[SECURESIGN-1393] Migrate trillian logserver

Author: bouskaJ

internal/controller/common/utils/kubernetes/deployment.go

@@ -128,6 +128,16 @@ func FindContainerByNameOrCreate(podSpec *corev1.PodSpec, containerName string)
 	return &podSpec.Containers[len(podSpec.Containers)-1]
 }
 
+func FindInitContainerByNameOrCreate(podSpec *corev1.PodSpec, containerName string) *corev1.Container {
+	for i, c := range podSpec.InitContainers {
+		if c.Name == containerName {
+			return &podSpec.InitContainers[i]
+		}
+	}
+	podSpec.InitContainers = append(podSpec.InitContainers, corev1.Container{Name: containerName})
+	return &podSpec.InitContainers[len(podSpec.InitContainers)-1]
+}
+
 func FindVolumeByNameOrCreate(podSpec *corev1.PodSpec, volumeName string) *corev1.Volume {
 	for i, v := range podSpec.Volumes {
 		if v.Name == volumeName {

internal/controller/common/utils/kubernetes/ensure/deployment.go

@@ -11,6 +11,7 @@ import (
 const (
 	CaTrustVolumeName = "ca-trust"
 	TLSVolumeName     = "tls-cert"
+	CATRustMountPath  = "/var/run/configs/tas/ca-trust"
 
 	TLSVolumeMount = "/var/run/secrets/tas"
 
@@ -32,10 +33,10 @@ func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error
 		template := &dp.Spec.Template
 		for i := range template.Spec.Containers {
 			env := kubernetes.FindEnvByNameOrCreate(&template.Spec.Containers[i], "SSL_CERT_DIR")
-			env.Value = "/var/run/configs/tas/ca-trust:/var/run/secrets/kubernetes.io/serviceaccount"
+			env.Value = CATRustMountPath + ":/var/run/secrets/kubernetes.io/serviceaccount"
 
 			volumeMount := kubernetes.FindVolumeMountByNameOrCreate(&template.Spec.Containers[i], CaTrustVolumeName)
-			volumeMount.MountPath = "/var/run/configs/tas/ca-trust"
+			volumeMount.MountPath = CATRustMountPath
 			volumeMount.ReadOnly = true
 
 		}

internal/controller/trillian/actions/db/deployment.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils"
@@ -258,9 +259,23 @@ func (i *deployAction) ensureTLS(instance *rhtasv1alpha1.Trillian) func(deployme
 
 		container.LivenessProbe.Exec.Command = []string{"bash", "-c", livenessCommand + " --ssl"}
 
-		container.Args = append(container.Args, "--ssl-cert", ensure.TLSCertPath)
-		container.Args = append(container.Args, "--ssl-key", ensure.TLSKeyPath)
+		if i := slices.Index(container.Args, "--ssl-cert"); i == -1 {
+			container.Args = append(container.Args, "--ssl-cert", ensure.TLSCertPath)
+		} else {
+			if len(container.Args)-1 < i+1 {
+				container.Args = append(container.Args, ensure.TLSCertPath)
+			}
+			container.Args[i+1] = ensure.TLSCertPath
+		}
 
+		if i := slices.Index(container.Args, "--ssl-key"); i == -1 {
+			container.Args = append(container.Args, "--ssl-key", ensure.TLSKeyPath)
+		} else {
+			if len(container.Args)-1 < i+1 {
+				container.Args = append(container.Args, ensure.TLSKeyPath)
+			}
+			container.Args[i+1] = ensure.TLSKeyPath
+		}
 		return nil
 	}
 }

internal/controller/trillian/actions/logserver/deployment.go

@@ -6,10 +6,14 @@ import (
 
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils"
+	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+	"github.com/securesign/operator/internal/controller/common/utils/kubernetes/ensure"
 	"github.com/securesign/operator/internal/controller/constants"
 	"github.com/securesign/operator/internal/controller/labels"
 	"github.com/securesign/operator/internal/controller/trillian/actions"
 	trillianUtils "github.com/securesign/operator/internal/controller/trillian/utils"
+	"golang.org/x/exp/maps"
+	apps "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -36,60 +40,40 @@ func (i deployAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Trill
 
 func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trillian) *action.Result {
 	var (
-		err     error
-		updated bool
+		err    error
+		result controllerutil.OperationResult
 	)
 
 	labels := labels.For(actions.LogServerComponentName, actions.LogserverDeploymentName, instance.Name)
-	server, err := trillianUtils.CreateLogServerDeployment(ctx, i.Client, instance, constants.TrillianServerImage, actions.LogserverDeploymentName, actions.RBACName, labels)
-	if err != nil {
-		return i.Failed(err)
-	}
-
-	caTrustRef := utils.TrustedCAAnnotationToReference(instance.Annotations)
-	// override if spec.trustedCA is defined
-	if instance.Spec.TrustedCA != nil {
-		caTrustRef = instance.Spec.TrustedCA
-	}
-	err = utils.SetTrustedCA(&server.Spec.Template, caTrustRef)
-
-	if err != nil {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    actions.ServerCondition,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    constants.Ready,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian server: %w", err), instance)
-	}
+	insCopy := instance.DeepCopy()
 
-	if err = controllerutil.SetControllerReference(instance, server, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controller reference for server: %w", err))
+	if insCopy.Spec.TrustedCA != nil {
+		insCopy.Spec.TrustedCA = utils.TrustedCAAnnotationToReference(instance.Annotations)
 	}
 
-	if updated, err = i.Ensure(ctx, server); err != nil {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
+		&apps.Deployment{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      actions.LogserverDeploymentName,
+				Namespace: instance.Namespace,
+			},
+		},
+		trillianUtils.EnsureServerDeployment(insCopy, constants.TrillianServerImage, actions.LogserverDeploymentName, actions.RBACName, labels),
+		ensure.ControllerReference[*apps.Deployment](insCopy, i.Client),
+		ensure.Labels[*apps.Deployment](maps.Keys(labels), labels),
+		ensure.Proxy(),
+		ensure.TrustedCA(insCopy.Spec.TrustedCA),
+		ensure.Optional(trillianUtils.UseTLS(insCopy), i.withTlsDB(ctx, insCopy)),
+	); err != nil {
+		return i.Error(ctx, fmt.Errorf("could not create Trillian server: %w", err), instance, metav1.Condition{
 			Type:    actions.ServerCondition,
 			Status:  metav1.ConditionFalse,
 			Reason:  constants.Failure,
 			Message: err.Error(),
 		})
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    constants.Ready,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian server: %w", err), instance)
 	}
 
-	if updated {
+	if result != controllerutil.OperationResultNone {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    actions.ServerCondition,
 			Status:  metav1.ConditionFalse,
@@ -101,3 +85,23 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 		return i.Continue()
 	}
 }
+
+func (i deployAction) withTlsDB(ctx context.Context, instance *rhtasv1alpha1.Trillian) func(deployment *apps.Deployment) error {
+	return func(dp *apps.Deployment) error {
+		caPath, err := trillianUtils.CAPath(ctx, i.Client, instance)
+		if err != nil {
+			return fmt.Errorf("failed to get CA path: %w", err)
+		}
+
+		c := kubernetes.FindContainerByNameOrCreate(&dp.Spec.Template.Spec, actions.LogserverDeploymentName)
+		c.Args = append(c.Args, "--mysql_tls_ca", caPath)
+
+		mysqlServerName := "$(MYSQL_HOSTNAME)." + instance.Namespace + ".svc"
+		if !*instance.Spec.Db.Create {
+			mysqlServerName = "$(MYSQL_HOSTNAME)"
+		}
+		c.Args = append(c.Args, "--mysql_server_name", mysqlServerName)
+		return nil
+	}
+
+}

internal/controller/trillian/actions/logsigner/deployment.go

@@ -6,10 +6,14 @@ import (
 
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils"
+	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+	"github.com/securesign/operator/internal/controller/common/utils/kubernetes/ensure"
 	"github.com/securesign/operator/internal/controller/constants"
 	"github.com/securesign/operator/internal/controller/labels"
 	"github.com/securesign/operator/internal/controller/trillian/actions"
 	trillianUtils "github.com/securesign/operator/internal/controller/trillian/utils"
+	"golang.org/x/exp/maps"
+	apps "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -36,62 +40,40 @@ func (i deployAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Trill
 
 func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trillian) *action.Result {
 	var (
-		err     error
-		updated bool
+		err    error
+		result controllerutil.OperationResult
 	)
 
 	labels := labels.For(actions.LogSignerComponentName, actions.LogsignerDeploymentName, instance.Name)
-	signer, err := trillianUtils.CreateLogServerDeployment(ctx, i.Client, instance, constants.TrillianLogSignerImage, actions.LogsignerDeploymentName, actions.RBACName, labels)
-	if err != nil {
-		return i.Failed(err)
-	}
-
-	signer.Spec.Template.Spec.Containers[0].Args = append(signer.Spec.Template.Spec.Containers[0].Args, "--force_master=true")
 
 	caTrustRef := utils.TrustedCAAnnotationToReference(instance.Annotations)
 	// override if spec.trustedCA is defined
 	if instance.Spec.TrustedCA != nil {
 		caTrustRef = instance.Spec.TrustedCA
 	}
-	err = utils.SetTrustedCA(&signer.Spec.Template, caTrustRef)
 
-	if err != nil {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
+		&apps.Deployment{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      actions.LogsignerDeploymentName,
+				Namespace: instance.Namespace,
+			},
+		},
+		trillianUtils.EnsureServerDeployment(instance, constants.TrillianLogSignerImage, actions.LogsignerDeploymentName, actions.RBACName, labels, "--force_master=true"),
+		ensure.ControllerReference[*apps.Deployment](instance, i.Client),
+		ensure.Labels[*apps.Deployment](maps.Keys(labels), labels),
+		ensure.Proxy(),
+		ensure.TrustedCA(caTrustRef),
+	); err != nil {
+		return i.Error(ctx, fmt.Errorf("could not create Trillian LogSigner: %w", err), instance, metav1.Condition{
 			Type:    actions.SignerCondition,
 			Status:  metav1.ConditionFalse,
 			Reason:  constants.Failure,
 			Message: err.Error(),
 		})
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    constants.Ready,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian LogSigner: %w", err), instance)
-	}
-
-	if err = controllerutil.SetControllerReference(instance, signer, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controller reference for LogSigner deployment: %w", err))
-	}
-
-	if updated, err = i.Ensure(ctx, signer); err != nil {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    actions.SignerCondition,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    constants.Ready,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: err.Error(),
-		})
-		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian LogSigner deployment: %w", err), instance)
 	}
 
-	if updated {
+	if result != controllerutil.OperationResultNone {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    actions.SignerCondition,
 			Status:  metav1.ConditionFalse,