From 97e06d1c528e5b46f0d1e23d3e90494f9b084f4b Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Fri, 5 Jul 2024 16:08:17 +0200 Subject: [PATCH 01/18] Add TLS to Rekor and Trillian services --- api/v1alpha1/common.go | 15 +++ api/v1alpha1/ctlog_types.go | 4 + api/v1alpha1/ctlog_types_test.go | 9 ++ api/v1alpha1/fulcio_types.go | 4 + api/v1alpha1/fulcio_types_test.go | 17 +++ api/v1alpha1/zz_generated.deepcopy.go | 40 ++++++ bundle/manifests/rhtas.redhat.com_ctlogs.yaml | 111 +++++++++++++++++ .../manifests/rhtas.redhat.com_fulcios.yaml | 111 +++++++++++++++++ .../rhtas.redhat.com_securesigns.yaml | 112 +++++++++++++++++ config/crd/bases/rhtas.redhat.com_ctlogs.yaml | 111 +++++++++++++++++ .../crd/bases/rhtas.redhat.com_fulcios.yaml | 111 +++++++++++++++++ .../bases/rhtas.redhat.com_securesigns.yaml | 112 +++++++++++++++++ .../controller/ctlog/actions/config_map.go | 79 ++++++++++++ .../controller/ctlog/actions/deployment.go | 102 +++++++++++++++ internal/controller/ctlog/actions/service.go | 14 +++ internal/controller/ctlog/ctlog_controller.go | 3 +- .../controller/ctlog/ctlog_controller_test.go | 11 ++ .../controller/fulcio/actions/config_map.go | 79 ++++++++++++ .../controller/fulcio/actions/deployment.go | 117 +++++++++++++++++- internal/controller/fulcio/actions/service.go | 14 +++ .../controller/fulcio/fulcio_controller.go | 2 + .../fulcio/fulcio_controller_test.go | 11 ++ 22 files changed, 1186 insertions(+), 3 deletions(-) create mode 100644 internal/controller/ctlog/actions/config_map.go create mode 100644 internal/controller/fulcio/actions/config_map.go diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index 301334fe4..8c2232e3c 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go @@ -107,6 +107,7 @@ type Pvc struct { AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty"` } +<<<<<<< HEAD type Auth struct { // Environmental variables used to define authentication parameters //+optional 
@@ -114,6 +115,20 @@ type Auth struct {
 // Secret ref to be mounted inside a pod, Mount path defaults to /var/run/secrets/tas/auth
 //+optional
 SecretMount []SecretKeySelector `json:"secretMount,omitempty"`
+=======
+// TLSCert defines fields for TLS certificate
+// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
+type TLSCert struct {
+ // Reference to the private key
+ //+optional
+ PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
+ // Reference to service certificate
+ //+optional
+ CertRef *SecretKeySelector `json:"certRef,omitempty"`
+ // Reference to CA certificate
+ //+optional
+ CACertRef *LocalObjectReference `json:"CACertRef,omitempty"`
+>>>>>>> 8dc3af9 (Add TLS to Rekor and Trillian services)
 }
 // TLS (Transport Layer Security) Configuration for enabling service encryption.
diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go
index 04a559038..c51b1fe0d 100644
--- a/api/v1alpha1/ctlog_types.go
+++ b/api/v1alpha1/ctlog_types.go
@@ -48,6 +48,9 @@ type CTlogSpec struct {
 // publicKeyRef, rootCertificates and trillian will be overridden.
 //+optional
 ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
+ // Reference to TLS server certificate, private key and CA certificate
+ //+optional
+ TLSCertificate TLSCert `json:"tls"`
 }
 // CTlogStatus defines the observed state of CTlog component
@@ -57,6 +60,7 @@ type CTlogStatus struct {
 PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
 PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
 RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
+ TLSCertificate *TLSCert `json:"tls,omitempty"`
 // The ID of a Trillian tree that stores the log data.
 TreeID *int64 `json:"treeID,omitempty"`
 // +listType=map
diff --git a/api/v1alpha1/ctlog_types_test.go b/api/v1alpha1/ctlog_types_test.go
index 3026af7d8..542904fe7 100644
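Review bot: The added lines `+<<<<<<< HEAD` (previous hunk, -107,6 +107,7), `+=======` and `+>>>>>>> 8dc3af9 (Add TLS to Rekor and Trillian services)` are unresolved merge-conflict markers committed into api/v1alpha1/common.go, so the package does not compile, and the context `}` that used to close `type Auth struct {` now closes TLSCert while Auth is left open. Resolve the conflict so Auth and TLSCert are two separately closed types, then regenerate the deepcopy and CRD files on this page from the resolved source. Separately, `json:"CACertRef,omitempty"` breaks the camelCase used by `certRef` and `privateKeyRef` and by every other tag on this page, and once the CRD is published the name cannot change without a new API version — make it `json:"caCertRef,omitempty"` before this ships. The CEL rule only requires privateKeyRef when certRef is set; deployment.go on this page mounts a user certificate only when CertRef and CACertRef are both present, so either extend the rule or state that requirement in the field comment.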
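Review bot: `TLSCertificate TLSCert `json:"tls"`` in CTlogSpec is marked `//+optional` but is a struct value, so encoding/json always emits `"tls":{}` (omitempty is ignored for struct values) and neither the controller nor the CRD can tell "not configured" from "configured empty"; the status field in the same file uses `*TLSCert `json:"tls,omitempty"``, which is the shape the spec should use too. The same applies to `FulcioSpec.TLSCertificate` in the fulcio_types.go hunk. The field comment should also say what the controller expects from the referenced objects — deployment.go on this page projects the CA ConfigMap with `Key: "ca.crt"` — e.g. `// The CA ConfigMap must carry the bundle under the ca.crt key`.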
--- a/api/v1alpha1/ctlog_types_test.go +++ b/api/v1alpha1/ctlog_types_test.go @@ -135,6 +135,15 @@ var _ = Describe("CTlog", func() { Trillian: TrillianService{ Address: "trillian-system.default.svc", Port: &port, + TLSCertificate: TLSCert{ + CertRef: &SecretKeySelector{ + Key: "cert", + LocalObjectReference: LocalObjectReference{Name: "secret"}, + }, + PrivateKeyRef: &SecretKeySelector{ + Key: "key", + LocalObjectReference: LocalObjectReference{Name: "secret"}, + }, }, }, } diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go index b9e05dec4..9d4521ac9 100644 --- a/api/v1alpha1/fulcio_types.go +++ b/api/v1alpha1/fulcio_types.go @@ -26,6 +26,9 @@ type FulcioSpec struct { // ConfigMap with additional bundle of trusted CA //+optional TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"` + // Reference to TLS server certificate, private key and CA certificate + //+optional + TLSCertificate TLSCert `json:"tls"` } // FulcioCert defines fields for system-generated certificate @@ -101,6 +104,7 @@ type OIDCIssuer struct { type FulcioStatus struct { ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` Certificate *FulcioCert `json:"certificate,omitempty"` + TLSCertificate *TLSCert `json:"tls,omitempty"` Url string `json:"url,omitempty"` // +listType=map // +listMapKey=type diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go index 648ce6c17..7fd94eb90 100644 --- a/api/v1alpha1/fulcio_types_test.go +++ b/api/v1alpha1/fulcio_types_test.go 
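Review bot: The added `TLSCertificate: TLSCert{…}` literal is inserted between `Port: &port,` and the `},` that closes `Trillian: TrillianService{`, so as ordered here it is a field of TrillianService rather than of CTlogSpec, where this commit declares the field; unless TrillianService also has a TLSCertificate field in this tree (not visible on this page) the test will not compile, and if the spec-level field is meant the block belongs after that `},`. The fulcio_types_test.go hunk below places its literal as a sibling of `Ctlog:`, which is the placement expected for a spec field. The enclosing Describe block starts and ends outside the hunk.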
@@ -229,11 +229,17 @@ var _ = Describe("Fulcio", func() { PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, }, + Ctlog: CtlogService{ Address: "ctlog.default.svc", Port: ptr.To(int32(80)), Prefix: "trusted-artifact-signer", }, + TLSCertificate: TLSCert{ + CertRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, + PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, + CACertRef: &LocalObjectReference{Name: "ca-configmap"}, + }, }, } @@ -286,6 +292,17 @@ func generateFulcioObject(name string) *Fulcio { Port: ptr.To(int32(80)), Prefix: "trusted-artifact-signer", }, + TLSCertificate: TLSCert{ + CertRef: &SecretKeySelector{ + Key: "cert", + LocalObjectReference: LocalObjectReference{Name: "secret"}, + }, + PrivateKeyRef: &SecretKeySelector{ + Key: "key", + LocalObjectReference: LocalObjectReference{Name: "secret"}, + }, + CACertRef: &LocalObjectReference{Name: "ca-configmap"}, + }, }, } } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index c22c5ddad..18097afe7 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -167,6 +167,7 @@ func (in *CTlogSpec) DeepCopyInto(out *CTlogSpec) { *out = new(LocalObjectReference) **out = **in } + in.TLSCertificate.DeepCopyInto(&out.TLSCertificate) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTlogSpec. @@ -207,6 +208,11 @@ func (in *CTlogStatus) DeepCopyInto(out *CTlogStatus) { *out = make([]SecretKeySelector, len(*in)) copy(*out, *in) } + if in.TLSCertificate != nil { + in, out := &in.TLSCertificate, &out.TLSCertificate + *out = new(TLSCert) + (*in).DeepCopyInto(*out) + } if in.TreeID != nil { in, out := &in.TreeID, &out.TreeID *out = new(int64) 
@@ -454,6 +460,7 @@ func (in *FulcioSpec) DeepCopyInto(out *FulcioSpec) { *out = new(LocalObjectReference) **out = **in } + in.TLSCertificate.DeepCopyInto(&out.TLSCertificate) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioSpec. @@ -479,6 +486,11 @@ func (in *FulcioStatus) DeepCopyInto(out *FulcioStatus) { *out = new(FulcioCert) (*in).DeepCopyInto(*out) } + if in.TLSCertificate != nil { + in, out := &in.TLSCertificate, &out.TLSCertificate + *out = new(TLSCert) + (*in).DeepCopyInto(*out) + } if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions *out = make([]metav1.Condition, len(*in)) @@ -1211,6 +1223,34 @@ func (in *Tink) DeepCopy() *Tink { in.DeepCopyInto(out) return out } +func (in *TLSCert) DeepCopyInto(out *TLSCert) { + *out = *in + if in.PrivateKeyRef != nil { + in, out := &in.PrivateKeyRef, &out.PrivateKeyRef + *out = new(SecretKeySelector) + **out = **in + } + if in.CertRef != nil { + in, out := &in.CertRef, &out.CertRef + *out = new(SecretKeySelector) + **out = **in + } + if in.CACertRef != nil { + in, out := &in.CACertRef, &out.CACertRef + *out = new(LocalObjectReference) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCert. +func (in *TLSCert) DeepCopy() *TLSCert { + if in == nil { + return nil + } + out := new(TLSCert) + in.DeepCopyInto(out) + return out +} // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Trillian) DeepCopyInto(out *Trillian) { diff --git a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml index 3faa3285f..0ecf6f14d 100644 --- a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml +++ b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml 
@@ -152,6 +152,62 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: Reference to TLS server certificate, private key and + CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -343,6 +399,61 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: TLSCert defines fields for TLS certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: The ID of a Trillian tree that stores the log data. format: int64 diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index 118bea8b2..591d1052a 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml 
@@ -281,6 +281,62 @@ spec: required: - enabled type: object + tls: + description: Reference to TLS server certificate, private key and + CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: 
@@ -458,6 +514,61 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: TLSCert defines fields for TLS certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) url: type: string type: object diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index e09499ed1..7ba42eead 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml 
@@ -168,6 +168,62 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: Reference to TLS server certificate, private key + and CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -434,6 +490,62 @@ spec: required: - enabled type: object + tls: + description: Reference to TLS server certificate, private key + and CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml index 71a3e21c8..394eea356 100644 --- a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml +++ b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml 
@@ -152,6 +152,62 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: Reference to TLS server certificate, private key and + CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -343,6 +399,61 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: TLSCert defines fields for TLS certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: The ID of a Trillian tree that stores the log data. format: int64 diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 00f495721..5ae0c5aef 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml 
@@ -281,6 +281,62 @@ spec: required: - enabled type: object + tls: + description: Reference to TLS server certificate, private key and + CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: 
@@ -458,6 +514,61 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: TLSCert defines fields for TLS certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) url: type: string type: object diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index d42cb6dcb..ce4641870 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml 
@@ -168,6 +168,62 @@ spec: - name type: object x-kubernetes-map-type: atomic + tls: + description: Reference to TLS server certificate, private key + and CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -434,6 +490,62 @@ spec: required: - enabled type: object + tls: + description: Reference to TLS server certificate, private key + and CA certificate + properties: + CACertRef: + description: Reference to CA certificate + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - name + type: object + x-kubernetes-map-type: atomic + certRef: + description: Reference to service certificate + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + privateKeyRef: + description: Reference to the private key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + pattern: ^[-._a-zA-Z0-9]+$ + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-validations: + - message: privateKeyRef cannot be empty + rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: diff --git a/internal/controller/ctlog/actions/config_map.go b/internal/controller/ctlog/actions/config_map.go new file mode 100644 index 000000000..e6ee19d33 --- /dev/null +++ b/internal/controller/ctlog/actions/config_map.go 
@@ -0,0 +1,79 @@
+package actions
+
+import (
+ "context"
+ "fmt"
+
+ rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
+ "github.com/securesign/operator/internal/controller/common/action"
+ k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+ "github.com/securesign/operator/internal/controller/constants"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/meta"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+func NewCAConfigMapAction() action.Action[*rhtasv1alpha1.CTlog] {
+ return &configMapAction{}
+}
+
+type configMapAction struct {
+ action.BaseAction
+}
+
+func (i configMapAction) Name() string {
+ return "create CA configMap"
+}
+
+func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
+ c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
+ cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
+ return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+}
+
+func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {
+ var (
+ err error
+ updated bool
+ )
+
+ labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
+
+ configMap := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ca-configmap",
+ Namespace: instance.Namespace,
+ Labels: labels,
+ },
+ Data: map[string]string{},
+ }
+
+ if err = controllerutil.SetControllerReference(instance, configMap, i.Client.Scheme()); err != nil {
+ return i.Failed(fmt.Errorf("could not set controller reference for configMap: %w", err))
+ }
+ if updated, err = i.Ensure(ctx, configMap); err != nil {
+ meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+ Type: constants.Ready,
+ Status: metav1.ConditionFalse,
+ Reason: constants.Failure,
+ Message: err.Error(),
+ })
+ return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create configMap: %w", err), instance)
+ }
+
+ //TLS: Annotate configMap
+ configMap.Annotations = map[string]string{"service.beta.openshift.io/inject-cabundle": "true"}
+ err = i.Client.Update(ctx, configMap)
+ if err != nil {
+ return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate configMap: %w", err), instance)
+ }
+
+ if updated {
+ meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready,
+ Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "ConfigMap created"})
+ return i.StatusUpdate(ctx, instance)
+ } else {
+ return i.Continue()
+ }
+}
diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go
index ad6462398..fdd798501 100644
--- a/internal/controller/ctlog/actions/deployment.go
+++ b/internal/controller/ctlog/actions/deployment.go
@@ -8,9 +8,11 @@ import (
 rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 "github.com/securesign/operator/internal/controller/common/action"
+ k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 "github.com/securesign/operator/internal/controller/constants"
 "github.com/securesign/operator/internal/controller/ctlog/utils"
 trillian "github.com/securesign/operator/internal/controller/trillian/actions"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
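Review bot: `CanHandle` dereferences the result of `meta.FindStatusCondition` without a nil check, so a CTlog whose Ready condition has not been set yet panics the reconciler; the expression `c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil` also parses as `Creating || (Ready && cm == nil)`, which may be intended but reads as a precedence slip, and the error from `GetConfigMap` is dropped so an API failure is indistinguishable from an absent ConfigMap. The ConfigMap is named with the fixed string `ca-configmap` in the instance namespace and given a controller reference to this CTlog; the diffstat shows a sibling `internal/controller/fulcio/actions/config_map.go` added by the same commit, and if it creates the same name in the same namespace the second owner fails with `AlreadyOwnedError` and deleting either instance garbage-collects the bundle the other is mounting — derive the name from `instance.Name` (deployment.go on this page mounts it by literal and must follow). The `inject-cabundle` annotation is assigned after `Ensure` and pushed with an unconditional `Update` that overwrites any existing annotations on every reconcile; put it in the object literal so it is part of the desired state (assuming `Ensure` applies metadata, which this page does not show), and drop the `else` after the `return`.
```go
func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
	if c == nil {
		return false
	}
	cm, err := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
	// a lookup error is treated as "missing" so the next Handle re-ensures the object
	return c.Reason == constants.Creating || (c.Reason == constants.Ready && (err != nil || cm == nil))
}

// … unchanged: Handle prologue, labels …
	configMap := &corev1.ConfigMap{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "ca-configmap",
			Namespace: instance.Namespace,
			Labels:    labels,
			// asks the OpenShift service-ca operator to inject its bundle as service-ca.crt,
			// the key deployment.go projects into the pod
			Annotations: map[string]string{"service.beta.openshift.io/inject-cabundle": "true"},
		},
		Data: map[string]string{},
	}
	// … unchanged: SetControllerReference, Ensure and its failure branch; the later Annotations/Update block is removed …
```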
@@ -61,6 +63,106 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) return i.Failed(err) } + // TLS certificate + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil { + dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, + corev1.Volume{ + Name: "tls-cert", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{ + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.CertRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: instance.Spec.TLSCertificate.CertRef.Key, + Path: "tls.crt", + }, + }, + }, + }, + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: instance.Spec.TLSCertificate.PrivateKeyRef.Key, + Path: "tls.key", + }, + }, + }, + }, + { + ConfigMap: &corev1.ConfigMapProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.CACertRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: "ca.crt", // User should use this key. 
+ Path: "ca.crt", + }, + }, + }, + }, + }, + }, + }, + }) + } else if signingKeySecret != nil { + i.Logger.V(1).Info("TLS: Using secrets/signing-key secret") + dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, + corev1.Volume{ + Name: "tls-cert", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{ + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Name + "-tls-secret", + }, + }, + }, + { + ConfigMap: &corev1.ConfigMapProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "ca-configmap", + }, + Items: []corev1.KeyToPath{ + { + Key: "service-ca.crt", + Path: "ca.crt", + }, + }, + }, + }, + }, + }, + }, + }) + } else { + i.Logger.V(1).Info("Communication between services is insecure") + } + + if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, + corev1.VolumeMount{ + Name: "tls-cert", + MountPath: "/etc/ssl/certs", + ReadOnly: true, + }) + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt") + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key") + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") + } + if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err)) } diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index b1f35e895..9ac903bb4 100644 --- a/internal/controller/ctlog/actions/service.go 
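Review bot: Platform detection here reads the `signing-key` Secret in `openshift-service-ca`, i.e. the cluster service CA's private key; giving the operator's ServiceAccount `get` on that Secret merely to learn it is on OpenShift is far more privilege than the feature needs, and with the error discarded a forbidden or transient failure silently falls into the final `else`, logging "Communication between services is insecure" only at V(1). Probe something harmless instead (for example the `openshift-service-ca.crt` ConfigMap the service-ca operator places in every namespace, or API discovery) and return the error rather than swallowing it, so a TLS setup fails closed instead of degrading to plaintext. `instance.Spec.TLSCertificate.PrivateKeyRef.Name` is also dereferenced with no nil check; if CRD validation already rejects a certRef without privateKeyRef this is only defense in depth, but `if instance.Spec.TLSCertificate.PrivateKeyRef == nil { return i.Failed(errors.New("tls.privateKeyRef is required with tls.certRef")) }` is cheap. The `Key: "ca.crt"` requirement on the user's ConfigMap is enforced only by a code comment and belongs in the CRD field documentation for `CACertRef`.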
+++ b/internal/controller/ctlog/actions/service.go @@ -7,6 +7,7 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" + k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" @@ -62,6 +63,19 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance) } + //TLS: Annotate service + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil { + if svc.Annotations == nil { + svc.Annotations = make(map[string]string) + } + svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret" + err := i.Client.Update(ctx, svc) + if err != nil { + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance) + } + } + if updated { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"}) diff --git a/internal/controller/ctlog/ctlog_controller.go b/internal/controller/ctlog/ctlog_controller.go index f4a7052fc..e26172526 100644 --- a/internal/controller/ctlog/ctlog_controller.go +++ b/internal/controller/ctlog/ctlog_controller.go 
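Review bot: The condition for requesting a serving certificate (`signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil`) does not line up with the deployment's fallback, which mounts `instance.Name + "-tls-secret"` whenever `CertRef != nil && CACertRef != nil` is false and the signing key exists: a CR with certRef and privateKeyRef but no CACertRef makes the pod wait on a Secret this action never asks the service-ca operator to create. Derive both decisions from one predicate, e.g. `userTLS := instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil`, and annotate whenever `!userTLS && signingKeySecret != nil`. As with the ConfigMap action, adding the annotation through a second `Client.Update` after `Ensure` costs a write per reconcile; set `svc.Annotations` before `Ensure`. The same `openshift-service-ca/signing-key` read is repeated here, so whatever replaces it in the deployment action should be a shared helper. `Handle` continues outside the hunk.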
@@ -92,7 +92,7 @@ func (r *CTlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl return []string{actions.CertCondition} }), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.CTlog](), - + actions.NewCAConfigMapAction(), actions.NewHandleFulcioCertAction(), actions.NewHandleKeysAction(), actions.NewResolveTreeAction(), @@ -155,6 +155,7 @@ func (r *CTlogReconciler) SetupWithManager(mgr ctrl.Manager) error { For(&rhtasv1alpha1.CTlog{}). Owns(&v1.Deployment{}). Owns(&v12.Service{}). + Owns(&v12.ConfigMap{}). WatchesMetadata(partialSecret, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, object client.Object) []reconcile.Request { val, ok := object.GetLabels()["app.kubernetes.io/instance"] if ok { diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go index 54d60daa7..da228f858 100644 --- a/internal/controller/ctlog/ctlog_controller_test.go +++ b/internal/controller/ctlog/ctlog_controller_test.go @@ -96,6 +96,17 @@ var _ = Describe("CTlog controller", func() { Spec: v1alpha1.CTlogSpec{ TreeID: &ptr, + TLSCertificate: v1alpha1.TLSCert{ + CertRef: &v1alpha1.SecretKeySelector{ + Key: "cert", + LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-crt"}, + }, + PrivateKeyRef: &v1alpha1.SecretKeySelector{ + Key: "key", + LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-key"}, + }, + CACertRef: &v1alpha1.LocalObjectReference{Name: "ca-configmap"}, + }, }, } err = k8sClient.Create(ctx, instance) diff --git a/internal/controller/fulcio/actions/config_map.go b/internal/controller/fulcio/actions/config_map.go new file mode 100644 index 000000000..1084ebb5d --- /dev/null +++ b/internal/controller/fulcio/actions/config_map.go 
@@ -0,0 +1,79 @@ +package actions + +import ( + "context" + "fmt" + + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/controller/common/action" + k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" + "github.com/securesign/operator/internal/controller/constants" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" +) + +func NewCAConfigMapAction() action.Action[*rhtasv1alpha1.Fulcio] { + return &configMapAction{} +} + +type configMapAction struct { + action.BaseAction +} + +func (i configMapAction) Name() string { + return "create CA configMap" +} + +func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool { + c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) + cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") + return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil +} + +func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result { + var ( + err error + updated bool + ) + + labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + + configMap := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ca-configmap", + Namespace: instance.Namespace, + Labels: labels, + }, + Data: map[string]string{}, + } + + if err = controllerutil.SetControllerReference(instance, configMap, i.Client.Scheme()); err != nil { + return i.Failed(fmt.Errorf("could not set controller reference for configMap: %w", err)) + } + if updated, err = i.Ensure(ctx, configMap); err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: constants.Ready, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + return 
i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create configMap: %w", err), instance) + } + + //TLS: Annotate configMap + configMap.Annotations = map[string]string{"service.beta.openshift.io/inject-cabundle": "true"} + err = i.Client.Update(ctx, configMap) + if err != nil { + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate configMap: %w", err), instance) + } + + if updated { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, + Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "ConfigMap created"}) + return i.StatusUpdate(ctx, instance) + } else { + return i.Continue() + } +} diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index d0aea6334..9b461d689 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go @@ -6,8 +6,10 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" + k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" futils "github.com/securesign/operator/internal/controller/fulcio/utils" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" 
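Review bot: This file is a byte-for-byte copy of the ctlog ConfigMap action, and both create a ConfigMap named `ca-configmap` in the same namespace with `SetControllerReference` pointing at their own CR; whichever component reconciles second will, depending on what `Ensure` does with owner references, either fail the write or take over ownership, so deleting one CR can garbage-collect the CA bundle the other pod still mounts. Give each component its own object (e.g. `Name: instance.Name + "-fulcio-ca-bundle"`) or move the action into a shared package that takes the name as a parameter, and adjust the deployment's `ConfigMapProjection` to match. The `c.Reason` dereference in `CanHandle` needs an `if c == nil { return false }` guard, since `FindStatusCondition` returns nil for a missing condition.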
@@ -38,11 +40,22 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") switch { case instance.Spec.Ctlog.Address == "": - instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) + if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace) + } else { + instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) + } case instance.Spec.Ctlog.Port == nil: - port := int32(80) + var port int32 + if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + port = int32(443) + + } else { + port = int32(80) + } instance.Spec.Ctlog.Port = &port } dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels) 
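Review bot: The scheme written into `instance.Spec.Ctlog.Address` is chosen from Fulcio's own `TLSCertificate.CACertRef` and from whether the signing-key Secret could be read, neither of which says whether the ctlog server actually serves TLS (that is governed by the CTlog CR), and the read's error is discarded, so an RBAC failure silently produces an `http://` default on a cluster where ctlog is listening for TLS. At minimum check the error: `signingKeySecret, err := k8sutils.GetSecret(...)` and return `i.Failed(err)` for anything other than not-found. The environment-dependent default is then stored in the user's `Spec`, so if that object is ever written back the choice made on one cluster state is frozen into the CR; consider computing the address into a local and leaving `Spec` untouched. `Handle` continues outside the hunk.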
@@ -58,6 +71,106 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio } } + // TLS certificate + if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil { + dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, + corev1.Volume{ + Name: "tls-cert", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{ + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.CertRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: instance.Spec.TLSCertificate.CertRef.Key, + Path: "tls.crt", + }, + }, + }, + }, + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: instance.Spec.TLSCertificate.PrivateKeyRef.Key, + Path: "tls.key", + }, + }, + }, + }, + { + ConfigMap: &corev1.ConfigMapProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Spec.TLSCertificate.CACertRef.Name, + }, + Items: []corev1.KeyToPath{ + { + Key: "ca.crt", // User should use this key. 
+ Path: "ca.crt", + }, + }, + }, + }, + }, + }, + }, + }) + } else if signingKeySecret != nil { + i.Logger.V(1).Info("TLS: Using secrets/signing-key secret") + dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, + corev1.Volume{ + Name: "tls-cert", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{ + { + Secret: &corev1.SecretProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: instance.Name + "-tls-secret", + }, + }, + }, + { + ConfigMap: &corev1.ConfigMapProjection{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "ca-configmap", + }, + Items: []corev1.KeyToPath{ + { + Key: "service-ca.crt", + Path: "ca.crt", + }, + }, + }, + }, + }, + }, + }, + }) + } else { + i.Logger.V(1).Info("Communication between services is insecure") + } + + if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, + corev1.VolumeMount{ + Name: "tls-cert", + MountPath: "/etc/ssl/certs", + ReadOnly: true, + }) + + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt") + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key") + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt") + } + if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err)) } diff --git a/internal/controller/fulcio/actions/service.go b/internal/controller/fulcio/actions/service.go index b12a37af4..30f8e8daf 100644 
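Review bot: `MountPath: "/etc/ssl/certs"` mounts the projected volume over the directory that holds the image's system CA bundle, so every outbound TLS connection the process makes that is not to ctlog loses its trust roots; Fulcio fetches OIDC issuer metadata and JWKS over HTTPS to verify identity tokens, and Go's root loading on Linux looks in `/etc/ssl/certs` (on RHEL/UBI that path is a symlink into `/etc/pki/tls`, which a mount replaces). The same path is used in the ctlog deployment hunk above. Mount under a dedicated path and point the flags there: `MountPath: "/var/run/secrets/tas/tls"` with `"--grpc-tls-certificate", "/var/run/secrets/tas/tls/tls.crt"` (and likewise for `tls.key` and `ca.crt`). `Handle` continues outside the hunk.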
--- a/internal/controller/fulcio/actions/service.go +++ b/internal/controller/fulcio/actions/service.go @@ -7,6 +7,7 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" + k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" @@ -70,6 +71,19 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulci return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance) } + //TLS: Annotate service + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil { + if svc.Annotations == nil { + svc.Annotations = make(map[string]string) + } + svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret" + err := i.Client.Update(ctx, svc) + if err != nil { + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance) + } + } + if updated { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"}) diff --git a/internal/controller/fulcio/fulcio_controller.go b/internal/controller/fulcio/fulcio_controller.go index e7a44da40..82e2ac71f 100644 --- a/internal/controller/fulcio/fulcio_controller.go +++ b/internal/controller/fulcio/fulcio_controller.go 
@@ -96,6 +96,7 @@ func (r *FulcioReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr }), actions.NewHandleCertAction(), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.Fulcio](), + actions.NewCAConfigMapAction(), actions.NewRBACAction(), actions.NewServerConfigAction(), actions.NewDeployAction(), @@ -135,6 +136,7 @@ func (r *FulcioReconciler) SetupWithManager(mgr ctrl.Manager) error { For(&rhtasv1alpha1.Fulcio{}). Owns(&v1.Deployment{}). Owns(&v12.Service{}). + Owns(&v12.ConfigMap{}). Owns(&v13.Ingress{}). Complete(r) } diff --git a/internal/controller/fulcio/fulcio_controller_test.go b/internal/controller/fulcio/fulcio_controller_test.go index f7fc850cd..63de11497 100644 --- a/internal/controller/fulcio/fulcio_controller_test.go +++ b/internal/controller/fulcio/fulcio_controller_test.go @@ -122,6 +122,17 @@ var _ = Describe("Fulcio controller", func() { TrustedCA: &v1alpha1.LocalObjectReference{ Name: "trusted-ca-bundle", }, + TLSCertificate: v1alpha1.TLSCert{ + CertRef: &v1alpha1.SecretKeySelector{ + Key: "cert", + LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-crt"}, + }, + PrivateKeyRef: &v1alpha1.SecretKeySelector{ + Key: "key", + LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-key"}, + }, + CACertRef: &v1alpha1.LocalObjectReference{Name: "ca-configmap"}, + }, }, } err = k8sClient.Create(ctx, instance) From 3100639c9ea5e2b58c972cb5f9a21c41dbbe709e Mon Sep 17 00:00:00 2001 
From: Firas Ghanmi Date: Sat, 3 Aug 2024 11:06:36 +0200 Subject: [PATCH 02/18] updates-1 --- api/v1alpha1/common.go | 4 +- .../manifests/rhtas.redhat.com_fulcios.yaml | 4 +- .../rhtas.redhat.com_securesigns.yaml | 4 +- .../crd/bases/rhtas.redhat.com_fulcios.yaml | 4 +- .../bases/rhtas.redhat.com_securesigns.yaml | 4 +- .../controller/ctlog/actions/config_map.go | 2 +- .../controller/ctlog/actions/deployment.go | 11 +++-- internal/controller/ctlog/actions/service.go | 21 ++++++++- .../controller/ctlog/ctlog_controller_test.go | 5 ++ .../ctlog/utils/ctlog_deployment.go | 22 +++++++++ .../controller/fulcio/actions/config_map.go | 2 +- .../controller/fulcio/actions/deployment.go | 46 ++----------------- internal/controller/fulcio/actions/service.go | 14 ------ 13 files changed, 71 insertions(+), 72 deletions(-) diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index 8c2232e3c..d9ad110f7 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go @@ -43,9 +43,9 @@ type CtlogService struct { //+optional Address string `json:"address,omitempty"` // Port of Ctlog Log Server End point - //+kubebuilder:validation:Minimum:=1 + //+kubebuilder:validation:Minimum:=0 //+kubebuilder:validation:Maximum:=65535 - //+kubebuilder:default:=80 + //+kubebuilder:default:=0 //+optional Port *int32 `json:"port,omitempty"` // Prefix is the name of the log. The prefix cannot be empty and can diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index 591d1052a..fabbf5412 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -231,11 +231,11 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer prefix: default: trusted-artifact-signer 
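Review bot: Changing `port` to `minimum 0` / `default 0` turns 0 into a "pick for me" sentinel that only the reconciler understands, but the field's description still reads `Port of Ctlog Log Server End point`, so nothing in the CRD tells a user that 0 resolves to 443 or 80 depending on TLS. Document it on the field so kubebuilder propagates it into the generated CRDs: `// Port of Ctlog Log Server End point. 0 (the default) selects 443 when TLS is configured and 80 otherwise.` This is also an API behaviour change: objects that previously defaulted to 80 now default to 0 and have the value filled in at reconcile time, which is worth a line in the commit message.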
diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 7ba42eead..8fe22b99b 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -439,11 +439,11 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer prefix: default: trusted-artifact-signer diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 5ae0c5aef..0d55b94ce 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -231,11 +231,11 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer prefix: default: trusted-artifact-signer diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index ce4641870..3d9a6acb8 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -439,11 +439,11 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer prefix: default: trusted-artifact-signer diff --git a/internal/controller/ctlog/actions/config_map.go b/internal/controller/ctlog/actions/config_map.go index e6ee19d33..354b76878 100644 --- a/internal/controller/ctlog/actions/config_map.go +++ b/internal/controller/ctlog/actions/config_map.go 
@@ -29,7 +29,7 @@ func (i configMapAction) Name() string { func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool { c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") - return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil } func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result { diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go index fdd798501..8e92fe620 100644 --- a/internal/controller/ctlog/actions/deployment.go +++ b/internal/controller/ctlog/actions/deployment.go @@ -43,12 +43,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) +<<<<<<< HEAD switch { case instance.Spec.Trillian.Address == "": instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) } dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort) +======= + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) + dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, useHTTPS) +>>>>>>> df48e12 (updates-1) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, 
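Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> df48e12 (updates-1)`) are committed into deployment.go, so the package does not compile; the same markers appear in service.go, ctlog_deployment.go and the controller test in this commit. The two sides are not interchangeable either: the HEAD side defaults `Spec.Trillian.Address` and passes `ServerTargetPort, MetricsPort` to `CreateDeployment`, the other side drops the Trillian default and passes `useHTTPS`. Keep the Trillian defaulting and extend the call, e.g. `dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort, useHTTPS)`, with the matching signature in ctlog_deployment.go.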
@@ -64,7 +70,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) } // TLS certificate - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil { dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, corev1.Volume{ @@ -126,7 +131,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) { Secret: &corev1.SecretProjection{ LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Name + "-tls-secret", + Name: instance.Name + "-ctlog-tls-secret", }, }, }, @@ -160,7 +165,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) }) dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt") dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key") - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") + // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") } if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index 9ac903bb4..0ce31d7b0 100644 --- a/internal/controller/ctlog/actions/service.go +++ b/internal/controller/ctlog/actions/service.go 
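Review bot: Commenting out `--trillian_tls_ca_cert_file` leaves `ca.crt` mounted but never handed to ctlog, so the ctlog-to-Trillian leg the series title promises to secure keeps the binary's default (plaintext gRPC, going by the flag set) while the preceding log line still reports TLS in use. Either pass the flag once Trillian's logserver serves a certificate the bundle validates, or delete the line and state the limitation in a comment, e.g. `// Only the CTlog HTTP listener is TLS-protected; the Trillian gRPC client is still plaintext.`; a commented-out argument gives the next reader no way to tell which is intended.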
@@ -41,6 +41,7 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name) +<<<<<<< HEAD svc := kubernetes.CreateService(instance.Namespace, ComponentName, ServerPortName, ServerPort, ServerTargetPort, labels) if instance.Spec.Monitoring.Enabled { svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ @@ -50,6 +51,23 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog TargetPort: intstr.FromInt32(MetricsPort), }) } +======= + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + var port int32 + if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil { + port = int32(443) + } else { + port = int32(80) + } + portName := fmt.Sprintf("%d-tcp", port) + svc := kubernetes.CreateService(instance.Namespace, ComponentName, MetricsPortName, MetricsPort, labels) + svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ + Name: portName, + Protocol: corev1.ProtocolTCP, + Port: port, + TargetPort: intstr.FromInt32(6962), + }) +>>>>>>> df48e12 (updates-1) if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Service: %w", err)) } 
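Review bot: Beyond the conflict markers, the new side hard-codes `TargetPort: intstr.FromInt32(6962)` and derives the port name from the number (`fmt.Sprintf("%d-tcp", port)`), while the HEAD side uses the `ServerPortName`, `ServerPort` and `ServerTargetPort` constants; resolve toward the constants so the Service, the container port and the probes (also hard-coded to 6962 in ctlog_deployment.go) cannot drift apart. The exposed port flips to 443 on `CertRef != nil || signingKeySecret != nil`, but the deployment only enables TLS on `(CertRef != nil && CACertRef != nil) || signingKeySecret != nil`, so a certRef without CACertRef yields a 443 Service in front of a plaintext listener. The `CreateService(..., MetricsPortName, MetricsPort, labels)` call also drops the server port the HEAD-side helper receives and re-adds it by hand; if the helper's signature is the six-argument HEAD one, this side will not compile even after the markers are removed.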
@@ -64,12 +82,11 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog } //TLS: Annotate service - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil { if svc.Annotations == nil { svc.Annotations = make(map[string]string) } - svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret" + svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls-secret" err := i.Client.Update(ctx, svc) if err != nil { return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance) diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go index da228f858..eb6250dcc 100644 --- a/internal/controller/ctlog/ctlog_controller_test.go +++ b/internal/controller/ctlog/ctlog_controller_test.go @@ -168,7 +168,12 @@ var _ = Describe("CTlog controller", func() { Eventually(func() error { return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service) }).Should(Succeed()) +<<<<<<< HEAD Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80))) +======= + Expect(service.Spec.Ports[0].Port).Should(Equal(int32(6963))) + Expect(service.Spec.Ports[1].Port).Should(Equal(int32(443))) +>>>>>>> df48e12 (updates-1) By("Move to Ready phase") // Workaround to succeed condition for Ready phase diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go index e8af3ba9e..c029ed7e5 100644 --- a/internal/controller/ctlog/utils/ctlog_deployment.go +++ b/internal/controller/ctlog/utils/ctlog_deployment.go 
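Review bot: The test hunk also carries conflict markers, and the resolved expectation asserts ports by index (`Ports[0].Port == 6963`, `Ports[1].Port == 443`), which encodes the append order chosen in service.go rather than the contract. Look the ports up by name instead, e.g. a small helper `portByName(service.Spec.Ports, "443-tcp")`, so reordering the append does not break the test, and add the `80` case for a CR without certRef since that branch is otherwise untested.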
@@ -13,6 +13,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) +<<<<<<< HEAD func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32) (*appsv1.Deployment, error) { switch { case instance.Status.ServerConfigRef == nil: @@ -23,8 +24,17 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianAddressNotSpecified) case instance.Spec.Trillian.Port == nil: return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified) +======= +func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, useHTTPS bool) (*appsv1.Deployment, error) { + if instance.Status.ServerConfigRef == nil { + return nil, errors.New("server config name not specified") +>>>>>>> df48e12 (updates-1) } replicas := int32(1) + scheme := corev1.URISchemeHTTP + if useHTTPS { + scheme = corev1.URISchemeHTTPS + } // Define a new Deployment object containerPorts := []corev1.ContainerPort{ @@ -73,8 +83,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ +<<<<<<< HEAD Path: "/healthz", Port: intstr.FromInt32(serverPort), +======= + Path: "/healthz", + Port: intstr.FromInt32(6962), + Scheme: scheme, +>>>>>>> df48e12 (updates-1) }, }, InitialDelaySeconds: 10, @@ -86,8 +102,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ +<<<<<<< HEAD Path: "/healthz", Port: intstr.FromInt32(serverPort), +======= + Path: "/healthz", + Port: intstr.FromInt32(6962), + Scheme: scheme, +>>>>>>> df48e12 (updates-1) }, }, InitialDelaySeconds: 10, 
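Review bot: Besides the conflict markers, the new side of `CreateDeployment` drops the `TrillianAddressNotSpecified` / `TrillianPortNotSpecified` checks and the `serverPort` parameter, so a missing Trillian endpoint is no longer rejected up front and the probes are hard-coded to `6962` instead of the port the caller passes. Keep the validation switch and add `useHTTPS` as an extra parameter rather than replacing the existing ones, and keep `Port: intstr.FromInt32(serverPort)` in both probes. `errors.New` on the new side also needs the `errors` import, which is not visible in this hunk. For reference, kubelet does not verify the certificate on `Scheme: HTTPS` probes, so the probes will pass against either the user cert or the service-ca cert; that is fine here but worth a one-line comment.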
diff --git a/internal/controller/fulcio/actions/config_map.go b/internal/controller/fulcio/actions/config_map.go index 1084ebb5d..272b42a82 100644 --- a/internal/controller/fulcio/actions/config_map.go +++ b/internal/controller/fulcio/actions/config_map.go @@ -29,7 +29,7 @@ func (i configMapAction) Name() string { func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool { c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") - return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil } func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result { diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index 9b461d689..7e17f98e1 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go 
@@ -41,18 +41,17 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - switch { - case instance.Spec.Ctlog.Address == "": + if instance.Spec.Ctlog.Address == "" { if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace) } else { instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) } - case instance.Spec.Ctlog.Port == nil: + } + if instance.Spec.Ctlog.Port == nil || *instance.Spec.Ctlog.Port == 0 { var port int32 if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { port = int32(443) - } else { port = int32(80) } 
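Review bot: Fulcio now dials `https://ctlog...:443` whenever its own `TLSCertificate.CACertRef` is set (or the signing key is readable), but the ctlog Service in this same commit exposes 443 only when the CTlog CR's `CertRef` is set; on a non-OpenShift cluster a CACertRef on Fulcio paired with a plain CTlog produces a connection to a port the Service does not expose, and the reverse pairing dials a TLS listener over plain http on 80. The two CRs have no shared source of truth for this decision. Either derive the scheme and port from the CTlog object's status (the Fulcio reconciler can read it), or at least document on the `tls` field that Fulcio's CACertRef must be set exactly when CTlog serves TLS. `Handle` continues outside the hunk.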
@@ -72,39 +71,13 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio } // TLS certificate - if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil { + if instance.Spec.TLSCertificate.CACertRef != nil { dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, corev1.Volume{ Name: "tls-cert", VolumeSource: corev1.VolumeSource{ Projected: &corev1.ProjectedVolumeSource{ Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.CertRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TLSCertificate.CertRef.Key, - Path: "tls.crt", - }, - }, - }, - }, - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TLSCertificate.PrivateKeyRef.Key, - Path: "tls.key", - }, - }, - }, - }, { ConfigMap: &corev1.ConfigMapProjection{ LocalObjectReference: corev1.LocalObjectReference{ @@ -130,13 +103,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio VolumeSource: corev1.VolumeSource{ Projected: &corev1.ProjectedVolumeSource{ Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Name + "-tls-secret", - }, - }, - }, { ConfigMap: &corev1.ConfigMapProjection{ LocalObjectReference: corev1.LocalObjectReference{ 
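Review bot: After this change the `tls-cert` volume projects only the CA ConfigMap, yet its name and the `// TLS certificate` comment above the block still describe a server certificate and key; change the comment to `// CA bundle used to verify the ctlog server certificate` (or rename the volume to match) so the next reader does not look for tls.crt/tls.key in it. The second hunk in this file drops the `-tls-secret` serving-cert projection for the same reason, consistent with the service annotation removal in service.go. Handle continues outside both hunks.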
@@ -166,9 +132,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio ReadOnly: true, }) - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt") - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key") - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt") + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", "/etc/ssl/certs/ca.crt") } if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { diff --git a/internal/controller/fulcio/actions/service.go b/internal/controller/fulcio/actions/service.go index 30f8e8daf..b12a37af4 100644 --- a/internal/controller/fulcio/actions/service.go +++ b/internal/controller/fulcio/actions/service.go @@ -7,7 +7,6 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" 
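Review bot: `--ct-log.tls-ca-cert` is appended only inside the `CACertRef != nil` block, while the address/port defaulting earlier in Handle switches to `https://ctlog...` and 443 on `CACertRef != nil || signingKeySecret != nil`. With only the OpenShift service-ca signing key present, Fulcio is therefore pointed at an HTTPS ctlog endpoint without being handed the CA that issued its serving certificate, unless the image trusts the service CA through a path not visible here; either default to https only when a CA is mounted, or mount the service-ca bundle and pass the flag in that case as well. The enclosing `if` and Handle continue outside the hunk.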
@@ -71,19 +70,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulci return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance) } - //TLS: Annotate service - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil { - if svc.Annotations == nil { - svc.Annotations = make(map[string]string) - } - svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret" - err := i.Client.Update(ctx, svc) - if err != nil { - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance) - } - } - if updated { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"}) From 0e8373f0795876168acc9d3ddffc92b19b36d953 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Sat, 3 Aug 2024 12:33:38 +0200 Subject: [PATCH 03/18] fix conflicts --- api/v1alpha1/ctlog_types_test.go | 1 + .../controller/ctlog/actions/constants.go | 16 +++++----- .../controller/ctlog/actions/deployment.go | 10 ++----- internal/controller/ctlog/actions/service.go | 30 +++++++------------ .../controller/ctlog/ctlog_controller_test.go | 7 +---- .../ctlog/utils/ctlog_deployment.go | 22 ++------------ 6 files changed, 28 insertions(+), 58 deletions(-) diff --git a/api/v1alpha1/ctlog_types_test.go b/api/v1alpha1/ctlog_types_test.go index 542904fe7..55ad7618b 100644 --- a/api/v1alpha1/ctlog_types_test.go +++ b/api/v1alpha1/ctlog_types_test.go @@ -135,6 +135,7 @@ var _ = Describe("CTlog", func() { Trillian: TrillianService{ Address: "trillian-system.default.svc", Port: &port, + }, TLSCertificate: TLSCert{ CertRef: &SecretKeySelector{ Key: "cert", 
diff --git a/internal/controller/ctlog/actions/constants.go b/internal/controller/ctlog/actions/constants.go index 5ead8d88d..9e1a264d7 100644 --- a/internal/controller/ctlog/actions/constants.go +++ b/internal/controller/ctlog/actions/constants.go @@ -8,13 +8,15 @@ const ( RBACName = "ctlog" MonitoringRoleName = "prometheus-k8s-ctlog" - CertCondition = "FulcioCertAvailable" - ServerPortName = "http" - ServerPort = 80 - ServerTargetPort = 6962 - MetricsPortName = "metrics" - MetricsPort = 6963 - ServerCondition = "ServerAvailable" + CertCondition = "FulcioCertAvailable" + ServerPortName = "http" + ServerPort = 80 + HttpsServerPortName = "https" + HttpsServerPort = 443 + ServerTargetPort = 6962 + MetricsPortName = "metrics" + MetricsPort = 6963 + ServerCondition = "ServerAvailable" CTLPubLabel = constants.LabelNamespace + "/ctfe.pub" ) diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go index 8e92fe620..b632d3448 100644 --- a/internal/controller/ctlog/actions/deployment.go +++ b/internal/controller/ctlog/actions/deployment.go 
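Review bot: `HttpsServerPortName` and `HttpsServerPort` break Go's initialism convention; name them `HTTPSServerPortName`/`HTTPSServerPort` so they read like the rest of the codebase and do not trip staticcheck's naming check. A one-line comment on the block would also help callers, e.g. `// ServerPort and HttpsServerPort are the Service ports for plain and TLS mode; both forward to ServerTargetPort.`, which is how service.go uses them in this patch.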
@@ -43,18 +43,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) -<<<<<<< HEAD + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) switch { case instance.Spec.Trillian.Address == "": instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) } - dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort) -======= - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) - dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, useHTTPS) ->>>>>>> df48e12 (updates-1) + dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort, useHTTPS) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index 0ce31d7b0..7c0232658 100644 --- a/internal/controller/ctlog/actions/service.go +++ b/internal/controller/ctlog/actions/service.go 
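Review bot: `useHTTPS` requires both `CertRef` and `CACertRef` (or the signing key), but the Service hunk in the next file switches to port 443 and the `https` port name on `CertRef != nil || signingKeySecret != nil` alone. A CTlog with `CertRef` set and no `CACertRef` therefore gets a Service advertising HTTPS on 443 while its Deployment is built with `useHTTPS == false`, presumably leaving the server and its probes on plain HTTP. Compute the decision once and use it in both actions; the `utils/tls.go` file added later in this series looks like the natural home for that helper. Handle continues outside the hunk.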
@@ -41,8 +41,17 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name) -<<<<<<< HEAD - svc := kubernetes.CreateService(instance.Namespace, ComponentName, ServerPortName, ServerPort, ServerTargetPort, labels) + signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + var port int + var portName string + if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil { + port = HttpsServerPort + portName = HttpsServerPortName + } else { + port = ServerPort + portName = ServerPortName + } + svc := kubernetes.CreateService(instance.Namespace, ComponentName, portName, port, ServerTargetPort, labels) if instance.Spec.Monitoring.Enabled { svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ Name: MetricsPortName, @@ -51,23 +60,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog TargetPort: intstr.FromInt32(MetricsPort), }) } -======= - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - var port int32 - if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil { - port = int32(443) - } else { - port = int32(80) - } - portName := fmt.Sprintf("%d-tcp", port) - svc := kubernetes.CreateService(instance.Namespace, ComponentName, MetricsPortName, MetricsPort, labels) - svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ - Name: portName, - Protocol: corev1.ProtocolTCP, - Port: port, - TargetPort: intstr.FromInt32(6962), - }) ->>>>>>> df48e12 (updates-1) if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Service: %w", err)) } diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go index eb6250dcc..a7e67eb5c 100644 
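Review bot: Probing for OpenShift service-ca by reading the `signing-key` Secret in `openshift-service-ca` means the operator's RBAC must allow get on the cluster CA's private key, which is far more privilege than the feature needs; a namespace-local signal such as the `openshift-service-ca.crt` ConfigMap the service-ca operator injects would answer the same question without access to key material. The discarded error on that line also turns every failure (RBAC denied, API timeout) into `signingKeySecret == nil`, i.e. into silently exposing plain HTTP on port 80; at minimum log the error and treat anything other than not-found as undecided rather than as "no TLS". The same probe is added in the ctlog deployment hunk above and already exists in the fulcio actions. Handle continues outside the hunk.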
--- a/internal/controller/ctlog/ctlog_controller_test.go +++ b/internal/controller/ctlog/ctlog_controller_test.go @@ -168,12 +168,7 @@ var _ = Describe("CTlog controller", func() { Eventually(func() error { return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service) }).Should(Succeed()) -<<<<<<< HEAD - Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80))) -======= - Expect(service.Spec.Ports[0].Port).Should(Equal(int32(6963))) - Expect(service.Spec.Ports[1].Port).Should(Equal(int32(443))) ->>>>>>> df48e12 (updates-1) + Expect(service.Spec.Ports[0].Port).Should(Equal(int32(443))) By("Move to Ready phase") // Workaround to succeed condition for Ready phase diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go index c029ed7e5..5abb646f3 100644 --- a/internal/controller/ctlog/utils/ctlog_deployment.go +++ b/internal/controller/ctlog/utils/ctlog_deployment.go @@ -13,8 +13,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) -<<<<<<< HEAD -func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32) (*appsv1.Deployment, error) { +func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32, useHTTPS bool) (*appsv1.Deployment, error) { switch { case instance.Status.ServerConfigRef == nil: return nil, fmt.Errorf("CreateCTLogDeployment: %w", ServerConfigNotSpecified) 
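Review bot: `CreateDeployment` is exported but has no doc comment, and the new trailing `useHTTPS bool` sits behind two positional int32s that a caller can swap without a compile error. Add a comment above the signature along the lines of `// CreateDeployment builds the ctlog server Deployment for instance; serverPort and metricsPort are the container ports and useHTTPS selects TLS for the server endpoint.`, adjusting the last clause to what `useHTTPS` actually drives in the scheme/probe code, which is outside this hunk. The function continues past the hunk.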
@@ -24,11 +23,6 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianAddressNotSpecified) case instance.Spec.Trillian.Port == nil: return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified) -======= -func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, useHTTPS bool) (*appsv1.Deployment, error) { - if instance.Status.ServerConfigRef == nil { - return nil, errors.New("server config name not specified") ->>>>>>> df48e12 (updates-1) } replicas := int32(1) scheme := corev1.URISchemeHTTP @@ -83,14 +77,9 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ -<<<<<<< HEAD - Path: "/healthz", - Port: intstr.FromInt32(serverPort), -======= Path: "/healthz", - Port: intstr.FromInt32(6962), + Port: intstr.FromInt32(serverPort), Scheme: scheme, ->>>>>>> df48e12 (updates-1) }, }, InitialDelaySeconds: 10, @@ -102,14 +91,9 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ -<<<<<<< HEAD - Path: "/healthz", - Port: intstr.FromInt32(serverPort), -======= Path: "/healthz", - Port: intstr.FromInt32(6962), + Port: intstr.FromInt32(serverPort), Scheme: scheme, ->>>>>>> df48e12 (updates-1) }, }, InitialDelaySeconds: 10, From 4dd44add83ba145237ca2e40ac097d378c7894a3 Mon Sep 17 00:00:00 2001 
From: Firas Ghanmi Date: Sat, 17 Aug 2024 12:34:37 +0200 Subject: [PATCH 04/18] resolve conflicts+updates --- api/v1alpha1/fulcio_types.go | 2 +- bundle/manifests/rhtas-operator.clusterserviceversion.yaml | 6 +++--- bundle/manifests/rhtas.redhat.com_fulcios.yaml | 1 - bundle/manifests/rhtas.redhat.com_securesigns.yaml | 1 - config/crd/bases/rhtas.redhat.com_fulcios.yaml | 1 - config/crd/bases/rhtas.redhat.com_securesigns.yaml | 1 - 6 files changed, 4 insertions(+), 8 deletions(-) diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go index 9d4521ac9..521fe4bca 100644 --- a/api/v1alpha1/fulcio_types.go +++ b/api/v1alpha1/fulcio_types.go @@ -14,7 +14,7 @@ type FulcioSpec struct { ExternalAccess ExternalAccess `json:"externalAccess,omitempty"` // Ctlog service configuration //+optional - //+kubebuilder:default:={port: 80, prefix: trusted-artifact-signer} + //+kubebuilder:default:={prefix: trusted-artifact-signer} Ctlog CtlogService `json:"ctlog,omitempty"` // Fulcio Configuration //+required diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 2d895b4d4..f843bd3c1 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -92,8 +92,8 @@ metadata: "OIDCIssuers": [ { "ClientID": "trusted-artifact-signer", - "Issuer": "https://your-oidc-issuer-url", - "IssuerURL": "https://your-oidc-issuer-url", + "Issuer": "https://keycloak-keycloak-system.apps.rosa.ebh6v-tpwpi-a4f.ohpr.p3.openshiftapps.com/auth/realms/trusted-artifact-signer", + "IssuerURL": "https://keycloak-keycloak-system.apps.rosa.ebh6v-tpwpi-a4f.ohpr.p3.openshiftapps.com/auth/realms/trusted-artifact-signer", "Type": "email" } ] 
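Review bot: The `Issuer`/`IssuerURL` placeholders in the CSV's alm-examples are replaced with a cluster-specific Keycloak hostname on what looks like a ROSA test cluster, and that value ships in the published bundle and stays in git history. Patch 05 of this series restores `https://your-oidc-issuer-url`, so the two should be squashed so the internal hostname never lands in the bundle at all. The `builder` annotation moving from operator-sdk-v1.34.2 to v1.34.1 in the next hunk suggests the bundle was regenerated with an older local SDK rather than the project's pinned version.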
@@ -309,7 +309,7 @@ metadata: features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' - operators.operatorframework.io/builder: operator-sdk-v1.34.2 + operators.operatorframework.io/builder: operator-sdk-v1.34.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/securesign/secure-sign-operator support: Red Hat diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index fabbf5412..374781447 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -223,7 +223,6 @@ spec: (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: default: - port: 80 prefix: trusted-artifact-signer description: Ctlog service configuration properties: diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 8fe22b99b..31ed5eb69 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -431,7 +431,6 @@ spec: || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: default: - port: 80 prefix: trusted-artifact-signer description: Ctlog service configuration properties: diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 0d55b94ce..f80d4bf12 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -223,7 +223,6 @@ spec: (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: default: - port: 80 prefix: trusted-artifact-signer description: Ctlog service configuration properties: diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index 3d9a6acb8..d1a075a19 100644 
--- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -431,7 +431,6 @@ spec: || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: default: - port: 80 prefix: trusted-artifact-signer description: Ctlog service configuration properties: From 194366400e249e1dddea78a60b6c206e4132cb6a Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Sat, 17 Aug 2024 12:36:14 +0200 Subject: [PATCH 05/18] updates --- api/v1alpha1/common.go | 5 ++--- bundle/manifests/rhtas-operator.clusterserviceversion.yaml | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index d9ad110f7..05aa845a3 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go @@ -107,7 +107,6 @@ type Pvc struct { AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty"` } -<<<<<<< HEAD type Auth struct { // Environmental variables used to define authentication parameters //+optional @@ -115,7 +114,8 @@ type Auth struct { // Secret ref to be mounted inside a pod, Mount path defaults to /var/run/secrets/tas/auth //+optional SecretMount []SecretKeySelector `json:"secretMount,omitempty"` -======= +} + // TLSCert defines fields for TLS certificate // +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty type TLSCert struct { @@ -128,7 +128,6 @@ type TLSCert struct { // Reference to CA certificate //+optional CACertRef *LocalObjectReference `json:"CACertRef,omitempty"` ->>>>>>> 8dc3af9 (Add TLS to Rekor and Trillian services) } // TLS (Transport Layer Security) Configuration for enabling service encryption. diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index f843bd3c1..7950bb27f 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml 
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -92,8 +92,8 @@ metadata: "OIDCIssuers": [ { "ClientID": "trusted-artifact-signer", - "Issuer": "https://keycloak-keycloak-system.apps.rosa.ebh6v-tpwpi-a4f.ohpr.p3.openshiftapps.com/auth/realms/trusted-artifact-signer", - "IssuerURL": "https://keycloak-keycloak-system.apps.rosa.ebh6v-tpwpi-a4f.ohpr.p3.openshiftapps.com/auth/realms/trusted-artifact-signer", + "Issuer": "https://your-oidc-issuer-url", + "IssuerURL": "https://your-oidc-issuer-url", "Type": "email" } ] From 73a3ee41acce49eadad8e83759b48cd626eab592 Mon Sep 17 00:00:00 2001 
From: Firas Ghanmi Date: Thu, 12 Sep 2024 13:16:17 +0200 Subject: [PATCH 06/18] refactor code --- api/v1alpha1/common.go | 14 -- api/v1alpha1/ctlog_types.go | 6 +- api/v1alpha1/ctlog_types_test.go | 10 -- api/v1alpha1/fulcio_types.go | 4 - api/v1alpha1/fulcio_types_test.go | 16 -- api/v1alpha1/zz_generated.deepcopy.go | 42 +----- .../rhtas-operator.clusterserviceversion.yaml | 2 +- bundle/manifests/rhtas.redhat.com_ctlogs.yaml | 51 ++----- .../manifests/rhtas.redhat.com_fulcios.yaml | 111 -------------- .../rhtas.redhat.com_securesigns.yaml | 82 +---------- config/crd/bases/rhtas.redhat.com_ctlogs.yaml | 51 ++----- .../crd/bases/rhtas.redhat.com_fulcios.yaml | 111 -------------- .../bases/rhtas.redhat.com_securesigns.yaml | 82 +---------- config/samples/rhtas_v1alpha1_securesign.yaml | 14 +- .../controller/ctlog/actions/config_map.go | 79 ---------- .../controller/ctlog/actions/deployment.go | 138 +++++------------- internal/controller/ctlog/actions/service.go | 24 ++- internal/controller/ctlog/ctlog_controller.go | 2 - .../controller/ctlog/ctlog_controller_test.go | 13 +- .../ctlog/utils/ctlog_deployment.go | 22 ++- internal/controller/ctlog/utils/tls.go | 20 +++ .../controller/fulcio/actions/config_map.go | 79 ---------- .../controller/fulcio/actions/deployment.go | 80 ++-------- .../controller/fulcio/fulcio_controller.go | 2 - .../fulcio/fulcio_controller_test.go | 12 +- internal/controller/fulcio/utils/tls.go | 46 ++++++ 26 files changed, 201 insertions(+), 912 deletions(-) delete mode 100644 internal/controller/ctlog/actions/config_map.go create mode 100644 internal/controller/ctlog/utils/tls.go delete mode 100644 internal/controller/fulcio/actions/config_map.go create mode 100644 internal/controller/fulcio/utils/tls.go diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index 05aa845a3..be2150422 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go 
@@ -116,20 +116,6 @@ type Auth struct { SecretMount []SecretKeySelector `json:"secretMount,omitempty"` } -// TLSCert defines fields for TLS certificate -// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty -type TLSCert struct { - // Reference to the private key - //+optional - PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"` - // Reference to service certificate - //+optional - CertRef *SecretKeySelector `json:"certRef,omitempty"` - // Reference to CA certificate - //+optional - CACertRef *LocalObjectReference `json:"CACertRef,omitempty"` -} - // TLS (Transport Layer Security) Configuration for enabling service encryption. // +kubebuilder:validation:XValidation:rule=(!has(self.certificateRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty type TLS struct { diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go index c51b1fe0d..bbe27f883 100644 --- a/api/v1alpha1/ctlog_types.go +++ b/api/v1alpha1/ctlog_types.go @@ -48,9 +48,9 @@ type CTlogSpec struct { // publicKeyRef, rootCertificates and trillian will be overridden. //+optional ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` - // Reference to TLS server certificate, private key and CA certificate + // Configuration for enabling TLS (Transport Layer Security) encryption for manged database. //+optional - TLSCertificate TLSCert `json:"tls"` + TLS TLS `json:"tls,omitempty"` } // CTlogStatus defines the observed state of CTlog component 
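Review bot: The new field comment `Configuration for enabling TLS (Transport Layer Security) encryption for manged database.` appears to have been copied from the database TLS field and carries the `manged` typo; since this is a CTlogSpec field and the text is what controller-gen writes into the CRD descriptions (see the generated YAML hunks later in this patch), replace it with `// Configuration for enabling TLS (Transport Layer Security) encryption for the ctlog service.` and regenerate the manifests.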
@@ -60,7 +60,7 @@ type CTlogStatus struct { PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"` PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"` RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"` - TLSCertificate *TLSCert `json:"tls,omitempty"` + TLS TLS `json:"tls,omitempty"` // The ID of a Trillian tree that stores the log data. TreeID *int64 `json:"treeID,omitempty"` // +listType=map diff --git a/api/v1alpha1/ctlog_types_test.go b/api/v1alpha1/ctlog_types_test.go index 55ad7618b..3026af7d8 100644 --- a/api/v1alpha1/ctlog_types_test.go +++ b/api/v1alpha1/ctlog_types_test.go @@ -136,16 +136,6 @@ var _ = Describe("CTlog", func() { Address: "trillian-system.default.svc", Port: &port, }, - TLSCertificate: TLSCert{ - CertRef: &SecretKeySelector{ - Key: "cert", - LocalObjectReference: LocalObjectReference{Name: "secret"}, - }, - PrivateKeyRef: &SecretKeySelector{ - Key: "key", - LocalObjectReference: LocalObjectReference{Name: "secret"}, - }, - }, }, } diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go index 521fe4bca..b5fc53163 100644 --- a/api/v1alpha1/fulcio_types.go +++ b/api/v1alpha1/fulcio_types.go @@ -26,9 +26,6 @@ type FulcioSpec struct { // ConfigMap with additional bundle of trusted CA //+optional TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"` - // Reference to TLS server certificate, private key and CA certificate - //+optional - TLSCertificate TLSCert `json:"tls"` } // FulcioCert defines fields for system-generated certificate @@ -104,7 +101,6 @@ type OIDCIssuer struct { type FulcioStatus struct { ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` Certificate *FulcioCert `json:"certificate,omitempty"` - TLSCertificate *TLSCert `json:"tls,omitempty"` Url string `json:"url,omitempty"` // +listType=map // +listMapKey=type diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go index 7fd94eb90..eb58e0bb7 100644 
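Review bot: `omitempty` on the struct-valued `TLS TLS` field has no effect with encoding/json, because a struct is never considered empty, so every CTlog status will now serialize `tls: {}` even when no TLS is configured, whereas the previous `*TLSCert` pointer was omitted when nil. Either keep a pointer (`TLS *TLS` with the same tag) or drop `omitempty` so the tag does not suggest behaviour it cannot deliver; the same applies to the `TLS TLS` spec field in the previous hunk.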
--- a/api/v1alpha1/fulcio_types_test.go +++ b/api/v1alpha1/fulcio_types_test.go @@ -235,11 +235,6 @@ var _ = Describe("Fulcio", func() { Port: ptr.To(int32(80)), Prefix: "trusted-artifact-signer", }, - TLSCertificate: TLSCert{ - CertRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, - PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, - CACertRef: &LocalObjectReference{Name: "ca-configmap"}, - }, }, } @@ -292,17 +287,6 @@ func generateFulcioObject(name string) *Fulcio { Port: ptr.To(int32(80)), Prefix: "trusted-artifact-signer", }, - TLSCertificate: TLSCert{ - CertRef: &SecretKeySelector{ - Key: "cert", - LocalObjectReference: LocalObjectReference{Name: "secret"}, - }, - PrivateKeyRef: &SecretKeySelector{ - Key: "key", - LocalObjectReference: LocalObjectReference{Name: "secret"}, - }, - CACertRef: &LocalObjectReference{Name: "ca-configmap"}, - }, }, } } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 18097afe7..6b6005505 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -167,7 +167,7 @@ func (in *CTlogSpec) DeepCopyInto(out *CTlogSpec) { *out = new(LocalObjectReference) **out = **in } - in.TLSCertificate.DeepCopyInto(&out.TLSCertificate) + in.TLS.DeepCopyInto(&out.TLS) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTlogSpec. @@ -208,11 +208,7 @@ func (in *CTlogStatus) DeepCopyInto(out *CTlogStatus) { *out = make([]SecretKeySelector, len(*in)) copy(*out, *in) } - if in.TLSCertificate != nil { - in, out := &in.TLSCertificate, &out.TLSCertificate - *out = new(TLSCert) - (*in).DeepCopyInto(*out) - } + in.TLS.DeepCopyInto(&out.TLS) if in.TreeID != nil { in, out := &in.TreeID, &out.TreeID *out = new(int64) 
@@ -460,7 +456,6 @@ func (in *FulcioSpec) DeepCopyInto(out *FulcioSpec) { *out = new(LocalObjectReference) **out = **in } - in.TLSCertificate.DeepCopyInto(&out.TLSCertificate) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioSpec. @@ -486,11 +481,6 @@ func (in *FulcioStatus) DeepCopyInto(out *FulcioStatus) { *out = new(FulcioCert) (*in).DeepCopyInto(*out) } - if in.TLSCertificate != nil { - in, out := &in.TLSCertificate, &out.TLSCertificate - *out = new(TLSCert) - (*in).DeepCopyInto(*out) - } if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions *out = make([]metav1.Condition, len(*in)) @@ -1223,34 +1213,6 @@ func (in *Tink) DeepCopy() *Tink { in.DeepCopyInto(out) return out } -func (in *TLSCert) DeepCopyInto(out *TLSCert) { - *out = *in - if in.PrivateKeyRef != nil { - in, out := &in.PrivateKeyRef, &out.PrivateKeyRef - *out = new(SecretKeySelector) - **out = **in - } - if in.CertRef != nil { - in, out := &in.CertRef, &out.CertRef - *out = new(SecretKeySelector) - **out = **in - } - if in.CACertRef != nil { - in, out := &in.CACertRef, &out.CACertRef - *out = new(LocalObjectReference) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCert. -func (in *TLSCert) DeepCopy() *TLSCert { - if in == nil { - return nil - } - out := new(TLSCert) - in.DeepCopyInto(out) - return out -} // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Trillian) DeepCopyInto(out *Trillian) { diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 7950bb27f..53747aab7 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml 
@@ -297,7 +297,7 @@ metadata: ] capabilities: Seamless Upgrades containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:028b6eec7f821b18cf710237a7613ef76d2bacdeff56462368e4e186f26627cc - createdAt: "2024-09-11T13:45:32Z" + createdAt: "2024-09-12T09:06:03Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" diff --git a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml index 0ecf6f14d..a1e63613b 100644 --- a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml +++ b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml @@ -153,23 +153,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: Reference to TLS server certificate, private key and - CA certificate + description: Configuration for enabling TLS (Transport Layer Security) + encryption for manged database. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -187,7 +176,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be 
@@ -207,7 +197,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. @@ -400,22 +390,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: TLSCert defines fields for TLS certificate + description: TLS (Transport Layer Security) Configuration for enabling + service encryption. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -433,7 +413,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -453,7 +434,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: The ID of a Trillian tree that stores the log data. format: int64 diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index 374781447..bf9ea19e5 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml 
@@ -280,62 +280,6 @@ spec: required: - enabled type: object - tls: - description: Reference to TLS server certificate, private key and - CA certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: 
@@ -513,61 +457,6 @@ spec: - name type: object x-kubernetes-map-type: atomic - tls: - description: TLSCert defines fields for TLS certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) url: type: string type: object diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 31ed5eb69..c74b8d769 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml 
@@ -169,23 +169,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: Reference to TLS server certificate, private key - and CA certificate + description: Configuration for enabling TLS (Transport Layer Security) + encryption for manged database. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for + TLS encryption. properties: key: description: The key of the secret to select from. Must @@ -203,7 +192,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for + TLS encryption. properties: key: description: The key of the secret to select from. Must @@ -223,7 +213,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -489,62 +479,6 @@ spec: required: - enabled type: object - tls: - description: Reference to TLS server certificate, private key - and CA certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml index 394eea356..6a307b962 100644 --- a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml +++ b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml 
@@ -153,23 +153,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: Reference to TLS server certificate, private key and - CA certificate + description: Configuration for enabling TLS (Transport Layer Security) + encryption for manged database. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -187,7 +176,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -207,7 +197,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -400,22 +390,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: TLSCert defines fields for TLS certificate + description: TLS (Transport Layer Security) Configuration for enabling + service encryption. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -433,7 +413,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for TLS + encryption. properties: key: description: The key of the secret to select from. Must be @@ -453,7 +434,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: The ID of a Trillian tree that stores the log data. format: int64 diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index f80d4bf12..5c682e21c 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml 
@@ -280,62 +280,6 @@ spec: required: - enabled type: object - tls: - description: Reference to TLS server certificate, private key and - CA certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: 
@@ -513,61 +457,6 @@ spec: - name type: object x-kubernetes-map-type: atomic - tls: - description: TLSCert defines fields for TLS certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) url: type: string type: object diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index d1a075a19..3fd113a17 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml 
@@ -169,23 +169,12 @@ spec: type: object x-kubernetes-map-type: atomic tls: - description: Reference to TLS server certificate, private key - and CA certificate + description: Configuration for enabling TLS (Transport Layer Security) + encryption for manged database. properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate + certificateRef: + description: Reference to the certificate secret used for + TLS encryption. properties: key: description: The key of the secret to select from. Must @@ -203,7 +192,8 @@ spec: type: object x-kubernetes-map-type: atomic privateKeyRef: - description: Reference to the private key + description: Reference to the private key secret used for + TLS encryption. properties: key: description: The key of the secret to select from. Must @@ -223,7 +213,7 @@ spec: type: object x-kubernetes-validations: - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) + rule: (!has(self.certificateRef) || has(self.privateKeyRef)) treeID: description: |- The ID of a Trillian tree that stores the log data. 
@@ -489,62 +479,6 @@ spec: required: - enabled type: object - tls: - description: Reference to TLS server certificate, private key - and CA certificate - properties: - CACertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) trustedCA: description: ConfigMap with additional bundle of trusted CA properties: diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml index 6c8d360fe..1cf210edf 100644 --- a/config/samples/rhtas_v1alpha1_securesign.yaml +++ b/config/samples/rhtas_v1alpha1_securesign.yaml 
@@ -40,13 +40,13 @@ spec: - name: ctfe.pub - name: fulcio_v1.crt.pem - name: tsa.certchain.pem - rootKeySecretRef: - name: tuf-root-keys - pvc: - accessModes: - - ReadWriteOnce - retain: true - size: 100Mi + # rootKeySecretRef: + # name: tuf-root-keys + # pvc: + # accessModes: + # - ReadWriteOnce + # retain: true + # size: 100Mi ctlog: tsa: externalAccess: diff --git a/internal/controller/ctlog/actions/config_map.go b/internal/controller/ctlog/actions/config_map.go deleted file mode 100644 index 354b76878..000000000 --- a/internal/controller/ctlog/actions/config_map.go +++ /dev/null 
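Review bot: The `rootKeySecretRef` and `pvc` entries of the tuf section are commented out rather than changed, and nothing in a TLS commit explains why; this reads as a local debugging leftover and silently alters what the sample deploys (the TUF root keys are no longer sourced from a secret and no PVC is requested). Either restore the seven lines or remove them outright and say so in the commit message, since a commented-out block in a sample gives users no hint whether it is still supported.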
@@ -1,79 +0,0 @@ -package actions - -import ( - "context" - "fmt" - - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" - "github.com/securesign/operator/internal/controller/common/action" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" - "github.com/securesign/operator/internal/controller/constants" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/meta" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" -) - -func NewCAConfigMapAction() action.Action[*rhtasv1alpha1.CTlog] { - return &configMapAction{} -} - -type configMapAction struct { - action.BaseAction -} - -func (i configMapAction) Name() string { - return "create CA configMap" -} - -func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool { - c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) - cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") - return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil -} - -func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result { - var ( - err error - updated bool - ) - - labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - - configMap := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ca-configmap", - Namespace: instance.Namespace, - Labels: labels, - }, - Data: map[string]string{}, - } - - if err = controllerutil.SetControllerReference(instance, configMap, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controller reference for configMap: %w", err)) - } - if updated, err = i.Ensure(ctx, configMap); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: constants.Ready, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - Message: 
err.Error(), - }) - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create configMap: %w", err), instance) - } - - //TLS: Annotate configMap - configMap.Annotations = map[string]string{"service.beta.openshift.io/inject-cabundle": "true"} - err = i.Client.Update(ctx, configMap) - if err != nil { - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate configMap: %w", err), instance) - } - - if updated { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, - Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "ConfigMap created"}) - return i.StatusUpdate(ctx, instance) - } else { - return i.Continue() - } -} diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go index b632d3448..b5d57144c 100644 --- a/internal/controller/ctlog/actions/deployment.go +++ b/internal/controller/ctlog/actions/deployment.go @@ -8,11 +8,10 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" + "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" "github.com/securesign/operator/internal/controller/ctlog/utils" trillian "github.com/securesign/operator/internal/controller/trillian/actions" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" 
@@ -41,16 +40,35 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) err error ) + // TLS + switch { + case instance.Spec.TLS.CertRef != nil: + instance.Status.TLS = instance.Spec.TLS + case kubernetes.IsOpenShift(): + instance.Status.TLS = rhtasv1alpha1.TLS{ + CertRef: &rhtasv1alpha1.SecretKeySelector{ + LocalObjectReference: rhtasv1alpha1.LocalObjectReference{Name: instance.Name + "-ctlog-tls"}, + Key: "tls.crt", + }, + PrivateKeyRef: &rhtasv1alpha1.SecretKeySelector{ + LocalObjectReference: rhtasv1alpha1.LocalObjectReference{Name: instance.Name + "-ctlog-tls"}, + Key: "tls.key", + }, + } + default: + i.Logger.V(1).Info("Communication to trillian log server is insecure") + } + labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) + // signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") + // useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) switch { case instance.Spec.Trillian.Address == "": instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) } - dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort, useHTTPS) + dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, 
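Review bot: The `default` branch logs `Communication to trillian log server is insecure`, but the switch decides ctlog's own serving certificate (`instance.Status.TLS`), not the client connection to Trillian; `i.Logger.V(1).Info("CTlog server TLS is disabled; serving plain HTTP")` would describe what the new code does. The two commented-out lines (`// signingKeySecret, _ := ...` and `// useHTTPS := ...`) are dead after this change and should be deleted rather than kept as comments. The serving-cert secret name `instance.Name + "-ctlog-tls"` is also spelled out here twice and again in the service action's annotation; a single package-level suffix constant shared by both actions would keep the Deployment's mount and the Service's annotation from drifting apart. `Handle` starts before this hunk.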
@@ -65,104 +83,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) return i.Failed(err) } - // TLS certificate - if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil { - dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.CertRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TLSCertificate.CertRef.Key, - Path: "tls.crt", - }, - }, - }, - }, - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TLSCertificate.PrivateKeyRef.Key, - Path: "tls.key", - }, - }, - }, - }, - { - ConfigMap: &corev1.ConfigMapProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.CACertRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: "ca.crt", // User should use this key. 
- Path: "ca.crt", - }, - }, - }, - }, - }, - }, - }, - }) - } else if signingKeySecret != nil { - i.Logger.V(1).Info("TLS: Using secrets/signing-key secret") - dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Name + "-ctlog-tls-secret", - }, - }, - }, - { - ConfigMap: &corev1.ConfigMapProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "ca-configmap", - }, - Items: []corev1.KeyToPath{ - { - Key: "service-ca.crt", - Path: "ca.crt", - }, - }, - }, - }, - }, - }, - }, - }) - } else { - i.Logger.V(1).Info("Communication between services is insecure") - } - - if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { - dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, - corev1.VolumeMount{ - Name: "tls-cert", - MountPath: "/etc/ssl/certs", - ReadOnly: true, - }) - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt") - dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key") - // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") - } + //TLS + // if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + // dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, + // corev1.VolumeMount{ + // Name: "tls-cert", + // MountPath: "/etc/ssl/certs", + // ReadOnly: true, + // }) + // 
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt") + // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key") + // // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") + // } if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err)) diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index 7c0232658..54e278a6d 100644 --- a/internal/controller/ctlog/actions/service.go +++ b/internal/controller/ctlog/actions/service.go @@ -41,10 +41,9 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name) - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") var port int var portName string - if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil { + if instance.Spec.TLS.CertRef != nil || k8sutils.IsOpenShift() { // TODO: replace with useTLS port = HttpsServerPort portName = HttpsServerPortName } else { 
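Review bot: The `//TLS` block keeps roughly ten lines of the old volume-mount and `--tls_certificate`/`--tls_key` wiring as commented-out code, although the new side delegates exactly that to `utils.CreateDeployment`; the block should be removed, with version control holding the history. Worth stating in the commit message: the removed `CACertRef`/`ca-configmap` projection and the (already commented) `--trillian_tls_ca_cert_file` line were the only trace of a CA bundle for ctlog's client connection to Trillian, and this diff shows no replacement, so server verification on that connection appears to remain unconfigured. `Handle` begins before this hunk and continues after it.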
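Review bot: The port-selection condition `instance.Spec.TLS.CertRef != nil || k8sutils.IsOpenShift()` carries a `// TODO: replace with useTLS` even though `utils.UseTLS` is added in this same commit with exactly that predicate, and the `actions` package already imports the ctlog `utils` package in deployment.go; `if utils.UseTLS(instance) {` removes both the duplication and the TODO. With two copies of the rule, a later change to how TLS is enabled can leave the Service on 443 while the Deployment serves plain HTTP, or the reverse. `Handle` starts before this hunk and continues after it.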
@@ -60,6 +59,15 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog TargetPort: intstr.FromInt32(MetricsPort), }) } + + //TLS: Annotate service + if k8sutils.IsOpenShift() && instance.Spec.TLS.CertRef == nil { + if svc.Annotations == nil { + svc.Annotations = make(map[string]string) + } + svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls" + } + if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Service: %w", err)) } @@ -73,18 +81,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance) } - //TLS: Annotate service - if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil { - if svc.Annotations == nil { - svc.Annotations = make(map[string]string) - } - svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls-secret" - err := i.Client.Update(ctx, svc) - if err != nil { - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance) - } - } - if updated { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"}) diff --git a/internal/controller/ctlog/ctlog_controller.go b/internal/controller/ctlog/ctlog_controller.go index e26172526..d7c7c1dff 100644 --- a/internal/controller/ctlog/ctlog_controller.go +++ b/internal/controller/ctlog/ctlog_controller.go 
@@ -92,7 +92,6 @@ func (r *CTlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl return []string{actions.CertCondition} }), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.CTlog](), - actions.NewCAConfigMapAction(), actions.NewHandleFulcioCertAction(), actions.NewHandleKeysAction(), actions.NewResolveTreeAction(), @@ -155,7 +154,6 @@ func (r *CTlogReconciler) SetupWithManager(mgr ctrl.Manager) error { For(&rhtasv1alpha1.CTlog{}). Owns(&v1.Deployment{}). Owns(&v12.Service{}). - Owns(&v12.ConfigMap{}). WatchesMetadata(partialSecret, handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, object client.Object) []reconcile.Request { val, ok := object.GetLabels()["app.kubernetes.io/instance"] if ok { diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go index a7e67eb5c..54d60daa7 100644 --- a/internal/controller/ctlog/ctlog_controller_test.go +++ b/internal/controller/ctlog/ctlog_controller_test.go @@ -96,17 +96,6 @@ var _ = Describe("CTlog controller", func() { Spec: v1alpha1.CTlogSpec{ TreeID: &ptr, - TLSCertificate: v1alpha1.TLSCert{ - CertRef: &v1alpha1.SecretKeySelector{ - Key: "cert", - LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-crt"}, - }, - PrivateKeyRef: &v1alpha1.SecretKeySelector{ - Key: "key", - LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-key"}, - }, - CACertRef: &v1alpha1.LocalObjectReference{Name: "ca-configmap"}, - }, }, } err = k8sClient.Create(ctx, instance) @@ -168,7 +157,7 @@ var _ = Describe("CTlog controller", func() { Eventually(func() error { return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service) }).Should(Succeed()) - Expect(service.Spec.Ports[0].Port).Should(Equal(int32(443))) + Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80))) By("Move to Ready phase") // Workaround to succeed condition for Ready phase 
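Review bot: Dropping the `TLSCertificate` spec from the test instance and changing the expected port from 443 to 80 leaves no test that exercises either TLS path this commit introduces (an explicit `Spec.TLS.CertRef` or the OpenShift serving-cert branch). A second case that sets `Spec.TLS` with a `CertRef` and `PrivateKeyRef` and asserts `Expect(service.Spec.Ports[0].Port).Should(Equal(int32(443)))` would keep the port selection under test, and the OpenShift branch can be covered wherever `IsOpenShift` is stubbed in the existing suite, if it is.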
diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go index 5abb646f3..2fa3a6978 100644 --- a/internal/controller/ctlog/utils/ctlog_deployment.go +++ b/internal/controller/ctlog/utils/ctlog_deployment.go @@ -1,6 +1,7 @@ package utils import ( + "errors" "fmt" "strconv" @@ -13,7 +14,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) -func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32, useHTTPS bool) (*appsv1.Deployment, error) { +func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32) (*appsv1.Deployment, error) { switch { case instance.Status.ServerConfigRef == nil: return nil, fmt.Errorf("CreateCTLogDeployment: %w", ServerConfigNotSpecified) @@ -25,24 +26,23 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified) } replicas := int32(1) - scheme := corev1.URISchemeHTTP - if useHTTPS { - scheme = corev1.URISchemeHTTPS - } - // Define a new Deployment object - containerPorts := []corev1.ContainerPort{ { ContainerPort: serverPort, Protocol: corev1.ProtocolTCP, }, } - + scheme := corev1.URISchemeHTTP appArgs := []string{ "--http_endpoint=0.0.0.0:" + strconv.Itoa(int(serverPort)), "--log_config=/ctfe-keys/config", "--alsologtostderr", } + if UseTLS(instance) { + scheme = corev1.URISchemeHTTPS + appArgs = append(appArgs, "--tls_certificate", "/var/run/secrets/tas/tls.crt") + appArgs = append(appArgs, "--tls_key", "/var/run/secrets/tas/tls.key") + } if instance.Spec.Monitoring.Enabled { appArgs = append(appArgs, "--metrics_endpoint=0.0.0.0:"+strconv.Itoa(int(metricsPort))) 
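Review bot: `UseTLS(instance)` decides from `instance.Spec.TLS.CertRef` and the OpenShift check, while the mounts are taken later from `instance.Status.TLS` via `utils.SetTLS`; if `Status.TLS` is empty (the deploy action fills it only on the path shown in deployment.go), the container presumably still receives `--tls_certificate /var/run/secrets/tas/tls.crt` with nothing mounted there. Driving both from the same value, e.g. `if instance.Status.TLS.CertRef != nil {` here or having `UseTLS` read status, would make the arguments and the mount agree. The two `/var/run/secrets/tas/...` paths are also coupled to whatever mount path `SetTLS` uses, which this diff does not show; a shared constant would make that coupling explicit.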
@@ -52,6 +52,7 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string }) } + // Define a new Deployment object dep := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: deploymentName, @@ -127,5 +128,10 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string }, } utils.SetProxyEnvs(dep) + + if err := utils.SetTLS(&dep.Spec.Template, instance.Status.TLS); err != nil { + return nil, errors.New("could not set TLS: " + err.Error()) + } + return dep, nil } diff --git a/internal/controller/ctlog/utils/tls.go b/internal/controller/ctlog/utils/tls.go new file mode 100644 index 000000000..58615a3de --- /dev/null +++ b/internal/controller/ctlog/utils/tls.go @@ -0,0 +1,20 @@ +package utils + +import ( + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/controller/common/utils/kubernetes" +) + +func UseTLS(instance *rhtasv1alpha1.CTlog) bool { + + if instance == nil { + return false + } + + // TLS enabled on Ctlog + if instance.Spec.TLS.CertRef != nil || kubernetes.IsOpenShift() { + return true + } + + return false +} diff --git a/internal/controller/fulcio/actions/config_map.go b/internal/controller/fulcio/actions/config_map.go deleted file mode 100644 index 272b42a82..000000000 --- a/internal/controller/fulcio/actions/config_map.go +++ /dev/null 
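Review bot: `errors.New("could not set TLS: " + err.Error())` flattens the error from `utils.SetTLS` into a string, so callers lose `errors.Is`/`errors.As` on whatever it wrapped; `fmt` is already imported in this file, so `return nil, fmt.Errorf("could not set TLS: %w", err)` keeps the chain and the `errors` import added in the first hunk becomes unnecessary.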
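Review bot: `UseTLS` spells a boolean as `if ... { return true }` followed by `return false`, with a stray blank line after the signature; `return instance != nil && (instance.Spec.TLS.CertRef != nil || kubernetes.IsOpenShift())` is the same function in one line. As an exported function it also needs a doc comment starting with its name, e.g. `// UseTLS reports whether the CTlog server should serve TLS: when the spec references a certificate, or on OpenShift where a serving certificate is requested via the service annotation.`, which replaces the `// TLS enabled on Ctlog` comment.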
@@ -1,79 +0,0 @@ -package actions - -import ( - "context" - "fmt" - - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" - "github.com/securesign/operator/internal/controller/common/action" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" - "github.com/securesign/operator/internal/controller/constants" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/meta" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" -) - -func NewCAConfigMapAction() action.Action[*rhtasv1alpha1.Fulcio] { - return &configMapAction{} -} - -type configMapAction struct { - action.BaseAction -} - -func (i configMapAction) Name() string { - return "create CA configMap" -} - -func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool { - c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) - cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") - return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil -} - -func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result { - var ( - err error - updated bool - ) - - labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - - configMap := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "ca-configmap", - Namespace: instance.Namespace, - Labels: labels, - }, - Data: map[string]string{}, - } - - if err = controllerutil.SetControllerReference(instance, configMap, i.Client.Scheme()); err != nil { - return i.Failed(fmt.Errorf("could not set controller reference for configMap: %w", err)) - } - if updated, err = i.Ensure(ctx, configMap); err != nil { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: constants.Ready, - Status: metav1.ConditionFalse, - Reason: constants.Failure, - 
Message: err.Error(), - }) - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create configMap: %w", err), instance) - } - - //TLS: Annotate configMap - configMap.Annotations = map[string]string{"service.beta.openshift.io/inject-cabundle": "true"} - err = i.Client.Update(ctx, configMap) - if err != nil { - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate configMap: %w", err), instance) - } - - if updated { - meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, - Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "ConfigMap created"}) - return i.StatusUpdate(ctx, instance) - } else { - return i.Continue() - } -} diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index 7e17f98e1..f43cdbf9b 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go @@ -6,10 +6,8 @@ import ( rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" futils "github.com/securesign/operator/internal/controller/fulcio/utils" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" 
@@ -40,9 +38,8 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") if instance.Spec.Ctlog.Address == "" { - if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + if futils.UseTLS(instance) { instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace) } else { instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) @@ -50,7 +47,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio } if instance.Spec.Ctlog.Port == nil || *instance.Spec.Ctlog.Port == 0 { var port int32 - if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { + if futils.UseTLS(instance) { port = int32(443) } else { port = int32(80) 
@@ -70,69 +67,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio } } - // TLS certificate - if instance.Spec.TLSCertificate.CACertRef != nil { - dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - Sources: []corev1.VolumeProjection{ - { - ConfigMap: &corev1.ConfigMapProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TLSCertificate.CACertRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: "ca.crt", // User should use this key. - Path: "ca.crt", - }, - }, - }, - }, - }, - }, - }, - }) - } else if signingKeySecret != nil { - i.Logger.V(1).Info("TLS: Using secrets/signing-key secret") - dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - Sources: []corev1.VolumeProjection{ - { - ConfigMap: &corev1.ConfigMapProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "ca-configmap", - }, - Items: []corev1.KeyToPath{ - { - Key: "service-ca.crt", - Path: "ca.crt", - }, - }, - }, - }, - }, - }, - }, - }) - } else { - i.Logger.V(1).Info("Communication between services is insecure") - } - - if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { - dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, - corev1.VolumeMount{ - Name: "tls-cert", - MountPath: "/etc/ssl/certs", - ReadOnly: true, + if futils.UseTLS(instance) { + caPath, err := futils.CAPath(ctx, i.Client, instance) + if err != nil { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: constants.Ready, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), }) - - 
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", "/etc/ssl/certs/ca.crt") + return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance) + } + dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath) } if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { diff --git a/internal/controller/fulcio/fulcio_controller.go b/internal/controller/fulcio/fulcio_controller.go index 82e2ac71f..e7a44da40 100644 --- a/internal/controller/fulcio/fulcio_controller.go +++ b/internal/controller/fulcio/fulcio_controller.go @@ -96,7 +96,6 @@ func (r *FulcioReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr }), actions.NewHandleCertAction(), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.Fulcio](), - actions.NewCAConfigMapAction(), actions.NewRBACAction(), actions.NewServerConfigAction(), actions.NewDeployAction(), @@ -136,7 +135,6 @@ func (r *FulcioReconciler) SetupWithManager(mgr ctrl.Manager) error { For(&rhtasv1alpha1.Fulcio{}). Owns(&v1.Deployment{}). Owns(&v12.Service{}). - Owns(&v12.ConfigMap{}). Owns(&v13.Ingress{}). Complete(r) } diff --git a/internal/controller/fulcio/fulcio_controller_test.go b/internal/controller/fulcio/fulcio_controller_test.go index 63de11497..47b1725a2 100644 --- a/internal/controller/fulcio/fulcio_controller_test.go +++ b/internal/controller/fulcio/fulcio_controller_test.go 
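Review bot: With the projected-volume code deleted, this hunk passes `--ct-log.tls-ca-cert` with a path under `/var/run/configs/tas/ca-trust/` (the TrustedCA case of `futils.CAPath`) without anything here mounting that ConfigMap; presumably `futils.CreateDeployment` now does it, but that should be confirmed and the expected mount point documented on `CAPath` so the two cannot drift. The removed `"Communication between services is insecure"` log was the only signal that Fulcio submits to ctlog over plaintext; keeping an `else { i.Logger.V(1).Info("ctlog TLS disabled; submissions to ctlog are unencrypted") }` branch preserves that observability. The enclosing `Handle` continues past this hunk.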
@@ -122,19 +122,9 @@ var _ = Describe("Fulcio controller", func() { TrustedCA: &v1alpha1.LocalObjectReference{ Name: "trusted-ca-bundle", }, - TLSCertificate: v1alpha1.TLSCert{ - CertRef: &v1alpha1.SecretKeySelector{ - Key: "cert", - LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-crt"}, - }, - PrivateKeyRef: &v1alpha1.SecretKeySelector{ - Key: "key", - LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-key"}, - }, - CACertRef: &v1alpha1.LocalObjectReference{Name: "ca-configmap"}, - }, }, } + Expect(k8sClient.Create(ctx, kubernetes.CreateConfigmap(Namespace, "trusted-ca-bundle", map[string]string{}, map[string]string{"ca-cert": "ca-cert-data"}))).To(Succeed()) err = k8sClient.Create(ctx, instance) Expect(err).To(Not(HaveOccurred())) } diff --git a/internal/controller/fulcio/utils/tls.go b/internal/controller/fulcio/utils/tls.go new file mode 100644 index 000000000..41470a5b0 --- /dev/null +++ b/internal/controller/fulcio/utils/tls.go 
@@ -0,0 +1,46 @@ +package utils + +import ( + "context" + "fmt" + + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/controller/common/utils/kubernetes" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +func UseTLS(instance *rhtasv1alpha1.Fulcio) bool { + + if instance == nil { + return false + } + + // TLS enabled on Ctlog + if instance.Spec.TrustedCA != nil || kubernetes.IsOpenShift() { + return true + } + + return false +} + +func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Fulcio) (string, error) { + if instance.Spec.TrustedCA != nil { + cfgTrust, err := kubernetes.GetConfigMap(ctx, cli, instance.Namespace, instance.Spec.TrustedCA.Name) + if err != nil { + return "", err + } + if len(cfgTrust.Data) != 1 { + err = fmt.Errorf("%s ConfigMap can contain only 1 record", instance.Spec.TrustedCA.Name) + return "", err + } + for key := range cfgTrust.Data { + return "/var/run/configs/tas/ca-trust/" + key, nil + } + } + + if instance.Spec.TrustedCA == nil && kubernetes.IsOpenShift() { + return "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt", nil + } + + return "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", nil +} From 2bd778428541afc5a0dcf5aaca325e186943f62c Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Thu, 12 Sep 2024 13:17:28 +0200 Subject: [PATCH 07/18] revert v1alpha1_securesign.yaml --- config/samples/rhtas_v1alpha1_securesign.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml index 1cf210edf..6c8d360fe 100644 --- a/config/samples/rhtas_v1alpha1_securesign.yaml +++ b/config/samples/rhtas_v1alpha1_securesign.yaml 
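Review bot: The last fallback in `CAPath` returns `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, the kube-apiserver CA, which does not issue ctlog serving certificates; as `UseTLS` is written (TrustedCA nil and not OpenShift yields false) that branch is unreachable from the deployment action, so if it is ever reached Fulcio would be handed a bundle that cannot verify ctlog. An explicit `return "", fmt.Errorf("TLS requested but no CA bundle is available to verify ctlog")` makes the invariant visible instead of returning a misleading path. The `len(cfgTrust.Data) != 1` check also only inspects `Data`; if a CA stored under `BinaryData` is meant to be supported the check should cover both maps, otherwise the doc comment should say that only `Data` is read.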
@@ -40,13 +40,13 @@ spec: - name: ctfe.pub - name: fulcio_v1.crt.pem - name: tsa.certchain.pem - # rootKeySecretRef: - # name: tuf-root-keys - # pvc: - # accessModes: - # - ReadWriteOnce - # retain: true - # size: 100Mi + rootKeySecretRef: + name: tuf-root-keys + pvc: + accessModes: + - ReadWriteOnce + retain: true + size: 100Mi ctlog: tsa: externalAccess: From 35065b218392a79c818e6ee0aba71163bb1bce03 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Thu, 12 Sep 2024 13:18:27 +0200 Subject: [PATCH 08/18] update --- api/v1alpha1/fulcio_types_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go index eb58e0bb7..648ce6c17 100644 --- a/api/v1alpha1/fulcio_types_test.go +++ b/api/v1alpha1/fulcio_types_test.go @@ -229,7 +229,6 @@ var _ = Describe("Fulcio", func() { PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, }, - Ctlog: CtlogService{ Address: "ctlog.default.svc", Port: ptr.To(int32(80)), From 65ebbc7972b71c94fa56c640ad052fb2376df817 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Thu, 12 Sep 2024 13:19:22 +0200 Subject: [PATCH 09/18] update --- internal/controller/ctlog/actions/deployment.go | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go index b5d57144c..824342ea4 100644 --- a/internal/controller/ctlog/actions/deployment.go +++ b/internal/controller/ctlog/actions/deployment.go 
@@ -61,8 +61,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - // signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - // useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil) switch { case instance.Spec.Trillian.Address == "": instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) @@ -83,19 +81,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) return i.Failed(err) } - //TLS - // if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil { - // dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts, - // corev1.VolumeMount{ - // Name: "tls-cert", - // MountPath: "/etc/ssl/certs", - // ReadOnly: true, - // }) - // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt") - // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key") - // // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt") - // } - if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err)) } From e4003315be3d7690152b91d01f766635a9d1a765 Mon Sep 17 00:00:00 2001 
From: Firas Ghanmi Date: Thu, 12 Sep 2024 13:21:48 +0200 Subject: [PATCH 10/18] update --- internal/controller/ctlog/ctlog_controller.go | 1 + internal/controller/ctlog/utils/ctlog_deployment.go | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/controller/ctlog/ctlog_controller.go b/internal/controller/ctlog/ctlog_controller.go index d7c7c1dff..f4a7052fc 100644 --- a/internal/controller/ctlog/ctlog_controller.go +++ b/internal/controller/ctlog/ctlog_controller.go @@ -92,6 +92,7 @@ func (r *CTlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl return []string{actions.CertCondition} }), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.CTlog](), + actions.NewHandleFulcioCertAction(), actions.NewHandleKeysAction(), actions.NewResolveTreeAction(), diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go index 2fa3a6978..8d50e07bc 100644 --- a/internal/controller/ctlog/utils/ctlog_deployment.go +++ b/internal/controller/ctlog/utils/ctlog_deployment.go @@ -26,6 +26,8 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified) } replicas := int32(1) + // Define a new Deployment object + containerPorts := []corev1.ContainerPort{ { ContainerPort: serverPort, @@ -52,7 +54,6 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string }) } - // Define a new Deployment object dep := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Name: deploymentName, From ba8516c90ccb51f0f3153da7560a197491f5532f Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Thu, 12 Sep 2024 15:37:04 +0200 Subject: [PATCH 11/18] fix comments --- api/v1alpha1/ctlog_types.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go index bbe27f883..9d03fb5e9 100644 --- a/api/v1alpha1/ctlog_types.go 
+++ b/api/v1alpha1/ctlog_types.go @@ -48,7 +48,7 @@ type CTlogSpec struct { // publicKeyRef, rootCertificates and trillian will be overridden. //+optional ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` - // Configuration for enabling TLS (Transport Layer Security) encryption for manged database. + // Configuration for enabling TLS (Transport Layer Security) encryption for CTlog. //+optional TLS TLS `json:"tls,omitempty"` } From 9baa3a1848ccc0a2c1a8beef6eaecd5069416bd4 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Thu, 12 Sep 2024 15:55:55 +0200 Subject: [PATCH 12/18] update manifests --- bundle/manifests/rhtas-operator.clusterserviceversion.yaml | 2 +- bundle/manifests/rhtas.redhat.com_ctlogs.yaml | 2 +- bundle/manifests/rhtas.redhat.com_securesigns.yaml | 2 +- config/crd/bases/rhtas.redhat.com_ctlogs.yaml | 2 +- config/crd/bases/rhtas.redhat.com_securesigns.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 53747aab7..60c112d90 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -297,7 +297,7 @@ metadata: ] capabilities: Seamless Upgrades containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:028b6eec7f821b18cf710237a7613ef76d2bacdeff56462368e4e186f26627cc - createdAt: "2024-09-12T09:06:03Z" + createdAt: "2024-09-12T13:55:45Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" diff --git a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml index a1e63613b..0be687d4e 100644 --- a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml +++ b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml 
@@ -154,7 +154,7 @@ spec: x-kubernetes-map-type: atomic tls: description: Configuration for enabling TLS (Transport Layer Security) - encryption for manged database. + encryption for CTlog. properties: certificateRef: description: Reference to the certificate secret used for TLS diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index c74b8d769..48d8134fa 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -170,7 +170,7 @@ spec: x-kubernetes-map-type: atomic tls: description: Configuration for enabling TLS (Transport Layer Security) - encryption for manged database. + encryption for CTlog. properties: certificateRef: description: Reference to the certificate secret used for diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml index 6a307b962..1560534b2 100644 --- a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml +++ b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml @@ -154,7 +154,7 @@ spec: x-kubernetes-map-type: atomic tls: description: Configuration for enabling TLS (Transport Layer Security) - encryption for manged database. + encryption for CTlog. properties: certificateRef: description: Reference to the certificate secret used for TLS diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index 3fd113a17..4f871230c 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -170,7 +170,7 @@ spec: x-kubernetes-map-type: atomic tls: description: Configuration for enabling TLS (Transport Layer Security) - encryption for manged database. + encryption for CTlog. properties: certificateRef: description: Reference to the certificate secret used for From 93104c1090c9c5c604163bcaa5229d31cb8e329b Mon Sep 17 00:00:00 2001 
From: Firas Ghanmi Date: Fri, 13 Sep 2024 13:34:09 +0200 Subject: [PATCH 13/18] updates: review --- api/v1alpha1/common.go | 3 +-- bundle/manifests/rhtas.redhat.com_fulcios.yaml | 3 +-- .../manifests/rhtas.redhat.com_securesigns.yaml | 3 +-- config/crd/bases/rhtas.redhat.com_fulcios.yaml | 3 +-- .../crd/bases/rhtas.redhat.com_securesigns.yaml | 3 +-- .../common/utils/kubernetes/service.go | 14 ++++++++++++++ internal/controller/ctlog/actions/service.go | 3 ++- .../controller/fulcio/actions/deployment.go | 13 +++++++++---- internal/controller/fulcio/utils/tls.go | 17 +++++++++++------ 9 files changed, 41 insertions(+), 21 deletions(-) diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index be2150422..d78b63929 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go @@ -43,9 +43,8 @@ type CtlogService struct { //+optional Address string `json:"address,omitempty"` // Port of Ctlog Log Server End point - //+kubebuilder:validation:Minimum:=0 + //+kubebuilder:validation:Minimum:=1 //+kubebuilder:validation:Maximum:=65535 - //+kubebuilder:default:=0 //+optional Port *int32 `json:"port,omitempty"` // Prefix is the name of the log. The prefix cannot be empty and can diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index bf9ea19e5..f949883cd 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -230,11 +230,10 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 0 + minimum: 1 type: integer prefix: default: trusted-artifact-signer diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 48d8134fa..eeb880259 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml 
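Review bot: Dropping `default:=0` and raising the minimum to 1 only validates new writes; Fulcio objects persisted under the previous CRD already carry `port: 0`, and the companion change in the fulcio deployment action now treats only a nil port as "pick the default", so after an upgrade those objects resolve ctlog at port 0 and their next spec update is rejected by the new minimum. Either keep the `*Port == 0` fallback in the reconciler or add a defaulting step that clears a stored zero. A short field comment, `// nil lets the operator choose 80 or 443 depending on ctlog TLS`, would document the contract.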
@@ -428,11 +428,10 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 0 + minimum: 1 type: integer prefix: default: trusted-artifact-signer diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 5c682e21c..6643f450e 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -230,11 +230,10 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 0 + minimum: 1 type: integer prefix: default: trusted-artifact-signer diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index 4f871230c..79bd6a6d8 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -428,11 +428,10 @@ spec: description: Address to Ctlog Log Server End point type: string port: - default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 0 + minimum: 1 type: integer prefix: default: trusted-artifact-signer diff --git a/internal/controller/common/utils/kubernetes/service.go b/internal/controller/common/utils/kubernetes/service.go index 1a68b549d..30f699953 100644 --- a/internal/controller/common/utils/kubernetes/service.go +++ b/internal/controller/common/utils/kubernetes/service.go 
@@ -51,3 +51,17 @@ func GetInternalUrl(ctx context.Context, cli client.Client, namespace, serviceNa } return fmt.Sprintf("%s.%s.svc.cluster.local", svc.Name, svc.Namespace), nil } + +func GetService(client client.Client, namespace, serviceName string) (*corev1.Service, error) { + var service corev1.Service + + err := client.Get(context.TODO(), types.NamespacedName{ + Name: serviceName, + Namespace: namespace, + }, &service) + + if err != nil { + return nil, err + } + return &service, nil +} diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index 54e278a6d..5bec77935 100644 --- a/internal/controller/ctlog/actions/service.go +++ b/internal/controller/ctlog/actions/service.go @@ -9,6 +9,7 @@ import ( "github.com/securesign/operator/internal/controller/common/utils/kubernetes" k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + "github.com/securesign/operator/internal/controller/ctlog/utils" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -43,7 +44,7 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog var port int var portName string - if instance.Spec.TLS.CertRef != nil || k8sutils.IsOpenShift() { // TODO: replace with useTLS + if utils.UseTLS(instance) { port = HttpsServerPort portName = HttpsServerPortName } else { diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index f43cdbf9b..9c1f10243 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go 
@@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/constants" futils "github.com/securesign/operator/internal/controller/fulcio/utils" + "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" @@ -37,17 +38,21 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio ) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + useTLS, err := futils.UseTLS(ctx, i.Client, instance) + if err != nil { + return i.Requeue() + } if instance.Spec.Ctlog.Address == "" { - if futils.UseTLS(instance) { + if useTLS { instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace) } else { instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) } } - if instance.Spec.Ctlog.Port == nil || *instance.Spec.Ctlog.Port == 0 { + if instance.Spec.Ctlog.Port == nil { var port int32 - if futils.UseTLS(instance) { + if useTLS { port = int32(443) } else { port = int32(80) @@ -67,7 +72,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio } } - if futils.UseTLS(instance) { + if useTLS { caPath, err := futils.CAPath(ctx, i.Client, instance) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ diff --git a/internal/controller/fulcio/utils/tls.go b/internal/controller/fulcio/utils/tls.go index 41470a5b0..d229ce561 100644 --- a/internal/controller/fulcio/utils/tls.go +++ b/internal/controller/fulcio/utils/tls.go 
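Review bot: `futils.UseTLS` is now called unconditionally and fails whenever no Service named `ctlog` exists in the namespace, so a Fulcio pointed at an external CT log via `spec.ctlog.address` can never deploy, and the failure is invisible because `return i.Requeue()` discards `err` without a log line or status condition. Consult the Service only when the address or port are being defaulted, e.g. guard the call with `if instance.Spec.Ctlog.Address == "" || instance.Spec.Ctlog.Port == nil`, and log before requeueing: `i.Logger.Error(err, "unable to determine ctlog TLS mode")`. When the user-supplied address already carries a scheme, that scheme rather than the Service probe should decide whether `--ct-log.tls-ca-cert` is added in the following hunk.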
@@ -9,18 +9,23 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" ) -func UseTLS(instance *rhtasv1alpha1.Fulcio) bool { +func UseTLS(ctx context.Context, client client.Client, instance *rhtasv1alpha1.Fulcio) (bool, error) { if instance == nil { - return false + return false, nil } - // TLS enabled on Ctlog - if instance.Spec.TrustedCA != nil || kubernetes.IsOpenShift() { - return true + service, err := kubernetes.GetService(client, instance.Namespace, "ctlog") + if err != nil { + return false, fmt.Errorf("failed to get ctlog service: %w", err) } - return false + for _, port := range service.Spec.Ports { + if port.Name == "https" || port.Port == 443 { + return true, nil + } + } + return kubernetes.IsOpenShift(), nil } func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Fulcio) (string, error) { From c0abda645e64ea59bfc5a55133f33893e3ec86f4 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Fri, 13 Sep 2024 13:35:24 +0200 Subject: [PATCH 14/18] revert operator-sdk version --- bundle/manifests/rhtas-operator.clusterserviceversion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 60c112d90..9e2e425a2 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -309,7 +309,7 @@ metadata: features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' - operators.operatorframework.io/builder: operator-sdk-v1.34.1 + operators.operatorframework.io/builder: operator-sdk-v1.34.2 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/securesign/secure-sign-operator support: Red Hat From ed50271abed5a20c2c6f0c36f52a9c05b2fda8ad Mon Sep 17 00:00:00 2001 
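Review bot: When the ctlog Service exists but exposes neither a port named `https` nor port 443, the new `UseTLS` still returns `kubernetes.IsOpenShift()`, so on OpenShift a ctlog Service created outside this operator with only a plain `http` port is reported as TLS and Fulcio is configured with an `https://` address against a plaintext listener. If the Service is present and advertises no https port the honest answer is `return false, nil`; the OpenShift assumption belongs, if anywhere, only to the not-found case. The `ctx` parameter is also unused because `kubernetes.GetService` builds its own `context.TODO()`; passing `ctx` through keeps reconcile cancellation effective.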
From: Firas Ghanmi Date: Fri, 13 Sep 2024 14:24:32 +0200 Subject: [PATCH 15/18] fix fulcio tests --- internal/controller/fulcio/fulcio_controller_test.go | 2 ++ internal/controller/fulcio/fulcio_hot_update_test.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/internal/controller/fulcio/fulcio_controller_test.go b/internal/controller/fulcio/fulcio_controller_test.go index 47b1725a2..58134693b 100644 --- a/internal/controller/fulcio/fulcio_controller_test.go +++ b/internal/controller/fulcio/fulcio_controller_test.go @@ -32,6 +32,7 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + actions2 "github.com/securesign/operator/internal/controller/ctlog/actions" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -125,6 +126,7 @@ var _ = Describe("Fulcio controller", func() { }, } Expect(k8sClient.Create(ctx, kubernetes.CreateConfigmap(Namespace, "trusted-ca-bundle", map[string]string{}, map[string]string{"ca-cert": "ca-cert-data"}))).To(Succeed()) + Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, actions2.ComponentName, actions2.ServerPortName, actions2.ServerPort, actions2.ServerPort, map[string]string{}))).To(Succeed()) err = k8sClient.Create(ctx, instance) Expect(err).To(Not(HaveOccurred())) } diff --git a/internal/controller/fulcio/fulcio_hot_update_test.go b/internal/controller/fulcio/fulcio_hot_update_test.go index 43b686ea4..e0a03a11f 100644 --- a/internal/controller/fulcio/fulcio_hot_update_test.go +++ b/internal/controller/fulcio/fulcio_hot_update_test.go 
@@ -25,6 +25,7 @@ import ( "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + actions2 "github.com/securesign/operator/internal/controller/ctlog/actions" "github.com/securesign/operator/internal/controller/fulcio/actions" "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/api/errors" @@ -114,6 +115,7 @@ var _ = Describe("Fulcio hot update", func() { Monitoring: v1alpha1.MonitoringConfig{Enabled: false}, }, } + Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, actions2.ComponentName, actions2.ServerPortName, actions2.ServerPort, actions2.ServerPort, map[string]string{}))).To(Succeed()) err = k8sClient.Create(ctx, instance) Expect(err).To(Not(HaveOccurred())) } From 67edfb8f3573181ba0cc4acedda9ac838f9620a5 Mon Sep 17 00:00:00 2001 
From: Jan Bouska Date: Mon, 16 Sep 2024 11:10:04 +0200 Subject: [PATCH 16/18] jbouska - test --- .../rhtas-operator.clusterserviceversion.yaml | 2 +- .../common/utils/kubernetes/service.go | 48 +++++------ internal/controller/constants/images.go | 30 +++---- .../controller/ctlog/actions/constants.go | 22 ----- .../controller/ctlog/actions/deployment.go | 8 +- .../ctlog/actions/handle_fulcio_root.go | 5 +- .../ctlog/actions/handle_fulcio_root_test.go | 9 +- .../controller/ctlog/actions/handle_keys.go | 7 +- .../controller/ctlog/actions/initialize.go | 3 +- .../controller/ctlog/actions/monitoring.go | 15 ++-- internal/controller/ctlog/actions/rbac.go | 13 +-- .../controller/ctlog/actions/resolve_tree.go | 3 +- .../controller/ctlog/actions/server_config.go | 3 +- internal/controller/ctlog/actions/service.go | 18 ++-- .../controller/ctlog/constants/constants.go | 21 +++++ internal/controller/ctlog/ctlog_controller.go | 3 +- .../controller/ctlog/ctlog_controller_test.go | 10 +-- .../controller/ctlog/ctlog_hot_update_test.go | 14 ++-- .../controller/fulcio/actions/deployment.go | 84 +++++++++++-------- .../fulcio/utils/fulcio_deployment.go | 33 ++++---- internal/controller/fulcio/utils/tls.go | 51 ----------- .../securesign/actions/ensure_ctlog.go | 4 +- internal/controller/tuf/actions/deployment.go | 1 - .../controller/tuf/tuf_controller_test.go | 2 +- test/e2e/support/tas/ctlog/ctlog.go | 6 +- test/e2e/update/ctlog_test.go | 2 +- test/e2e/update/fulcio_test.go | 2 +- test/e2e/upgrade_test.go | 2 +- 28 files changed, 189 insertions(+), 232 deletions(-) delete mode 100644 internal/controller/ctlog/actions/constants.go create mode 100644 internal/controller/ctlog/constants/constants.go delete mode 100644 internal/controller/fulcio/utils/tls.go diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 9e2e425a2..06eb08dbd 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml 
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -297,7 +297,7 @@ metadata: ] capabilities: Seamless Upgrades containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:028b6eec7f821b18cf710237a7613ef76d2bacdeff56462368e4e186f26627cc - createdAt: "2024-09-12T13:55:45Z" + createdAt: "2024-09-16T09:07:25Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" diff --git a/internal/controller/common/utils/kubernetes/service.go b/internal/controller/common/utils/kubernetes/service.go index 30f699953..1c50fa953 100644 --- a/internal/controller/common/utils/kubernetes/service.go +++ b/internal/controller/common/utils/kubernetes/service.go @@ -2,14 +2,14 @@ package kubernetes import ( "context" - "fmt" + "errors" corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" - + "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/intstr" + "sigs.k8s.io/controller-runtime/pkg/client" ) func CreateService(namespace string, name string, portName string, port int, targetPort int32, labels map[string]string) *corev1.Service { 
@@ -33,35 +33,25 @@ func CreateService(namespace string, name string, portName string, port int, tar } } -func GetInternalUrl(ctx context.Context, cli client.Client, namespace, serviceName string) (string, error) { - svc := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: serviceName, - Namespace: namespace, - }, - } - - err := cli.Get(ctx, types.NamespacedName{ - Name: serviceName, - Namespace: namespace, - }, svc) +func FindService(ctx context.Context, c client.Client, namespace string, labels map[string]string) (*corev1.Service, error) { - if err != nil { - return "", err - } - return fmt.Sprintf("%s.%s.svc.cluster.local", svc.Name, svc.Namespace), nil -} - -func GetService(client client.Client, namespace, serviceName string) (*corev1.Service, error) { - var service corev1.Service + list := &corev1.ServiceList{} - err := client.Get(context.TODO(), types.NamespacedName{ - Name: serviceName, - Namespace: namespace, - }, &service) + err := c.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels(labels)) if err != nil { return nil, err } - return &service, nil + if len(list.Items) > 1 { + return nil, errors.New("duplicate resource") + } + + if len(list.Items) == 1 { + return &list.Items[0], nil + } + + return nil, apierrors.NewNotFound(schema.GroupResource{ + Group: list.GetObjectKind().GroupVersionKind().Group, + Resource: list.GetObjectKind().GroupVersionKind().Kind, + }, "") } diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go index aa491eaa0..205ee3173 100644 --- a/internal/controller/constants/images.go +++ b/internal/controller/constants/images.go 
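Review bot: The not-found error at the end of FindService is built from `list.GetObjectKind().GroupVersionKind()`, which puts a Kind into the `Resource` field of a GroupResource and, because typed lists returned by the controller-runtime client often carry an empty TypeMeta, will typically yield a NotFound for an empty group/resource; `return nil, apierrors.NewNotFound(corev1.Resource("services"), "")` names the resource correctly and still satisfies `apierrors.IsNotFound`. The duplicate branch returns the bare `errors.New("duplicate resource")`, so a caller cannot tell which namespace or label set matched twice; `fmt.Errorf("multiple services in namespace %q match labels %v", namespace, labels)` would, although `fmt` was removed from the import block in the previous hunk and would need to come back. Since the lookup is now by labels rather than by a fixed name, callers have to pass the full instance-specific label set or a second instance in the same namespace trips the duplicate check; that contract belongs in a doc comment on FindService, which currently has none.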
@@ -1,28 +1,28 @@ package constants var ( - TrillianLogSignerImage = "registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:3a73910e112cb7b8ad04c4063e3840fb70f97ed07fc3eb907573a46b2f8f6b7b" - TrillianServerImage = "registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:23579db8db307a14cad37f5cb1bdf759611decd72d875241184549e31353387f" - TrillianDbImage = "registry.redhat.io/rhtas/trillian-database-rhel9@sha256:310ecbd9247a2af587dd6bca1b262cf5d753938409fb74c59a53622e22eb1c31" + TrillianLogSignerImage = "quay.io/securesign/trillian-logsigner@sha256:3a73910e112cb7b8ad04c4063e3840fb70f97ed07fc3eb907573a46b2f8f6b7b" + TrillianServerImage = "quay.io/securesign/trillian-logserver@sha256:23579db8db307a14cad37f5cb1bdf759611decd72d875241184549e31353387f" + TrillianDbImage = "quay.io/securesign/trillian-database@sha256:310ecbd9247a2af587dd6bca1b262cf5d753938409fb74c59a53622e22eb1c31" // TODO: remove and check the DB pod status TrillianNetcatImage = "registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7" - FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:a384c19951fb77813cdefb8057bbe3670ef489eb61172d8fd2dde47b23aecebc" + FulcioServerImage = "quay.io/securesign/fulcio-server@sha256:a384c19951fb77813cdefb8057bbe3670ef489eb61172d8fd2dde47b23aecebc" - RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:c936589847e5658e3be01bf7251da6372712bf98f4d100024a18ea59cfec5975" - RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:96efc463b5f5fa631cca2e1a2195bb0abbd72da0c5083a9d90371d245d01387d" - RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:8ed9d49539e2305c2c41e2ad6b9f5763a53e93ab7590de1c413d846544091009" - BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:22016378cf4a312ac7b15067e560ea42805c168ddf2ae64adb2fcc784bb9ba15" + RekorRedisImage = 
"quay.io/securesign/trillian-redis@sha256:c936589847e5658e3be01bf7251da6372712bf98f4d100024a18ea59cfec5975" + RekorServerImage = "quay.io/securesign/rekor-server@sha256:96efc463b5f5fa631cca2e1a2195bb0abbd72da0c5083a9d90371d245d01387d" + RekorSearchUiImage = "quay.io/securesign/rekor-search-ui@sha256:8ed9d49539e2305c2c41e2ad6b9f5763a53e93ab7590de1c413d846544091009" + BackfillRedisImage = "quay.io/securesign/rekor-backfill-redis@sha256:22016378cf4a312ac7b15067e560ea42805c168ddf2ae64adb2fcc784bb9ba15" - TufImage = "registry.redhat.io/rhtas/tuffer@sha256:fc0160028b0bcbc03c69156584ead3dfec6d517dab305386ee238cc0e87433de" + TufImage = "quay.io/securesign/tuffer@sha256:fc0160028b0bcbc03c69156584ead3dfec6d517dab305386ee238cc0e87433de" - CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:671c5ea4de7184f0dcdd6c6583d74dc8b0b039799c57efb5e8a31981cd9b415e" + CTLogImage = "quay.io/securesign/certificate-transparency-go@sha256:671c5ea4de7184f0dcdd6c6583d74dc8b0b039799c57efb5e8a31981cd9b415e" HttpServerImage = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee" - ClientServerImage_cg = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:0469bef1617c60481beda30947f279a0b106d0e54c600e823064a2b5b89bc120" - ClientServerImage_re = "registry.redhat.io/rhtas/client-server-re-rhel9@sha256:7990157e558dc5ff6e315c84a107bbadc7aeb3aaed39a9171e751671be5d89f0" - ClientServerImage_f = "registry.redhat.io/rhtas/client-server-f-rhel9@sha256:aca918e6994ad5f95c71f725428fc3f2865299b1860c2740d1c18f03324cc3c9" - SegmentBackupImage = "registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:625b5beef8b97d0e9fdf1d92bacd31a51de6b8c172e9aac2c98167253738bb61" - TimestampAuthorityImage = "registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:788f298596b5c0c70e06ac210f8e68ce7bf3348c56b7f36eb6b84cdd85f0d01d" + ClientServerImage_cg = 
"quay.io/securesign/cli-client-server-cg@sha256:0469bef1617c60481beda30947f279a0b106d0e54c600e823064a2b5b89bc120" + ClientServerImage_re = "quay.io/securesign/client-server-re@sha256:7990157e558dc5ff6e315c84a107bbadc7aeb3aaed39a9171e751671be5d89f0" + ClientServerImage_f = "quay.io/securesign/client-server-f@sha256:aca918e6994ad5f95c71f725428fc3f2865299b1860c2740d1c18f03324cc3c9" + SegmentBackupImage = "quay.io/securesign/segment-backup-job@sha256:625b5beef8b97d0e9fdf1d92bacd31a51de6b8c172e9aac2c98167253738bb61" + TimestampAuthorityImage = "quay.io/securesign/timestamp-authority@sha256:788f298596b5c0c70e06ac210f8e68ce7bf3348c56b7f36eb6b84cdd85f0d01d" ) diff --git a/internal/controller/ctlog/actions/constants.go b/internal/controller/ctlog/actions/constants.go deleted file mode 100644 index 9e1a264d7..000000000 --- a/internal/controller/ctlog/actions/constants.go +++ /dev/null @@ -1,22 +0,0 @@ -package actions - -import "github.com/securesign/operator/internal/controller/constants" - -const ( - DeploymentName = "ctlog" - ComponentName = "ctlog" - RBACName = "ctlog" - MonitoringRoleName = "prometheus-k8s-ctlog" - - CertCondition = "FulcioCertAvailable" - ServerPortName = "http" - ServerPort = 80 - HttpsServerPortName = "https" - HttpsServerPort = 443 - ServerTargetPort = 6962 - MetricsPortName = "metrics" - MetricsPort = 6963 - ServerCondition = "ServerAvailable" - - CTLPubLabel = constants.LabelNamespace + "/ctfe.pub" -) diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go index 824342ea4..32efd2789 100644 --- a/internal/controller/ctlog/actions/deployment.go +++ b/internal/controller/ctlog/actions/deployment.go 
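Review bot: Every rewritten image reference in this hunk moves from registry.redhat.io to quay.io/securesign while keeping the same `@sha256:` digest, so the pulled content is unchanged but the registry the cluster has to trust (and whatever pull secrets or image-source policies apply to it) is not; together with the subject "jbouska - test" this looks like a local testing change rather than something intended for the release bundle, and it should be confirmed before merging. `TrillianNetcatImage` and `HttpServerImage` stay on Red Hat registries, so the block is now a mix of sources with nothing explaining which is canonical. If the move is intentional, a comment above `var (` stating the canonical registry and that digests are shared across mirrors would record that decision.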
@@ -4,12 +4,12 @@ import ( "context" "fmt" - cutils "github.com/securesign/operator/internal/controller/common/utils" - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" + cutils "github.com/securesign/operator/internal/controller/common/utils" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/internal/controller/ctlog/utils" trillian "github.com/securesign/operator/internal/controller/trillian/actions" "k8s.io/apimachinery/pkg/api/meta" @@ -59,14 +59,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) i.Logger.V(1).Info("Communication to trillian log server is insecure") } - labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + labels := constants.LabelsFor(constants2.ComponentName, constants2.DeploymentName, instance.Name) switch { case instance.Spec.Trillian.Address == "": instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) } - dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort) + dp, err := utils.CreateDeployment(instance, constants2.DeploymentName, constants2.RBACName, labels, constants2.ServerTargetPort, constants2.MetricsPort) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: constants.Ready, diff --git a/internal/controller/ctlog/actions/handle_fulcio_root.go b/internal/controller/ctlog/actions/handle_fulcio_root.go index 672d61a8c..ca710d771 100644 --- a/internal/controller/ctlog/actions/handle_fulcio_root.go +++ b/internal/controller/ctlog/actions/handle_fulcio_root.go 
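Review bot: The import alias `constants2` in the first hunk is an IDE-generated name that says nothing about what it refers to, and the same alias is repeated in handle_fulcio_root.go, handle_fulcio_root_test.go, handle_keys.go, initialize.go, monitoring.go, rbac.go, resolve_tree.go, server_config.go, service.go, ctlog_controller_test.go and ctlog_hot_update_test.go. The root cause is that the new package internal/controller/ctlog/constants shares its package name with internal/controller/constants, so every file importing both is forced to alias one of them, while ctlog_controller.go imports the new one unaliased as `constants`, leaving two conventions in the same module. Either give the new package a distinct name or use a descriptive alias such as `ctlogconstants "github.com/securesign/operator/internal/controller/ctlog/constants"` consistently across these files.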
@@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/internal/controller/fulcio/actions" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" @@ -75,7 +76,7 @@ func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog) } meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: CertCondition, + Type: constants2.CertCondition, Status: metav1.ConditionFalse, Reason: constants.Failure, Message: "Cert not found", @@ -111,7 +112,7 @@ func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog) } meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: CertCondition, + Type: constants2.CertCondition, Status: metav1.ConditionTrue, Reason: "Resolved", }, diff --git a/internal/controller/ctlog/actions/handle_fulcio_root_test.go b/internal/controller/ctlog/actions/handle_fulcio_root_test.go index 33c522d68..899a57c94 100644 --- a/internal/controller/ctlog/actions/handle_fulcio_root_test.go +++ b/internal/controller/ctlog/actions/handle_fulcio_root_test.go @@ -4,6 +4,7 @@ import ( "context" "testing" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" testAction "github.com/securesign/operator/internal/testing/action" . "github.com/onsi/gomega" 
@@ -58,7 +59,7 @@ func Test_HandleFulcioCert_Autodiscover(t *testing.T) { g.Expect(i.Status.RootCertificates[0].Key).Should(Equal("key")) g.Expect(i.Status.RootCertificates[0].Name).Should(Equal("secret")) - g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue()) + g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, constants2.CertCondition)).To(BeTrue()) } func Test_HandleFulcioCert_Empty(t *testing.T) { @@ -150,7 +151,7 @@ func Test_HandleFulcioCert_Configured(t *testing.T) { g.Expect(i.Status.RootCertificates[1].Key).Should(Equal("key")) g.Expect(i.Status.RootCertificates[1].Name).Should(Equal("secret-2")) - g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue()) + g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, constants2.CertCondition)).To(BeTrue()) } func Test_HandleFulcioCert_Configured_Priority(t *testing.T) { @@ -201,7 +202,7 @@ func Test_HandleFulcioCert_Configured_Priority(t *testing.T) { g.Expect(i.Status.RootCertificates[0].Key).Should(Equal("key")) g.Expect(i.Status.RootCertificates[0].Name).Should(Equal("my-secret")) - g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue()) + g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, constants2.CertCondition)).To(BeTrue()) } func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) { @@ -246,7 +247,7 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) { g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue()) _ = a.Handle(context.TODO(), i) - g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue()) + g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, constants2.CertCondition)).To(BeTrue()) g.Expect(i.Status.ServerConfigRef).To(BeNil()) g.Expect(c.Get(context.TODO(), types.NamespacedName{Name: "ctlog-config", Namespace: instance.GetNamespace()}, &v1.Secret{})).To(HaveOccurred()) 
diff --git a/internal/controller/ctlog/actions/handle_keys.go b/internal/controller/ctlog/actions/handle_keys.go index 9e655e476..09e17e2de 100644 --- a/internal/controller/ctlog/actions/handle_keys.go +++ b/internal/controller/ctlog/actions/handle_keys.go @@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/internal/controller/ctlog/utils" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/equality" @@ -107,8 +108,8 @@ func (g handleKeys) Handle(ctx context.Context, instance *v1alpha1.CTlog) *actio data = map[string][]byte{"public": config.PublicKey} } - labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - labels[CTLPubLabel] = "public" + labels := constants.LabelsFor(constants2.ComponentName, constants2.DeploymentName, instance.Name) + labels[constants2.CTLPubLabel] = "public" secret := k8sutils.CreateImmutableSecret(fmt.Sprintf(KeySecretNameFormat, instance.Name), instance.Namespace, data, labels) @@ -117,7 +118,7 @@ func (g handleKeys) Handle(ctx context.Context, instance *v1alpha1.CTlog) *actio } // ensure that only new key is exposed - if err := g.Client.DeleteAllOf(ctx, &v1.Secret{}, client.InNamespace(instance.Namespace), client.MatchingLabels(constants.LabelsFor(ComponentName, DeploymentName, instance.Name)), client.HasLabels{CTLPubLabel}); err != nil { + if err := g.Client.DeleteAllOf(ctx, &v1.Secret{}, client.InNamespace(instance.Namespace), client.MatchingLabels(constants.LabelsFor(constants2.ComponentName, constants2.DeploymentName, instance.Name)), client.HasLabels{constants2.CTLPubLabel}); err != nil { return g.Failed(err) } 
diff --git a/internal/controller/ctlog/actions/initialize.go b/internal/controller/ctlog/actions/initialize.go index 48510d43c..150f7dbf3 100644 --- a/internal/controller/ctlog/actions/initialize.go +++ b/internal/controller/ctlog/actions/initialize.go @@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" commonUtils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -34,7 +35,7 @@ func (i initializeAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CT ok bool err error ) - labels := constants.LabelsForComponent(ComponentName, instance.Name) + labels := constants.LabelsForComponent(constants2.ComponentName, instance.Name) ok, err = commonUtils.DeploymentIsRunning(ctx, i.Client, instance.Namespace, labels) switch { case errors.Is(err, commonUtils.ErrDeploymentNotReady): diff --git a/internal/controller/ctlog/actions/monitoring.go b/internal/controller/ctlog/actions/monitoring.go index 4e60affa7..3f36c5f6b 100644 --- a/internal/controller/ctlog/actions/monitoring.go +++ b/internal/controller/ctlog/actions/monitoring.go @@ -9,6 +9,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -37,11 +38,11 @@ func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CT err error ) - monitoringLabels := constants.LabelsFor(ComponentName, MonitoringRoleName, instance.Name) + monitoringLabels := constants.LabelsFor(constants2.ComponentName, constants2.MonitoringRoleName, instance.Name) role := kubernetes.CreateRole( instance.Namespace, - MonitoringRoleName, + constants2.MonitoringRoleName, monitoringLabels, []v1.PolicyRule{ { @@ -68,12 +69,12 @@ func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CT roleBinding := kubernetes.CreateRoleBinding( instance.Namespace, - MonitoringRoleName, + constants2.MonitoringRoleName, monitoringLabels, v1.RoleRef{ APIGroup: v1.SchemeGroupVersion.Group, Kind: "Role", - Name: MonitoringRoleName, + Name: constants2.MonitoringRoleName, }, []v1.Subject{ {Kind: "ServiceAccount", Name: "prometheus-k8s", Namespace: "openshift-monitoring"}, @@ -95,16 +96,16 @@ func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CT serviceMonitor := kubernetes.CreateServiceMonitor( instance.Namespace, - DeploymentName, + constants2.DeploymentName, monitoringLabels, []monitoringv1.Endpoint{ { Interval: monitoringv1.Duration("30s"), - Port: MetricsPortName, + Port: constants2.MetricsPortName, Scheme: "http", }, }, - constants.LabelsForComponent(ComponentName, instance.Name), + constants.LabelsForComponent(constants2.ComponentName, instance.Name), ) if err = controllerutil.SetControllerReference(instance, serviceMonitor, i.Client.Scheme()); err != nil { diff --git a/internal/controller/ctlog/actions/rbac.go b/internal/controller/ctlog/actions/rbac.go index b5d0028e3..4d1a1461f 100644 --- a/internal/controller/ctlog/actions/rbac.go +++ b/internal/controller/ctlog/actions/rbac.go 
@@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/meta" @@ -36,11 +37,11 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) * var ( err error ) - labels := constants.LabelsFor(ComponentName, RBACName, instance.Name) + labels := constants.LabelsFor(constants2.ComponentName, constants2.RBACName, instance.Name) sa := &v1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Name: RBACName, + Name: constants2.RBACName, Namespace: instance.Namespace, Labels: labels, }, @@ -60,7 +61,7 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) * }) return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create SA: %w", err), instance) } - role := kubernetes.CreateRole(instance.Namespace, RBACName, labels, []rbacv1.PolicyRule{ + role := kubernetes.CreateRole(instance.Namespace, constants2.RBACName, labels, []rbacv1.PolicyRule{ { APIGroups: []string{""}, Resources: []string{"configmaps"}, 
@@ -86,13 +87,13 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) * }) return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Role: %w", err), instance) } - rb := kubernetes.CreateRoleBinding(instance.Namespace, RBACName, labels, rbacv1.RoleRef{ + rb := kubernetes.CreateRoleBinding(instance.Namespace, constants2.RBACName, labels, rbacv1.RoleRef{ APIGroup: v1.SchemeGroupVersion.Group, Kind: "Role", - Name: RBACName, + Name: constants2.RBACName, }, []rbacv1.Subject{ - {Kind: "ServiceAccount", Name: RBACName, Namespace: instance.Namespace}, + {Kind: "ServiceAccount", Name: constants2.RBACName, Namespace: instance.Namespace}, }) if err = ctrl.SetControllerReference(instance, rb, i.Client.Scheme()); err != nil { diff --git a/internal/controller/ctlog/actions/resolve_tree.go b/internal/controller/ctlog/actions/resolve_tree.go index 0c885551a..d7cf6a3a2 100644 --- a/internal/controller/ctlog/actions/resolve_tree.go +++ b/internal/controller/ctlog/actions/resolve_tree.go @@ -9,6 +9,7 @@ import ( "github.com/securesign/operator/internal/controller/common" "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/internal/controller/ctlog/utils" actions2 "github.com/securesign/operator/internal/controller/trillian/actions" v1 "k8s.io/api/core/v1" @@ -80,7 +81,7 @@ func (i resolveTreeAction) Handle(ctx context.Context, instance *rhtasv1alpha1.C tree, err = i.createTree(ctx, "ctlog-tree", trillUrl, constants.CreateTreeDeadline) if err != nil { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ - Type: ServerCondition, + Type: constants2.ServerCondition, Status: metav1.ConditionFalse, Reason: constants.Failure, Message: err.Error(), 
diff --git a/internal/controller/ctlog/actions/server_config.go b/internal/controller/ctlog/actions/server_config.go index 384102e1e..9f416a523 100644 --- a/internal/controller/ctlog/actions/server_config.go +++ b/internal/controller/ctlog/actions/server_config.go @@ -8,6 +8,7 @@ import ( "github.com/securesign/operator/internal/controller/common/action" utils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" ctlogUtils "github.com/securesign/operator/internal/controller/ctlog/utils" trillian "github.com/securesign/operator/internal/controller/trillian/actions" corev1 "k8s.io/api/core/v1" @@ -70,7 +71,7 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace) } - labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + labels := constants.LabelsFor(constants2.ComponentName, constants2.DeploymentName, instance.Name) trillianService := instance.DeepCopy().Spec.Trillian diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go index 5bec77935..726efb38a 100644 --- a/internal/controller/ctlog/actions/service.go +++ b/internal/controller/ctlog/actions/service.go @@ -9,6 +9,7 @@ import ( "github.com/securesign/operator/internal/controller/common/utils/kubernetes" k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/internal/controller/ctlog/utils" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" 
@@ -40,24 +41,21 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog updated bool ) - labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name) + labels := constants.LabelsFor(constants2.ComponentName, constants2.ComponentName, instance.Name) var port int - var portName string if utils.UseTLS(instance) { - port = HttpsServerPort - portName = HttpsServerPortName + port = constants2.HttpsServerPort } else { - port = ServerPort - portName = ServerPortName + port = constants2.ServerPort } - svc := kubernetes.CreateService(instance.Namespace, ComponentName, portName, port, ServerTargetPort, labels) + svc := kubernetes.CreateService(instance.Namespace, constants2.ComponentName, constants2.ServerPortName, port, constants2.ServerTargetPort, labels) if instance.Spec.Monitoring.Enabled { svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ - Name: MetricsPortName, + Name: constants2.MetricsPortName, Protocol: corev1.ProtocolTCP, - Port: MetricsPort, - TargetPort: intstr.FromInt32(MetricsPort), + Port: constants2.MetricsPort, + TargetPort: intstr.FromInt32(constants2.MetricsPort), }) } diff --git a/internal/controller/ctlog/constants/constants.go b/internal/controller/ctlog/constants/constants.go new file mode 100644 index 000000000..625ee451d --- /dev/null +++ b/internal/controller/ctlog/constants/constants.go @@ -0,0 +1,21 @@ +package constants + +import "github.com/securesign/operator/internal/controller/constants" + +const ( + DeploymentName = "ctlog" + ComponentName = "ctlog" + RBACName = "ctlog" + MonitoringRoleName = "prometheus-k8s-ctlog" + + CertCondition = "FulcioCertAvailable" + ServerPortName = "ctlog-server" + HttpsServerPort = 443 + ServerPort = 80 + ServerTargetPort = 6962 + MetricsPortName = "metrics" + MetricsPort = 6963 + ServerCondition = "ServerAvailable" + + CTLPubLabel = constants.LabelNamespace + "/ctfe.pub" +) 
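Review bot: With TLS enabled the Service port is now named `ctlog-server` instead of `https` (the `portName` variable and `HttpsServerPortName` are gone), so the port name no longer tells clients or a service mesh which protocol it speaks. Naming ports by protocol, or setting `AppProtocol` on the `corev1.ServicePort`, is the usual way that information is carried; if consumers are now expected to infer the scheme from the port number via `utils.UseTLS` instead, a comment at the `if utils.UseTLS(instance)` branch such as `// port name is fixed; 443 vs 80 is the only TLS signal on the Service` would make that explicit. ctlog_controller_test.go only asserts `service.Spec.Ports[0].Port == 80`, so the TLS port/name combination is not covered. Handle begins before this hunk and continues after it.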
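Review bot: The exported constants in the new constants.go carry no doc comments, and `ServerPortName` quietly changes from the protocol-named `"http"`/`"https"` of the deleted actions/constants.go to `"ctlog-server"`, with `HttpsServerPortName` dropped entirely. A one-line comment on that constant, e.g. `// ServerPortName is the single service port name for both plain and TLS serving; the scheme follows the port number.`, would record why the protocol-based names were abandoned and save the next reader a trip through git history.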
diff --git a/internal/controller/ctlog/ctlog_controller.go b/internal/controller/ctlog/ctlog_controller.go index f4a7052fc..0802ecfea 100644 --- a/internal/controller/ctlog/ctlog_controller.go +++ b/internal/controller/ctlog/ctlog_controller.go @@ -22,6 +22,7 @@ import ( olpredicate "github.com/operator-framework/operator-lib/predicate" "github.com/securesign/operator/internal/controller/annotations" "github.com/securesign/operator/internal/controller/common/action/transitions" + "github.com/securesign/operator/internal/controller/ctlog/constants" "k8s.io/apimachinery/pkg/runtime/schema" "github.com/securesign/operator/internal/controller/ctlog/actions" @@ -89,7 +90,7 @@ func (r *CTlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl target := instance.DeepCopy() acs := []action.Action[*rhtasv1alpha1.CTlog]{ transitions.NewToPendingPhaseAction[*rhtasv1alpha1.CTlog](func(_ *rhtasv1alpha1.CTlog) []string { - return []string{actions.CertCondition} + return []string{constants.CertCondition} }), transitions.NewToCreatePhaseAction[*rhtasv1alpha1.CTlog](), diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go index 54d60daa7..d9de4062b 100644 --- a/internal/controller/ctlog/ctlog_controller_test.go +++ b/internal/controller/ctlog/ctlog_controller_test.go @@ -23,7 +23,7 @@ import ( "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" - "github.com/securesign/operator/internal/controller/ctlog/actions" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" fulcio "github.com/securesign/operator/internal/controller/fulcio/actions" trillian "github.com/securesign/operator/internal/controller/trillian/actions" k8sTest "github.com/securesign/operator/internal/testing/kubernetes" 
@@ -149,13 +149,13 @@ var _ = Describe("CTlog controller", func() { deployment := &appsv1.Deployment{} By("Checking if Deployment was successfully created in the reconciliation") Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment) + return k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment) }).Should(Succeed()) By("Checking if Service was successfully created in the reconciliation") service := &corev1.Service{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service) + return k8sClient.Get(ctx, types.NamespacedName{Name: constants2.ComponentName, Namespace: Namespace}, service) }).Should(Succeed()) Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80))) @@ -173,14 +173,14 @@ var _ = Describe("CTlog controller", func() { By("Checking if controller will return deployment to desired state") deployment = &appsv1.Deployment{} Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment) + return k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment) }).Should(Succeed()) replicas := int32(99) deployment.Spec.Replicas = &replicas Expect(k8sClient.Status().Update(ctx, deployment)).Should(Succeed()) Eventually(func(g Gomega) int32 { deployment = &appsv1.Deployment{} - g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment)).Should(Succeed()) + g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment)).Should(Succeed()) return *deployment.Spec.Replicas }).Should(Equal(int32(1))) }) 
diff --git a/internal/controller/ctlog/ctlog_hot_update_test.go b/internal/controller/ctlog/ctlog_hot_update_test.go index be59556e5..6e1ec4e02 100644 --- a/internal/controller/ctlog/ctlog_hot_update_test.go +++ b/internal/controller/ctlog/ctlog_hot_update_test.go @@ -20,6 +20,7 @@ import ( "context" "time" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" k8sTest "github.com/securesign/operator/internal/testing/kubernetes" "github.com/securesign/operator/internal/controller/ctlog/utils" @@ -27,7 +28,6 @@ import ( "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" - "github.com/securesign/operator/internal/controller/ctlog/actions" fulcio "github.com/securesign/operator/internal/controller/fulcio/actions" trillian "github.com/securesign/operator/internal/controller/trillian/actions" "k8s.io/apimachinery/pkg/api/equality" @@ -125,7 +125,7 @@ var _ = Describe("CTlog update test", func() { deployment := &appsv1.Deployment{} By("Checking if Deployment was successfully created in the reconciliation") Eventually(func() error { - return k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment) + return k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment) }).Should(Succeed()) By("Move to Ready phase") 
@@ -160,22 +160,22 @@ var _ = Describe("CTlog update test", func() { By("CTL deployment is updated") Eventually(func() bool { updated := &appsv1.Deployment{} - Expect(k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, updated)).To(Succeed()) + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, updated)).To(Succeed()) return equality.Semantic.DeepDerivative(deployment.Spec.Template.Spec.Volumes, updated.Spec.Template.Spec.Volumes) }).Should(BeFalse()) By("Move to Ready phase") deployment = &appsv1.Deployment{} - Expect(k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment)).To(Succeed()) + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment)).To(Succeed()) Expect(k8sTest.SetDeploymentToReady(ctx, k8sClient, deployment)).To(Succeed()) By("Private key has changed") key, err := utils.CreatePrivateKey() Expect(err).To(Not(HaveOccurred())) Expect(k8sClient.Create(ctx, kubernetes.CreateSecret("key-secret", Namespace, - map[string][]byte{"private": key.PrivateKey}, constants.LabelsFor(actions.ComponentName, Name, instance.Name)))).To(Succeed()) + map[string][]byte{"private": key.PrivateKey}, constants.LabelsFor(constants2.ComponentName, Name, instance.Name)))).To(Succeed()) - Expect(k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, deployment)).To(Succeed()) + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, deployment)).To(Succeed()) found := &v1alpha1.CTlog{} Eventually(func(g Gomega) error { g.Expect(k8sClient.Get(ctx, typeNamespaceName, found)).Should(Succeed()) 
@@ -198,7 +198,7 @@ var _ = Describe("CTlog update test", func() { By("CTL deployment is updated") Eventually(func(g Gomega) bool { updated := &appsv1.Deployment{} - g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: actions.DeploymentName, Namespace: Namespace}, updated)).To(Succeed()) + g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: constants2.DeploymentName, Namespace: Namespace}, updated)).To(Succeed()) return equality.Semantic.DeepDerivative(deployment.Spec.Template.Spec.Volumes, updated.Spec.Template.Spec.Volumes) }).Should(BeFalse()) }) diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index 9c1f10243..6b6980bc3 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go @@ -2,12 +2,16 @@ package actions import ( "context" + "errors" "fmt" rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" + "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" + ctlogAction "github.com/securesign/operator/internal/controller/ctlog/constants" futils "github.com/securesign/operator/internal/controller/fulcio/utils" + "sigs.k8s.io/controller-runtime/pkg/client" "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -37,29 +41,21 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 err error
 )
 
- labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
- useTLS, err := futils.UseTLS(ctx, i.Client, instance)
- if err != nil {
+ instanceCopy := instance.DeepCopy()
+ if err = resolveCtlAddress(ctx, i.Client, instanceCopy); err != nil {
+ meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+ Type: constants.Ready,
+ Status: metav1.ConditionFalse,
+ Reason: constants.Creating,
+ Message: "Resolving CTLog address",
+ })
+ i.StatusUpdate(ctx, instance)
 return i.Requeue()
 }
 
- if instance.Spec.Ctlog.Address == "" {
- if useTLS {
- instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace)
- } else {
- instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
- }
- }
- if instance.Spec.Ctlog.Port == nil {
- var port int32
- if useTLS {
- port = int32(443)
- } else {
- port = int32(80)
- }
- instance.Spec.Ctlog.Port = &port
- }
- dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels)
+ labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
+
+ dp, err := futils.CreateDeployment(instanceCopy, DeploymentName, RBACName, labels)
 if err != nil {
 if err != nil {
 meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
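Review bot: The error from `resolveCtlAddress` is discarded on the new requeue branch: the Ready condition always reads `Resolving CTLog address` and the reconcile is requeued, so a permanent configuration error such as `futils.CtlogPrefixNotSpecified` (which the helper added later in this diff returns) will requeue indefinitely without telling the user what is wrong. Put the cause in the condition, `Message: fmt.Sprintf("Resolving CTLog address: %v", err),`, and consider routing errors that a requeue cannot fix through `i.FailedWithStatusUpdate` the way the removed CA-path branch did, keeping the requeue only for a not-yet-present service. Whatever `i.StatusUpdate(ctx, instance)` returns is also ignored on the following line; if it can report an error, that is worth surfacing too. Handle's body starts and ends outside this hunk.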
@@ -72,20 +68,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 }
 }
 
- if useTLS {
- caPath, err := futils.CAPath(ctx, i.Client, instance)
- if err != nil {
- meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
- Type: constants.Ready,
- Status: metav1.ConditionFalse,
- Reason: constants.Failure,
- Message: err.Error(),
- })
- return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance)
- }
- dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath)
- }
-
 if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
 return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err))
 }
@@ -108,3 +90,37 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 return i.Continue()
 }
 }
+
+func resolveCtlAddress(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Fulcio) error {
+ if instance.Spec.Ctlog.Prefix == "" {
+ return futils.CtlogPrefixNotSpecified
+ }
+
+ if instance.Spec.Ctlog.Address != "" {
+ if instance.Spec.Ctlog.Port == nil {
+ return futils.CtlogPortNotSpecified
+ }
+ return nil
+ }
+
+ svc, err := kubernetes.FindService(ctx, cli, instance.Namespace, constants.LabelsForComponent(ctlogAction.ComponentName, instance.Name))
+ if err != nil {
+ return err
+ }
+
+ for _, port := range svc.Spec.Ports {
+ if port.Name == ctlogAction.ServerPortName {
+ var protocol string
+ instance.Spec.Ctlog.Port = &port.Port
+ switch port.Port {
+ case 443:
+ protocol = "https://"
+ case 80:
+ protocol = "http://"
+ }
+ instance.Spec.Ctlog.Address = fmt.Sprintf("%s%s.%s.svc", protocol, svc.Name, svc.Namespace)
+ return nil
+ }
+ }
+ return errors.New("protocol name not found")
+}
diff --git a/internal/controller/fulcio/utils/fulcio_deployment.go b/internal/controller/fulcio/utils/fulcio_deployment.go
index a38544abd..b59caa2fb 100644
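Review bot: `resolveCtlAddress` derives the URL scheme from the port number alone and the `switch port.Port` has no `default`, so a ctlog service that exposes `ServerPortName` on any port other than 80 or 443 leaves `protocol` empty and produces a scheme-less address such as `ctlog.<namespace>.svc`, which `CreateDeployment` later accepts because it only checks that the address is non-empty. Add `default: return fmt.Errorf("cannot infer scheme for ctlog port %d", port.Port)` rather than emitting a malformed URL; the removed `UseTLS` also honoured `port.Name == "https"`, which may be worth keeping as a second signal. The closing `errors.New("protocol name not found")` is reached when no port named `ctlogAction.ServerPortName` exists, so `fmt.Errorf("service %s has no port named %s", svc.Name, ctlogAction.ServerPortName)` describes the actual condition. Separately, the `--ct-log.tls-ca-cert` argument removed in the hunk at -72 has no replacement in this file, so when https is selected Fulcio is given no CA to verify the ctlog endpoint unless a later part of the series supplies one.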
--- a/internal/controller/fulcio/utils/fulcio_deployment.go
+++ b/internal/controller/fulcio/utils/fulcio_deployment.go
@@ -29,6 +29,20 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 return nil, errors.New("CA secret is not specified")
 }
 
+ var err error
+ switch {
+ case instance.Spec.Ctlog.Address == "":
+ err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
+ case instance.Spec.Ctlog.Port == nil:
+ err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
+ case instance.Spec.Ctlog.Prefix == "":
+ err = fmt.Errorf("CreateDeployment: %w", CtlogPrefixNotSpecified)
+ }
+
+ if err != nil {
+ return nil, err
+ }
+
 containerPorts := []corev1.ContainerPort{
 {
 Protocol: corev1.ProtocolTCP,
@@ -56,26 +70,9 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 "/var/run/fulcio-secrets/key.pem",
 "--fileca-cert",
 "/var/run/fulcio-secrets/cert.pem",
+ fmt.Sprintf("--ct-log-url=%s:%d/%s", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port, instance.Spec.Ctlog.Prefix),
 }
 
- var err error
- var ctlogUrl string
- switch {
- case instance.Spec.Ctlog.Address == "":
- err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
- case instance.Spec.Ctlog.Port == nil:
- err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
- case instance.Spec.Ctlog.Prefix == "":
- err = fmt.Errorf("CreateDeployment: %w", CtlogPrefixNotSpecified)
- default:
- ctlogUrl = fmt.Sprintf("%s:%d/%s", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port, instance.Spec.Ctlog.Prefix)
- }
-
- if err != nil {
- return nil, err
- }
- args = append(args, fmt.Sprintf("--ct-log-url=%s", ctlogUrl))
-
 env := make([]corev1.EnvVar, 0)
 if instance.Status.Certificate.PrivateKeyPasswordRef != nil {
 env = append(env, corev1.EnvVar{
diff --git a/internal/controller/fulcio/utils/tls.go b/internal/controller/fulcio/utils/tls.go
deleted file mode 100644
index d229ce561..000000000
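Review bot: The `var err error` / `switch` / `if err != nil` sequence added at the top of CreateDeployment exists only to funnel three validation failures into one return; each `case` can return directly, e.g. `return nil, fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)`, which drops the `err` variable and the trailing guard and keeps the happy path unindented. While this block is being touched, it is the natural place to also reject an `Address` without an `http://` or `https://` scheme, since the `--ct-log-url` built later in this file from `Address`, `*Port` and `Prefix` is passed to Fulcio as-is. CreateDeployment's body starts and ends outside this hunk.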
--- a/internal/controller/fulcio/utils/tls.go +++ /dev/null @@ -1,51 +0,0 @@ -package utils - -import ( - "context" - "fmt" - - rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" - "github.com/securesign/operator/internal/controller/common/utils/kubernetes" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -func UseTLS(ctx context.Context, client client.Client, instance *rhtasv1alpha1.Fulcio) (bool, error) { - - if instance == nil { - return false, nil - } - - service, err := kubernetes.GetService(client, instance.Namespace, "ctlog") - if err != nil { - return false, fmt.Errorf("failed to get ctlog service: %w", err) - } - - for _, port := range service.Spec.Ports { - if port.Name == "https" || port.Port == 443 { - return true, nil - } - } - return kubernetes.IsOpenShift(), nil -} - -func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Fulcio) (string, error) { - if instance.Spec.TrustedCA != nil { - cfgTrust, err := kubernetes.GetConfigMap(ctx, cli, instance.Namespace, instance.Spec.TrustedCA.Name) - if err != nil { - return "", err - } - if len(cfgTrust.Data) != 1 { - err = fmt.Errorf("%s ConfigMap can contain only 1 record", instance.Spec.TrustedCA.Name) - return "", err - } - for key := range cfgTrust.Data { - return "/var/run/configs/tas/ca-trust/" + key, nil - } - } - - if instance.Spec.TrustedCA == nil && kubernetes.IsOpenShift() { - return "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt", nil - } - - return "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", nil -} diff --git a/internal/controller/securesign/actions/ensure_ctlog.go b/internal/controller/securesign/actions/ensure_ctlog.go index 539adfeeb..9fc7fc786 100644 --- a/internal/controller/securesign/actions/ensure_ctlog.go +++ b/internal/controller/securesign/actions/ensure_ctlog.go 
@@ -4,11 +4,11 @@ import ( "context" "github.com/securesign/operator/internal/controller/annotations" + ctlogConstants "github.com/securesign/operator/internal/controller/ctlog/constants" rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/action" "github.com/securesign/operator/internal/controller/constants" - "github.com/securesign/operator/internal/controller/ctlog/actions" "k8s.io/apimachinery/pkg/api/meta" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" @@ -40,7 +40,7 @@ func (i ctlogAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Secures ctlog.Name = instance.Name ctlog.Namespace = instance.Namespace - ctlog.Labels = constants.LabelsFor(actions.ComponentName, ctlog.Name, instance.Name) + ctlog.Labels = constants.LabelsFor(ctlogConstants.ComponentName, ctlog.Name, instance.Name) ctlog.Annotations = annotations.FilterInheritable(instance.Annotations) ctlog.Spec = instance.Spec.Ctlog diff --git a/internal/controller/tuf/actions/deployment.go b/internal/controller/tuf/actions/deployment.go index d7cace5a1..4d00bbbab 100644 --- a/internal/controller/tuf/actions/deployment.go +++ b/internal/controller/tuf/actions/deployment.go @@ -37,7 +37,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Tuf) * ) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - dp := tufutils.CreateTufDeployment(instance, DeploymentName, RBACName, labels) if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil { diff --git a/internal/controller/tuf/tuf_controller_test.go b/internal/controller/tuf/tuf_controller_test.go index a3992ad4d..ecf5de53f 100644 --- a/internal/controller/tuf/tuf_controller_test.go +++ b/internal/controller/tuf/tuf_controller_test.go 
@@ -21,12 +21,12 @@ import ( "maps" "time" + actions2 "github.com/securesign/operator/internal/controller/ctlog/constants" k8sTest "github.com/securesign/operator/internal/testing/kubernetes" "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" - actions2 "github.com/securesign/operator/internal/controller/ctlog/actions" "github.com/securesign/operator/internal/controller/tuf/actions" batchv1 "k8s.io/api/batch/v1" v1 "k8s.io/api/networking/v1" diff --git a/test/e2e/support/tas/ctlog/ctlog.go b/test/e2e/support/tas/ctlog/ctlog.go index 0f7b4e969..de77973e0 100644 --- a/test/e2e/support/tas/ctlog/ctlog.go +++ b/test/e2e/support/tas/ctlog/ctlog.go @@ -3,6 +3,7 @@ package ctlog import ( "context" + constants2 "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/test/e2e/support" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -10,7 +11,6 @@ import ( "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" - "github.com/securesign/operator/internal/controller/ctlog/actions" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/types" @@ -25,7 +25,7 @@ func Verify(ctx context.Context, cli client.Client, namespace string, name strin Eventually(func(g Gomega) (bool, error) { return kubernetes.DeploymentIsRunning(ctx, cli, namespace, map[string]string{ - kubernetes.ComponentLabel: actions.ComponentName, + kubernetes.ComponentLabel: constants2.ComponentName, }) }).Should(BeTrue()) } 
@@ -33,7 +33,7 @@ func Verify(ctx context.Context, cli client.Client, namespace string, name strin func GetServerPod(ctx context.Context, cli client.Client, ns string) func() *v1.Pod { return func() *v1.Pod { list := &v1.PodList{} - _ = cli.List(ctx, list, client.InNamespace(ns), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName, kubernetes.NameLabel: "ctlog"}) + _ = cli.List(ctx, list, client.InNamespace(ns), client.MatchingLabels{kubernetes.ComponentLabel: constants2.ComponentName, kubernetes.NameLabel: "ctlog"}) if len(list.Items) != 1 { return nil } diff --git a/test/e2e/update/ctlog_test.go b/test/e2e/update/ctlog_test.go index ea8da81d1..34634d791 100644 --- a/test/e2e/update/ctlog_test.go +++ b/test/e2e/update/ctlog_test.go @@ -6,6 +6,7 @@ import ( "context" "time" + ctlogAction "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/test/e2e/support/tas" "github.com/securesign/operator/test/e2e/support/tas/ctlog" @@ -15,7 +16,6 @@ import ( . "github.com/onsi/gomega" "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/constants" - ctlogAction "github.com/securesign/operator/internal/controller/ctlog/actions" tufAction "github.com/securesign/operator/internal/controller/tuf/actions" "github.com/securesign/operator/test/e2e/support" v1 "k8s.io/api/core/v1" diff --git a/test/e2e/update/fulcio_test.go b/test/e2e/update/fulcio_test.go index 7e2ac7b76..f0ff4fd2d 100644 --- a/test/e2e/update/fulcio_test.go +++ b/test/e2e/update/fulcio_test.go @@ -7,6 +7,7 @@ import ( "encoding/json" "time" + ctlogAction "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/test/e2e/support/tas" fulcioAction "github.com/securesign/operator/internal/controller/fulcio/actions" 
@@ -18,7 +19,6 @@ import ( . "github.com/onsi/gomega" "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/constants" - ctlogAction "github.com/securesign/operator/internal/controller/ctlog/actions" tufAction "github.com/securesign/operator/internal/controller/tuf/actions" "github.com/securesign/operator/test/e2e/support" v1 "k8s.io/api/core/v1" diff --git a/test/e2e/upgrade_test.go b/test/e2e/upgrade_test.go index a7975cf6a..a7f9a3e94 100644 --- a/test/e2e/upgrade_test.go +++ b/test/e2e/upgrade_test.go @@ -10,6 +10,7 @@ import ( "strings" "time" + ctl "github.com/securesign/operator/internal/controller/ctlog/constants" "github.com/securesign/operator/test/e2e/support/tas/ctlog" "github.com/securesign/operator/test/e2e/support/tas/fulcio" "github.com/securesign/operator/test/e2e/support/tas/rekor" @@ -25,7 +26,6 @@ import ( tasv1alpha "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils" "github.com/securesign/operator/internal/controller/constants" - ctl "github.com/securesign/operator/internal/controller/ctlog/actions" fulcioAction "github.com/securesign/operator/internal/controller/fulcio/actions" rekorAction "github.com/securesign/operator/internal/controller/rekor/actions" "github.com/securesign/operator/internal/controller/securesign/actions" From ef028561ac2946773eb28ab3c13620f0bc50f9f7 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Mon, 16 Sep 2024 17:45:19 +0200 Subject: [PATCH 17/18] updates --- internal/controller/constants/images.go | 30 +++++++++---------- .../fulcio/fulcio_controller_test.go | 4 +-- .../fulcio/fulcio_hot_update_test.go | 4 +-- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go index 205ee3173..aa491eaa0 100644 --- a/internal/controller/constants/images.go +++ b/internal/controller/constants/images.go 
@@ -1,28 +1,28 @@ package constants var ( - TrillianLogSignerImage = "quay.io/securesign/trillian-logsigner@sha256:3a73910e112cb7b8ad04c4063e3840fb70f97ed07fc3eb907573a46b2f8f6b7b" - TrillianServerImage = "quay.io/securesign/trillian-logserver@sha256:23579db8db307a14cad37f5cb1bdf759611decd72d875241184549e31353387f" - TrillianDbImage = "quay.io/securesign/trillian-database@sha256:310ecbd9247a2af587dd6bca1b262cf5d753938409fb74c59a53622e22eb1c31" + TrillianLogSignerImage = "registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:3a73910e112cb7b8ad04c4063e3840fb70f97ed07fc3eb907573a46b2f8f6b7b" + TrillianServerImage = "registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:23579db8db307a14cad37f5cb1bdf759611decd72d875241184549e31353387f" + TrillianDbImage = "registry.redhat.io/rhtas/trillian-database-rhel9@sha256:310ecbd9247a2af587dd6bca1b262cf5d753938409fb74c59a53622e22eb1c31" // TODO: remove and check the DB pod status TrillianNetcatImage = "registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7" - FulcioServerImage = "quay.io/securesign/fulcio-server@sha256:a384c19951fb77813cdefb8057bbe3670ef489eb61172d8fd2dde47b23aecebc" + FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:a384c19951fb77813cdefb8057bbe3670ef489eb61172d8fd2dde47b23aecebc" - RekorRedisImage = "quay.io/securesign/trillian-redis@sha256:c936589847e5658e3be01bf7251da6372712bf98f4d100024a18ea59cfec5975" - RekorServerImage = "quay.io/securesign/rekor-server@sha256:96efc463b5f5fa631cca2e1a2195bb0abbd72da0c5083a9d90371d245d01387d" - RekorSearchUiImage = "quay.io/securesign/rekor-search-ui@sha256:8ed9d49539e2305c2c41e2ad6b9f5763a53e93ab7590de1c413d846544091009" - BackfillRedisImage = "quay.io/securesign/rekor-backfill-redis@sha256:22016378cf4a312ac7b15067e560ea42805c168ddf2ae64adb2fcc784bb9ba15" + RekorRedisImage = 
"registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:c936589847e5658e3be01bf7251da6372712bf98f4d100024a18ea59cfec5975" + RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:96efc463b5f5fa631cca2e1a2195bb0abbd72da0c5083a9d90371d245d01387d" + RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:8ed9d49539e2305c2c41e2ad6b9f5763a53e93ab7590de1c413d846544091009" + BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:22016378cf4a312ac7b15067e560ea42805c168ddf2ae64adb2fcc784bb9ba15" - TufImage = "quay.io/securesign/tuffer@sha256:fc0160028b0bcbc03c69156584ead3dfec6d517dab305386ee238cc0e87433de" + TufImage = "registry.redhat.io/rhtas/tuffer@sha256:fc0160028b0bcbc03c69156584ead3dfec6d517dab305386ee238cc0e87433de" - CTLogImage = "quay.io/securesign/certificate-transparency-go@sha256:671c5ea4de7184f0dcdd6c6583d74dc8b0b039799c57efb5e8a31981cd9b415e" + CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:671c5ea4de7184f0dcdd6c6583d74dc8b0b039799c57efb5e8a31981cd9b415e" HttpServerImage = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee" - ClientServerImage_cg = "quay.io/securesign/cli-client-server-cg@sha256:0469bef1617c60481beda30947f279a0b106d0e54c600e823064a2b5b89bc120" - ClientServerImage_re = "quay.io/securesign/client-server-re@sha256:7990157e558dc5ff6e315c84a107bbadc7aeb3aaed39a9171e751671be5d89f0" - ClientServerImage_f = "quay.io/securesign/client-server-f@sha256:aca918e6994ad5f95c71f725428fc3f2865299b1860c2740d1c18f03324cc3c9" - SegmentBackupImage = "quay.io/securesign/segment-backup-job@sha256:625b5beef8b97d0e9fdf1d92bacd31a51de6b8c172e9aac2c98167253738bb61" - TimestampAuthorityImage = "quay.io/securesign/timestamp-authority@sha256:788f298596b5c0c70e06ac210f8e68ce7bf3348c56b7f36eb6b84cdd85f0d01d" + ClientServerImage_cg = 
"registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:0469bef1617c60481beda30947f279a0b106d0e54c600e823064a2b5b89bc120" + ClientServerImage_re = "registry.redhat.io/rhtas/client-server-re-rhel9@sha256:7990157e558dc5ff6e315c84a107bbadc7aeb3aaed39a9171e751671be5d89f0" + ClientServerImage_f = "registry.redhat.io/rhtas/client-server-f-rhel9@sha256:aca918e6994ad5f95c71f725428fc3f2865299b1860c2740d1c18f03324cc3c9" + SegmentBackupImage = "registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:625b5beef8b97d0e9fdf1d92bacd31a51de6b8c172e9aac2c98167253738bb61" + TimestampAuthorityImage = "registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:788f298596b5c0c70e06ac210f8e68ce7bf3348c56b7f36eb6b84cdd85f0d01d" ) diff --git a/internal/controller/fulcio/fulcio_controller_test.go b/internal/controller/fulcio/fulcio_controller_test.go index 58134693b..3fe67d463 100644 --- a/internal/controller/fulcio/fulcio_controller_test.go +++ b/internal/controller/fulcio/fulcio_controller_test.go @@ -32,7 +32,7 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - actions2 "github.com/securesign/operator/internal/controller/ctlog/actions" + ctlogAction "github.com/securesign/operator/internal/controller/ctlog/constants" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -126,7 +126,7 @@ var _ = Describe("Fulcio controller", func() { }, } Expect(k8sClient.Create(ctx, kubernetes.CreateConfigmap(Namespace, "trusted-ca-bundle", map[string]string{}, map[string]string{"ca-cert": "ca-cert-data"}))).To(Succeed()) - Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, actions2.ComponentName, actions2.ServerPortName, actions2.ServerPort, actions2.ServerPort, map[string]string{}))).To(Succeed()) + Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, ctlogAction.ComponentName, ctlogAction.ServerPortName, ctlogAction.ServerPort, ctlogAction.ServerPort, constants.LabelsForComponent(ctlogAction.ComponentName, instance.Name)))).To(Succeed()) err = k8sClient.Create(ctx, instance) Expect(err).To(Not(HaveOccurred())) } diff --git a/internal/controller/fulcio/fulcio_hot_update_test.go b/internal/controller/fulcio/fulcio_hot_update_test.go index e0a03a11f..4062fd812 100644 --- a/internal/controller/fulcio/fulcio_hot_update_test.go +++ b/internal/controller/fulcio/fulcio_hot_update_test.go @@ -25,7 +25,6 @@ import ( "github.com/securesign/operator/api/v1alpha1" "github.com/securesign/operator/internal/controller/common/utils/kubernetes" "github.com/securesign/operator/internal/controller/constants" - actions2 "github.com/securesign/operator/internal/controller/ctlog/actions" "github.com/securesign/operator/internal/controller/fulcio/actions" "k8s.io/apimachinery/pkg/api/equality" "k8s.io/apimachinery/pkg/api/errors" @@ -33,6 +32,7 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + ctlogAction "github.com/securesign/operator/internal/controller/ctlog/constants" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -115,7 +115,7 @@ var _ = Describe("Fulcio hot update", func() {
 Monitoring: v1alpha1.MonitoringConfig{Enabled: false},
 },
 }
- Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, actions2.ComponentName, actions2.ServerPortName, actions2.ServerPort, actions2.ServerPort, map[string]string{}))).To(Succeed())
+ Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, ctlogAction.ComponentName, ctlogAction.ServerPortName, ctlogAction.ServerPort, ctlogAction.ServerPort, constants.LabelsForComponent(ctlogAction.ComponentName, instance.Name)))).To(Succeed())
 err = k8sClient.Create(ctx, instance)
 Expect(err).To(Not(HaveOccurred()))
 }
From 17aeae099d78b132121b684686a57663c7a2b88c Mon Sep 17 00:00:00 2001
From: Firas Ghanmi
Date: Mon, 16 Sep 2024 17:49:17 +0200
Subject: [PATCH 18/18] fix golangci-lint
---
 internal/controller/fulcio/actions/deployment.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go
index 6b6980bc3..dc22a2086 100644
--- a/internal/controller/fulcio/actions/deployment.go
+++ b/internal/controller/fulcio/actions/deployment.go
@@ -111,7 +111,8 @@ func resolveCtlAddress(ctx context.Context, cli client.Client, instance *rhtasv1
 for _, port := range svc.Spec.Ports {
 if port.Name == ctlogAction.ServerPortName {
 var protocol string
- instance.Spec.Ctlog.Port = &port.Port
+ portCopy := port
+ instance.Spec.Ctlog.Port = &portCopy.Port
 switch port.Port {
 case 443:
 protocol = "https://"
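Review bot: `portCopy := port` copies the whole `corev1.ServicePort` just to give `instance.Spec.Ctlog.Port` an address that does not alias the loop variable; copying only the field, `p := port.Port` followed by `instance.Spec.Ctlog.Port = &p`, is narrower and states the intent directly, and the `switch port.Port` below can keep reading the loop variable. With Go 1.22 per-iteration loop variables the copy is not needed at all, though the module's Go version is not visible here, so the linter finding may reflect an older `go` directive. The rest of resolveCtlAddress lies outside this hunk.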