updates

Author: fghanmi

api/v1alpha1/common.go

@@ -40,9 +40,9 @@ type CtlogService struct {
 	//+optional
 	Address string `json:"address,omitempty"`
 	// Port of Ctlog Log Server End point
-	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Minimum:=0
 	//+kubebuilder:validation:Maximum:=65535
-	//+kubebuilder:default:=80
+	//+kubebuilder:default:=0
 	//+optional
 	Port *int32 `json:"port,omitempty"`
 }

api/v1alpha1/trillian_types.go

@@ -29,8 +29,6 @@ type TrillianSpec struct {
 	Db TrillianDB `json:"database,omitempty"`
 	//+optional
 	TrillianServer TrillianServer `json:"server,omitempty"`
-	//+optional
-	TrillianSigner TrillianSigner `json:"signer,omitempty"`
 	// Enable Monitoring for Logsigner and Logserver
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
 }
@@ -57,10 +55,6 @@ type TrillianServer struct {
 	// Secret with TLS server certificate, private key and CA certificate
 	TLSCertificate TLSCert `json:"tls"`
 }
-type TrillianSigner struct {
-	// Secret with TLS server certificate, private key and CA certificate
-	TLSCertificate TLSCert `json:"tls"`
-}
 
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {

api/v1alpha1/trillian_types_test.go

@@ -169,18 +169,6 @@ var _ = Describe("Trillian", func() {
 									},
 								},
 							},
-							TrillianSigner: TrillianSigner{
-								TLSCertificate: TLSCert{
-									CertRef: &SecretKeySelector{
-										Key:                  "cert",
-										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
-									},
-									PrivateKeyRef: &SecretKeySelector{
-										Key:                  "key",
-										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
-									},
-								},
-							},
 						},
 					}
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -795,67 +795,6 @@ spec:
                     required:
                     - tls
                     type: object
-                  signer:
-                    properties:
-                      tls:
-                        description: Secret with TLS server certificate, private key
-                          and CA certificate
-                        properties:
-                          caCertRef:
-                            description: Reference to CA certificate
-                            properties:
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          certRef:
-                            description: Reference to service certificate
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          privateKeyRef:
-                            description: Reference to the private key
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                        type: object
-                        x-kubernetes-validations:
-                        - message: privateKeyRef cannot be empty
-                          rule: (!has(self.certRef) || has(self.privateKeyRef))
-                    required:
-                    - tls
-                    type: object
                 type: object
               tuf:
                 default:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -195,67 +195,6 @@ spec:
                 required:
                 - tls
                 type: object
-              signer:
-                properties:
-                  tls:
-                    description: Secret with TLS server certificate, private key and
-                      CA certificate
-                    properties:
-                      caCertRef:
-                        description: Reference to CA certificate
-                        properties:
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      certRef:
-                        description: Reference to service certificate
-                        properties:
-                          key:
-                            description: The key of the secret to select from. Must
-                              be a valid secret key.
-                            pattern: ^[-._a-zA-Z0-9]+$
-                            type: string
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - key
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      privateKeyRef:
-                        description: Reference to the private key
-                        properties:
-                          key:
-                            description: The key of the secret to select from. Must
-                              be a valid secret key.
-                            pattern: ^[-._a-zA-Z0-9]+$
-                            type: string
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - key
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                    type: object
-                    x-kubernetes-validations:
-                    - message: privateKeyRef cannot be empty
-                      rule: (!has(self.certRef) || has(self.privateKeyRef))
-                required:
-                - tls
-                type: object
             type: object
           status:
             description: TrillianStatus defines the observed state of Trillian

config/crd/bases/rhtas.redhat.com_trillians.yaml

@@ -3,6 +3,6 @@ resources:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- digest: sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-  name: controller
-  newName: registry.redhat.io/rhtas/rhtas-rhel9-operator
+- name: controller
+  newName: quay.io/fghanmi/my_operator
+  newTag: v3.8.0

config/manager/kustomization.yaml

@@ -23,8 +23,8 @@ spec:
     config:
       OIDCIssuers:
         - ClientID: "trusted-artifact-signer"
-          IssuerURL: "https://your-oidc-issuer-url"
-          Issuer: "https://your-oidc-issuer-url"
+          IssuerURL: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
+          Issuer: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
           Type: "email"
     certificate:
       organizationName: Red Hat

config/samples/rhtas_v1alpha1_securesign.yaml

@@ -10,8 +10,9 @@ var (
 
 	FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179"
 
-	RekorRedisImage    = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
-	RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
+	RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
+	// RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
+	RekorServerImage   = "quay.io/securesign/rekor-server_test:latest"
 	RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19"
 	BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:5c7460ab3cd13b2ecf2b979f5061cb384174d6714b7630879e53d063e4cb69d2"
 

internal/controller/constants/images.go

@@ -30,9 +30,9 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Rekor) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	// signingKeySecret: OCP related
+	// signingKeySecret: OCP
 	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil && signingKeySecret != nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && signingKeySecret != nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result {

internal/controller/rekor/actions/server/config_map.go

@@ -3,6 +3,7 @@ package logserver
 import (
 	"context"
 	"fmt"
+
 	"github.com/securesign/operator/internal/controller/common/utils"
 
 	"github.com/securesign/operator/internal/controller/common/action"
@@ -115,7 +116,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 				Name: "tls-cert",
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
-						SecretName: "log-server-" + instance.Name + "-tls-secret",
+						SecretName: instance.Name + "-trillian-log-server-tls-secret",
 					},
 				},
 			})

internal/controller/trillian/actions/logserver/deployment.go

@@ -79,7 +79,7 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		if logserverService.Annotations == nil {
 			logserverService.Annotations = make(map[string]string)
 		}
-		logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = "log-server-" + instance.Name + "-tls-secret"
+		logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-trillian-log-server-tls-secret"
 		err := i.Client.Update(ctx, logserverService)
 		if err != nil {
 			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate logserver service: %w", err), instance)

internal/controller/trillian/actions/logserver/service.go

@@ -14,8 +14,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
-	k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
-	corev1 "k8s.io/api/core/v1"
 )
 
 func NewDeployAction() action.Action[*rhtasv1alpha1.Trillian] {
@@ -64,71 +62,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian LogSigner: %w", err), instance)
 	}
 
-	// TLS certificate
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	if instance.Spec.TrillianSigner.TLSCertificate.CertRef != nil {
-		signer.Spec.Template.Spec.Volumes = append(signer.Spec.Template.Spec.Volumes,
-			corev1.Volume{
-				Name: "tls-cert",
-				VolumeSource: corev1.VolumeSource{
-					Projected: &corev1.ProjectedVolumeSource{
-						Sources: []corev1.VolumeProjection{
-							{
-								Secret: &corev1.SecretProjection{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Spec.TrillianSigner.TLSCertificate.CertRef.Name,
-									},
-									Items: []corev1.KeyToPath{
-										{
-											Key:  instance.Spec.TrillianSigner.TLSCertificate.CertRef.Key,
-											Path: "tls.crt",
-										},
-									},
-								},
-							},
-							{
-								Secret: &corev1.SecretProjection{
-									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Spec.TrillianSigner.TLSCertificate.PrivateKeyRef.Name,
-									},
-									Items: []corev1.KeyToPath{
-										{
-											Key:  instance.Spec.TrillianSigner.TLSCertificate.PrivateKeyRef.Key,
-											Path: "tls.key",
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			})
-	} else if signingKeySecret != nil {
-		i.Logger.V(1).Info("TLS: Using secrets/signing-key secret")
-		signer.Spec.Template.Spec.Volumes = append(signer.Spec.Template.Spec.Volumes,
-			corev1.Volume{
-				Name: "tls-cert",
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: "log-signer-" + instance.Name + "-tls-secret",
-					},
-				},
-			})
-	} else {
-		i.Logger.V(1).Info("Communication between services is insecure")
-	}
-
-	if instance.Spec.TrillianSigner.TLSCertificate.CertRef != nil || signingKeySecret != nil {
-		signer.Spec.Template.Spec.Containers[0].VolumeMounts = append(signer.Spec.Template.Spec.Containers[0].VolumeMounts,
-			corev1.VolumeMount{
-				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
-				ReadOnly:  true,
-			})
-		signer.Spec.Template.Spec.Containers[0].Args = append(signer.Spec.Template.Spec.Containers[0].Args, "--tls_cert_file", "/etc/ssl/certs/tls.crt")
-		signer.Spec.Template.Spec.Containers[0].Args = append(signer.Spec.Template.Spec.Containers[0].Args, "--tls_key_file", "/etc/ssl/certs/tls.key")
-	}
-
 	if err = controllerutil.SetControllerReference(instance, signer, i.Client.Scheme()); err != nil {
 		return i.Failed(fmt.Errorf("could not set controller reference for LogSigner deployment: %w", err))
 	}

internal/controller/trillian/actions/logsigner/deployment.go

@@ -66,19 +66,6 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create logsigner Service: %w", err), instance)
 	}
 
-	//TLS: Annotate service
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	if signingKeySecret != nil && instance.Spec.TrillianSigner.TLSCertificate.CertRef == nil {
-		if logsignerService.Annotations == nil {
-			logsignerService.Annotations = make(map[string]string)
-		}
-		logsignerService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = "log-signer-" + instance.Name + "-tls-secret"
-		err := i.Client.Update(ctx, logsignerService)
-		if err != nil {
-			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate logserver service: %w", err), instance)
-		}
-	}
-
 	if updated {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    actions.ServerCondition,