diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index dd9f010ea..9933aed43 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -297,7 +297,7 @@ metadata: ] capabilities: Seamless Upgrades containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:52ba6cd82bc400a08c6f89811e8086126596a873b9b12619de8c5064a2d4faf7 - createdAt: "2024-11-07T12:56:22Z" + createdAt: "2025-02-12T10:17:51Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" @@ -309,7 +309,7 @@ metadata: features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' - operators.operatorframework.io/builder: operator-sdk-v1.37.0 + operators.operatorframework.io/builder: operator-sdk-v1.39.1 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/securesign/secure-sign-operator support: Red Hat @@ -458,6 +458,16 @@ spec: - patch - update - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - patch + - update + - watch - apiGroups: - "" resources: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 3396ccb01..7d8daa4b3 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -93,6 +93,16 @@ rules: - patch - update - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - patch + - update + - watch - apiGroups: - "" resources: diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go index 9717dde79..a7db343c8 100644 --- a/internal/controller/constants/images.go +++ b/internal/controller/constants/images.go 
@@ -1,7 +1,7 @@ package constants var ( - TrillianLogSignerImage = "registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:2d707d12e4f65e1a92b4de11465a5976d55e15ad6c9fefe994646ccd44c83840" + TrillianLogSignerImage = "gcr.io/trillian-opensource-ci/log_signer:latest" TrillianServerImage = "registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:7af78c7bc4df097ffeeef345f1d13289695f715221957579ee65daeef2fa3f5b" TrillianDbImage = "registry.redhat.io/rhtas/trillian-database-rhel9@sha256:501612745e63e5504017079388bec191ffacf00ffdebde7be6ca5b8e4fd9d323" diff --git a/internal/controller/trillian/actions/logsigner/deployment.go b/internal/controller/trillian/actions/logsigner/deployment.go index 5eb1f61fc..7f58e0bee 100644 --- a/internal/controller/trillian/actions/logsigner/deployment.go +++ b/internal/controller/trillian/actions/logsigner/deployment.go @@ -58,7 +58,8 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli Namespace: instance.Namespace, }, }, - trillianUtils.EnsureServerDeployment(instance, constants.TrillianLogSignerImage, actions.LogsignerDeploymentName, actions.RBACName, labels, "--force_master=true"), + trillianUtils.EnsureServerDeployment(instance, constants.TrillianLogSignerImage, actions.LogsignerDeploymentName, actions.RBACName, labels, + "--election_system=k8s", "--lock_namespace=$(NAMESPACE)", "--lock_holder_identity=$(POD_NAME)"), ensure.ControllerReference[*apps.Deployment](instance, i.Client), ensure.Labels[*apps.Deployment](maps.Keys(labels), labels), ensure.Proxy(), diff --git a/internal/controller/trillian/actions/rbac.go b/internal/controller/trillian/actions/rbac.go index ba03df564..85ab58671 100644 --- a/internal/controller/trillian/actions/rbac.go +++ b/internal/controller/trillian/actions/rbac.go 
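Review bot: The new `TrillianLogSignerImage` value `gcr.io/trillian-opensource-ci/log_signer:latest` is a mutable tag on an upstream CI registry replacing a digest-pinned `registry.redhat.io` image, while `TrillianServerImage` and `TrillianDbImage` in the same block stay pinned by sha256; this should not merge as-is, since every reconcile would deploy whatever upstream CI last pushed, with no digest to verify and no reproducibility of a given operator release. If the swap is a temporary convenience to pick up the k8s election support that the new `--election_system=k8s` flags elsewhere in this diff need (an inference, not visible here), pin it by digest instead, e.g. `TrillianLogSignerImage = "registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:<digest of a build with k8s election>"`, or route development overrides through a build-time variable rather than the checked-in default. The `var (` block continues outside the hunk.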
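Review bot: The election flags hard-code the container env names `$(NAMESPACE)` and `$(POD_NAME)` as string literals, but those variables are defined in a different package (`trillianUtils.EnsureServerDeployment`), so nothing ties the two sides together and a rename on either side would silently hand Trillian the literal string `$(POD_NAME)` as its lock holder identity. Export the names alongside the env setup, e.g. `const (PodNameEnv = "POD_NAME"; NamespaceEnv = "NAMESPACE")`, and build the flags from them: `"--lock_namespace=$(" + trillianUtils.NamespaceEnv + ")"`. Dropping `--force_master=true` also makes signing depend on acquiring a `coordination.k8s.io` lease; it is worth confirming that a signer that cannot obtain the lease (for example when the lease RBAC is missing mid-upgrade) fails readiness rather than idling silently, since that behavior is not visible in this hunk. `Handle`'s body continues outside the hunk.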
@@ -74,6 +74,11 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trillian Resources: []string{"secrets"}, Verbs: []string{"create", "get", "update"}, }, + rbacv1.PolicyRule{ + APIGroups: []string{"coordination.k8s.io"}, + Resources: []string{"leases"}, + Verbs: []string{"create", "get", "update", "watch", "patch"}, + }, ), ); err != nil { return i.Error(ctx, reconcile.TerminalError(fmt.Errorf("could not create Role: %w", err)), instance) diff --git a/internal/controller/trillian/trillian_controller.go b/internal/controller/trillian/trillian_controller.go index 2dbae6468..1845366fb 100644 --- a/internal/controller/trillian/trillian_controller.go +++ b/internal/controller/trillian/trillian_controller.go @@ -53,6 +53,7 @@ type TrillianReconciler struct { //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=trillians,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=trillians/status,verbs=get;update;patch //+kubebuilder:rbac:groups=rhtas.redhat.com,resources=trillians/finalizers,verbs=update +//+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;watch;create;update;patch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/internal/controller/trillian/utils/server-deployment.go b/internal/controller/trillian/utils/server-deployment.go index d6ab91cab..634a41212 100644 --- a/internal/controller/trillian/utils/server-deployment.go +++ b/internal/controller/trillian/utils/server-deployment.go 
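Review bot: The new rule grants the Trillian service account `create`, `update` and `patch` on every `leases` object in the namespace, not only its own election lease, so if the namespace also hosts other lease users (another RHTAS component, or the operator's own leader-election lease when co-located) the signer could take over or corrupt them. If the lease name Trillian uses is fixed or derivable from the instance, narrow the mutating verbs with `ResourceNames: []string{<lease name>}` and keep `create` in a separate unrestricted rule, since Kubernetes RBAC cannot scope `create` by resource name. It is also worth confirming that this Role is not bound to the log server pods, which take no part in election; the shared `actions.RBACName` suggests it may be, though that binding is not visible here. `Handle`'s body continues outside the hunk.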
@@ -122,6 +122,22 @@ func EnsureServerDeployment(instance *v1alpha1.Trillian, image string, name stri }, } + podNameEnv := kubernetes.FindEnvByNameOrCreate(container, "POD_NAME") + podNameEnv.ValueFrom = &core.EnvVarSource{ + FieldRef: &core.ObjectFieldSelector{ + APIVersion: "v1", + FieldPath: "metadata.name", + }, + } + + namespaceEnv := kubernetes.FindEnvByNameOrCreate(container, "NAMESPACE") + namespaceEnv.ValueFrom = &core.EnvVarSource{ + FieldRef: &core.ObjectFieldSelector{ + APIVersion: "v1", + FieldPath: "metadata.namespace", + }, + } + port := kubernetes.FindPortByNameOrCreate(container, "8091-tcp") port.ContainerPort = 8091 port.Protocol = core.ProtocolTCP
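Review bot: Both `podNameEnv` and `namespaceEnv` get `ValueFrom` assigned without clearing `Value`; `FindEnvByNameOrCreate` returns an existing entry when the name is already present, and if that entry carries a literal `Value` (from an earlier reconcile or a user-supplied env) the result is an `EnvVar` with both `value` and `valueFrom` set, which the API server rejects at validation. Reset the literal before assigning the field reference, e.g. `podNameEnv.Value = ""` and `namespaceEnv.Value = ""` ahead of the `ValueFrom` assignments. The generic names `POD_NAME` and `NAMESPACE` are also easy to collide with in a downstream image; a comment on why these exact names are required (the election flags elsewhere expand `$(POD_NAME)` and `$(NAMESPACE)`) would make the coupling explicit, e.g. `// Consumed by the log signer's --lock_namespace / --lock_holder_identity flags.` `EnsureServerDeployment`'s body starts outside the hunk.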