updates: Create Tree Jobs, enable TLS on Trillian, Rekor and Ctlog

Author: fghanmi

api/v1alpha1/ctlog_types.go

@@ -42,6 +42,9 @@ type CTlogSpec struct {
 	// Trillian service configuration
 	//+kubebuilder:default:={port: 8091}
 	Trillian TrillianService `json:"trillian,omitempty"`
+	// Reference to TLS server certificate, private key and CA certificate
+	//+optional
+	TLSCertificate TLSCert `json:"tls"`
 }
 
 // CTlogStatus defines the observed state of CTlog component
@@ -51,6 +54,7 @@ type CTlogStatus struct {
 	PrivateKeyPasswordRef *SecretKeySelector    `json:"privateKeyPasswordRef,omitempty"`
 	PublicKeyRef          *SecretKeySelector    `json:"publicKeyRef,omitempty"`
 	RootCertificates      []SecretKeySelector   `json:"rootCertificates,omitempty"`
+	TLSCertificate        *TLSCert              `json:"tls,omitempty"`
 	// The ID of a Trillian tree that stores the log data.
 	TreeID *int64 `json:"treeID,omitempty"`
 	// +listType=map

api/v1alpha1/ctlog_types_test.go

@@ -136,6 +136,16 @@ var _ = Describe("CTlog", func() {
 								Address: "trillian-system.default.svc",
 								Port:    &port,
 							},
+							TLSCertificate: TLSCert{
+								CertRef: &SecretKeySelector{
+									Key:                  "cert",
+									LocalObjectReference: LocalObjectReference{Name: "secret"},
+								},
+								PrivateKeyRef: &SecretKeySelector{
+									Key:                  "key",
+									LocalObjectReference: LocalObjectReference{Name: "secret"},
+								},
+							},
 						},
 					}
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -92,8 +92,8 @@ metadata:
                 "OIDCIssuers": [
                   {
                     "ClientID": "trusted-artifact-signer",
-                    "Issuer": "https://your-oidc-issuer-url",
-                    "IssuerURL": "https://your-oidc-issuer-url",
+                    "Issuer": "https://keycloak-keycloak-system.apps.rosa.iduhn-ah6m6-dk9.o468.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
+                    "IssuerURL": "https://keycloak-keycloak-system.apps.rosa.iduhn-ah6m6-dk9.o468.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
                     "Type": "email"
                   }
                 ]
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-09T08:45:46Z"
+    createdAt: "2024-08-08T10:01:11Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -137,6 +137,62 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 type: array
+              tls:
+                description: Reference to TLS server certificate, private key and
+                  CA certificate
+                properties:
+                  caCertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: |-
                   The ID of a Trillian tree that stores the log data.
@@ -328,6 +384,61 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              tls:
+                description: TLSCert defines fields for TLS certificate
+                properties:
+                  caCertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: The ID of a Trillian tree that stores the log data.
                 format: int64

bundle/manifests/rhtas.redhat.com_ctlogs.yaml

@@ -230,11 +230,11 @@ spec:
                     description: Address to Ctlog Log Server End point
                     type: string
                   port:
-                    default: 80
+                    default: 0
                     description: Port of Ctlog Log Server End point
                     format: int32
                     maximum: 65535
-                    minimum: 1
+                    minimum: 0
                     type: integer
                 type: object
               externalAccess:

bundle/manifests/rhtas.redhat.com_fulcios.yaml

@@ -153,6 +153,62 @@ spec:
                       type: object
                       x-kubernetes-map-type: atomic
                     type: array
+                  tls:
+                    description: Reference to TLS server certificate, private key
+                      and CA certificate
+                    properties:
+                      caCertRef:
+                        description: Reference to CA certificate
+                        properties:
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        required:
+                        - name
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      certRef:
+                        description: Reference to service certificate
+                        properties:
+                          key:
+                            description: The key of the secret to select from. Must
+                              be a valid secret key.
+                            pattern: ^[-._a-zA-Z0-9]+$
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      privateKeyRef:
+                        description: Reference to the private key
+                        properties:
+                          key:
+                            description: The key of the secret to select from. Must
+                              be a valid secret key.
+                            pattern: ^[-._a-zA-Z0-9]+$
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                        x-kubernetes-map-type: atomic
+                    type: object
+                    x-kubernetes-validations:
+                    - message: privateKeyRef cannot be empty
+                      rule: (!has(self.certRef) || has(self.privateKeyRef))
                   treeID:
                     description: |-
                       The ID of a Trillian tree that stores the log data.
@@ -367,11 +423,11 @@ spec:
                         description: Address to Ctlog Log Server End point
                         type: string
                       port:
-                        default: 80
+                        default: 0
                         description: Port of Ctlog Log Server End point
                         format: int32
                         maximum: 65535
-                        minimum: 1
+                        minimum: 0
                         type: integer
                     type: object
                   externalAccess:
@@ -844,67 +900,6 @@ spec:
                     required:
                     - tls
                     type: object
-                  signer:
-                    properties:
-                      tls:
-                        description: Secret with TLS server certificate, private key
-                          and CA certificate
-                        properties:
-                          caCertRef:
-                            description: Reference to CA certificate
-                            properties:
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          certRef:
-                            description: Reference to service certificate
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          privateKeyRef:
-                            description: Reference to the private key
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                        type: object
-                        x-kubernetes-validations:
-                        - message: privateKeyRef cannot be empty
-                          rule: (!has(self.certRef) || has(self.privateKeyRef))
-                    required:
-                    - tls
-                    type: object
                 type: object
               tuf:
                 default: