Conversation

@dervoeti (Member) commented Aug 21, 2025

Description

Fixes #625

This PR introduces the ability to filter out expired or soon-to-expire CA certificates from TrustStores and secret volumes by specifying a threshold (a duration, like 1d). If a CA expires within this duration or is already expired, it won't be published by secret-operator.
Currently, all CA certificates are published, even expired ones.

Features:

  • New caExpiryThreshold field: Added to TrustStore CRD spec to configure minimum remaining CA lifetime
  • Volume annotation support: Added secrets.stackable.tech/backend.autotls.ca.expiry-threshold annotation for controlling CA expiry filtering in volumes

If a threshold is not specified, all CAs (including expired ones) are published as before, so this change should be backward compatible.

I also added a new integration test tls-ca-expiry-threshold for this feature.

CRD change decision: #632

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker
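The threshold rule described in the PR, as an added example that is not code from this PR or from secret-operator: it parses a threshold string such as `1d`, then keeps only CAs whose remaining lifetime at a given "now" is strictly greater than the threshold, so an already-expired CA (zero remaining lifetime) is dropped by any threshold and `None` publishes everything, matching the backward-compatible default. `CaCert`, `parse_threshold`, `filter_publishable` and `sample_cas` are names made up for this example; the certificates are constructed stand-ins carrying only a subject and a `notAfter` value as Unix seconds, and the accepted units (`s`, `m`, `h`, `d`) and the decision that a CA expiring exactly at the threshold counts as "within" it are assumptions made here, not statements about the operator's parser.

```rust
use std::time::Duration;

/// Constructed stand-in for a parsed X.509 CA certificate: only the
/// fields the filter needs (subject for display, notAfter as Unix seconds).
#[derive(Debug, Clone, PartialEq)]
pub struct CaCert {
    pub subject: String,
    pub not_after_unix: u64,
}

/// Parse a threshold like "1d", "12h", "30m" or "45s" into a Duration.
/// The unit set is an assumption for this example; anything else -> None.
pub fn parse_threshold(s: &str) -> Option<Duration> {
    let s = s.trim();
    if s.len() < 2 || !s.is_char_boundary(s.len() - 1) {
        return None;
    }
    let (num, unit) = s.split_at(s.len() - 1);
    let n: u64 = num.parse().ok()?;
    let secs = match unit {
        "s" => n,
        "m" => n.checked_mul(60)?,
        "h" => n.checked_mul(3_600)?,
        "d" => n.checked_mul(86_400)?,
        _ => return None,
    };
    Some(Duration::from_secs(secs))
}

/// Return the CAs that may be published at `now_unix`.
/// - `None`: no filtering, every CA is published (the pre-PR behaviour).
/// - `Some(t)`: keep a CA only if its remaining lifetime is > t. An expired
///   CA has a remaining lifetime of 0 (saturating_sub), so it is always
///   dropped once any threshold is set, even "0s".
pub fn filter_publishable(cas: &[CaCert], now_unix: u64, threshold: Option<Duration>) -> Vec<CaCert> {
    let threshold_secs = match threshold {
        None => return cas.to_vec(),
        Some(t) => t.as_secs(),
    };
    cas.iter()
        .filter(|ca| ca.not_after_unix.saturating_sub(now_unix) > threshold_secs)
        .cloned()
        .collect()
}

/// Constructed sample bundle: one expired CA and three with 1h, 1d and 30d left.
pub fn sample_cas(now_unix: u64) -> Vec<CaCert> {
    vec![
        CaCert { subject: "ca-expired".into(), not_after_unix: now_unix - 3_600 },
        CaCert { subject: "ca-1h".into(), not_after_unix: now_unix + 3_600 },
        CaCert { subject: "ca-1d".into(), not_after_unix: now_unix + 86_400 },
        CaCert { subject: "ca-30d".into(), not_after_unix: now_unix + 30 * 86_400 },
    ]
}

fn main() {
    // Constructed "now": 2025-01-01T00:00:00Z as Unix seconds.
    let now = 1_735_689_600u64;
    let cas = sample_cas(now);
    for threshold in [None, Some("0s"), Some("1d"), Some("7d")] {
        let parsed = threshold.map(|t| parse_threshold(t).expect("valid threshold"));
        let kept = filter_publishable(&cas, now, parsed);
        let names: Vec<&str> = kept.iter().map(|c| c.subject.as_str()).collect();
        println!("threshold {:>4}: publish {:?}", threshold.unwrap_or("none"), names);
    }
}
```

With a `1d` threshold the CA that expires in exactly one day is dropped along with the expired and 1h ones, and only `ca-30d` is published; with no threshold all four are published, which is the behaviour the PR keeps as default.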

@dervoeti force-pushed the feat/dont-publish-expired-ca-certs branch from fc1f938 to 13aa66d on August 21, 2025 14:47
@dervoeti self-assigned this Aug 21, 2025
@dervoeti moved this to Development: Waiting for Review in Stackable Engineering Aug 21, 2025
@dervoeti changed the title from "feat: don't publish expired CA certs" to "feat: allow filtering of expired CA certs" Aug 21, 2025
@dervoeti force-pushed the feat/dont-publish-expired-ca-certs branch from 9a04bf9 to 0b4ed8a on August 22, 2025 08:11
@siegfriedweber marked this pull request as draft September 22, 2025 10:41
Successfully merging this pull request may close these issues.

Do not publish expired CA certificates