diff --git a/docs/api/api.md b/docs/api/api.md
index a3d999ed..de4bcc05 100644
--- a/docs/api/api.md
+++ b/docs/api/api.md
@@ -58,10 +58,19 @@ import "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
## Constants
-
+
```go
const (
+ // DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
+ // Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
+ // but seems often to be expected by applications consuming JKS files
+ DefaultJKSPassword = "changeit"
+ // DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
+ // Password-less PKCS is the new default Java truststore from Java 18.
+ // By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
+ DefaultPKCS12Password = ""
+
// BundleConditionSynced indicates that the Bundle has successfully synced
// all source bundle data to the Bundle target in all Namespaces.
BundleConditionSynced string = "Synced"
diff --git a/pkg/apis/trust/v1alpha1/types_bundle.go b/pkg/apis/trust/v1alpha1/types_bundle.go
index ff0c0d4e..7e26a0d9 100644
--- a/pkg/apis/trust/v1alpha1/types_bundle.go
+++ b/pkg/apis/trust/v1alpha1/types_bundle.go
@@ -239,6 +239,15 @@ type BundleCondition struct {
}
const (
+ // DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
+ // Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
+ // but seems often to be expected by applications consuming JKS files
+ DefaultJKSPassword = "changeit"
+ // DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
+ // Password-less PKCS is the new default Java truststore from Java 18.
+ // By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
+ DefaultPKCS12Password = ""
+
// BundleConditionSynced indicates that the Bundle has successfully synced
// all source bundle data to the Bundle target in all Namespaces.
BundleConditionSynced string = "Synced"
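Review bot: The doc comments on the two new exported defaults say the passwords are not a security measure, but they do not say what a consumer should rely on instead: with a publicly known JKS password and a PKCS#12 file that carries no MacData, neither format gives any tamper detection, so integrity rests on who can write the target object. Since these comments now appear in the public v1alpha1 API docs, I would add a line to both, such as `// Integrity of the generated truststore relies on access control to the target, not on this password.` The last PKCS#12 comment line would also read better as `// "Password-less" means the certificates are not encrypted and the file contains no MacData for an integrity check.` Separately, `pkg/bundle` stops exporting these names (removed in source.go), so an out-of-tree importer would break unless deprecated aliases are kept there; if that is intended, it is worth calling out in the release notes. The const block continues past the end of this hunk.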
diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go
index d184b2a6..b301faff 100644
--- a/pkg/bundle/bundle_test.go
+++ b/pkg/bundle/bundle_test.go
@@ -48,7 +48,7 @@ import (
func testEncodeJKS(t *testing.T, data string) []byte {
t.Helper()
- encoded, err := jksEncoder{password: DefaultJKSPassword}.encode(data)
+ encoded, err := jksEncoder{password: trustapi.DefaultJKSPassword}.encode(data)
if err != nil {
t.Error(err)
}
@@ -493,7 +493,7 @@ func Test_Reconcile(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: "target.jks",
},
- Password: ptr.To(DefaultJKSPassword),
+ Password: ptr.To(trustapi.DefaultJKSPassword),
},
}),
)},
@@ -566,7 +566,7 @@ func Test_Reconcile(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: "target.jks",
},
- Password: ptr.To(DefaultJKSPassword),
+ Password: ptr.To(trustapi.DefaultJKSPassword),
},
}),
),
diff --git a/pkg/bundle/source.go b/pkg/bundle/source.go
index fbb3eb0e..6e53e274 100644
--- a/pkg/bundle/source.go
+++ b/pkg/bundle/source.go
@@ -37,17 +37,6 @@ import (
"github.com/cert-manager/trust-manager/pkg/util"
)
-const (
- // DefaultJKSPassword is the default password that Java uses; it's a Java convention to use this exact password.
- // Since we're not storing anything secret in the JKS files we generate, this password is not a meaningful security measure
- // but seems often to be expected by applications consuming JKS files
- DefaultJKSPassword = "changeit"
- // DefaultPKCS12Password is the empty string, that will create a password-less PKCS12 truststore.
- // Password-less PKCS is the new default Java truststore from Java 18.
- // By password-less, it means the certificates are not encrypted, and it contains no MacData for integrity check.
- DefaultPKCS12Password = ""
-)
-
type notFoundError struct{ error }
// bundleData holds the result of a call to buildSourceBundle. It contains the resulting PEM-encoded
diff --git a/pkg/bundle/source_test.go b/pkg/bundle/source_test.go
index 053afb77..7e6755a0 100644
--- a/pkg/bundle/source_test.go
+++ b/pkg/bundle/source_test.go
@@ -230,7 +230,7 @@ func Test_buildSourceBundle(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: jksKey,
},
- Password: ptr.To(DefaultJKSPassword),
+ Password: ptr.To(trustapi.DefaultJKSPassword),
},
},
objects: []runtime.Object{&corev1.ConfigMap{
@@ -269,7 +269,7 @@ func Test_buildSourceBundle(t *testing.T) {
KeySelector: trustapi.KeySelector{
Key: pkcs12Key,
},
- Password: ptr.To(DefaultPKCS12Password),
+ Password: ptr.To(trustapi.DefaultPKCS12Password),
},
},
objects: []runtime.Object{&corev1.ConfigMap{
@@ -326,14 +326,14 @@ func Test_buildSourceBundle(t *testing.T) {
if test.expPassword != nil {
password = *test.expPassword
} else {
- password = DefaultJKSPassword
+ password = trustapi.DefaultJKSPassword
}
}
if test.expPKCS12 {
if test.expPassword != nil {
password = *test.expPassword
} else {
- password = DefaultPKCS12Password
+ password = trustapi.DefaultPKCS12Password
}
}
@@ -398,7 +398,7 @@ func Test_encodeJKSAliases(t *testing.T) {
// Using different dummy certs would allow this test to pass but wouldn't actually test anything useful!
bundle := dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate2)
- jksFile, err := jksEncoder{password: DefaultJKSPassword}.encode(bundle)
+ jksFile, err := jksEncoder{password: trustapi.DefaultJKSPassword}.encode(bundle)
if err != nil {
t.Fatalf("didn't expect an error but got: %s", err)
}
@@ -407,7 +407,7 @@ func Test_encodeJKSAliases(t *testing.T) {
ks := jks.New()
- err = ks.Load(reader, []byte(DefaultJKSPassword))
+ err = ks.Load(reader, []byte(trustapi.DefaultJKSPassword))
if err != nil {
t.Fatalf("failed to parse generated JKS file: %s", err)
}
diff --git a/test/integration/bundle/suite.go b/test/integration/bundle/suite.go
index f6acd944..8de93702 100644
--- a/test/integration/bundle/suite.go
+++ b/test/integration/bundle/suite.go
@@ -352,7 +352,7 @@ var _ = Describe("Integration", func() {
jksData, exists := configMap.BinaryData["myfile.jks"]
Expect(exists).To(BeTrue(), "should find an entry called myfile.jks")
- Expect(testenv.CheckJKSFileSynced(jksData, bundle.DefaultJKSPassword, dummy.DefaultJoinedCerts())).ToNot(HaveOccurred())
+ Expect(testenv.CheckJKSFileSynced(jksData, trustapi.DefaultJKSPassword, dummy.DefaultJoinedCerts())).ToNot(HaveOccurred())
}
})