updates-1

Author: fghanmi

api/v1alpha1/common.go

@@ -40,9 +40,9 @@ type CtlogService struct {
 	//+optional
 	Address string `json:"address,omitempty"`
 	// Port of Ctlog Log Server End point
-	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Minimum:=0
 	//+kubebuilder:validation:Maximum:=65535
-	//+kubebuilder:default:=80
+	//+kubebuilder:default:=0
 	//+optional
 	Port *int32 `json:"port,omitempty"`
 }

api/v1alpha1/fulcio_types.go

@@ -14,7 +14,6 @@ type FulcioSpec struct {
 	ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
 	// Ctlog service configuration
 	//+optional
-	//+kubebuilder:default:={port: 80}
 	Ctlog CtlogService `json:"ctlog,omitempty"`
 	// Fulcio Configuration
 	//+required

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -192,7 +192,11 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
+<<<<<<< HEAD
     createdAt: "2024-07-30T13:51:04Z"
+=======
+    createdAt: "2024-08-03T09:05:31Z"
+>>>>>>> df48e12 (updates-1)
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/rhtas.redhat.com_fulcios.yaml

@@ -222,19 +222,17 @@ spec:
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
               ctlog:
-                default:
-                  port: 80
                 description: Ctlog service configuration
                 properties:
                   address:
                     description: Address to Ctlog Log Server End point
                     type: string
                   port:
-                    default: 80
+                    default: 0
                     description: Port of Ctlog Log Server End point
                     format: int32
                     maximum: 65535
-                    minimum: 1
+                    minimum: 0
                     type: integer
                 type: object
               externalAccess:

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -415,19 +415,17 @@ spec:
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
                   ctlog:
-                    default:
-                      port: 80
                     description: Ctlog service configuration
                     properties:
                       address:
                         description: Address to Ctlog Log Server End point
                         type: string
                       port:
-                        default: 80
+                        default: 0
                         description: Port of Ctlog Log Server End point
                         format: int32
                         maximum: 65535
-                        minimum: 1
+                        minimum: 0
                         type: integer
                     type: object
                   externalAccess:

config/crd/bases/rhtas.redhat.com_fulcios.yaml

@@ -222,19 +222,17 @@ spec:
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
               ctlog:
-                default:
-                  port: 80
                 description: Ctlog service configuration
                 properties:
                   address:
                     description: Address to Ctlog Log Server End point
                     type: string
                   port:
-                    default: 80
+                    default: 0
                     description: Port of Ctlog Log Server End point
                     format: int32
                     maximum: 65535
-                    minimum: 1
+                    minimum: 0
                     type: integer
                 type: object
               externalAccess:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -415,19 +415,17 @@ spec:
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
                   ctlog:
-                    default:
-                      port: 80
                     description: Ctlog service configuration
                     properties:
                       address:
                         description: Address to Ctlog Log Server End point
                         type: string
                       port:
-                        default: 80
+                        default: 0
                         description: Port of Ctlog Log Server End point
                         format: int32
                         maximum: 65535
-                        minimum: 1
+                        minimum: 0
                         type: integer
                     type: object
                   externalAccess:

internal/controller/constants/images.go

@@ -8,16 +8,15 @@ var (
 	// TODO: remove and check the DB pod status
 	TrillianNetcatImage = "registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7"
 
-	FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179"
-
+	FulcioServerImage  = "quay.io/securesign/fulcio-server@sha256:67495de82e2fcd2ab4ad0e53442884c392da1aa3f5dd56d9488a1ed5df97f513"
 	RekorRedisImage    = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a"
 	RekorServerImage   = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"
 	RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19"
 	BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:5c7460ab3cd13b2ecf2b979f5061cb384174d6714b7630879e53d063e4cb69d2"
 
 	TufImage = "registry.redhat.io/rhtas/tuf-server-rhel9@sha256:8c229e2c7f9d6cc0ebf4f23dd944373d497be2ed31960f0383b1bb43f16de0db"
 
-	CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:44906b1e52b0b5e324f23cae088837caf15444fd34679e6d2f3cc018d4e093fe"
+	CTLogImage = "quay.io/securesign/certificate-transparency-go@sha256:a0c7d71fc8f4cb7530169a6b54dc3a67215c4058a45f84b87bb04fc62e6e8141"
 
 	ClientServerImage    = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee"
 	ClientServerImage_cg = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:046029a9a2028efa9dcbf8eff9b41fe5ac4e9ad64caf0241f5680a5cb36bf36b"

internal/controller/ctlog/actions/config_map.go

@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {

internal/controller/ctlog/actions/deployment.go

@@ -43,12 +43,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
+<<<<<<< HEAD
 	switch {
 	case instance.Spec.Trillian.Address == "":
 		instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace)
 	}
 
 	dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort)
+=======
+	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+	useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil)
+	dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, useHTTPS)
+>>>>>>> df48e12 (updates-1)
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    constants.Ready,
@@ -64,7 +70,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 	}
 
 	// TLS certificate
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil {
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -126,7 +131,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 							{
 								Secret: &corev1.SecretProjection{
 									LocalObjectReference: corev1.LocalObjectReference{
-										Name: instance.Name + "-tls-secret",
+										Name: instance.Name + "-ctlog-tls-secret",
 									},
 								},
 							},
@@ -160,7 +165,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 			})
 		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt")
 		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key")
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
+		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {

internal/controller/ctlog/actions/service.go

@@ -41,6 +41,7 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 
 	labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name)
 
+<<<<<<< HEAD
 	svc := kubernetes.CreateService(instance.Namespace, ComponentName, ServerPortName, ServerPort, ServerTargetPort, labels)
 	if instance.Spec.Monitoring.Enabled {
 		svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
@@ -50,6 +51,23 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 			TargetPort: intstr.FromInt32(MetricsPort),
 		})
 	}
+=======
+	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+	var port int32
+	if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil {
+		port = int32(443)
+	} else {
+		port = int32(80)
+	}
+	portName := fmt.Sprintf("%d-tcp", port)
+	svc := kubernetes.CreateService(instance.Namespace, ComponentName, MetricsPortName, MetricsPort, labels)
+	svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
+		Name:       portName,
+		Protocol:   corev1.ProtocolTCP,
+		Port:       port,
+		TargetPort: intstr.FromInt32(6962),
+	})
+>>>>>>> df48e12 (updates-1)
 	if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil {
 		return i.Failed(fmt.Errorf("could not set controller reference for Service: %w", err))
 	}
@@ -64,12 +82,11 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 	}
 
 	//TLS: Annotate service
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
 		if svc.Annotations == nil {
 			svc.Annotations = make(map[string]string)
 		}
-		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret"
+		svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls-secret"
 		err := i.Client.Update(ctx, svc)
 		if err != nil {
 			return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance)

internal/controller/ctlog/ctlog_controller_test.go

@@ -174,7 +174,12 @@ var _ = Describe("CTlog controller", func() {
 			Eventually(func() error {
 				return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service)
 			}).Should(Succeed())
+<<<<<<< HEAD
 			Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80)))
+=======
+			Expect(service.Spec.Ports[0].Port).Should(Equal(int32(6963)))
+			Expect(service.Spec.Ports[1].Port).Should(Equal(int32(443)))
+>>>>>>> df48e12 (updates-1)
 
 			By("Move to Ready phase")
 			// Workaround to succeed condition for Ready phase

internal/controller/ctlog/utils/ctlog_deployment.go

@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
+<<<<<<< HEAD
 func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32) (*appsv1.Deployment, error) {
 	switch {
 	case instance.Status.ServerConfigRef == nil:
@@ -23,8 +24,17 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 		return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianAddressNotSpecified)
 	case instance.Spec.Trillian.Port == nil:
 		return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified)
+=======
+func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, useHTTPS bool) (*appsv1.Deployment, error) {
+	if instance.Status.ServerConfigRef == nil {
+		return nil, errors.New("server config name not specified")
+>>>>>>> df48e12 (updates-1)
 	}
 	replicas := int32(1)
+	scheme := corev1.URISchemeHTTP
+	if useHTTPS {
+		scheme = corev1.URISchemeHTTPS
+	}
 	// Define a new Deployment object
 
 	containerPorts := []corev1.ContainerPort{
@@ -73,8 +83,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 							LivenessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{
+<<<<<<< HEAD
 										Path: "/healthz",
 										Port: intstr.FromInt32(serverPort),
+=======
+										Path:   "/healthz",
+										Port:   intstr.FromInt32(6962),
+										Scheme: scheme,
+>>>>>>> df48e12 (updates-1)
 									},
 								},
 								InitialDelaySeconds: 10,
@@ -86,8 +102,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{
+<<<<<<< HEAD
 										Path: "/healthz",
 										Port: intstr.FromInt32(serverPort),
+=======
+										Path:   "/healthz",
+										Port:   intstr.FromInt32(6962),
+										Scheme: scheme,
+>>>>>>> df48e12 (updates-1)
 									},
 								},
 								InitialDelaySeconds: 10,

internal/controller/fulcio/actions/config_map.go

@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result {