[SECURESIGN-994] Add TLS to Fulcio and CTlog services #492

Open
wants to merge 18 commits into
base: main
Add TLS to Rekor and Trillian services
fghanmi committed Sep 12, 2024
commit 97e06d1c528e5b46f0d1e23d3e90494f9b084f4b
15 changes: 15 additions & 0 deletions api/v1alpha1/common.go
Original file line number Diff line number Diff line change
@@ -107,13 +107,28 @@ type Pvc struct {
AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty"`
}

<<<<<<< HEAD
type Auth struct {
// Environmental variables used to define authentication parameters
//+optional
Env []core.EnvVar `json:"env,omitempty"`
// Secret ref to be mounted inside a pod, Mount path defaults to /var/run/secrets/tas/auth
//+optional
SecretMount []SecretKeySelector `json:"secretMount,omitempty"`
=======
// TLSCert defines fields for TLS certificate
// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
type TLSCert struct {
// Reference to the private key
//+optional
PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
// Reference to service certificate
//+optional
CertRef *SecretKeySelector `json:"certRef,omitempty"`
// Reference to CA certificate
//+optional
CACertRef *LocalObjectReference `json:"CACertRef,omitempty"`
>>>>>>> 8dc3af9 (Add TLS to Rekor and Trillian services)
}

// TLS (Transport Layer Security) Configuration for enabling service encryption.
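Review bot: Unresolved merge-conflict markers are committed in this hunk — `<<<<<<< HEAD` before `type Auth struct`, `=======` after the `SecretMount` field, and `>>>>>>> 8dc3af9 (Add TLS to Rekor and Trillian services)` before the closing brace — so common.go no longer compiles and `Auth` is left without a closing brace of its own; the markers must go and `TLSCert` needs to be declared after `Auth`'s `}`. Separately, the XValidation rule `(!has(self.certRef) || has(self.privateKeyRef))` only rejects a certificate without a key, while a `privateKeyRef` with no `certRef` is accepted even though it is equally unusable for serving TLS; `rule=(has(self.certRef) == has(self.privateKeyRef)),message=certRef and privateKeyRef must be set together` is the symmetric check. The tag `json:"CACertRef,omitempty"` breaks the lowerCamel convention of `certRef`/`privateKeyRef` and surfaces as `CACertRef:` in the generated CRD; `json:"caCertRef,omitempty"` is the conventional spelling and is cheap to change before the field ships. The `CACertRef` comment should also name the object kind the bare `LocalObjectReference` points at (the fixtures use a name like `ca-configmap`, which suggests a ConfigMap), e.g. `// Reference to a ConfigMap holding the CA certificate that issued the server certificate`, adjusted to what the reconciler actually reads.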
4 changes: 4 additions & 0 deletions api/v1alpha1/ctlog_types.go
Original file line number Diff line number Diff line change
@@ -48,6 +48,9 @@ type CTlogSpec struct {
// publicKeyRef, rootCertificates and trillian will be overridden.
//+optional
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
// Reference to TLS server certificate, private key and CA certificate
//+optional
TLSCertificate TLSCert `json:"tls"`
}

// CTlogStatus defines the observed state of CTlog component
@@ -57,6 +60,7 @@ type CTlogStatus struct {
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
TLSCertificate *TLSCert `json:"tls,omitempty"`
// The ID of a Trillian tree that stores the log data.
TreeID *int64 `json:"treeID,omitempty"`
// +listType=map
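Review bot: `CTlogSpec.TLSCertificate` is a value `TLSCert` with tag `json:"tls"` and marked `//+optional`, whereas `CTlogStatus.TLSCertificate` is `*TLSCert` with `omitempty`; with a non-pointer struct and no `omitempty`, every CTlog object serializes `tls: {}` even when nothing was configured, and `+optional` on a value struct only affects the OpenAPI `required` list. Declaring the spec field as `TLSCertificate *TLSCert` with `json:"tls,omitempty"` matches the status field and lets the controller distinguish "not configured" from "configured". The comment should also say what happens when no certificate is referenced — presumably the service keeps serving plaintext, but the reconciler is outside this diff — e.g. `// Reference to TLS server certificate, private key and CA certificate. When unset, the server is not served over TLS.` so operators do not assume encryption is on by default.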
9 changes: 9 additions & 0 deletions api/v1alpha1/ctlog_types_test.go
Original file line number Diff line number Diff line change
@@ -135,6 +135,15 @@ var _ = Describe("CTlog", func() {
Trillian: TrillianService{
Address: "trillian-system.default.svc",
Port: &port,
TLSCertificate: TLSCert{
CertRef: &SecretKeySelector{
Key: "cert",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
PrivateKeyRef: &SecretKeySelector{
Key: "key",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
},
},
}
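Review bot: The added fixture only exercises the accepted shape (both `CertRef` and `PrivateKeyRef` set on the same secret); nothing checks that the new CEL rule rejects a `certRef` without a `privateKeyRef`, so a regression in the `+kubebuilder:validation:XValidation` marker would pass unnoticed. If these specs run against an API server (envtest), a sibling case that sets only `CertRef` and asserts that the create fails with `privateKeyRef cannot be empty` would cover it. The enclosing `Describe("CTlog")` block starts before and ends after this hunk.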
4 changes: 4 additions & 0 deletions api/v1alpha1/fulcio_types.go
Original file line number Diff line number Diff line change
@@ -26,6 +26,9 @@ type FulcioSpec struct {
// ConfigMap with additional bundle of trusted CA
//+optional
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
// Reference to TLS server certificate, private key and CA certificate
//+optional
TLSCertificate TLSCert `json:"tls"`
}

// FulcioCert defines fields for system-generated certificate
@@ -101,6 +104,7 @@ type OIDCIssuer struct {
type FulcioStatus struct {
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
Certificate *FulcioCert `json:"certificate,omitempty"`
TLSCertificate *TLSCert `json:"tls,omitempty"`
Url string `json:"url,omitempty"`
// +listType=map
// +listMapKey=type
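Review bot: `FulcioSpec` now carries two independent CA references — the existing `TrustedCA *LocalObjectReference` ("ConfigMap with additional bundle of trusted CA") and the new `TLSCertificate.CACertRef` — and neither comment says how they relate, so an operator cannot tell whether the CA that issued the server certificate must also be added to `TrustedCA`, or whether `CACertRef` is what other components receive to verify Fulcio. A comment on the new field such as `// Reference to TLS server certificate, private key and the CA certificate that issued it. Independent of TrustedCA, which only extends the trust bundle used for outbound connections.` — adjusted to what the reconciler actually does, which is outside this diff — would remove the ambiguity. The spec field is also a value `TLSCert` with plain `json:"tls"` while `FulcioStatus.TLSCertificate` is `*TLSCert` with `omitempty`, so `tls: {}` is always emitted for the spec; a pointer with `omitempty` keeps the two consistent.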
17 changes: 17 additions & 0 deletions api/v1alpha1/fulcio_types_test.go
Original file line number Diff line number Diff line change
@@ -229,11 +229,17 @@ var _ = Describe("Fulcio", func() {
PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
},

Ctlog: CtlogService{
Address: "ctlog.default.svc",
Port: ptr.To(int32(80)),
Prefix: "trusted-artifact-signer",
},
TLSCertificate: TLSCert{
CertRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
CACertRef: &LocalObjectReference{Name: "ca-configmap"},
},
},
}

@@ -286,6 +292,17 @@ func generateFulcioObject(name string) *Fulcio {
Port: ptr.To(int32(80)),
Prefix: "trusted-artifact-signer",
},
TLSCertificate: TLSCert{
CertRef: &SecretKeySelector{
Key: "cert",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
PrivateKeyRef: &SecretKeySelector{
Key: "key",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
CACertRef: &LocalObjectReference{Name: "ca-configmap"},
},
},
}
}
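Review bot: In the first hunk the new `TLSCertificate` fixture points `CertRef` and `PrivateKeyRef` at the same secret key (`Key: "key"` in secret `name` for both), so a controller that swapped the two references would still satisfy this fixture; the second hunk in `generateFulcioObject` already uses distinct `cert`/`key` keys, and `CertRef: &SecretKeySelector{Key: "cert", ...}` in the first hunk would make the two consistent. The surrounding `Describe("Fulcio")` body and `generateFulcioObject` start before these hunks.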
40 changes: 40 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


111 changes: 111 additions & 0 deletions bundle/manifests/rhtas.redhat.com_ctlogs.yaml
Original file line number Diff line number Diff line change
@@ -152,6 +152,62 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: Reference to TLS server certificate, private key and
CA certificate
properties:
CACertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
@@ -343,6 +399,61 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: TLSCert defines fields for TLS certificate
properties:
CACertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
treeID:
description: The ID of a Trillian tree that stores the log data.
format: int64