Merge pull request #19 from securesign/labels

Remove scaffolding images
securesign · Jan 10, 2024 · 074e2a6 · 074e2a6
2 parents 2cc4585 + e57a4b0
commit 074e2a6
Show file tree

Hide file tree

Showing 66 changed files with 1,614 additions and 1,082 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -83,12 +83,14 @@ jobs:
           kubectl create ns create-cert
           kubectl apply -f config/samples/rhtas_v1alpha1_securesign_cert_create.yaml -n create-cert
 
-      - name: Until shell script to wait for fulcio deployment to be created
+        #Deployment is done in iterations TUF should be the last one
+      - name: Until shell script to wait for tuf deployment to be created
         run: |
-          timeout 120s bash -c 'until [ ! -z "$(kubectl get deployment fulcio-server -n test 2>/dev/null)" ]
+          timeout 120s bash -c 'until [ ! -z "$(kubectl get deployment tuf -n test 2>/dev/null)" ]
           do
-            echo "Waiting for fulcio deployment to be created. Pods in test namespace:"
+            echo "Waiting for tuf deployment to be created. Pods in test namespace:"
             kubectl get pods -n test
+            kubectl get rekor,fulcio,tuf,ctlog,trillian -n test
             sleep 3
           done'
         shell: bash
@@ -106,31 +108,24 @@ jobs:
         run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=80s -n test
 
       - name: Check for the deployment of trillian logserver
-        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=80s -n test
-
-      - name: wait for the createtree job to finish
-        run: kubectl wait --for=condition=complete job/create-tree --timeout=120s -n test
-
-      - name: wait for the create-tree-rekor job to finish
-        run: kubectl wait --for=condition=complete job/create-tree-rekor --timeout=120s -n test
-
-      - name: wait for create-config job to finish
-        run: kubectl wait --for=condition=complete job/create-config --timeout=120s -n test
+        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=200s -n test
 
       - name: Check for the deployment of tuf
         run: kubectl wait --for=condition=available deployment/tuf --timeout=120s -n test
 
       - name: Check for the deployment of ctlog
         run: kubectl wait --for=condition=available deployment/ctlog --timeout=120s -n test
 
-      - name: Until shell script to wait for fulcio deployment to be created
+      #Deployment is done in iterations TUF should be the last one
+      - name: Until shell script to wait for tuf deployment to be created
         run: |
-          until [ ! -z "$(kubectl get deployment fulcio-server -n create-cert 2>/dev/null)" ]
+          timeout 120s bash -c 'until [ ! -z "$(kubectl get deployment tuf -n create-cert 2>/dev/null)" ]
           do
-            echo "Waiting for fulcio deployment to be created. Pods in create-cert namespace:"
+            echo "Waiting for tuf deployment to be created. Pods in create-cert namespace:"
             kubectl get pods -n create-cert
+            kubectl get rekor,fulcio,tuf,ctlog,trillian -n create-cert
             sleep 3
-          done
+          done'
         shell: bash
 
       - name: Check the deployment of fulcio
@@ -146,16 +141,7 @@ jobs:
         run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=80s -n create-cert
 
       - name: Check for the deployment of trillian logserver
-        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=80s -n create-cert
-
-      - name: wait for the createtree job to finish
-        run: kubectl wait --for=condition=complete job/create-tree --timeout=120s -n create-cert
-
-      - name: wait for the create-tree-rekor job to finish
-        run: kubectl wait --for=condition=complete job/create-tree-rekor --timeout=120s -n create-cert
-
-      - name: wait for create-config job to finish
-        run: kubectl wait --for=condition=complete job/create-config --timeout=120s -n create-cert
+        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=200s -n create-cert
 
       - name: Check for the deployment of tuf
         run: kubectl wait --for=condition=available deployment/tuf --timeout=120s -n create-cert
@@ -169,5 +155,7 @@ jobs:
         if: always()
 
       - name: dump all deployments
-        run: kubectl get deployments -A
+        run: |
+          kubectl get deployments -A
+          kubectl get rekor,fulcio,tuf,ctlog,trillian -A
         if: always()
diff --git a/README.md b/README.md
@@ -41,6 +41,25 @@ UnDeploy the controller from the cluster:
 make undeploy
 ```
 
+### Local Development
+As a prerequisite you need to enable HTTP/2 on a single Ingress Controller. To enable HTTP/2 on an Ingress Controller, enter the oc annotate command:
+
+```
+$  oc -n openshift-ingress-operator annotate ingresscontrollers/<ingresscontroller_name> ingress.operator.openshift.io/default-enable-http2=true
+```
+Replace <ingresscontroller_name> with the name of the Ingress Controller to annotate.
+
+#### Install the CRDs into the cluster:
+```
+make install
+````
+
+Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
+```
+make run
+```
+NOTE: You can also run this in one step by running: make install run
+
 ## Contributing
 // TODO(user): Add detailed information on how you would like others to contribute to this project
 
@@ -58,7 +77,6 @@ make install
 ```
 
 2. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
-
 ```sh
 make run
 ```

diff --git a/api/v1alpha1/phase.go b/api/v1alpha1/phase.go
@@ -3,10 +3,11 @@ package v1alpha1
 type Phase string
 
 const (
-	PhaseNone             Phase = ""
-	PhaseInitialization   Phase = "Initialization"
-	PhaseReady            Phase = "Ready"
-	PhasePending          Phase = "Pending"
-	PhaseError            Phase = "Error"
-	PhaseDuplicitResource       = "DuplicitResource"
+	PhaseNone     Phase = ""
+	PhaseCreating Phase = "Creating"
+
+	PhaseInitialize Phase = "Initialization"
+	PhaseReady      Phase = "Ready"
+	PhasePending    Phase = "Pending"
+	PhaseError      Phase = "Error"
 )
diff --git a/api/v1alpha1/trillian_types.go b/api/v1alpha1/trillian_types.go
@@ -27,19 +27,23 @@ import (
 type TrillianSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
-	PvcName string `json:"pvcName,omitempty"`
+	PvcName  string `json:"pvcName,omitempty"`
+	External bool   `json:"external,omitempty"`
 }
 
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {
-	Phase Phase `json:"phase"`
+	Url    string `json:"url"`
+	TreeID int64  `json:"treeID"`
+	Phase  Phase  `json:"phase"`
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 }
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:printcolumn:name="Phase",type=string,JSONPath=`.status.phase`,description="The component phase"
+//+kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.status.url`,description="The component url"
 
 // Trillian is the Schema for the trillians API
 type Trillian struct {

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -95,6 +95,8 @@ spec:
               trillian:
                 description: TrillianSpec defines the desired state of Trillian
                 properties:
+                  external:
+                    type: boolean
                   pvcName:
                     description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of
                       cluster Important: Run "make" to regenerate code after modifying

diff --git a/config/crd/bases/rhtas.redhat.com_trillians.yaml b/config/crd/bases/rhtas.redhat.com_trillians.yaml
@@ -20,6 +20,10 @@ spec:
       jsonPath: .status.phase
       name: Phase
       type: string
+    - description: The component url
+      jsonPath: .status.url
+      name: URL
+      type: string
     name: v1alpha1
     schema:
       openAPIV3Schema:
@@ -40,6 +44,8 @@ spec:
           spec:
             description: TrillianSpec defines the desired state of Trillian
             properties:
+              external:
+                type: boolean
               pvcName:
                 description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
                   Important: Run "make" to regenerate code after modifying this file'
@@ -50,8 +56,15 @@ spec:
             properties:
               phase:
                 type: string
+              treeID:
+                format: int64
+                type: integer
+              url:
+                type: string
             required:
             - phase
+            - treeID
+            - url
             type: object
         type: object
     served: true

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -329,3 +329,15 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -10,12 +10,12 @@ metadata:
   name: securesign-sample
 spec:
   rekor:
-    external: true
+    external: false
     keySecret: rekor-private-key
     rekorCert:
       create: false
   fulcio:
-    external: true
+    external: false
     keySecret: fulcio-secret-rh
     oidcIssuers:
       "http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore":
@@ -27,5 +27,5 @@ spec:
 
   trillian:
   tuf:
-    external: true
-  ctlog:
+    external: false
+  ctlog:
diff --git a/config/samples/rhtas_v1alpha1_securesign_cert_create.yaml b/config/samples/rhtas_v1alpha1_securesign_cert_create.yaml
@@ -10,12 +10,12 @@ metadata:
   name: securesign-sample
 spec:
   rekor:
-    external: true
+    external: false
     keySecret: rekor-private-key
     rekorCert:
       create: true
   fulcio:
-    external: true
+    external: false
     keySecret: fulcio-secret-rh
     oidcIssuers:
       "http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore":
@@ -31,4 +31,4 @@ spec:
   trillian:
   tuf:
     external: true
-  ctlog:
+  ctlog:
diff --git a/controllers/common/base_action.go b/controllers/common/base_action.go
@@ -1,13 +1,15 @@
 package common
 
 import (
+	"github.com/go-logr/logr"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type BaseAction struct {
 	Client   client.Client
 	Recorder record.EventRecorder
+	Logger   logr.Logger
 }
 
 func (action *BaseAction) InjectClient(client client.Client) {
@@ -17,3 +19,7 @@ func (action *BaseAction) InjectClient(client client.Client) {
 func (action *BaseAction) InjectRecorder(recorder record.EventRecorder) {
 	action.Recorder = recorder
 }
+
+func (action *BaseAction) InjectLogger(logger logr.Logger) {
+	action.Logger = logger
+}
diff --git a/controllers/common/utils/deployment.go b/controllers/common/utils/deployment.go
diff --git a/controllers/common/utils/kubernetes/common.go b/controllers/common/utils/kubernetes/common.go
@@ -0,0 +1,11 @@
+package kubernetes
+
+func FilterCommonLabels(labels map[string]string) map[string]string {
+	out := map[string]string{}
+	for key, value := range labels {
+		if key == "app.kubernetes.io/part-of" || key == "app.kubernetes.io/instance" {
+			out[key] = value
+		}
+	}
+	return out
+}
diff --git a/controllers/common/utils/kubernetes/config_map.go b/controllers/common/utils/kubernetes/config_map.go
@@ -0,0 +1,18 @@
+package kubernetes
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func InitConfigmap(namespace string, name string, labels map[string]string, data map[string]string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    labels,
+		},
+
+		Data: data,
+	}
+}
diff --git a/controllers/common/utils/kubernetes/deployment.go b/controllers/common/utils/kubernetes/deployment.go
@@ -0,0 +1,23 @@
+package kubernetes
+
+import (
+	"context"
+
+	v1 "k8s.io/api/apps/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func DeploymentIsRunning(ctx context.Context, cli client.Client, namespace string, labels map[string]string) (bool, error) {
+	var err error
+	list := &v1.DeploymentList{}
+
+	if err = cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels(labels)); err != nil {
+		return false, err
+	}
+	for _, d := range list.Items {
+		if d.Status.ReadyReplicas != *d.Spec.Replicas {
+			return false, nil
+		}
+	}
+	return true, nil
+}
diff --git a/controllers/common/utils/pvc.go → controllers/common/utils/kubernetes/pvc.go b/controllers/common/utils/pvc.go → controllers/common/utils/kubernetes/pvc.go
@@ -1,4 +1,4 @@
-package utils
+package kubernetes
 
 import (
 	corev1 "k8s.io/api/core/v1"

diff --git a/controllers/common/utils/route.go → controllers/common/utils/kubernetes/route.go b/controllers/common/utils/route.go → controllers/common/utils/kubernetes/route.go
@@ -1,4 +1,4 @@
-package utils
+package kubernetes
 
 import (
 	routev1 "github.com/openshift/api/route/v1"
@@ -7,11 +7,12 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
-func CreateRoute(svc v1.Service, port string) *routev1.Route {
+func CreateRoute(svc v1.Service, port string, labels map[string]string) *routev1.Route {
 	return &routev1.Route{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      svc.Name,
 			Namespace: svc.Namespace,
+			Labels:    labels,
 		},
 		Spec: routev1.RouteSpec{
 			To: routev1.RouteTargetReference{