updates

Author: fghanmi

api/v1alpha1/common.go

@@ -40,9 +40,9 @@ type CtlogService struct {
 	//+optional
 	Address string `json:"address,omitempty"`
 	// Port of Ctlog Log Server End point
-	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Minimum:=0
 	//+kubebuilder:validation:Maximum:=65535
-	//+kubebuilder:default:=80
+	//+kubebuilder:default:=0
 	//+optional
 	Port *int32 `json:"port,omitempty"`
 }

api/v1alpha1/trillian_types.go

@@ -29,8 +29,6 @@ type TrillianSpec struct {
 	Db TrillianDB `json:"database,omitempty"`
 	//+optional
 	TrillianServer TrillianServer `json:"server,omitempty"`
-	//+optional
-	TrillianSigner TrillianSigner `json:"signer,omitempty"`
 	// Enable Monitoring for Logsigner and Logserver
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
 }
@@ -57,10 +55,6 @@ type TrillianServer struct {
 	// Secret with TLS server certificate, private key and CA certificate
 	TLSCertificate TLSCert `json:"tls"`
 }
-type TrillianSigner struct {
-	// Secret with TLS server certificate, private key and CA certificate
-	TLSCertificate TLSCert `json:"tls"`
-}
 
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -844,67 +844,6 @@ spec:
                     required:
                     - tls
                     type: object
-                  signer:
-                    properties:
-                      tls:
-                        description: Secret with TLS server certificate, private key
-                          and CA certificate
-                        properties:
-                          caCertRef:
-                            description: Reference to CA certificate
-                            properties:
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          certRef:
-                            description: Reference to service certificate
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                          privateKeyRef:
-                            description: Reference to the private key
-                            properties:
-                              key:
-                                description: The key of the secret to select from.
-                                  Must be a valid secret key.
-                                pattern: ^[-._a-zA-Z0-9]+$
-                                type: string
-                              name:
-                                description: |-
-                                  Name of the referent.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                type: string
-                            required:
-                            - key
-                            - name
-                            type: object
-                            x-kubernetes-map-type: atomic
-                        type: object
-                        x-kubernetes-validations:
-                        - message: privateKeyRef cannot be empty
-                          rule: (!has(self.certRef) || has(self.privateKeyRef))
-                    required:
-                    - tls
-                    type: object
                 type: object
               tuf:
                 default:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -195,67 +195,6 @@ spec:
                 required:
                 - tls
                 type: object
-              signer:
-                properties:
-                  tls:
-                    description: Secret with TLS server certificate, private key and
-                      CA certificate
-                    properties:
-                      caCertRef:
-                        description: Reference to CA certificate
-                        properties:
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      certRef:
-                        description: Reference to service certificate
-                        properties:
-                          key:
-                            description: The key of the secret to select from. Must
-                              be a valid secret key.
-                            pattern: ^[-._a-zA-Z0-9]+$
-                            type: string
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - key
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                      privateKeyRef:
-                        description: Reference to the private key
-                        properties:
-                          key:
-                            description: The key of the secret to select from. Must
-                              be a valid secret key.
-                            pattern: ^[-._a-zA-Z0-9]+$
-                            type: string
-                          name:
-                            description: |-
-                              Name of the referent.
-                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            type: string
-                        required:
-                        - key
-                        - name
-                        type: object
-                        x-kubernetes-map-type: atomic
-                    type: object
-                    x-kubernetes-validations:
-                    - message: privateKeyRef cannot be empty
-                      rule: (!has(self.certRef) || has(self.privateKeyRef))
-                required:
-                - tls
-                type: object
             type: object
           status:
             description: TrillianStatus defines the observed state of Trillian

config/crd/bases/rhtas.redhat.com_trillians.yaml

@@ -3,6 +3,6 @@ resources:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- digest: sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-  name: controller
-  newName: registry.redhat.io/rhtas/rhtas-rhel9-operator
+- name: controller
+  newName: quay.io/fghanmi/my_operator
+  newTag: v3.8.0

config/manager/kustomization.yaml

@@ -23,8 +23,8 @@ spec:
     config:
       OIDCIssuers:
         - ClientID: "trusted-artifact-signer"
-          IssuerURL: "https://your-oidc-issuer-url"
-          Issuer: "https://your-oidc-issuer-url"
+          IssuerURL: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
+          Issuer: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
           Type: "email"
     certificate:
       organizationName: Red Hat

config/samples/rhtas_v1alpha1_securesign.yaml

@@ -10,8 +10,9 @@ var (
 
 	FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179"
 
-	RekorRedisImage    = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
-	RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
+	RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
+	// RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
+	RekorServerImage   = "quay.io/securesign/rekor-server_test:latest"
 	RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19"
 	BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:5c7460ab3cd13b2ecf2b979f5061cb384174d6714b7630879e53d063e4cb69d2"
 

internal/controller/constants/images.go

@@ -30,9 +30,9 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Rekor) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	// signingKeySecret: OCP related
+	// signingKeySecret: OCP
 	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil && signingKeySecret != nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && signingKeySecret != nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result {

internal/controller/rekor/actions/server/config_map.go

@@ -111,7 +111,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 				Name: "tls-cert",
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
-						SecretName: "log-server-" + instance.Name + "-tls-secret",
+						SecretName: instance.Name + "-trillian-log-server-tls-secret",
 					},
 				},
 			})

internal/controller/trillian/actions/logserver/deployment.go

@@ -79,7 +79,7 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		if logserverService.Annotations == nil {
 			logserverService.Annotations = make(map[string]string)
 		}
-		logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = "log-server-" + instance.Name + "-tls-secret"
+		logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-trillian-log-server-tls-secret"
 		err := i.Client.Update(ctx, logserverService)
 		if err != nil {
 			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate logserver service: %w", err), instance)