
Merge pull request #465 from securesign/SECURESIGN-663
[SECURESIGN-663] Add option to set an external ctlog service
openshift-merge-bot[bot] authored Jul 4, 2024
2 parents d46c30c + 36c4784 commit 1d2b88a
Showing 13 changed files with 149 additions and 4 deletions.
13 changes: 13 additions & 0 deletions api/v1alpha1/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,19 @@ type TrillianService struct {
Port *int32 `json:"port,omitempty"`
}

// CtlogService configuration to connect Ctlog server
type CtlogService struct {
// Address to Ctlog Log Server End point
//+optional
Address string `json:"address,omitempty"`
// Port of Ctlog Log Server End point
//+kubebuilder:validation:Minimum:=1
//+kubebuilder:validation:Maximum:=65535
//+kubebuilder:default:=80
//+optional
Port *int32 `json:"port,omitempty"`
}

// LocalObjectReference contains enough information to let you locate the
// referenced object inside the same namespace.
// +structType=atomic
Expand Down
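Review bot: The `Address` doc comment does not say the value must carry a URL scheme, yet the controller concatenates it verbatim with the port into Fulcio's `--ct-log-url` (fulcio_deployment.go formats `%s:%d/trusted-artifact-signer`) and the in-cluster default set in deployment.go is `http://ctlog.<namespace>.svc`; a bare host such as the `ctlog.default.svc` used in fulcio_types_test.go would produce a scheme-less URL. Suggest `// Address of the Ctlog Log Server endpoint, including the URL scheme (e.g. http://ctlog.<namespace>.svc); it is combined with Port and passed verbatim to Fulcio as --ct-log-url.` Because this field decides which log Fulcio submits issued certificates to, a `+kubebuilder:validation:Pattern` restricting it to an `http://` or `https://` URL would reject malformed or unexpected values at admission instead of at pod start.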
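--- a/api/v1alpha1/fulcio_types.go
+++ b/api/v1alpha1/fulcio_types.go
@@ -11,6 +11,10 @@ import (
 type FulcioSpec struct {
 // Define whether you want to export service or not
 ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
+// Ctlog service configuration
+//+optional
+//+kubebuilder:default:={port: 80}
+Ctlog CtlogService `json:"ctlog,omitempty"`
 // Fulcio Configuration
 //+required
 Config FulcioConfig `json:"config"`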
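Review bot: `omitempty` on the struct-valued `Ctlog` field has no effect with encoding/json (a struct value is never considered empty), so the tag promises an omission that never happens; either drop it, `Ctlog CtlogService `json:"ctlog"``, or make the field `*CtlogService` if absence is meant to be representable. With `+kubebuilder:default:={port: 80}` the API server materialises the object on admission, so presumably only clients that bypass defaulting (direct Go clients, unit tests) ever see a zero `Ctlog`, which is what the runtime fallback in deployment.go covers; worth a one-line comment on the field saying so.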
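--- a/api/v1alpha1/fulcio_types_test.go
+++ b/api/v1alpha1/fulcio_types_test.go
@@ -165,6 +165,7 @@ var _ = Describe("Fulcio", func() {
 
 When("CR is fully populated", func() {
 It("outputs the CR", func() {
+port := int32(80)
 fulcioInstance = Fulcio{
 ObjectMeta: metav1.ObjectMeta{
 Name: "fulcio-full-manifest",
@@ -208,6 +209,10 @@ var _ = Describe("Fulcio", func() {
 PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 },
+Ctlog: CtlogService{
+Address: "ctlog.default.svc",
+Port: &port,
+},
 },
 }
 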
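Review bot: The sample `Address: "ctlog.default.svc"` omits the URL scheme, whereas the controller default in deployment.go and the fulcio_deployment_test.go fixture both use `http://ctlog.default.svc`; fulcio_deployment.go joins the address with `:<port>/trusted-artifact-signer` without adding a scheme, so this "fully populated" CR would not yield a usable `--ct-log-url`. Suggest `Address: "http://ctlog.default.svc",` so the example shows the form the controller actually expects.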
21 changes: 21 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


4 changes: 2 additions & 2 deletions bundle/manifests/rhtas-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ metadata:
]
capabilities: Seamless Upgrades
containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
createdAt: "2024-06-24T12:36:11Z"
createdAt: "2024-07-03T12:24:03Z"
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
features.operators.openshift.io/csi: "false"
Expand All @@ -204,7 +204,7 @@ metadata:
features.operators.openshift.io/token-auth-azure: "false"
features.operators.openshift.io/token-auth-gcp: "false"
operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
operators.operatorframework.io/builder: operator-sdk-v1.34.2
operators.operatorframework.io/builder: operator-sdk-v1.34.1
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
repository: https://github.com/securesign/secure-sign-operator
support: Red Hat
Expand Down
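--- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml
+++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
@@ -221,6 +221,22 @@ spec:
 - message: At least one of OIDCIssuers or MetaIssuers must be defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
 (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ctlog:
+default:
+port: 80
+description: Ctlog service configuration
+properties:
+address:
+description: Address to Ctlog Log Server End point
+type: string
+port:
+default: 80
+description: Port of Ctlog Log Server End point
+format: int32
+maximum: 65535
+minimum: 1
+type: integer
+type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties: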
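--- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml
+++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -342,6 +342,22 @@ spec:
 defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ctlog:
+default:
+port: 80
+description: Ctlog service configuration
+properties:
+address:
+description: Address to Ctlog Log Server End point
+type: string
+port:
+default: 80
+description: Port of Ctlog Log Server End point
+format: int32
+maximum: 65535
+minimum: 1
+type: integer
+type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties: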
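--- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml
+++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -221,6 +221,22 @@ spec:
 - message: At least one of OIDCIssuers or MetaIssuers must be defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
 (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ctlog:
+default:
+port: 80
+description: Ctlog service configuration
+properties:
+address:
+description: Address to Ctlog Log Server End point
+type: string
+port:
+default: 80
+description: Port of Ctlog Log Server End point
+format: int32
+maximum: 65535
+minimum: 1
+type: integer
+type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties: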
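--- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml
+++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -342,6 +342,22 @@ spec:
 defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ctlog:
+default:
+port: 80
+description: Ctlog service configuration
+properties:
+address:
+description: Address to Ctlog Log Server End point
+type: string
+port:
+default: 80
+description: Port of Ctlog Log Server End point
+format: int32
+maximum: 65535
+minimum: 1
+type: integer
+type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties: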
8 changes: 8 additions & 0 deletions internal/controller/fulcio/actions/deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
)

labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)

switch {
case instance.Spec.Ctlog.Address == "":
instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
case instance.Spec.Ctlog.Port == nil:
port := int32(80)
instance.Spec.Ctlog.Port = &port
}
dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels)
if err != nil {
if err != nil {
Expand Down
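Review bot: The `switch` at the top of the hunk runs only the first matching case, so when `Address` is empty and `Port` is nil at the same time the port stays unset and `CreateDeployment` on the next line returns `CtlogPortNotSpecified` instead of applying the default; two independent `if` statements give the intended behaviour. Writing the derived defaults into `instance.Spec` also means the in-memory CR no longer reflects what the user declared, and (not visible in this hunk, so unconfirmed) could be persisted by a later update of the object; computing the effective address and port into locals, or defaulting in an admission webhook, would keep `Spec` as user input only. The enclosing `Handle` starts before and continues past this hunk.
```go
	// Apply the in-cluster defaults independently: both fields may be unset on a
	// CR that did not pass through API-server defaulting.
	if instance.Spec.Ctlog.Address == "" {
		instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
	}
	if instance.Spec.Ctlog.Port == nil {
		port := int32(80)
		instance.Spec.Ctlog.Port = &port
	}
	// … unchanged: CreateDeployment call and error handling …
```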
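--- /dev/null
+++ b/internal/controller/fulcio/utils/errors.go
@@ -0,0 +1,8 @@
+package utils
+
+import "errors"
+
+var (
+CtlogAddressNotSpecified = errors.New("ctlog address not specified")
+CtlogPortNotSpecified = errors.New("ctlog port not specified")
+)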
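Review bot: The two exported sentinels do not follow the `ErrXxx` naming convention (stylecheck ST1012 flags this) and carry no doc comments, so callers using `errors.Is` have to guess their meaning. Suggest `// ErrCtlogAddressNotSpecified is returned when Spec.Ctlog.Address is empty.` above `ErrCtlogAddressNotSpecified = errors.New("ctlog address not specified")`, and the same treatment for `ErrCtlogPortNotSpecified`. The rename touches the two `fmt.Errorf` call sites added to fulcio_deployment.go in this same commit.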
18 changes: 17 additions & 1 deletion internal/controller/fulcio/utils/fulcio_deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,23 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
"/var/run/fulcio-secrets/key.pem",
"--fileca-cert",
"/var/run/fulcio-secrets/cert.pem",
fmt.Sprintf("--ct-log-url=http://ctlog.%s.svc/trusted-artifact-signer", instance.Namespace)}
}

var err error
var ctlogUrl string
switch {
case instance.Spec.Ctlog.Address == "":
err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
case instance.Spec.Ctlog.Port == nil:
err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
default:
ctlogUrl = fmt.Sprintf("%s:%d/trusted-artifact-signer", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port)
}

if err != nil {
return nil, err
}
args = append(args, fmt.Sprintf("--ct-log-url=%s", ctlogUrl))

env := make([]corev1.EnvVar, 0)
env = append(env, corev1.EnvVar{
Expand Down
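Review bot: `Address` is taken straight from the CR and formatted into `--ct-log-url` with `%s:%d/trusted-artifact-signer` without any parsing, so a value that lacks a scheme, or already carries a port or path, produces a malformed flag that only surfaces when the Fulcio pod starts. Parsing it with `net/url` and rejecting values without scheme and host reports the problem at reconcile time next to the existing not-specified errors; `net/url` would have to be added to the import block above the hunk. The `var err error` plus `switch` plus `if err != nil` scaffolding can collapse into direct returns, and `ctlogUrl` should be `ctlogURL` per Go initialism style. `CreateDeployment` starts before and continues past this hunk.
```go
	ctlog := instance.Spec.Ctlog
	if ctlog.Address == "" {
		return nil, fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
	}
	if ctlog.Port == nil {
		return nil, fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
	}
	// Address is user-supplied; require an absolute URL so a malformed
	// --ct-log-url is rejected here rather than by Fulcio at startup.
	u, err := url.Parse(ctlog.Address)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("CreateDeployment: invalid ctlog address %q", ctlog.Address)
	}
	ctlogURL := fmt.Sprintf("%s:%d/trusted-artifact-signer", ctlog.Address, *ctlog.Port)
	args = append(args, "--ct-log-url="+ctlogURL)
	// … unchanged: env construction …
```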
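--- a/internal/controller/fulcio/utils/fulcio_deployment_test.go
+++ b/internal/controller/fulcio/utils/fulcio_deployment_test.go
@@ -105,12 +105,18 @@ func findVolume(name string, volumes []v12.Volume) *v12.Volume {
 }
 
 func createInstance() *v1alpha1.Fulcio {
+port := int32(80)
 return &v1alpha1.Fulcio{
 ObjectMeta: v1.ObjectMeta{
 Name: "name",
 Namespace: "default",
 },
-Spec: v1alpha1.FulcioSpec{},
+Spec: v1alpha1.FulcioSpec{
+Ctlog: v1alpha1.CtlogService{
+Address: "http://ctlog.default.svc",
+Port: &port,
+},
+},
 Status: v1alpha1.FulcioStatus{
 ServerConfigRef: &v1alpha1.LocalObjectReference{Name: "config"},
 Certificate: &v1alpha1.FulcioCert{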
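Review bot: The fixture now satisfies the new precondition, but nothing in this hunk exercises the failure branches added to `CreateDeployment` (empty `Address`, nil `Port`); a case that clears one field and asserts `errors.Is(err, CtlogAddressNotSpecified)` or `errors.Is(err, CtlogPortNotSpecified)` would pin the contract introduced in errors.go. The rest of the test file is outside this hunk, so such a case may already exist elsewhere. `createInstance` continues past this hunk.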
