add API CA certs only feature

Signed-off-by: Oleksandr Krutko <[email protected]>

Author: arsenalzp

deploy/charts/trust-manager/templates/crd-trust.cert-manager.io_bundles.yaml

@@ -391,6 +391,9 @@ spec:
                         - key
                       type: object
                   type: object
+                useCACertsOnly:
+                  description: Use only CAs certificates in a resulting Bundle
+                  type: boolean
               required:
                 - sources
               type: object

deploy/crds/trust-manager.io_clusterbundles.yaml

@@ -419,6 +419,9 @@ spec:
                 - message: 'any of the following fields must be provided: [configMap,
                     secret]'
                   rule: '[has(self.configMap), has(self.secret)].exists(x,x)'
+              useCACertsOnly:
+                description: Use only CAs certificates in a resulting Bundle
+                type: boolean
             type: object
           status:
             description: Status of the Bundle. This is set and managed automatically.

deploy/crds/trust.cert-manager.io_bundles.yaml

@@ -409,6 +409,9 @@ spec:
                     - key
                     type: object
                 type: object
+              useCACertsOnly:
+                description: Use only CAs certificates in a resulting Bundle
+                type: boolean
             required:
             - sources
             type: object

pkg/apis/trust/v1alpha1/types_bundle.go

@@ -68,6 +68,10 @@ type BundleSpec struct {
 	// Target is the target location in all namespaces to sync source data to.
 	// +optional
 	Target BundleTarget `json:"target,omitzero"`
+
+	// Use only CAs certificates in a resulting Bundle
+	// +optional
+	UseCACertsOnly bool `json:"useCACertsOnly"`
 }
 
 // BundleSource is the set of sources whose data will be appended and synced to

pkg/apis/trust/v1alpha1/zz_generated.conversion.go

@@ -84,6 +84,10 @@ type BundleSpec struct {
 	// Target is the target location in all namespaces to sync source data to.
 	// +optional
 	Target BundleTarget `json:"target,omitzero"`
+
+	// Use only CAs certificates in a resulting Bundle
+	// +optional
+	UseCACertsOnly bool `json:"useCACertsOnly"`
 }
 
 // BundleSource is the set of sources whose data will be appended and synced to

pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go

@@ -105,7 +105,7 @@ func (b *bundle) reconcileBundle(ctx context.Context, req ctrl.Request) (statusP
 	statusPatch = &trustapi.BundleStatus{
 		DefaultCAPackageVersion: bundle.Status.DefaultCAPackageVersion,
 	}
-	resolvedBundle, err := b.bundleBuilder.BuildBundle(ctx, bundle.Spec.Sources)
+	resolvedBundle, err := b.bundleBuilder.BuildBundle(ctx, bundle.Spec)
 
 	if err != nil {
 		var reason, message string

pkg/applyconfigurations/trust/v1alpha1/bundlespec.go

@@ -55,14 +55,19 @@ type BundleBuilder struct {
 	DefaultPackage *fspkg.Package
 
 	controller.Options
+
+	// Use only CAs certificates
+	UseCACertsOnly bool
 }
 
 // BuildBundle retrieves and concatenates all source bundle data for this Bundle object.
 // Each source data is validated and pruned to ensure that all certificates within are valid.
-func (b *BundleBuilder) BuildBundle(ctx context.Context, sources []trustapi.BundleSource) (BundleData, error) {
+func (b *BundleBuilder) BuildBundle(ctx context.Context, bundle trustapi.BundleSpec) (BundleData, error) {
 	var resolvedBundle BundleData
+	var sources = bundle.Sources
 	resolvedBundle.CertPool = util.NewCertPool(
 		util.WithFilteredExpiredCerts(b.FilterExpiredCerts),
+		util.WithCACertsOnly(bundle.UseCACertsOnly),
 		util.WithLogger(logf.FromContext(ctx).WithName("cert-pool")),
 	)