Remove scaffolding jobs

.github/workflows/main.yml

@@ -83,79 +83,65 @@ jobs:
           kubectl create ns create-cert
           kubectl apply -f config/samples/rhtas_v1alpha1_securesign_cert_create.yaml -n create-cert
 
-      - name: Until shell script to wait for fulcio deployment to be created
+        #Deployment is done in iterations TUF should be the last one
+      - name: Until shell script to wait for tuf deployment to be created
         run: |
-          until [ ! -z "$(kubectl get deployment fulcio-server -n test 2>/dev/null)" ]
+          until [ ! -z "$(kubectl get deployment tuf -n test 2>/dev/null)" ]
           do
-            echo "Waiting for fulcio deployment to be created. Pods in test namespace:"
+            echo "Waiting for tuf deployment to be created. Pods in test namespace:"
             kubectl get pods -n test
+            kubectl get rekor,fulcio,tuf,ctlog,trillian -n test
             sleep 3
           done
         shell: bash
 
       - name: Check the deployment of fulcio
-        run: kubectl wait --for=condition=available deployment/fulcio-server --timeout=80s -n test
+        run: kubectl wait --for=condition=available deployment/fulcio-server --timeout=200s -n test
 
       - name: Check the deployment of rekor
-        run: kubectl wait --for=condition=available deployment/rekor-server --timeout=80s -n test
+        run: kubectl wait --for=condition=available deployment/rekor-server --timeout=200s -n test
 
       - name: Check for the deployment of redis
-        run: kubectl wait --for=condition=available deployment/rekor-redis --timeout=80s -n test
+        run: kubectl wait --for=condition=available deployment/rekor-redis --timeout=200s -n test
 
       - name: Check for the deployment of trillian logsigner
-        run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=80s -n test
+        run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=200s -n test
 
       - name: Check for the deployment of trillian logserver
-        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=80s -n test
-
-      - name: wait for the createtree job to finish
-        run: kubectl wait --for=condition=complete job/create-tree --timeout=120s -n test
-
-      - name: wait for the create-tree-rekor job to finish
-        run: kubectl wait --for=condition=complete job/create-tree-rekor --timeout=120s -n test
-
-      - name: wait for create-config job to finish
-        run: kubectl wait --for=condition=complete job/create-config --timeout=120s -n test
+        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=200s -n test
 
       - name: Check for the deployment of tuf
-        run: kubectl wait --for=condition=available deployment/tuf --timeout=120s -n test
+        run: kubectl wait --for=condition=available deployment/tuf --timeout=200s -n test
 
       - name: Check for the deployment of ctlog
-        run: kubectl wait --for=condition=available deployment/ctlog --timeout=120s -n test
+        run: kubectl wait --for=condition=available deployment/ctlog --timeout=200s -n test
 
-      - name: Until shell script to wait for fulcio deployment to be created
+      #Deployment is done in iterations TUF should be the last one
+      - name: Until shell script to wait for tuf deployment to be created
         run: |
-          until [ ! -z "$(kubectl get deployment fulcio-server -n create-cert 2>/dev/null)" ]
+          until [ ! -z "$(kubectl get deployment tuf -n create-cert 2>/dev/null)" ]
           do
-            echo "Waiting for fulcio deployment to be created. Pods in create-cert namespace:"
+            echo "Waiting for tuf deployment to be created. Pods in create-cert namespace:"
             kubectl get pods -n create-cert
+            kubectl get rekor,fulcio,tuf,ctlog,trillian -n create-cert
             sleep 3
           done
         shell: bash
 
       - name: Check the deployment of fulcio
-        run: kubectl wait --for=condition=available deployment/fulcio-server --timeout=80s -n create-cert
+        run: kubectl wait --for=condition=available deployment/fulcio-server --timeout=200s -n create-cert
 
       - name: Check the deployment of rekor
-        run: kubectl wait --for=condition=available deployment/rekor-server --timeout=80s -n create-cert
+        run: kubectl wait --for=condition=available deployment/rekor-server --timeout=200s -n create-cert
 
       - name: Check for the deployment of redis
-        run: kubectl wait --for=condition=available deployment/rekor-redis --timeout=80s -n create-cert
+        run: kubectl wait --for=condition=available deployment/rekor-redis --timeout=200s -n create-cert
 
       - name: Check for the deployment of trillian logsigner
-        run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=80s -n create-cert
+        run: kubectl wait --for=condition=available deployment/trillian-logsigner --timeout=200s -n create-cert
 
       - name: Check for the deployment of trillian logserver
-        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=80s -n create-cert
-
-      - name: wait for the createtree job to finish
-        run: kubectl wait --for=condition=complete job/create-tree --timeout=120s -n create-cert
-
-      - name: wait for the create-tree-rekor job to finish
-        run: kubectl wait --for=condition=complete job/create-tree-rekor --timeout=120s -n create-cert
-
-      - name: wait for create-config job to finish
-        run: kubectl wait --for=condition=complete job/create-config --timeout=120s -n create-cert
+        run: kubectl wait --for=condition=available deployment/trillian-logserver --timeout=200s -n create-cert
 
       - name: Check for the deployment of tuf
         run: kubectl wait --for=condition=available deployment/tuf --timeout=120s -n create-cert
@@ -169,5 +155,7 @@ jobs:
         if: always()
 
       - name: dump all deployments
-        run: kubectl get deployments -A
+        run: |
+          kubectl get deployments -A
+          kubectl get rekor,fulcio,tuf,ctlog,trillian -A
         if: always()

README.md

@@ -41,6 +41,15 @@ UnDeploy the controller from the cluster:
 make undeploy
 ```
 
+### Local Development
+The controller connects to services running inside the cluster to configure them. The Trillian server is configured using RPC protocol.
+The RPC protocol rely on the HTTP/2 that is hard to route outside the cluster (see #issueLink). 
+Until the issue is fixed, the locally running operator will fail with
+```
+Admin server unavailable: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: lookup trillian-logserver.test.svc: no such host"
+CreateTree...
+```
+
 ## Contributing
 // TODO(user): Add detailed information on how you would like others to contribute to this project
 
@@ -51,9 +60,6 @@ It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controlle
 which provide a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
 
 ### Test It Out
-The controller connects to services running inside the cluster. If you want to run the operator locally,
-you would need to expose them OR use `kubectl port-forward` function.
-
 1. Install the CRDs into the cluster:
 
 ```sh
@@ -67,15 +73,6 @@ make run
 
 **NOTE:** You can also run this in one step by running: `make install run`
 
-### FAQ
-#### Q: I am getting following error from the locally running operator
-```
-Admin server unavailable: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp: lookup trillian-logserver.test.svc: no such host"
-CreateTree...
-```
-**A:** The controller try to connect to the local service (trillian in this case).
-You need to export it OR use port-forward and set the correct URL to the CR configuration.
-
 ### Modifying the API definitions
 If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
 

api/v1alpha1/trillian_types.go

@@ -33,8 +33,9 @@ type TrillianSpec struct {
 
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {
-	Url   string `json:"url"`
-	Phase Phase  `json:"phase"`
+	Url    string `json:"url"`
+	TreeID int64  `json:"treeID"`
+	Phase  Phase  `json:"phase"`
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 }

config/crd/bases/rhtas.redhat.com_trillians.yaml

@@ -56,10 +56,14 @@ spec:
             properties:
               phase:
                 type: string
+              treeID:
+                format: int64
+                type: integer
               url:
                 type: string
             required:
             - phase
+            - treeID
             - url
             type: object
         type: object

config/rbac/role.yaml

@@ -329,3 +329,15 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch

config/samples/rhtas_v1alpha1_securesign.yaml

@@ -20,13 +20,12 @@ spec:
     oidcIssuers:
       "http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore":
         ClientID: "sigstore"
-        IssuerURL: "https://keycloak-keycloak-system.apps.rosa.hhdxf-cd9dh-3dt.1b9r.p3.openshiftapps.com/auth/realms/sigstore"
+        IssuerURL: "http://keycloak-internal.keycloak-system.svc/auth/realms/sigstore"
         Type: "email"
     fulcioCert:
       create: false
 
   trillian:
-    external: true
   tuf:
     external: true
-  ctlog:
+  ctlog:

config/samples/rhtas_v1alpha1_securesign_cert_create.yaml

@@ -31,4 +31,4 @@ spec:
   trillian:
   tuf:
     external: true
-  ctlog:
+  ctlog:

controllers/common/base_action.go

@@ -1,13 +1,15 @@
 package common
 
 import (
+	"github.com/go-logr/logr"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type BaseAction struct {
 	Client   client.Client
 	Recorder record.EventRecorder
+	Logger   logr.Logger
 }
 
 func (action *BaseAction) InjectClient(client client.Client) {
@@ -17,3 +19,7 @@ func (action *BaseAction) InjectClient(client client.Client) {
 func (action *BaseAction) InjectRecorder(recorder record.EventRecorder) {
 	action.Recorder = recorder
 }
+
+func (action *BaseAction) InjectLogger(logger logr.Logger) {
+	action.Logger = logger
+}

controllers/common/utils/kubernetes/secret.go

@@ -5,22 +5,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func CreateSecret(namespace, name, component, app string, secrets map[string]string) *corev1.Secret {
-	secretData := make(map[string][]byte)
-	for k, v := range secrets {
-		secretData[k] = []byte(v)
-	}
-
+func CreateSecret(name string, namespace string, data map[string][]byte, labels map[string]string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
-			Labels: map[string]string{
-				"app.kubernetes.io/component": component,
-				"app.kubernetes.io/name":      app,
-				"app.kubernetes.io/instance":  "trusted-artifact-signer",
-			},
+			Labels:    labels,
 		},
-		Data: secretData,
+		Data: data,
 	}
 }

controllers/constants/images.go

@@ -5,10 +5,15 @@ const (
 	TrillianServerImage    = "registry.redhat.io/rhtas-tech-preview/trillian-logserver-rhel9@sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03"
 	TrillianDbImage        = "registry.redhat.io/rhtas-tech-preview/trillian-database-rhel9@sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957"
 
+	// TODO: remove and check the DB pod status
+	TrillianNetcatImage = "registry.redhat.io/rhtas-tech-preview/trillian-netcat-rhel9@sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e"
+
 	FulcioServerImage = "registry.redhat.io/rhtas-tech-preview/fulcio-rhel9@sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc"
 
 	RekorRedisImage  = "docker.io/redis@sha256:6c42cce2871e8dc5fb3e843ed5c4e7939d312faf5e53ff0ff4ca955a7e0b2b39"
 	RekorServerImage = "registry.redhat.io/rhtas-tech-preview/rekor-server-rhel9@sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e"
 
 	TufImage = "registry.redhat.io/rhtas-tech-preview/tuf-server-rhel9@sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9"
+
+	CTLogImage = "registry.redhat.io/rhtas-tech-preview/ct-server-rhel9@sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f"
 )

controllers/ctlog/create.go

@@ -31,7 +31,7 @@ func (i createAction) Name() string {
 }
 
 func (i createAction) CanHandle(ctlog *rhtasv1alpha1.CTlog) bool {
-	return ctlog.Status.Phase == rhtasv1alpha1.PhaseNone
+	return ctlog.Status.Phase == rhtasv1alpha1.PhaseCreating
 }
 
 func (i createAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) (*rhtasv1alpha1.CTlog, error) {
@@ -41,28 +41,37 @@ func (i createAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 	labels["app.kubernetes.io/component"] = ComponentName
 	labels["app.kubernetes.io/name"] = deploymentName
 
-	server := ctlogUtils.CreateDeployment(instance.Namespace, deploymentName, labels)
-	controllerutil.SetControllerReference(instance, server, i.Client.Scheme())
-	if err = i.Client.Create(ctx, server); err != nil {
+	trillians, err := findTrillians(ctx, i.Client, *instance)
+	if err != nil {
 		instance.Status.Phase = rhtasv1alpha1.PhaseError
-		return instance, fmt.Errorf("could not create job: %w", err)
+		return instance, fmt.Errorf("could not find trillian: %w", err)
 	}
 
-	cm := utils.InitConfigmap(instance.Namespace, "ctlog-config", labels, map[string]string{
-		"__placeholder": "###################################################################\n" +
-			"# Just a placeholder so that reapplying this won't overwrite treeID\n" +
-			"# if it already exists. This caused grief, do not remove.\n" +
-			"###################################################################",
-	})
-	controllerutil.SetControllerReference(instance, cm, i.Client.Scheme())
-	if err = i.Client.Create(ctx, cm); err != nil {
+	fulcios, err := findFulcios(ctx, i.Client, *instance)
+	if err != nil {
 		instance.Status.Phase = rhtasv1alpha1.PhaseError
-		return instance, fmt.Errorf("could not create job: %w", err)
+		return instance, fmt.Errorf("could not find fulcio: %w", err)
 	}
 
-	// TODO: move code from job to operator
-	config := ctlogUtils.CreateCTJob(instance.Namespace, "create-config")
+	var config, pubKey *corev1.Secret
+	if config, pubKey, err = ctlogUtils.CreateCtlogConfig(ctx, i.Client, instance.Namespace, trillians.Items[0].Status.Url, trillians.Items[0].Status.TreeID, fulcios.Items[0].Status.Url, labels); err != nil {
+		instance.Status.Phase = rhtasv1alpha1.PhaseError
+		return instance, fmt.Errorf("could not create CTLog configuration: %w", err)
+	}
+	controllerutil.SetControllerReference(instance, config, i.Client.Scheme())
+	controllerutil.SetControllerReference(instance, pubKey, i.Client.Scheme())
 	if err = i.Client.Create(ctx, config); err != nil {
+		instance.Status.Phase = rhtasv1alpha1.PhaseError
+		return instance, fmt.Errorf("could not create CTLog configuration secret: %w", err)
+	}
+	if err = i.Client.Create(ctx, pubKey); err != nil {
+		instance.Status.Phase = rhtasv1alpha1.PhaseError
+		return instance, fmt.Errorf("could not create CTLog public key secret: %w", err)
+	}
+
+	server := ctlogUtils.CreateDeployment(instance.Namespace, deploymentName, config.Name, labels)
+	controllerutil.SetControllerReference(instance, server, i.Client.Scheme())
+	if err = i.Client.Create(ctx, server); err != nil {
 		instance.Status.Phase = rhtasv1alpha1.PhaseError
 		return instance, fmt.Errorf("could not create job: %w", err)
 	}
@@ -80,7 +89,7 @@ func (i createAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 		return instance, fmt.Errorf("could not create service: %w", err)
 	}
 
-	instance.Status.Phase = rhtasv1alpha1.PhaseCreating
+	instance.Status.Phase = rhtasv1alpha1.PhaseInitialize
 	return instance, nil
 
 }

controllers/ctlog/ctlog_controller.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
@@ -66,6 +67,7 @@ func (r *CTlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 	}
 	target := instance.DeepCopy()
 	actions := []Action{
+		NewPendingAction(),
 		NewCreateAction(),
 		NewWaitAction(),
 	}
@@ -98,5 +100,7 @@ func (r *CTlogReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&rhtasv1alpha1.CTlog{}).
 		Owns(&v1.Deployment{}).
+		// TODO: we should not rely on ownership of securesign resource
+		Watches(&rhtasv1alpha1.Trillian{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &rhtasv1alpha1.Securesign{})).
 		Complete(r)
 }