feat: Support configuring the name of the ca.crt in the TrustStore

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Support configuring the name of the key in the ConfigMap/Secret, in which the PEM encoded CA certificate of the Truststore should be placed.
+  This is e.g. needed to be able to use the generated Secret within an OpenShift Ingress ([#679]).
+
 ### Changed
 
 - Gracefully shutdown all concurrent tasks by forwarding the SIGTERM signal ([#674]).
@@ -38,6 +43,7 @@ All notable changes to this project will be documented in this file.
 [#670]: https://github.com/stackabletech/secret-operator/pull/670
 [#671]: https://github.com/stackabletech/secret-operator/pull/671
 [#674]: https://github.com/stackabletech/secret-operator/pull/674
+[#679]: https://github.com/stackabletech/secret-operator/pull/679
 
 ## [25.11.0] - 2025-11-07
 

docs/modules/secret-operator/examples/truststore-tls.yaml

@@ -7,3 +7,4 @@ spec:
   secretClassName: tls # <2>
   format: tls-pem # <3>
   targetKind: ConfigMap # <4>
+  tlsPemCaName: ca.crt # <5>

docs/modules/secret-operator/pages/truststore.adoc

@@ -16,6 +16,9 @@ include::example$truststore-tls.yaml[]
 <3> Optional requested xref:secretclass.adoc#format[format]
 <4> Optional Kubernetes resource kind, which should be used to output the requested information to.
     Either `ConfigMap` or `Secret`, defaults to `ConfigMap`.
+<6> Optional name of the key in the ConfigMap/Secret, in which the PEM encoded CA certificate should be placed.
+    Only takes effect in case the `format` is `tls-pem`.
+    Defaults to `ca.crt`.
 
 This will create a ConfigMap (or `Secret` based on `targetKind`) named `truststore-pem` containing a `ca.crt` with the trust root certificates.
 It can then either be mounted into a Pod or retrieved and used from outside of Kubernetes.
@@ -24,3 +27,47 @@ Expired or retired (see xref:secretclass.adoc#ca-rotation[Certificate Authority
 
 NOTE: Make sure to have a procedure for updating the retrieved certificates.
       The Secret Operator will automatically rotate the xref:secretclass.adoc#backend-autotls[autoTls] certificate authority as needed, but all trust roots will require some form of update occasionally.
+
+== Integration with OpenShift Ingress
+
+Sometimes you want to create an OpenShift Ingress to expose a stacklet that is secured using `https`.
+For TLS re-encryption to work you need to specify a Secret that contains a `tls.crt` key with the PEM ca certificate.
+
+A concrete example is shown below:
+
+[source,yaml]
+----
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: TrustStore
+metadata:
+  name: cluster-internal-ca
+  namespace: my-trino-namespace
+spec:
+  secretClassName: tls # Or any other SecretClass you are using
+  format: tls-pem # As expected by OpenShift
+  targetKind: Secret # As expected by OpenShift
+  tlsPemCaName: tls.crt # As expected by OpenShift
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: trino
+  namespace: my-trino-namespace
+  annotations:
+    route.openshift.io/termination: "reencrypt"
+    route.openshift.io/destination-ca-certificate-secret: cluster-internal-ca
+spec:
+  rules:
+    - host: trino.example.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: trino-coordinator
+                port:
+                  name: https
+            path: /
+            pathType: Prefix
+  tls:
+    - {}
+----

extra/crds.yaml

@@ -920,6 +920,14 @@ spec:
                 - Secret
                 - ConfigMap
                 type: string
+              tlsPemCaName:
+                default: ca.crt
+                description: |-
+                  Name of the key in the ConfigMap/Secret, in which the PEM encoded CA certificate should be placed.
+
+                  Only takes effect in case the `format` is `tls-pem`.
+                  Defaults to `ca.crt`.
+                type: string
             required:
             - secretClassName
             type: object

rust/operator-binary/src/crd/trust_store/mod.rs

@@ -5,7 +5,7 @@ use stackable_operator::{
     versioned::versioned,
 };
 
-use crate::format::SecretFormat;
+use crate::format::{SecretFormat, well_known::FILE_PEM_CERT_CA};
 
 #[versioned(
     version(name = "v1alpha1"),
@@ -41,6 +41,13 @@ pub mod versioned {
 
         /// The [format](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass#format) that the data should be converted into.
         pub format: Option<SecretFormat>,
+
+        /// Name of the key in the ConfigMap/Secret, in which the PEM encoded CA certificate should be placed.
+        ///
+        /// Only takes effect in case the `format` is `tls-pem`.
+        /// Defaults to `ca.crt`.
+        #[serde(default = "TrustStoreSpec::default_tls_pem_ca_name")]
+        pub tls_pem_ca_name: String,
     }
 
     #[derive(Clone, Debug, Default, PartialEq, JsonSchema, Serialize, Deserialize)]
@@ -52,3 +59,9 @@ pub mod versioned {
         ConfigMap,
     }
 }
+
+impl v1alpha1::TrustStoreSpec {
+    fn default_tls_pem_ca_name() -> String {
+        FILE_PEM_CERT_CA.to_owned()
+    }
+}

rust/operator-binary/src/format/well_known.rs

@@ -7,7 +7,7 @@ use super::{ConvertError, SecretFiles, convert};
 
 const FILE_PEM_CERT_CERT: &str = "tls.crt";
 const FILE_PEM_CERT_KEY: &str = "tls.key";
-const FILE_PEM_CERT_CA: &str = "ca.crt";
+pub const FILE_PEM_CERT_CA: &str = "ca.crt";
 
 const FILE_PKCS12_CERT_KEYSTORE: &str = "keystore.p12";
 const FILE_PKCS12_CERT_TRUSTSTORE: &str = "truststore.p12";

rust/operator-binary/src/truststore_controller.rs

@@ -285,11 +285,15 @@ async fn reconcile(
         .get_trust_data(&selector)
         .await
         .context(BackendGetTrustDataSnafu)?;
+    let naming_options = NamingOptions {
+        tls_pem_ca_name: truststore.spec.tls_pem_ca_name.clone(),
+        ..Default::default()
+    };
     let trust_file_contents = trust_data
         .data
         .into_files(
             truststore.spec.format,
-            NamingOptions::default(),
+            naming_options,
             CompatibilityOptions::default(),
         )
         .context(FormatDataSnafu {