From 3e7a7f8d0d6c3b71f440df9f9c7ce9e4332ca161 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Mon, 5 Aug 2024 14:43:28 +0200 Subject: [PATCH] updates --- api/v1alpha1/common.go | 4 +- api/v1alpha1/trillian_types.go | 6 -- api/v1alpha1/trillian_types_test.go | 12 ---- api/v1alpha1/zz_generated.deepcopy.go | 17 ----- .../bases/rhtas.redhat.com_securesigns.yaml | 61 ----------------- .../crd/bases/rhtas.redhat.com_trillians.yaml | 61 ----------------- config/manager/kustomization.yaml | 6 +- config/samples/rhtas_v1alpha1_securesign.yaml | 4 +- internal/controller/constants/images.go | 5 +- .../rekor/actions/server/config_map.go | 4 +- .../trillian/actions/logserver/deployment.go | 3 +- .../trillian/actions/logserver/service.go | 2 +- .../trillian/actions/logsigner/deployment.go | 67 ------------------- .../trillian/actions/logsigner/service.go | 13 ---- 14 files changed, 15 insertions(+), 250 deletions(-) diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index b1d08b2aa..7dfe90755 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go @@ -40,9 +40,9 @@ type CtlogService struct { //+optional Address string `json:"address,omitempty"` // Port of Ctlog Log Server End point - //+kubebuilder:validation:Minimum:=1 + //+kubebuilder:validation:Minimum:=0 //+kubebuilder:validation:Maximum:=65535 - //+kubebuilder:default:=80 + //+kubebuilder:default:=0 //+optional Port *int32 `json:"port,omitempty"` } diff --git a/api/v1alpha1/trillian_types.go b/api/v1alpha1/trillian_types.go index fbe918d9c..84c33fed0 100644 --- a/api/v1alpha1/trillian_types.go +++ b/api/v1alpha1/trillian_types.go @@ -29,8 +29,6 @@ type TrillianSpec struct { Db TrillianDB `json:"database,omitempty"` //+optional TrillianServer TrillianServer `json:"server,omitempty"` - //+optional - TrillianSigner TrillianSigner `json:"signer,omitempty"` // Enable Monitoring for Logsigner and Logserver Monitoring MonitoringConfig `json:"monitoring,omitempty"` } 
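Review bot: Lowering the bound to `//+kubebuilder:validation:Minimum:=0` and setting `//+kubebuilder:default:=0` makes port 0 both a valid and the default value for the CTLog `Port`, yet port 0 is not a usable TCP listening port, so any consumer that builds `address:port` from this field will produce `:0` unless it treats zero specially (not visible in this hunk). `Port` is already `*int32` with `omitempty`, so "unset" can be expressed by a nil pointer without widening the validated range; prefer keeping `//+kubebuilder:validation:Minimum:=1` and dropping the default line. If 0 is intentionally a sentinel, document it on the field: `// Port of the CTLog server endpoint. 0 (the default) means unset and consumers must fall back to the scheme default.`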
@@ -57,10 +55,6 @@ type TrillianServer struct { // Secret with TLS server certificate, private key and CA certificate TLSCertificate TLSCert `json:"tls"` } -type TrillianSigner struct { - // Secret with TLS server certificate, private key and CA certificate - TLSCertificate TLSCert `json:"tls"` -} // TrillianStatus defines the observed state of Trillian type TrillianStatus struct { diff --git a/api/v1alpha1/trillian_types_test.go b/api/v1alpha1/trillian_types_test.go index 0a6f594b3..0dd94a884 100644 --- a/api/v1alpha1/trillian_types_test.go +++ b/api/v1alpha1/trillian_types_test.go @@ -169,18 +169,6 @@ var _ = Describe("Trillian", func() { }, }, }, - TrillianSigner: TrillianSigner{ - TLSCertificate: TLSCert{ - CertRef: &SecretKeySelector{ - Key: "cert", - LocalObjectReference: LocalObjectReference{Name: "signer-secret"}, - }, - PrivateKeyRef: &SecretKeySelector{ - Key: "key", - LocalObjectReference: LocalObjectReference{Name: "signer-secret"}, - }, - }, - }, }, } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index ac310a775..906864830 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -954,28 +954,11 @@ func (in *TrillianService) DeepCopy() *TrillianService { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TrillianSigner) DeepCopyInto(out *TrillianSigner) { - *out = *in - in.TLSCertificate.DeepCopyInto(&out.TLSCertificate) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrillianSigner. -func (in *TrillianSigner) DeepCopy() *TrillianSigner { - if in == nil { - return nil - } - out := new(TrillianSigner) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TrillianSpec) DeepCopyInto(out *TrillianSpec) { *out = *in in.Db.DeepCopyInto(&out.Db) in.TrillianServer.DeepCopyInto(&out.TrillianServer) - in.TrillianSigner.DeepCopyInto(&out.TrillianSigner) out.Monitoring = in.Monitoring } diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index a2e02c9e8..6cf4fd012 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml 
@@ -795,67 +795,6 @@ spec: required: - tls type: object - signer: - properties: - tls: - description: Secret with TLS server certificate, private key - and CA certificate - properties: - caCertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. - Must be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) - required: - - tls - type: object type: object tuf: default: diff --git a/config/crd/bases/rhtas.redhat.com_trillians.yaml b/config/crd/bases/rhtas.redhat.com_trillians.yaml index 0dc1bf68d..23512e164 100644 --- a/config/crd/bases/rhtas.redhat.com_trillians.yaml +++ b/config/crd/bases/rhtas.redhat.com_trillians.yaml 
@@ -195,67 +195,6 @@ spec: required: - tls type: object - signer: - properties: - tls: - description: Secret with TLS server certificate, private key and - CA certificate - properties: - caCertRef: - description: Reference to CA certificate - properties: - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - name - type: object - x-kubernetes-map-type: atomic - certRef: - description: Reference to service certificate - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - privateKeyRef: - description: Reference to the private key - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - pattern: ^[-._a-zA-Z0-9]+$ - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - required: - - key - - name - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-validations: - - message: privateKeyRef cannot be empty - rule: (!has(self.certRef) || has(self.privateKeyRef)) - required: - - tls - type: object type: object status: description: TrillianStatus defines the observed state of Trillian diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 7598478b5..089212d22 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
@@ -3,6 +3,6 @@ resources: apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: -- digest: sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3 - name: controller - newName: registry.redhat.io/rhtas/rhtas-rhel9-operator +- name: controller + newName: quay.io/fghanmi/my_operator + newTag: v3.8.0 diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml index 4b75b4fb4..7ca1001c1 100644 --- a/config/samples/rhtas_v1alpha1_securesign.yaml +++ b/config/samples/rhtas_v1alpha1_securesign.yaml @@ -23,8 +23,8 @@ spec: config: OIDCIssuers: - ClientID: "trusted-artifact-signer" - IssuerURL: "https://your-oidc-issuer-url" - Issuer: "https://your-oidc-issuer-url" + IssuerURL: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer" + Issuer: "https://keycloak-keycloak-system.apps.rosa.av42p-79zot-u82.x8pi.p3.openshiftapps.com/auth/realms/trusted-artifact-signer" Type: "email" certificate: organizationName: Red Hat diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go index 9b2c2cee5..325f9d606 100644 --- a/internal/controller/constants/images.go +++ b/internal/controller/constants/images.go 
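Review bot: The operator image in the kustomization loses its sha256 `digest:` pin and now points at a tag-addressed image in a personal namespace, `quay.io/fghanmi/my_operator:v3.8.0`; a mutable tag cannot be verified against a known content hash and can be replaced upstream at any time, so this manifest should not be merged as is. If this is a local test build, apply it outside version control (for example `kustomize edit set image controller=quay.io/fghanmi/my_operator:v3.8.0` in a working copy) and restore `newName: registry.redhat.io/rhtas/rhtas-rhel9-operator` together with its `digest: sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3` line.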
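Review bot: The sample replaces the `https://your-oidc-issuer-url` placeholder in `IssuerURL` and `Issuer` with a concrete ROSA cluster hostname, which publishes an internal cluster name in a shipped sample and, if copied verbatim, makes a user's Fulcio trust a Keycloak realm they do not control. Restore both lines to `IssuerURL: "https://your-oidc-issuer-url"` and `Issuer: "https://your-oidc-issuer-url"` and keep environment-specific issuers in an untracked overlay.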
@@ -10,8 +10,9 @@ var ( FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179" - RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a" - RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526" + RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a" + // RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526" + RekorServerImage = "quay.io/securesign/rekor-server_test:latest" RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19" BackfillRedisImage = "registry.redhat.io/rhtas/rekor-backfill-redis-rhel9@sha256:5c7460ab3cd13b2ecf2b979f5061cb384174d6714b7630879e53d063e4cb69d2" diff --git a/internal/controller/rekor/actions/server/config_map.go b/internal/controller/rekor/actions/server/config_map.go index d87f8918a..e422197e4 100644 --- a/internal/controller/rekor/actions/server/config_map.go +++ b/internal/controller/rekor/actions/server/config_map.go 
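Review bot: `RekorServerImage` now references `quay.io/securesign/rekor-server_test:latest`, a mutable tag, while every other image in this block is pinned by sha256 digest; `:latest` can be silently re-pushed and the operator has no way to detect it, so what gets deployed is no longer reproducible or attestable. Leaving the previous digest-pinned value as a commented-out line, with a commit message of only "updates", reads as a temporary debugging swap rather than an intended release change. Restore `RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526"`, or if the test image is genuinely required, pin it by digest and delete the commented line.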
@@ -30,9 +30,9 @@ func (i configMapAction) Name() string { func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Rekor) bool { c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap") - // signingKeySecret: OCP related + // signingKeySecret: OCP signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil && signingKeySecret != nil + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && signingKeySecret != nil && instance.Spec.TLSCertificate.CACertRef == nil } func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result { diff --git a/internal/controller/trillian/actions/logserver/deployment.go b/internal/controller/trillian/actions/logserver/deployment.go index 1ea6d4dbf..0eb2761f7 100644 --- a/internal/controller/trillian/actions/logserver/deployment.go +++ b/internal/controller/trillian/actions/logserver/deployment.go @@ -3,6 +3,7 @@ package logserver import ( "context" "fmt" + "github.com/securesign/operator/internal/controller/common/utils" "github.com/securesign/operator/internal/controller/common/action" @@ -115,7 +116,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli Name: "tls-cert", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: "log-server-" + instance.Name + "-tls-secret", + SecretName: instance.Name + "-trillian-log-server-tls-secret", }, }, }) diff --git a/internal/controller/trillian/actions/logserver/service.go b/internal/controller/trillian/actions/logserver/service.go index a8d1199fb..49857f3ee 100644 --- a/internal/controller/trillian/actions/logserver/service.go +++ b/internal/controller/trillian/actions/logserver/service.go 
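Review bot: The parenthesised condition fixes the precedence bug and the new `CACertRef == nil` guard is right, but `c` comes from `meta.FindStatusCondition`, which returns nil when the `Ready` condition is absent, so `c.Reason` on the return line can dereference nil for a Rekor instance whose conditions have not been set yet; add `if c == nil { return false }` before the return. The errors from `GetConfigMap` and `GetSecret` are also discarded with `_`, so a transient API failure is indistinguishable from "not found" and the action is silently skipped; logging them (or returning false only on a genuine not-found) would make the TLS setup path debuggable.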
@@ -79,7 +79,7 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1 if logserverService.Annotations == nil { logserverService.Annotations = make(map[string]string) } - logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = "log-server-" + instance.Name + "-tls-secret" + logserverService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-trillian-log-server-tls-secret" err := i.Client.Update(ctx, logserverService) if err != nil { return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate logserver service: %w", err), instance) diff --git a/internal/controller/trillian/actions/logsigner/deployment.go b/internal/controller/trillian/actions/logsigner/deployment.go index 2d89e116a..43eb975f8 100644 --- a/internal/controller/trillian/actions/logsigner/deployment.go +++ b/internal/controller/trillian/actions/logsigner/deployment.go @@ -14,8 +14,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" - k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes" - corev1 "k8s.io/api/core/v1" ) func NewDeployAction() action.Action[*rhtasv1alpha1.Trillian] { 
@@ -64,71 +62,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Trillian LogSigner: %w", err), instance) } - // TLS certificate - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - if instance.Spec.TrillianSigner.TLSCertificate.CertRef != nil { - signer.Spec.Template.Spec.Volumes = append(signer.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TrillianSigner.TLSCertificate.CertRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TrillianSigner.TLSCertificate.CertRef.Key, - Path: "tls.crt", - }, - }, - }, - }, - { - Secret: &corev1.SecretProjection{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: instance.Spec.TrillianSigner.TLSCertificate.PrivateKeyRef.Name, - }, - Items: []corev1.KeyToPath{ - { - Key: instance.Spec.TrillianSigner.TLSCertificate.PrivateKeyRef.Key, - Path: "tls.key", - }, - }, - }, - }, - }, - }, - }, - }) - } else if signingKeySecret != nil { - i.Logger.V(1).Info("TLS: Using secrets/signing-key secret") - signer.Spec.Template.Spec.Volumes = append(signer.Spec.Template.Spec.Volumes, - corev1.Volume{ - Name: "tls-cert", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: "log-signer-" + instance.Name + "-tls-secret", - }, - }, - }) - } else { - i.Logger.V(1).Info("Communication between services is insecure") - } - - if instance.Spec.TrillianSigner.TLSCertificate.CertRef != nil || signingKeySecret != nil { - signer.Spec.Template.Spec.Containers[0].VolumeMounts = append(signer.Spec.Template.Spec.Containers[0].VolumeMounts, - corev1.VolumeMount{ - Name: "tls-cert", - MountPath: "/etc/ssl/certs", - 
ReadOnly: true, - }) - signer.Spec.Template.Spec.Containers[0].Args = append(signer.Spec.Template.Spec.Containers[0].Args, "--tls_cert_file", "/etc/ssl/certs/tls.crt") - signer.Spec.Template.Spec.Containers[0].Args = append(signer.Spec.Template.Spec.Containers[0].Args, "--tls_key_file", "/etc/ssl/certs/tls.key") - } - if err = controllerutil.SetControllerReference(instance, signer, i.Client.Scheme()); err != nil { return i.Failed(fmt.Errorf("could not set controller reference for LogSigner deployment: %w", err)) } diff --git a/internal/controller/trillian/actions/logsigner/service.go b/internal/controller/trillian/actions/logsigner/service.go index 272929b84..9159810bd 100644 --- a/internal/controller/trillian/actions/logsigner/service.go +++ b/internal/controller/trillian/actions/logsigner/service.go @@ -66,19 +66,6 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1 return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create logsigner Service: %w", err), instance) } - //TLS: Annotate service - signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key") - if signingKeySecret != nil && instance.Spec.TrillianSigner.TLSCertificate.CertRef == nil { - if logsignerService.Annotations == nil { - logsignerService.Annotations = make(map[string]string) - } - logsignerService.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = "log-signer-" + instance.Name + "-tls-secret" - err := i.Client.Update(ctx, logsignerService) - if err != nil { - return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate logserver service: %w", err), instance) - } - } - if updated { meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ Type: actions.ServerCondition,
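Review bot: After this change the LogSigner deployment no longer mounts any serving certificate or passes `--tls_cert_file`/`--tls_key_file`, so the signer always runs in plaintext even on clusters where the service-CA `signing-key` secret exists, and the `Communication between services is insecure` log line that made that fallback visible is removed with it. Nothing in the hunk, and nothing in the commit message ("updates"), says why the signer's TLS path is dropped while the log server keeps its serving-cert wiring. If the signer no longer needs a server certificate because it only acts as a client (presumably toward the database and log server; not verifiable here), state that in the commit message and leave a comment at the removal point such as `// LogSigner exposes no TLS endpoint; client-side TLS is configured via the database/log-server flags.`; if the removal is a workaround for the secret-name change, keep the service-CA branch and rename the secret as done for the log server. The start of `Handle` is outside the hunk.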