link for TrustStore

* Update docs/modules/secret-operator/pages/truststore.adoc

Co-authored-by: Nick <[email protected]>

---------

Co-authored-by: Nick <[email protected]>

Author: sbernauer

CHANGELOG.md

@@ -4,10 +4,15 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Support exporting the TrustStore CA certificate information to Secrets or ConfigMaps ([#597]).
+
 ### Changed
 
 - Version CRD structs and enums as v1alpha1 ([#636]).
 
+[#597]: https://github.com/stackabletech/secret-operator/pull/597
 [#636]: https://github.com/stackabletech/secret-operator/pull/636
 
 ## [25.7.0] - 2025-07-23

deploy/helm/secret-operator/crds/crds.yaml

@@ -395,6 +395,18 @@ spec:
                 secretClassName:
                   description: The name of the SecretClass that the request concerns.
                   type: string
+                targetKind:
+                  default: ConfigMap
+                  description: |-
+                    Which Kubernetes kind should be used to output the requested information to.
+
+                    The trust information (such as a `ca.crt`) can be considered public information, so we put it in a `ConfigMap` by default. However, some tools might require it to be placed in a `Secret`, so we also support that.
+
+                    Can be either `ConfigMap` or `Secret`, defaults to `ConfigMap`.
+                  enum:
+                    - Secret
+                    - ConfigMap
+                  type: string
               required:
                 - secretClassName
               type: object

docs/modules/secret-operator/examples/truststore-tls.yaml

@@ -6,3 +6,4 @@ metadata:
 spec:
   secretClassName: tls # <2>
   format: tls-pem # <3>
+  targetKind: ConfigMap # <4>

docs/modules/secret-operator/pages/truststore.adoc

@@ -12,10 +12,12 @@ A TrustStore looks like this:
 include::example$truststore-tls.yaml[]
 ----
 <1> Also used to name the created ConfigMap
-<2> The name of the xref:secretclass.adoc[]
-<3> The requested xref:secretclass.adoc#format[format]
+<2> Mandatory name of the xref:secretclass.adoc[]
+<3> Optional requested xref:secretclass.adoc#format[format]
+<4> Optional Kubernetes resource kind, which should be used to output the requested information to.
+    Either `ConfigMap` or `Secret`, defaults to `ConfigMap`.
 
-This will create a ConfigMap named `truststore-pem` containing a `ca.crt` with the trust root certificates.
+This will create a ConfigMap (or `Secret` based on `targetKind`) named `truststore-pem` containing a `ca.crt` with the trust root certificates.
 It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
 
 NOTE: Make sure to have a procedure for updating the retrieved certificates.

docs/modules/secret-operator/partials/nav.adoc

@@ -13,5 +13,6 @@
 * xref:secret-operator:reference/index.adoc[]
 ** xref:secret-operator:reference/crds.adoc[]
 *** {crd-docs}/secrets.stackable.tech/secretclass/v1alpha1/[SecretClass {external-link-icon}^]
+*** {crd-docs}/secrets.stackable.tech/truststore/v1alpha1/[TrustStore {external-link-icon}^]
 ** xref:secret-operator:reference/commandline-parameters.adoc[]
 * xref:secret-operator:troubleshooting.adoc[]

rust/operator-binary/src/crd/mod.rs

@@ -314,9 +314,28 @@ pub mod versioned {
         /// The name of the SecretClass that the request concerns.
         pub secret_class_name: String,
 
+        /// Which Kubernetes kind should be used to output the requested information to.
+        ///
+        /// The trust information (such as a `ca.crt`) can be considered public information, so we put
+        /// it in a `ConfigMap` by default. However, some tools might require it to be placed in a
+        /// `Secret`, so we also support that.
+        ///
+        /// Can be either `ConfigMap` or `Secret`, defaults to `ConfigMap`.
+        #[serde(default)]
+        pub target_kind: TrustStoreOutputType,
+
         /// The [format](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass#format) that the data should be converted into.
         pub format: Option<SecretFormat>,
     }
+
+    #[derive(Clone, Debug, Default, PartialEq, JsonSchema, Serialize, Deserialize)]
+    #[serde(rename_all = "PascalCase")]
+    pub enum TrustStoreOutputType {
+        Secret,
+
+        #[default]
+        ConfigMap,
+    }
 }
 
 #[cfg(test)]

rust/operator-binary/src/truststore_controller.rs

@@ -85,6 +85,11 @@ pub async fn start(client: &stackable_operator::client::Client, watch_namespace:
             watch_namespace.get_api::<PartialObjectMeta<ConfigMap>>(client),
             watcher::Config::default(),
         )
+        // TODO: merge this into the other Secret watch
+        .owns(
+            watch_namespace.get_api::<PartialObjectMeta<Secret>>(client),
+            watcher::Config::default(),
+        )
         .watches(
             watch_namespace.get_api::<PartialObjectMeta<ConfigMap>>(client),
             watcher::Config::default(),
@@ -212,7 +217,14 @@ pub enum Error {
         source: stackable_operator::client::Error,
         config_map: ObjectRef<ConfigMap>,
     },
+
+    #[snafu(display("failed to apply target {secret} for the TrustStore"))]
+    ApplyTrustStoreSecret {
+        source: stackable_operator::client::Error,
+        secret: ObjectRef<Secret>,
+    },
 }
+
 type Result<T, E = Error> = std::result::Result<T, E>;
 impl ReconcilerError for Error {
     fn category(&self) -> &'static str {
@@ -229,6 +241,7 @@ impl ReconcilerError for Error {
             Error::FormatData { secret_class, .. } => Some(secret_class.clone().erase()),
             Error::BuildOwnerReference { .. } => None,
             Error::ApplyTrustStoreConfigMap { config_map, .. } => Some(config_map.clone().erase()),
+            Error::ApplyTrustStoreSecret { secret, .. } => Some(secret.clone().erase()),
         }
     }
 }
@@ -271,7 +284,7 @@ async fn reconcile(
         .get_trust_data(&selector)
         .await
         .context(BackendGetTrustDataSnafu)?;
-    let (Flattened(string_data), Flattened(binary_data)) = trust_data
+    let trust_file_contents = trust_data
         .data
         .into_files(
             truststore.spec.format,
@@ -280,30 +293,53 @@ async fn reconcile(
         )
         .context(FormatDataSnafu {
             secret_class: secret_class_ref,
-        })?
+        })?;
+    let (Flattened(string_data), Flattened(binary_data)) = trust_file_contents
         .into_iter()
-        // Try to put valid UTF-8 data into `data`, but fall back to `binary_data` otherwise
+        // Try to put valid UTF-8 data into `string_data`, but fall back to `binary_data` otherwise
         .map(|(k, v)| match String::from_utf8(v) {
             Ok(v) => (Some((k, v)), None),
             Err(v) => (None, Some((k, ByteString(v.into_bytes())))),
         })
         .collect();
-    let trust_cm = ConfigMap {
-        metadata: ObjectMetaBuilder::new()
-            .name_and_namespace(truststore)
-            .ownerreference_from_resource(truststore, None, Some(true))
-            .context(BuildOwnerReferenceSnafu)?
-            .build(),
-        data: Some(string_data),
-        binary_data: Some(binary_data),
-        ..Default::default()
-    };
-    ctx.client
-        .apply_patch(CONTROLLER_NAME, &trust_cm, &trust_cm)
-        .await
-        .context(ApplyTrustStoreConfigMapSnafu {
-            config_map: &trust_cm,
-        })?;
+
+    let trust_metadata = ObjectMetaBuilder::new()
+        .name_and_namespace(truststore)
+        .ownerreference_from_resource(truststore, None, Some(true))
+        .context(BuildOwnerReferenceSnafu)?
+        .build();
+
+    match truststore.spec.target_kind {
+        v1alpha1::TrustStoreOutputType::ConfigMap => {
+            let trust_cm = ConfigMap {
+                metadata: trust_metadata,
+                data: Some(string_data),
+                binary_data: Some(binary_data),
+                ..Default::default()
+            };
+            ctx.client
+                .apply_patch(CONTROLLER_NAME, &trust_cm, &trust_cm)
+                .await
+                .context(ApplyTrustStoreConfigMapSnafu {
+                    config_map: &trust_cm,
+                })?;
+        }
+        v1alpha1::TrustStoreOutputType::Secret => {
+            let trust_secret = Secret {
+                metadata: trust_metadata,
+                string_data: Some(string_data),
+                data: Some(binary_data),
+                ..Default::default()
+            };
+            ctx.client
+                .apply_patch(CONTROLLER_NAME, &trust_secret, &trust_secret)
+                .await
+                .context(ApplyTrustStoreSecretSnafu {
+                    secret: &trust_secret,
+                })?;
+        }
+    }
+
     Ok(controller::Action::await_change())
 }
 

tests/templates/kuttl/cert-manager-tls/02-create-secretclass.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: envsubst '$NAMESPACE' < 02_secretclass.yaml | kubectl apply -f -