Add/update docs for new trust-manager features

Signed-off-by: Erik Godding Boye <egboye@gmail.com>

Author: erikgb

.spelling

@@ -447,6 +447,7 @@ thiscantbeserious
 tolerations
 tomasfreund
 treydock
+truststore
 ulrichgi
 uncomment
 unencrypted
@@ -458,6 +459,7 @@ upstream
 userinfo
 vhosakot
 v0.5.0
+v0.7.0
 v0.16
 v0.23.1
 v1

content/docs/trust/trust-manager/README.md

@@ -21,7 +21,7 @@ and enables cluster administrators to easily automate providing a secure bundle
 to worry about rebuilding containers to update trust stores.
 
 It's designed to complement cert-manager and works well when consuming CA certificates from a
-cert-manager `Issuer` or `ClusterIssuer` but can be used entirely independently from cert-manager
+cert-manager `Issuer` or `ClusterIssuer` but can be used entirely independently of cert-manager
 if needed.
 
 ## Usage
@@ -70,12 +70,15 @@ spec:
     # Sync the bundle to a ConfigMap called `my-org.com` in every namespace which
     # has the label "linkerd.io/inject=enabled"
     # All ConfigMaps will include a PEM-formatted bundle, here named "root-certs.pem"
-    # and in this case we also request a binary JKS formatted bundle, here named "bundle.jks"
+    # and in this case we also request binary formatted bundles in JKS and PKCS#12 formats,
+    # here named "bundle.jks" and "bundle.p12".
     configMap:
       key: "root-certs.pem"
     additionalFormats:
       jks:
         key: "bundle.jks"
+      pkcs12:
+        key: "bundle.p12"
     namespaceSelector:
       matchLabels:
         linkerd.io/inject: "enabled"
@@ -88,18 +91,27 @@ spec:
 - `inLine` - a manually specified string containing at least one certificate
 - `useDefaultCAs` - usually, a bundle of publicly trusted certificates
 
-These sources, along with the single currently supported target type (`configMap`)
-are documented in the trust-manager [API reference documentation](./api-reference.md).
+`ConfigMap` is the default target resource type, but trust-manager also supports `Secret` as targets
+(since trust-manager v0.7.0), but that feature has to be explicitly enabled on the controller.
+
+All sources and target options are documented in the trust-manager [API reference documentation](./api-reference.md).
 
 #### Targets
 
-All `Bundle` targets are written to `ConfigMap`s whose name matches that of the `Bundle`, and every
-target has a PEM-formatted bundle included.
+All `Bundle` targets are written to `ConfigMap`s (and/or `Secret`s) whose name matches that of the
+`Bundle`, and every target has a PEM-formatted bundle included.
+
+Users can also optionally choose to write JKS/PKCS#12 formatted binary truststore(s) to the target.
+JKS is supported since trust-manager v0.5.0, PKCS#12 since trust-manager v0.7.0.
 
-Users can also optionally - as of trust-manager v0.5.0 - choose to write a JKS formatted binary
-bundle to the target. We understand that most Java applications tend to require a password on JKS
-files (even though trust bundles don't contain secrets), so all trust-manager JKS bundles use the
-default password `changeit`.
+We understand that any binary truststore require a password, even though trust bundles don't contain
+secrets. Both JKS and PKCS#12 uses weak encryption primitives, so a truststore (or keystore) will NOT
+be protected by a password alone, and needs to be protected by additional measures.
+Please understand that trust-manager provides these binary truststore formats to support legacy
+applications which do not support other formats.
+At present passwords to truststores provided by trust-manager are hard-coded to `changeit` for JKS and
+`"""` (empty string; so called password-less) for PKCS#12 but this might be configurable on bundles
+in a future release of trust-manager.
 
 #### Namespace Selector
 
@@ -132,7 +144,16 @@ helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager --set install
 helm upgrade -i -n cert-manager trust-manager jetstack/trust-manager --wait
 ```
 
-### approver-policy Integration
+#### Enable Secret targets
+
+`Secret` targets are supported as of trust-manager v0.7.0, but needs to be explicitly enabled on the controller.
+The feature can be enabled with a Helm value `--set secretTargets.enabled=true`, but since the controller needs
+RBAC to secrets, you also need to set `secretTargets.authorizedSecretsAll` or `secretTargets.authorizedSecrets`.
+Please consult the
+[trust-manager Helm chart docs](https://github.com/cert-manager/trust-manager/blob/main/deploy/charts/trust-manager/README.md#values)
+for details and trade-offs.
+
+#### approver-policy Integration
 
 If you're running [approver-policy](../../policy/approval/approver-policy/README.md) then cert-manager's default approver will be disabled which will mean that
 trust-manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.