diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
index bc833784f..d7a299339 100644
--- a/api/v1alpha1/common.go
+++ b/api/v1alpha1/common.go
@@ -40,9 +40,9 @@ type CtlogService struct {
 //+optional
 Address string `json:"address,omitempty"`
 // Port of Ctlog Log Server End point
- //+kubebuilder:validation:Minimum:=1
+ //+kubebuilder:validation:Minimum:=0
 //+kubebuilder:validation:Maximum:=65535
- //+kubebuilder:default:=80
+ //+kubebuilder:default:=0
 //+optional
 Port *int32 `json:"port,omitempty"`
 }
diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
index 02621845d..c817b63c6 100644
--- a/api/v1alpha1/fulcio_types.go
+++ b/api/v1alpha1/fulcio_types.go
@@ -14,7 +14,6 @@ type FulcioSpec struct {
 ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
 // Ctlog service configuration
 //+optional
- //+kubebuilder:default:={port: 80}
 Ctlog CtlogService `json:"ctlog,omitempty"`
 // Fulcio Configuration
 //+required
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
index 58385b35b..446b692f2 100644
--- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,11 @@ metadata:
 ]
 capabilities: Seamless Upgrades
 containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
+<<<<<<< HEAD
 createdAt: "2024-07-30T13:51:04Z"
+=======
+ createdAt: "2024-08-03T09:05:31Z"
+>>>>>>> df48e12 (updates-1)
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "false"
 features.operators.openshift.io/csi: "false"
diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
index 964dd4257..605275306 100644
--- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml
+++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
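Review bot: `Port` now validates with `Minimum:=0` and `default:=0`, but the field comment `// Port of Ctlog Log Server End point` says nothing about what 0 means, while the fulcio deployment action in this same diff treats `nil` or 0 as "choose 443 or 80 from the TLS configuration". Since this is the public API, the comment should carry that contract, e.g. `// Port of Ctlog Log Server End point. 0 (the default) lets the operator pick 443 when TLS is configured and 80 otherwise.`, and the regenerated CRD descriptions in bundle/manifests and config/crd/bases would then say the same. The `CtlogService` struct begins before this hunk.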
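Review bot: The clusterserviceversion.yaml hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> df48e12 (updates-1)`) around `createdAt`, which makes the manifest invalid YAML and will fail bundle validation. The same markers are committed in internal/controller/ctlog/actions/deployment.go, internal/controller/ctlog/actions/service.go, internal/controller/ctlog/ctlog_controller_test.go and internal/controller/ctlog/utils/ctlog_deployment.go, so none of those Go packages compile either. Each conflict has to be resolved to one side before the behaviour can be reviewed; for the CSV only a single `createdAt:` line may remain.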
@@ -222,19 +222,17 @@ spec: rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: - default: - port: 80 description: Ctlog service configuration properties: address: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer type: object externalAccess: diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 19234dea8..4b862b132 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -415,19 +415,17 @@ spec: rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: - default: - port: 80 description: Ctlog service configuration properties: address: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer type: object externalAccess: diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 2d3a5594b..f09562984 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -222,19 +222,17 @@ spec: rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: - default: - port: 80 description: Ctlog service configuration properties: address: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer type: object externalAccess: 
diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index b804a6f3a..0d853e26b 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -415,19 +415,17 @@ spec: rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) ctlog: - default: - port: 80 description: Ctlog service configuration properties: address: description: Address to Ctlog Log Server End point type: string port: - default: 80 + default: 0 description: Port of Ctlog Log Server End point format: int32 maximum: 65535 - minimum: 1 + minimum: 0 type: integer type: object externalAccess: diff --git a/internal/controller/constants/images.go b/internal/controller/constants/images.go index 9b2c2cee5..acff6e6d0 100644 --- a/internal/controller/constants/images.go +++ b/internal/controller/constants/images.go @@ -8,8 +8,7 @@ var ( // TODO: remove and check the DB pod status TrillianNetcatImage = "registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7" - FulcioServerImage = "registry.redhat.io/rhtas/fulcio-rhel9@sha256:c4abc6342b39701d237ab3f0f25b75b677214b3ede00540b2488f524ad112179" - + FulcioServerImage = "quay.io/securesign/fulcio-server@sha256:67495de82e2fcd2ab4ad0e53442884c392da1aa3f5dd56d9488a1ed5df97f513" RekorRedisImage = "registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:5f0630c7aa29eeee28668f7ad451f129c9fb2feb86ec21b6b1b0b5cc42b44f4a" RekorServerImage = "registry.redhat.io/rhtas/rekor-server-rhel9@sha256:d4ea970447f3b4c18c309d2f0090a5d02260dd5257a0d41f87fefc4f014a9526" RekorSearchUiImage = "registry.redhat.io/rhtas/rekor-search-ui-rhel9@sha256:5eabf561c0549d81862e521ddc1f0ab91a3f2c9d99dcd83ab5a2cf648a95dd19" 
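Review bot: `FulcioServerImage` now resolves to a `quay.io/securesign/fulcio-server` digest while every other image in this block stays on `registry.redhat.io/rhtas/...`, and the CSV `containerImage` in the same diff still points at the Red Hat registry; the `CTLogImage` hunk that follows makes the same switch. Both references are digest-pinned, which is good, but sourcing two components from a different registry changes the provenance and signature-verification story for the whole bundle, and the commit does not say whether this is a temporary dev override. If it is, mark it in place, `// TODO: temporary dev image, restore the registry.redhat.io reference before release`; if it is permanent, the CSV's image list and any mirroring configuration presumably need the same update, which I can't see from here.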
@@ -17,7 +16,7 @@ var (
 TufImage = "registry.redhat.io/rhtas/tuf-server-rhel9@sha256:8c229e2c7f9d6cc0ebf4f23dd944373d497be2ed31960f0383b1bb43f16de0db"
- CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:44906b1e52b0b5e324f23cae088837caf15444fd34679e6d2f3cc018d4e093fe"
+ CTLogImage = "quay.io/securesign/certificate-transparency-go@sha256:a0c7d71fc8f4cb7530169a6b54dc3a67215c4058a45f84b87bb04fc62e6e8141"
 ClientServerImage = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee"
 ClientServerImage_cg = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:046029a9a2028efa9dcbf8eff9b41fe5ac4e9ad64caf0241f5680a5cb36bf36b"
diff --git a/internal/controller/ctlog/actions/config_map.go b/internal/controller/ctlog/actions/config_map.go
index e6ee19d33..354b76878 100644
--- a/internal/controller/ctlog/actions/config_map.go
+++ b/internal/controller/ctlog/actions/config_map.go
@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
 c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
- return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+ return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {
diff --git a/internal/controller/ctlog/actions/deployment.go b/internal/controller/ctlog/actions/deployment.go
index fdd798501..8e92fe620 100644
--- a/internal/controller/ctlog/actions/deployment.go
+++ b/internal/controller/ctlog/actions/deployment.go
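Review bot: The rewritten `CanHandle` condition still discards the lookup error from `k8sutils.GetConfigMap` (`cm, _ :=`), so a transient API failure and a genuine "not found" both yield `cm == nil` and the action runs; with `CACertRef == nil` now part of the predicate this lookup is the only thing gating ConfigMap creation on the non-TLS path. Since the line was rewritten anyway, take the error, `cm, err := k8sutils.GetConfigMap(...)`, and return `false` unless `err == nil || errors.IsNotFound(err)` (from k8s.io/apimachinery/pkg/api/errors) — assuming `GetConfigMap` passes the client error through, which isn't visible here. `c` from `meta.FindStatusCondition` is nil until the Ready condition has been set, and `c.Reason` then panics; that predates the change but the rewritten line is the place to guard it. The identical rewrite in internal/controller/fulcio/actions/config_map.go has both issues.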
@@ -43,12 +43,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
+<<<<<<< HEAD
 switch {
 case instance.Spec.Trillian.Address == "":
 instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace)
 }
 dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort)
+=======
+ signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+ useHTTPS := (instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil) || (signingKeySecret != nil)
+ dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, useHTTPS)
+>>>>>>> df48e12 (updates-1)
 if err != nil {
 meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 Type: constants.Ready,
@@ -64,7 +70,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 }
 // TLS certificate
- signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil {
 dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, corev1.Volume{
@@ -126,7 +131,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 {
 Secret: &corev1.SecretProjection{
 LocalObjectReference: corev1.LocalObjectReference{
- Name: instance.Name + "-tls-secret",
+ Name: instance.Name + "-ctlog-tls-secret",
 },
 },
 },
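Review bot: On the incoming side of the conflict (`signingKeySecret` / `useHTTPS`) the HEAD-side defaulting of `instance.Spec.Trillian.Address` to the logserver service is gone, and the incoming `CreateDeployment` in internal/controller/ctlog/utils/ctlog_deployment.go no longer returns `TrillianAddressNotSpecified` / `TrillianPortNotSpecified`, so an empty Trillian address would flow into the deployment unchecked; the resolution should keep HEAD's `switch` defaulting ahead of the new lines. Separately, `signingKeySecret, _ := k8sutils.GetSecret(...)` treats any lookup failure as "no service CA" and `useHTTPS` is derived from it, so a transient API error during one reconcile yields a plain-HTTP deployment while the service action, doing its own lookup, may still advertise 443. Check that error (or at least log it) rather than folding it into the TLS decision. The enclosing `Handle` begins before the hunk.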
@@ -160,7 +165,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 })
 dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt")
 dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key")
- dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
+ // dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
 }
 if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
diff --git a/internal/controller/ctlog/actions/service.go b/internal/controller/ctlog/actions/service.go
index 9ac903bb4..0ce31d7b0 100644
--- a/internal/controller/ctlog/actions/service.go
+++ b/internal/controller/ctlog/actions/service.go
@@ -41,6 +41,7 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name)
+<<<<<<< HEAD
 svc := kubernetes.CreateService(instance.Namespace, ComponentName, ServerPortName, ServerPort, ServerTargetPort, labels)
 if instance.Spec.Monitoring.Enabled {
 svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
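Review bot: The replacement line is commented-out code rather than a removal, and it silently drops `--trillian_tls_ca_cert_file` while `ca.crt` is still mounted from the same projected volume, so on the new side the ctlog→Trillian connection has no CA configured; whether that means Trillian is reached over plain gRPC or with an unverified TLS peer is not visible here. Either delete the line, or keep it behind the condition that describes when Trillian actually serves TLS, and leave a one-line why-comment such as `// Trillian TLS CA is not passed yet: the logserver does not serve TLS in this release` if that is the intent. The enclosing `if` block starts before the hunk.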
@@ -50,6 +51,23 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 TargetPort: intstr.FromInt32(MetricsPort),
 })
 }
+=======
+ signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
+ var port int32
+ if instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil {
+ port = int32(443)
+ } else {
+ port = int32(80)
+ }
+ portName := fmt.Sprintf("%d-tcp", port)
+ svc := kubernetes.CreateService(instance.Namespace, ComponentName, MetricsPortName, MetricsPort, labels)
+ svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
+ Name: portName,
+ Protocol: corev1.ProtocolTCP,
+ Port: port,
+ TargetPort: intstr.FromInt32(6962),
+ })
+>>>>>>> df48e12 (updates-1)
 if err = controllerutil.SetControllerReference(instance, svc, i.Client.Scheme()); err != nil {
 return i.Failed(fmt.Errorf("could not set controller reference for Service: %w", err))
 }
@@ -64,12 +82,11 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 }
 //TLS: Annotate service
- signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
 if svc.Annotations == nil {
 svc.Annotations = make(map[string]string)
 }
- svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret"
+ svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-ctlog-tls-secret"
 err := i.Client.Update(ctx, svc)
 if err != nil {
 return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance)
diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go
index b63953246..1653cc36f 100644
--- a/internal/controller/ctlog/ctlog_controller_test.go
+++ b/internal/controller/ctlog/ctlog_controller_test.go
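Review bot: The incoming side chooses port 443 when `instance.Spec.TLSCertificate.CertRef != nil || signingKeySecret != nil`, but the deployment action in this same diff enables TLS only for `CertRef != nil && CACertRef != nil` (or the signing key), so a spec with `CertRef` set and `CACertRef` unset advertises `443-tcp` in front of a container serving plain HTTP; both actions should derive this from one shared predicate. The same block also exposes the metrics port unconditionally through `kubernetes.CreateService(..., MetricsPortName, MetricsPort, labels)`, dropping HEAD's `instance.Spec.Monitoring.Enabled` gate, and hard-codes the target as `intstr.FromInt32(6962)` where HEAD used `ServerTargetPort` — the liveness/readiness probes in internal/controller/ctlog/utils/ctlog_deployment.go hard-code the same number. Reuse the constant in all three places, `TargetPort: intstr.FromInt32(ServerTargetPort),`. The enclosing `Handle` begins before the hunk.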
@@ -174,7 +174,12 @@ var _ = Describe("CTlog controller", func() {
 Eventually(func() error {
 return k8sClient.Get(ctx, types.NamespacedName{Name: actions.ComponentName, Namespace: Namespace}, service)
 }).Should(Succeed())
+<<<<<<< HEAD
 Expect(service.Spec.Ports[0].Port).Should(Equal(int32(80)))
+=======
+ Expect(service.Spec.Ports[0].Port).Should(Equal(int32(6963)))
+ Expect(service.Spec.Ports[1].Port).Should(Equal(int32(443)))
+>>>>>>> df48e12 (updates-1)
 By("Move to Ready phase")
 // Workaround to succeed condition for Ready phase
diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go
index e8af3ba9e..c029ed7e5 100644
--- a/internal/controller/ctlog/utils/ctlog_deployment.go
+++ b/internal/controller/ctlog/utils/ctlog_deployment.go
@@ -13,6 +13,7 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
+<<<<<<< HEAD
 func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, serverPort, metricsPort int32) (*appsv1.Deployment, error) {
 switch {
 case instance.Status.ServerConfigRef == nil:
@@ -23,8 +24,17 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianAddressNotSpecified)
 case instance.Spec.Trillian.Port == nil:
 return nil, fmt.Errorf("CreateCTLogDeployment: %w", TrillianPortNotSpecified)
+=======
+func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string, labels map[string]string, useHTTPS bool) (*appsv1.Deployment, error) {
+ if instance.Status.ServerConfigRef == nil {
+ return nil, errors.New("server config name not specified")
+>>>>>>> df48e12 (updates-1)
 }
 replicas := int32(1)
+ scheme := corev1.URISchemeHTTP
+ if useHTTPS {
+ scheme = corev1.URISchemeHTTPS
+ }
 // Define a new Deployment object
 containerPorts := []corev1.ContainerPort{
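Review bot: The incoming `CreateDeployment` replaces the wrapped sentinel form its neighbours use (`fmt.Errorf("CreateCTLogDeployment: %w", TrillianAddressNotSpecified)`) with a bare `errors.New("server config name not specified")`, so callers lose `errors.Is` matching and the message loses the function prefix; keep the style with an exported sentinel declared next to the Trillian ones (say `ErrServerConfigNotSpecified`, to be added) and `return nil, fmt.Errorf("CreateCTLogDeployment: %w", ErrServerConfigNotSpecified)`. It also drops the `Trillian.Address` / `Trillian.Port` validation entirely, which is only safe if every caller defaults them first, and the incoming side of the ctlog deployment action does not. `errors` must be imported in this file for the new line to compile; the import hunk above shows only `intstr` as context, so I can't tell whether it is. The function continues past the hunk.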
@@ -73,8 +83,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 LivenessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
+<<<<<<< HEAD
 Path: "/healthz",
 Port: intstr.FromInt32(serverPort),
+=======
+ Path: "/healthz",
+ Port: intstr.FromInt32(6962),
+ Scheme: scheme,
+>>>>>>> df48e12 (updates-1)
 },
 },
 InitialDelaySeconds: 10,
@@ -86,8 +102,14 @@ func CreateDeployment(instance *v1alpha1.CTlog, deploymentName string, sa string
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
+<<<<<<< HEAD
 Path: "/healthz",
 Port: intstr.FromInt32(serverPort),
+=======
+ Path: "/healthz",
+ Port: intstr.FromInt32(6962),
+ Scheme: scheme,
+>>>>>>> df48e12 (updates-1)
 },
 },
 InitialDelaySeconds: 10,
diff --git a/internal/controller/fulcio/actions/config_map.go b/internal/controller/fulcio/actions/config_map.go
index 1084ebb5d..272b42a82 100644
--- a/internal/controller/fulcio/actions/config_map.go
+++ b/internal/controller/fulcio/actions/config_map.go
@@ -29,7 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool {
 c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
- return c.Reason == constants.Creating || c.Reason == constants.Ready && cm == nil
+ return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && instance.Spec.TLSCertificate.CACertRef == nil
 }
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result {
diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go
index 9b461d689..7e17f98e1 100644
--- a/internal/controller/fulcio/actions/deployment.go
+++ b/internal/controller/fulcio/actions/deployment.go
@@ -41,18 +41,17 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
- switch {
- case instance.Spec.Ctlog.Address == "":
+ if instance.Spec.Ctlog.Address == "" {
 if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
 instance.Spec.Ctlog.Address = fmt.Sprintf("https://ctlog.%s.svc", instance.Namespace)
 } else {
 instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
 }
- case instance.Spec.Ctlog.Port == nil:
+ }
+ if instance.Spec.Ctlog.Port == nil || *instance.Spec.Ctlog.Port == 0 {
 var port int32
 if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
 port = int32(443)
- } else {
 port = int32(80)
 }
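Review bot: Removing `} else {` without touching the surrounding braces leaves `port = int32(80)` inside the TLS branch: when `CACertRef != nil || signingKeySecret != nil` the port is set to 443 and immediately overwritten with 80, and in the plain case `port` keeps its zero value, so the defaulted Ctlog port becomes 80 for TLS and 0 for non-TLS — the reverse of what the `https://` / `http://` address defaulting just above intends, and 0 is exactly the value this branch is meant to replace. Restore the branch as three lines, `port = int32(443)` / `} else {` / `port = int32(80)`. The `Port == nil || *Port == 0` guard itself matches the new CRD default of 0. The enclosing `Handle` continues past the hunk.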
@@ -72,39 +71,13 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 }
 // TLS certificate
- if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil {
+ if instance.Spec.TLSCertificate.CACertRef != nil {
 dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes, corev1.Volume{
 Name: "tls-cert",
 VolumeSource: corev1.VolumeSource{
 Projected: &corev1.ProjectedVolumeSource{
 Sources: []corev1.VolumeProjection{
- {
- Secret: &corev1.SecretProjection{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: instance.Spec.TLSCertificate.CertRef.Name,
- },
- Items: []corev1.KeyToPath{
- {
- Key: instance.Spec.TLSCertificate.CertRef.Key,
- Path: "tls.crt",
- },
- },
- },
- },
- {
- Secret: &corev1.SecretProjection{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: instance.Spec.TLSCertificate.PrivateKeyRef.Name,
- },
- Items: []corev1.KeyToPath{
- {
- Key: instance.Spec.TLSCertificate.PrivateKeyRef.Key,
- Path: "tls.key",
- },
- },
- },
- },
 {
 ConfigMap: &corev1.ConfigMapProjection{
 LocalObjectReference: corev1.LocalObjectReference{
@@ -130,13 +103,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 VolumeSource: corev1.VolumeSource{
 Projected: &corev1.ProjectedVolumeSource{
 Sources: []corev1.VolumeProjection{
- {
- Secret: &corev1.SecretProjection{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: instance.Name + "-tls-secret",
- },
- },
- },
 {
 ConfigMap: &corev1.ConfigMapProjection{
 LocalObjectReference: corev1.LocalObjectReference{
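Review bot: The new condition `if instance.Spec.TLSCertificate.CACertRef != nil` mounts only the CA, and this hunk removes the `CertRef` / `PrivateKeyRef` projections (the args hunk that follows removes `--grpc-tls-certificate` / `--grpc-tls-key` as well), so Fulcio no longer serves TLS from a user-supplied certificate; a `Fulcio` spec that still sets `CertRef` and `PrivateKeyRef` is accepted and served in plaintext without any signal. If those fields are now meaningful only for CTlog, state it in the API type comment and either reject or log them here, e.g. `// TLSCertificate.CertRef/PrivateKeyRef are not consumed by Fulcio; only CACertRef (CA used to reach the CTlog endpoint) is mounted.`. Both hunks sit inside `Handle`, which begins before the hunk and continues past it.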
@@ -166,9 +132,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 ReadOnly: true,
 })
- dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt")
- dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key")
- dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt")
+ dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", "/etc/ssl/certs/ca.crt")
 }
 if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
diff --git a/internal/controller/fulcio/actions/service.go b/internal/controller/fulcio/actions/service.go
index 30f8e8daf..b12a37af4 100644
--- a/internal/controller/fulcio/actions/service.go
+++ b/internal/controller/fulcio/actions/service.go
@@ -7,7 +7,6 @@ import (
 rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 "github.com/securesign/operator/internal/controller/common/action"
 "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
- k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 "github.com/securesign/operator/internal/controller/constants"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/meta"
@@ -71,19 +70,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulci
 return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create service: %w", err), instance)
 }
- //TLS: Annotate service
- signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
- if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
- if svc.Annotations == nil {
- svc.Annotations = make(map[string]string)
- }
- svc.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = instance.Name + "-tls-secret"
- err := i.Client.Update(ctx, svc)
- if err != nil {
- return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not annotate service: %w", err), instance)
- }
- }
-
 if updated {
 meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready, Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "Service created"})