updates-1

securesign · Aug 3, 2024 · df48e12 · df48e12
1 parent 7092e63
commit df48e12
Show file tree

Hide file tree

Showing 16 changed files with 48 additions and 94 deletions.
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -40,9 +40,9 @@ type CtlogService struct {
 	//+optional
 	Address string `json:"address,omitempty"`
 	// Port of Ctlog Log Server End point
-	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Minimum:=0
 	//+kubebuilder:validation:Maximum:=65535
-	//+kubebuilder:default:=80
+	//+kubebuilder:default:=0
 	//+optional
 	Port *int32 `json:"port,omitempty"`
 }

diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
@@ -14,7 +14,6 @@ type FulcioSpec struct {
 	ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
 	// Ctlog service configuration
 	//+optional
-	//+kubebuilder:default:={port: 80}
 	Ctlog CtlogService `json:"ctlog,omitempty"`
 	// Fulcio Configuration
 	//+required

diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-04T14:29:12Z"
+    createdAt: "2024-08-03T09:05:31Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
@@ -222,19 +222,17 @@ spec:
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
               ctlog:
-                default:
-                  port: 80
                 description: Ctlog service configuration
                 properties:
                   address:
                     description: Address to Ctlog Log Server End point
                     type: string
                   port:
-                    default: 80
+                    default: 0
                     description: Port of Ctlog Log Server End point
                     format: int32
                     maximum: 65535
-                    minimum: 1
+                    minimum: 0
                     type: integer
                 type: object
               externalAccess:

diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -399,19 +399,17 @@ spec:
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
                   ctlog:
-                    default:
-                      port: 80
                     description: Ctlog service configuration
                     properties:
                       address:
                         description: Address to Ctlog Log Server End point
                         type: string
                       port:
-                        default: 80
+                        default: 0
                         description: Port of Ctlog Log Server End point
                         format: int32
                         maximum: 65535
-                        minimum: 1
+                        minimum: 0
                         type: integer
                     type: object
                   externalAccess:

diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -222,19 +222,17 @@ spec:
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
               ctlog:
-                default:
-                  port: 80
                 description: Ctlog service configuration
                 properties:
                   address:
                     description: Address to Ctlog Log Server End point
                     type: string
                   port:
-                    default: 80
+                    default: 0
                     description: Port of Ctlog Log Server End point
                     format: int32
                     maximum: 65535
-                    minimum: 1
+                    minimum: 0
                     type: integer
                 type: object
               externalAccess:

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -399,19 +399,17 @@ spec:
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
                   ctlog:
-                    default:
-                      port: 80
                     description: Ctlog service configuration
                     properties:
                       address:
                         description: Address to Ctlog Log Server End point
                         type: string
                       port:
-                        default: 80
+                        default: 0
                         description: Port of Ctlog Log Server End point
                         format: int32
                         maximum: 65535
-                        minimum: 1
+                        minimum: 0
                         type: integer
                     type: object
                   externalAccess:

diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go
@@ -8,16 +8,15 @@ var (
 	// TODO: remove and check the DB pod status
 	TrillianNetcatImage = "registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7"
 
-	FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179"
-
+	FulcioServerImage  = "quay.io/securesign/fulcio-server@sha256:67495de82e2fcd2ab4ad0e53442884c392da1aa3f5dd56d9488a1ed5df97f513"
 	RekorRedisImage    = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
 	RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
 	RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19"
 	BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:5c7460ab3cd13b2ecf2b979f5061cb384174d6714b7630879e53d063e4cb69d2"
 
 	TufImage = "registry.redhat.io/rhtas/tuf-server-rhel9@sha256:8c229e2c7f9d6cc0ebf4f23dd944373d497be2ed31960f0383b1bb43f16de0db"
 
-	CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:44906b1e52b0b5e324f23cae088837caf15444fd34679e6d2f3cc018d4e093fe"
+	CTLogImage = "quay.io/securesign/certificate-transparency-go@sha256:a0c7d71fc8f4cb7530169a6b54dc3a67215c4058a45f84b87bb04fc62e6e8141"
 
 	ClientServerImage    = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee"
 	ClientServerImage_cg = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:046029a9a2028efa9dcbf8eff9b41fe5ac4e9ad64caf0241f5680a5cb36bf36b"

diff --git a/internal/controller/ctlog/actions/config_map.go b/internal/controller/ctlog/actions/config_map.go
@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {

diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go
@@ -40,7 +40,9 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
-	dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels)
+	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+	useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil)
+	dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, useHTTPS)
 	if err != nil {
 		if err != nil {
 			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
@@ -54,7 +56,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 	}
 
 	// TLS certificate
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil {
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -116,7 +117,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 							{
 								Secret: &corev1.SecretProjection{
 									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Name + "-tls-secret",
+										Name: instance.Name + "-ctlog-tls-secret",
 									},
 								},
 							},
@@ -150,7 +151,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 			})
 		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt")
 		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key")
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
+		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {

diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go
@@ -41,11 +41,19 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 
 	labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name)
 
+	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+	var port int32
+	if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil {
+		port = int32(443)
+	} else {
+		port = int32(80)
+	}
+	portName := fmt.Sprintf("%d-tcp", port)
 	svc := kubernetes.CreateService(instance.Namespace, ComponentName, MetricsPortName, MetricsPort, labels)
 	svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
-		Name:       "80-tcp",
+		Name:       portName,
 		Protocol:   corev1.ProtocolTCP,
-		Port:       80,
+		Port:       port,
 		TargetPort: intstr.FromInt32(6962),
 	})
 	if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil {
@@ -62,12 +70,11 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 	}
 
 	//TLS: Annotate service
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
 		if svc.Annotations == nil {
 			svc.Annotations = make(map[string]string)
 		}
-		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret"
+		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls-secret"
 		err := i.Client.Update(ctx, svc)
 		if err != nil {
 			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance)

diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go
@@ -175,7 +175,7 @@ var _ = Describe("CTlog controller", func() {
 				return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service)
 			}).Should(Succeed())
 			Expect(service.Spec.Ports[0].Port).Should(Equal(int32(6963)))
-			Expect(service.Spec.Ports[1].Port).Should(Equal(int32(80)))
+			Expect(service.Spec.Ports[1].Port).Should(Equal(int32(443)))
 
 			By("Move to Ready phase")
 			// Workaround to succeed condition for Ready phase

diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go
@@ -12,11 +12,15 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
-func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string) (*appsv1.Deployment, error) {
+func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, useHTTPS bool) (*appsv1.Deployment, error) {
 	if instance.Status.ServerConfigRef == nil {
 		return nil, errors.New("server config name not specified")
 	}
 	replicas := int32(1)
+	scheme := corev1.URISchemeHTTP
+	if useHTTPS {
+		scheme = corev1.URISchemeHTTPS
+	}
 	// Define a new Deployment object
 	dep := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -48,8 +52,9 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 							LivenessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{
-										Path: "/healthz",
-										Port: intstr.FromInt32(6962),
+										Path:   "/healthz",
+										Port:   intstr.FromInt32(6962),
+										Scheme: scheme,
 									},
 								},
 								InitialDelaySeconds: 10,
@@ -61,8 +66,9 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{
-										Path: "/healthz",
-										Port: intstr.FromInt32(6962),
+										Path:   "/healthz",
+										Port:   intstr.FromInt32(6962),
+										Scheme: scheme,
 									},
 								},
 								InitialDelaySeconds: 10,

diff --git a/internal/controller/fulcio/actions/config_map.go b/internal/controller/fulcio/actions/config_map.go
@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result {

diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go
@@ -41,18 +41,17 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
 	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	switch {
-	case instance.Spec.Ctlog.Address == "":
+	if instance.Spec.Ctlog.Address == "" {
 		if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
 			instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace)
 		} else {
 			instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
 		}
-	case instance.Spec.Ctlog.Port == nil:
+	}
+	if instance.Spec.Ctlog.Port == nil || *instance.Spec.Ctlog.Port == 0 {
 		var port int32
 		if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
 			port = int32(443)
-
 		} else {
 			port = int32(80)
 		}
@@ -72,39 +71,13 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 	}
 
 	// TLS certificate
-	if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil {
+	if instance.Spec.TLSCertificate.CACertRef != nil {
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
 				Name: "tls-cert",
 				VolumeSource: corev1.VolumeSource{
 					Projected: &corev1.ProjectedVolumeSource{
 						Sources: []corev1.VolumeProjection{
-							{
-								Secret: &corev1.SecretProjection{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Spec.TLSCertificate.CertRef.Name,
-									},
-									Items: []corev1.KeyToPath{
-										{
-											Key:  instance.Spec.TLSCertificate.CertRef.Key,
-											Path: "tls.crt",
-										},
-									},
-								},
-							},
-							{
-								Secret: &corev1.SecretProjection{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name,
-									},
-									Items: []corev1.KeyToPath{
-										{
-											Key:  instance.Spec.TLSCertificate.PrivateKeyRef.Key,
-											Path: "tls.key",
-										},
-									},
-								},
-							},
 							{
 								ConfigMap: &corev1.ConfigMapProjection{
 									LocalObjectReference: corev1.LocalObjectReference{
@@ -130,13 +103,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 				VolumeSource: corev1.VolumeSource{
 					Projected: &corev1.ProjectedVolumeSource{
 						Sources: []corev1.VolumeProjection{
-							{
-								Secret: &corev1.SecretProjection{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Name + "-tls-secret",
-									},
-								},
-							},
 							{
 								ConfigMap: &corev1.ConfigMapProjection{
 									LocalObjectReference: corev1.LocalObjectReference{
@@ -166,9 +132,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 				ReadOnly:  true,
 			})
 
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt")
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key")
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt")
+		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", "/etc/ssl/certs/ca.crt")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {

diff --git a/internal/controller/fulcio/actions/service.go b/internal/controller/fulcio/actions/service.go
@@ -7,7 +7,6 @@ import (
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
-	k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	"github.com/securesign/operator/internal/controller/constants"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -67,19 +66,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulci
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance)
 	}
 
-	//TLS: Annotate service
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
-		if svc.Annotations == nil {
-			svc.Annotations = make(map[string]string)
-		}
-		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret"
-		err := i.Client.Update(ctx, svc)
-		if err != nil {
-			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance)
-		}
-	}
-
 	if updated {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready,
 			Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"})