securesign
diff --git a/‎api/v1alpha1/common.go
+14 b/‎api/v1alpha1/common.go
+14
diff --git a/‎api/v1alpha1/rekor_types.go
+3 b/‎api/v1alpha1/rekor_types.go
+3
diff --git a/‎api/v1alpha1/rekor_types_test.go
+5 b/‎api/v1alpha1/rekor_types_test.go
+5
diff --git a/‎api/v1alpha1/trillian_types.go
+13 b/‎api/v1alpha1/trillian_types.go
+13
diff --git a/‎api/v1alpha1/trillian_types_test.go
+24 b/‎api/v1alpha1/trillian_types_test.go
+24
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go
+65 b/‎api/v1alpha1/zz_generated.deepcopy.go
+65
diff --git a/‎bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+1-1 b/‎bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+1-1
diff --git a/‎bundle/manifests/rhtas.redhat.com_rekors.yaml
+56 b/‎bundle/manifests/rhtas.redhat.com_rekors.yaml
+56
@@ -90,3 +90,17 @@ type Pvc struct {
 	//+optional
 	StorageClass string `json:"storageClass,omitempty"`
 }
+
+// TLSCert defines fields for TLS certificate
+// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
+type TLSCert struct {
+	// Reference to the private key
+	//+optional
+	PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
+	// Reference to service certificate
+	//+optional
+	CertRef *SecretKeySelector `json:"certRef,omitempty"`
+	// Reference to CA certificate
+	//+optional
+	CACertRef *LocalObjectReference `json:"caCertRef,omitempty"`
+}
@@ -32,6 +32,9 @@ type RekorSpec struct {
 	// BackFillRedis CronJob Configuration
 	//+kubebuilder:default:={enabled: true, schedule: "0 0 * * *"}
 	BackFillRedis BackFillRedis `json:"backFillRedis,omitempty"`
+	// Reference to TLS server certificate, private key and CA certificate
+	//+optional
+	TLSCertificate TLSCert `json:"tls"`
 }
 
 type RekorSigner struct {
 
@@ -246,6 +246,11 @@ var _ = Describe("Rekor", func() {
 								Address: "trillian-system.default.svc",
 								Port:    &port,
 							},
+							TLSCertificate: TLSCert{
+								CACertRef: &LocalObjectReference{
+									Name: "ca-configmap",
+								},
+							},
 						},
 					}
 
 
@@ -27,6 +27,10 @@ type TrillianSpec struct {
 	//+kubebuilder:validation:XValidation:rule=((!self.create && self.databaseSecretRef != null) || self.create),message=databaseSecretRef cannot be empty
 	//+kubebuilder:default:={create: true, pvc: {size: "5Gi", retain: true}}
 	Db TrillianDB `json:"database,omitempty"`
+	//+optional
+	TrillianServer TrillianServer `json:"server,omitempty"`
+	//+optional
+	TrillianSigner TrillianSigner `json:"signer,omitempty"`
 	// Enable Monitoring for Logsigner and Logserver
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
 }
@@ -49,6 +53,15 @@ type TrillianDB struct {
 	Pvc Pvc `json:"pvc,omitempty"`
 }
 
+type TrillianServer struct {
+	// Secret with TLS server certificate, private key and CA certificate
+	TLSCertificate TLSCert `json:"tls"`
+}
+type TrillianSigner struct {
+	// Secret with TLS server certificate, private key and CA certificate
+	TLSCertificate TLSCert `json:"tls"`
+}
+
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {
 	Db TrillianDB `json:"database,omitempty"`
 
@@ -157,6 +157,30 @@ var _ = Describe("Trillian", func() {
 									Name: "secret",
 								},
 							},
+							TrillianServer: TrillianServer{
+								TLSCertificate: TLSCert{
+									CertRef: &SecretKeySelector{
+										Key:                  "cert",
+										LocalObjectReference: LocalObjectReference{Name: "server-secret"},
+									},
+									PrivateKeyRef: &SecretKeySelector{
+										Key:                  "key",
+										LocalObjectReference: LocalObjectReference{Name: "server-secret"},
+									},
+								},
+							},
+							TrillianSigner: TrillianSigner{
+								TLSCertificate: TLSCert{
+									CertRef: &SecretKeySelector{
+										Key:                  "cert",
+										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
+									},
+									PrivateKeyRef: &SecretKeySelector{
+										Key:                  "key",
+										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
+									},
+								},
+							},
 						},
 					}
 
 
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-03T12:24:03Z"
+    createdAt: "2024-07-09T08:45:46Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
 
@@ -198,6 +198,62 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                 type: object
+              tls:
+                description: Reference to TLS server certificate, private key and
+                  CA certificate
+                properties:
+                  caCertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: |-
                   ID of Merkle tree in Trillian backend
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,9 @@ type RekorSpec struct {`
`32`	`32`	`// BackFillRedis CronJob Configuration`
`33`	`33`	`//+kubebuilder:default:={enabled: true, schedule: "0 0 * * *"}`
`34`	`34`	BackFillRedis BackFillRedis `json:"backFillRedis,omitempty"`
	`35`	`+ // Reference to TLS server certificate, private key and CA certificate`
	`36`	`+ //+optional`
	`37`	+ TLSCertificate TLSCert `json:"tls"`
`35`	`38`	`}`
`36`	`39`
`37`	`40`	`type RekorSigner struct {`
Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,7 @@ metadata:`
`192`	`192`	`]`
`193`	`193`	`capabilities: Seamless Upgrades`
`194`	`194`	`containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3`
`195`		`- createdAt: "2024-07-03T12:24:03Z"`
	`195`	`+ createdAt: "2024-07-09T08:45:46Z"`
`196`	`196`	`features.operators.openshift.io/cnf: "false"`
`197`	`197`	`features.operators.openshift.io/cni: "false"`
`198`	`198`	`features.operators.openshift.io/csi: "false"`