[SECURESIGN-994] Add TLS to Fulcio and CTlog services #492

Open: wants to merge 18 commits into base: main
4 changes: 2 additions & 2 deletions api/v1alpha1/common.go
@@ -43,9 +43,9 @@ type CtlogService struct {
//+optional
Address string `json:"address,omitempty"`
// Port of Ctlog Log Server End point
//+kubebuilder:validation:Minimum:=1
//+kubebuilder:validation:Minimum:=0
//+kubebuilder:validation:Maximum:=65535
//+kubebuilder:default:=80
//+kubebuilder:default:=0
I don't think that default port 0 is the right choice. I would prefer to omit this value (use nil) in case it is not used.

//+optional
Port *int32 `json:"port,omitempty"`
// Prefix is the name of the log. The prefix cannot be empty and can
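Review bot: `Minimum:=0` together with `default:=0` makes 0 both a valid and the default port, yet port 0 is not something a client can connect to, so the schema now silently accepts a non-functional value. Since `Port` is already `*int32` with `omitempty`, drop the `+kubebuilder:default` marker, keep `Minimum:=1`, and let nil mean "unset" so the controller can choose the scheme-appropriate port; that is also what the reviewer comment above asks for.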
4 changes: 4 additions & 0 deletions api/v1alpha1/ctlog_types.go
@@ -48,6 +48,9 @@ type CTlogSpec struct {
// publicKeyRef, rootCertificates and trillian will be overridden.
//+optional
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
// Configuration for enabling TLS (Transport Layer Security) encryption for manged database.
Please fix the doc; it is the configuration to encrypt the CTlog server.

//+optional
TLS TLS `json:"tls,omitempty"`
}

// CTlogStatus defines the observed state of CTlog component
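Review bot: the doc comment on the new `TLS` field reads "encryption for manged database", which is both a typo and the wrong subject: this field configures TLS for the CTlog server, as the comment above already points out. Suggest `// Configuration for enabling TLS (Transport Layer Security) encryption for the CTlog server.` and regenerate the CRDs afterwards, since this text is copied verbatim into their `description` fields.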
@@ -57,6 +60,7 @@ type CTlogStatus struct {
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
TLS TLS `json:"tls,omitempty"`
// The ID of a Trillian tree that stores the log data.
TreeID *int64 `json:"treeID,omitempty"`
// +listType=map
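Review bot: the `TLS` field added to `CTlogStatus` has no doc comment, while its neighbour `TreeID` does, and the hunk does not make clear whether status is meant to echo the spec value or to record the secret references the controller actually resolved for the running server; a one-line comment stating which would remove that ambiguity for API consumers.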
2 changes: 1 addition & 1 deletion api/v1alpha1/fulcio_types.go
@@ -14,7 +14,7 @@ type FulcioSpec struct {
ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
// Ctlog service configuration
//+optional
//+kubebuilder:default:={port: 80, prefix: trusted-artifact-signer}
//+kubebuilder:default:={prefix: trusted-artifact-signer}
Ctlog CtlogService `json:"ctlog,omitempty"`
// Fulcio Configuration
//+required
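Review bot: dropping `port: 80` from the `Ctlog` default is consistent with a TLS-aware client, but after this change `Ctlog.Port` will be nil (or 0 via the `CtlogService` default) unless the user sets it, so every consumer of this field in the Fulcio reconciler needs an explicit fallback (443 when TLS is configured, 80 otherwise); please point at where that fallback lives or add it in this PR.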
2 changes: 2 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

4 changes: 2 additions & 2 deletions bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -297,7 +297,7 @@ metadata:
]
capabilities: Seamless Upgrades
containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:028b6eec7f821b18cf710237a7613ef76d2bacdeff56462368e4e186f26627cc
createdAt: "2024-09-11T13:45:32Z"
createdAt: "2024-09-12T09:06:03Z"
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
features.operators.openshift.io/csi: "false"
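Review bot: the `createdAt` bump is bundle-regeneration noise unrelated to the TLS change; unless the project's convention is to refresh it on every PR, revert it (or keep bundle regeneration in its own commit) so the functional changes in this file stay reviewable.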
@@ -309,7 +309,7 @@ metadata:
features.operators.openshift.io/token-auth-azure: "false"
features.operators.openshift.io/token-auth-gcp: "false"
operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
operators.operatorframework.io/builder: operator-sdk-v1.34.2
operators.operatorframework.io/builder: operator-sdk-v1.34.1
do not change operator-sdk version

operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
repository: https://github.com/securesign/secure-sign-operator
support: Red Hat
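Review bot: the `operators.operatorframework.io/builder` annotation goes backwards from `operator-sdk-v1.34.2` to `operator-sdk-v1.34.1`, which means the bundle was regenerated with an older local SDK than the one the repository expects; regenerate with 1.34.2 (or revert this line), as the comment above requests, so the annotation does not drift from the toolchain that produced the rest of the bundle.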
92 changes: 92 additions & 0 deletions bundle/manifests/rhtas.redhat.com_ctlogs.yaml
@@ -152,6 +152,52 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: Configuration for enabling TLS (Transport Layer Security)
encryption for manged database.
properties:
certificateRef:
description: Reference to the certificate secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
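Review bot: the `x-kubernetes-validations` rule `(!has(self.certificateRef) || has(self.privateKeyRef))` is one-directional: it rejects a certificate without a private key but accepts a `privateKeyRef` with no `certificateRef`, which is an equally unusable TLS configuration. A symmetric rule such as `has(self.certificateRef) == has(self.privateKeyRef)` with a message like "certificateRef and privateKeyRef must be set together" closes that gap. The `description` on `tls` also carries the "manged database" text from the Go comment and should be regenerated once that is corrected.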
@@ -343,6 +389,52 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: TLS (Transport Layer Security) Configuration for enabling
service encryption.
properties:
certificateRef:
description: Reference to the certificate secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
treeID:
description: The ID of a Trillian tree that stores the log data.
format: int64
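Review bot: the status `tls` description ("TLS (Transport Layer Security) Configuration for enabling service encryption") and the spec one in the previous hunk ("... for manged database") describe the same structure differently; both should come from one corrected Go comment. The same one-directional CEL rule is repeated here: if the spec rule is made symmetric, mirror it in status, or consider leaving validation off the status field entirely since it is written by the controller rather than by users.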
5 changes: 2 additions & 3 deletions bundle/manifests/rhtas.redhat.com_fulcios.yaml
@@ -223,19 +223,18 @@ spec:
(has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
ctlog:
default:
port: 80
prefix: trusted-artifact-signer
description: Ctlog service configuration
properties:
address:
description: Address to Ctlog Log Server End point
type: string
port:
default: 80
default: 0
description: Port of Ctlog Log Server End point
format: int32
maximum: 65535
minimum: 1
minimum: 0
type: integer
prefix:
default: trusted-artifact-signer
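Review bot: `default: 0` with `minimum: 0` for `ctlog.port` admits a port no client can use; this is the generated counterpart of the `common.go` change, so once the `+kubebuilder:default` marker is removed there and `Minimum` restored to 1, regenerate so this file shows no `default` for `port` and `minimum: 1`. Note also that the top-level `ctlog.default` now sets only `prefix`, so `port` will be absent from the applied object unless the per-field default remains, which is the behaviour the reviewer comment on `common.go` actually wants.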
51 changes: 48 additions & 3 deletions bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -168,6 +168,52 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: Configuration for enabling TLS (Transport Layer Security)
encryption for manged database.
properties:
certificateRef:
description: Reference to the certificate secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
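Review bot: this is the embedded copy of the CTlog `tls` schema, so the same issues apply: the `description` still says "manged database", and the rule `(!has(self.certificateRef) || has(self.privateKeyRef))` lets a `privateKeyRef` without a `certificateRef` through. Fix it in the Go types and regenerate rather than patching the YAML by hand, so the `securesigns`, `ctlogs` and `config/crd/bases` copies stay identical.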
@@ -375,19 +421,18 @@ spec:
|| (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
ctlog:
default:
port: 80
prefix: trusted-artifact-signer
description: Ctlog service configuration
properties:
address:
description: Address to Ctlog Log Server End point
type: string
port:
default: 80
default: 0
description: Port of Ctlog Log Server End point
format: int32
maximum: 65535
minimum: 1
minimum: 0
type: integer
prefix:
default: trusted-artifact-signer
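Review bot: same `ctlog.port` `default: 0` / `minimum: 0` issue as in `rhtas.redhat.com_fulcios.yaml`; regenerate after the `common.go` marker change so both CRDs express "unset" as an absent field rather than 0.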
92 changes: 92 additions & 0 deletions config/crd/bases/rhtas.redhat.com_ctlogs.yaml
@@ -152,6 +152,52 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: Configuration for enabling TLS (Transport Layer Security)
encryption for manged database.
properties:
certificateRef:
description: Reference to the certificate secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
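Review bot: this is the source CRD from which the bundle copy is built, and it carries the same one-directional `x-kubernetes-validations` rule and the "manged database" description; the fix belongs in `api/v1alpha1/ctlog_types.go`, followed by regenerating the CRDs and the bundle, so this file and `bundle/manifests/rhtas.redhat.com_ctlogs.yaml` do not diverge.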
@@ -343,6 +389,52 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: TLS (Transport Layer Security) Configuration for enabling
service encryption.
properties:
certificateRef:
description: Reference to the certificate secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for TLS
encryption.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
treeID:
description: The ID of a Trillian tree that stores the log data.
format: int64
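Review bot: as with the bundle copy, the status `tls` description differs from the spec one, and the CEL rule is repeated on a controller-written status field; decide whether status needs validation at all, and keep the two descriptions consistent by fixing the Go comment once and regenerating.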