Adding tls support for operator

Makefile

@@ -31,7 +31,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # jfrog.com/operator-bundle:$VERSION and jfrog.com/operator-catalog:$VERSION.
-IMAGE_TAG_BASE ?= docker.jfrog.io/jfrog/jfrog-registry-operator:latest
+IMAGE_TAG_BASE ?= docker.jfrog.io/jfrog/jfrog-registry-operator:1.3.0
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
@@ -239,3 +239,4 @@ build-operator-linux-amd64:
 build-operator-linux-arm64:
 	@$(call echoDebug,"")
 	@GOOS="linux" GOARCH="arm64" $(MAKE) build BINARYNAME="operator" CMD_SRC_DIR="${PROJECT_DIR}"
+

PROJECT

@@ -18,6 +18,6 @@ resources:
   domain: jfrog.com
   group: jfrog
   kind: SecretRotator
-  path: github.com/jfrog/jfrog-registry-operator.git
+  path: github.com/jfrog/jfrog-registry-operator.git/api/v1alpha1
   version: v1alpha1
 version: "3"

README.md

@@ -26,7 +26,6 @@ The following diagram shows the basic architecture of how AssumeRole integrates
 
 If you are interested in making the move from vulnerable manual secret handling to secure automated secret management, then your journey towards a more secure and seamless containerized future begins here. See how quickly this powerful capability can be deployed by checking out our [step-by-step installation and configuration guide](https://jfrog.com/help/r/jfrog-installation-setup-documentation/passwordless-access-for-amazon-eks).
 
-
 ## Install operator using helm chart - Ignore if you already installed using Setting up JFrog’s AssumeRole Capabilities in AWS
 
 ```bash
@@ -71,6 +70,12 @@ spec:
       annotationKey: annotationValue
     labels:
       labelName: labelValue
+  security:
+    enabled: false
+    secretNamespace:
+    ## NOTE: You can provide either a ca.pem or ca.crt. But make sure that key needs to same as ca.crt or ca.pem in secret
+    certificateSecretName:
+    insecureSkipVerify: false
 ```
 
 Apply the secretrotator mainfest:

api/v1alpha1/secretrotator_types.go

@@ -27,6 +27,17 @@ var (
 	SecretKind = reflect.TypeOf(SecretRotator{}).Name()
 )
 
+// Custom Certificate path
+var (
+	CustomCertificatePath = "/usr/tmp/"
+	CertPem               = "/cert.pem"
+	KeyPem                = "/key.pem"
+	CaPem                 = "/ca.pem"
+	TlsCrt                = "/tls.crt"
+	TlsKey                = "/tls.key"
+	TlsCa                 = "/ca.crt"
+)
+
 // SecretRotatorSpec defines the desired state of SecretRotator
 type SecretRotatorSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
@@ -47,6 +58,22 @@ type SecretRotatorSpec struct {
 
 	// RefreshInterval The time in which the controller should reconcile it's objects and recheck namespaces for labels.
 	RefreshInterval *metav1.Duration `json:"refreshTime,omitempty"`
+
+	// Security holding tls/ssl certificates details
+	Security SecurityDetails `json:"security,omitempty"`
+}
+
+// SecurityDetails defines details for certificates, fields are insecureSkipVerify, secret nameand enable flag.
+type SecurityDetails struct {
+	// +kubebuilder:default:=false
+	// +optional
+	Enabled bool `default:"false" json:"enabled,omitempty"`
+	// +optional
+	CertificateSecretName string `json:"certificateSecretName,omitempty"`
+	// +optional
+	SecretNamespace string `json:"secretNamespace,omitempty"`
+	// +optional
+	InsecureSkipVerify bool `default:"false" json:"insecureSkipVerify,omitempty"`
 }
 
 // SecretMetadata defines metadata fields for the ExternalSecret generated by the SecretOperator.

charts/jfrog-registry-operator/CHANGELOG.md

@@ -1,8 +1,17 @@
 # JFrog Secret Rotator Operator Chart Changelog
 All changes to this chart will be documented in this file.
 
+## [1.3.0] - Jul 17, 2024
+* Release of jfrog-registry-operator `1.3.0`
+
+## [1.2.0] - Jul 15, 2024
+* Release of jfrog-registry-operator `1.2.0`
+
 ## [1.1.0] - Feb 1, 2024
 * Updated README.md to create a namespace using `--create-namespace` as part of helm install
 
 ## [1.0.0] - Dec 12, 2023
-* First release of jfrog-registry-operator `1.0.0`
+* First release of jfrog-registry-operator `1.0.0`
+
+## [1.0.1] - Dec 20, 2023
+* Adding serviceMonitor to jfrog-registry-operator

charts/jfrog-registry-operator/Chart.yaml

@@ -3,7 +3,7 @@ kubeVersion: ">= 1.19.0-0"
 type: application
 name: jfrog-registry-operator
 home: https://jfrog.com/platform/
-version: 1.1.0
+version: 1.3.0
 appVersion: 1.x-SNAPSHOT
 dependencies:
   - name: jfrog-common

charts/jfrog-registry-operator/crds/apps.jfrog.com_secretrotators.yaml

@@ -114,6 +114,19 @@ spec:
               secretName:
                 description: SecretName holding name of the secret
                 type: string
+              security:
+                description: Security holding tls/ssl certificates details
+                properties:
+                  certificateSecretName:
+                    type: string
+                  enabled:
+                    default: false
+                    type: boolean
+                  insecureSkipVerify:
+                    type: boolean
+                  secretNamespace:
+                    type: string
+                type: object
             required:
             - namespaceSelector
             type: object

charts/jfrog-registry-operator/examples/secretrotator.yaml

@@ -17,4 +17,10 @@ spec:
     annotations:
       annotationKey: annotationValue
     labels:
-      labelName: labelValue
+      labelName: labelValue
+  security:
+    enabled: false
+    secretNamespace:
+    ## NOTE: You can provide either a ca.pem or ca.crt. But make sure that key needs to same as ca.crt or ca.pem in secret
+    certificateSecretName:
+    insecureSkipVerify: false

charts/jfrog-registry-operator/examples/tls_cert.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+stringData:
+  # ca.crt: |
+
+  # cert.pem: |
+
+kind: Secret
+metadata:
+  name: certs
+type: Opaque

charts/jfrog-registry-operator/full-values.yaml

@@ -8,7 +8,7 @@ global:
 image:
   registry: releases-docker.jfrog.io
   repository: jfrog/jfrog-registry-operator
-  tag: 1.0.0
+  tag: 1.3.0
 
   pullPolicy: IfNotPresent
   # pullSecrets:
@@ -384,3 +384,6 @@ initContainers:
     tag: 9.2.717
     pullPolicy: IfNotPresent
     pullSecrets: []
+
+serviceMonitor:
+  enabled: false

charts/jfrog-registry-operator/templates/deployment.yaml

@@ -108,8 +108,6 @@ spec:
         {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
         {{- end }}
       volumes:
-        - name: jfrog-registry-operator-data
-          emptyDir: {}
   {{- if not (contains "data" (quote .Values.persistence.volumes)) }}
   {{- if not .Values.persistence.enabled }}
         - name: data

charts/jfrog-registry-operator/templates/servicemonitor.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: jfrog-operator
+  name: jfrog-registry-operator
+  namespace: {{ .Release.Namespace | quote }}
+spec:
+  endpoints:
+  - interval: 30s
+    path: /metrics
+    port: operator
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      app: jfrog-operator
+{{- end }}

charts/jfrog-registry-operator/values.yaml

@@ -8,7 +8,7 @@ global:
 image:
   registry: releases-docker.jfrog.io
   repository: jfrog/jfrog-registry-operator
-  tag: 1.0.0
+  tag: 1.3.0
 
   pullPolicy: IfNotPresent
   # pullSecrets:
@@ -215,4 +215,7 @@ initContainers:
     repository: ubi9/ubi-minimal
     tag: 9.2.717
     pullPolicy: IfNotPresent
-    pullSecrets: []
+    pullSecrets: []
+
+serviceMonitor:
+  enabled: false

config/crd/bases/apps.jfrog.com_secretrotators.yaml

@@ -114,6 +114,19 @@ spec:
               secretName:
                 description: SecretName holding name of the secret
                 type: string
+              security:
+                description: Security holding tls/ssl certificates details
+                properties:
+                  certificateSecretName:
+                    type: string
+                  enabled:
+                    default: false
+                    type: boolean
+                  insecureSkipVerify:
+                    type: boolean
+                  secretNamespace:
+                    type: string
+                type: object
             required:
             - namespaceSelector
             type: object

config/deploy/operator.yaml

@@ -67,7 +67,7 @@ spec:
           - ./operator
         args:
         - --leader-elect
-        image: releases-docker.jfrog.io/jfrog/jfrog-registry-operator:1.0.0
+        image: releases-docker.jfrog.io/jfrog/jfrog-registry-operator:1.3.0
         name: manager
         ports:
         - containerPort: 8080

config/monitoring/operator-service.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: jfrog-registry-operator-service
+  labels:
+    app: jfrog-operator
 spec:
   selector:
     app: jfrog-operator

config/rbac/role.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - apps
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps.jfrog.com
+  resources:
+  - secretrotators
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps.jfrog.com
+  resources:
+  - secretrotators/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - apps.jfrog.com
+  resources:
+  - secretrotators/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch