From 1d832da56a6b256733ec7cb992152613dacb9113 Mon Sep 17 00:00:00 2001 From: Erik Godding Boye Date: Mon, 27 Nov 2023 10:44:15 +0100 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Ashley Davis Signed-off-by: Erik Godding Boye --- content/docs/trust/trust-manager/README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/content/docs/trust/trust-manager/README.md b/content/docs/trust/trust-manager/README.md index ba206ecf31..a15ae90cd0 100644 --- a/content/docs/trust/trust-manager/README.md +++ b/content/docs/trust/trust-manager/README.md @@ -91,8 +91,9 @@ spec: - `inLine` - a manually specified string containing at least one certificate - `useDefaultCAs` - usually, a bundle of publicly trusted certificates -`ConfigMap` is the default target resource type, but trust-manager also supports `Secret` as targets -(since trust-manager v0.7.0), but that feature has to be explicitly enabled on the controller. +`ConfigMap` is the default target type, but as of v0.7.0 trust-manager also supports `Secret` resources as targets. + +Support for `Secret` targets must be explicitly enabled in the trust-manager controller; see details below under "Enable Secret targets". All sources and target options are documented in the trust-manager [API reference documentation](./api-reference.md). 
@@ -101,17 +102,15 @@ All sources and target options are documented in the trust-manager [API referenc All `Bundle` targets are written to `ConfigMap`s (and/or `Secret`s) whose name matches that of the `Bundle`, and every target has a PEM-formatted bundle included. -Users can also optionally choose to write JKS/PKCS#12 formatted binary trust store(s) to the target. -JKS is supported since trust-manager v0.5.0, while v0.7.0 add support for PKCS#12. +Users can also optionally choose to write JKS/PKCS#12 formatted binary trust store(s) to targets. +JKS has been supported since v0.5.0, and PKCS#12 since v0.7.0. We understand that any binary trust store require a password, even though trust bundles don't contain secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a trust store (or keystore) will NOT be protected by a password alone, and needs to be protected by additional measures. Please understand that trust-manager provides these binary trust store formats to support legacy applications which do not support other formats. -At present passwords to trust stores provided by trust-manager are hard-coded to `changeit` for JKS and -`"""` (empty string; so called password-less) for PKCS#12 but this might be configurable on bundles -in a future release of trust-manager. +At present, passwords for trust stores are hard-coded to `changeit` for JKS and `""` (the empty string or "passwordless") for PKCS#12. Future releases of trust-manager may make this configurable. #### Namespace Selector
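Review bot: In the first hunk (README.md, @@ -91,8), the new sentence refers to a section as a bare quoted string, "Enable Secret targets"; make it a link to that heading (e.g. `[Enable Secret targets](#enable-secret-targets)`) so the docs build checks the reference, and since that heading is not part of this patch, confirm it actually exists in the file before merging, otherwise the pointer to the enabling instructions leads nowhere.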
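Review bot: In the second hunk (@@ -101,17), the unchanged context lines still carry two agreement errors, "any binary trust store require a password" and "Both JKS and PKCS#12 uses weak encryption primitives", which this paragraph edit could fix in the same pass ("requires", "use"). The rewritten password sentence is the security-relevant part of this section: since the patch now states the fixed `changeit` JKS password and the empty PKCS#12 password in one place, consider tying it back to the earlier sentence that the store "will NOT be protected by a password alone, and needs to be protected by additional measures", so a reader does not take the password as a protection.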