From 36c4784df2bacd4cee5a612a0621c25bfcecb459 Mon Sep 17 00:00:00 2001
From: Firas Ghanmi
Date: Wed, 3 Jul 2024 14:24:08 +0200
Subject: [PATCH] Add option to set an external ctlog service

---
 api/v1alpha1/common.go | 13 ++++++++++++
 api/v1alpha1/fulcio_types.go | 4 ++++
 api/v1alpha1/fulcio_types_test.go | 5 +++++
 api/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++++
 .../rhtas-operator.clusterserviceversion.yaml | 4 ++--
 .../manifests/rhtas.redhat.com_fulcios.yaml | 16 ++++++++++++++
 .../rhtas.redhat.com_securesigns.yaml | 16 ++++++++++++++
 .../crd/bases/rhtas.redhat.com_fulcios.yaml | 16 ++++++++++++++
 .../bases/rhtas.redhat.com_securesigns.yaml | 16 ++++++++++++++
 .../controller/fulcio/actions/deployment.go | 8 +++++++
 internal/controller/fulcio/utils/errors.go | 8 +++++++
 .../fulcio/utils/fulcio_deployment.go | 18 +++++++++++++++-
 .../fulcio/utils/fulcio_deployment_test.go | 8 ++++++-
 13 files changed, 149 insertions(+), 4 deletions(-)
 create mode 100644 internal/controller/fulcio/utils/errors.go

diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
index a8d3940db..919cf0b10 100644
--- a/api/v1alpha1/common.go
+++ b/api/v1alpha1/common.go
@@ -34,6 +34,19 @@ type TrillianService struct {
 Port *int32 `json:"port,omitempty"`
 }

+// CtlogService configuration to connect Ctlog server
+type CtlogService struct {
+ // Address to Ctlog Log Server End point
+ //+optional
+ Address string `json:"address,omitempty"`
+ // Port of Ctlog Log Server End point
+ //+kubebuilder:validation:Minimum:=1
+ //+kubebuilder:validation:Maximum:=65535
+ //+kubebuilder:default:=80
+ //+optional
+ Port *int32 `json:"port,omitempty"`
+}
+
 // LocalObjectReference contains enough information to let you locate the
 // referenced object inside the same namespace.
 // +structType=atomic
diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
index 3dc0ddbbe..12fd922f7 100644
--- a/api/v1alpha1/fulcio_types.go
+++ b/api/v1alpha1/fulcio_types.go
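Review bot: The `Address` field added to `CtlogService` is only described as "Address to Ctlog Log Server End point", yet CreateDeployment in this same change builds the flag as `%s:%d/trusted-artifact-signer` from it, so the value must be a scheme-qualified URL with no port or path, and nothing in the type or the generated CRD validates that. A bare host such as the `ctlog.default.svc` used in fulcio_types_test.go therefore yields a `--ct-log-url` Fulcio cannot use, and the failure only shows up at reconcile time rather than at admission. I would state the contract on the field, `// Address of the Ctlog server as an absolute URL with scheme and host but no port or path, e.g. http://ctlog.<namespace>.svc`, and reject a missing scheme early with `//+kubebuilder:validation:Pattern="^https?://"`. The same documentation applies to the `Ctlog` field on `FulcioSpec` in fulcio_types.go, whose `{port: 80}` default only fits an in-cluster http endpoint and will be wrong for an external https log.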
@@ -11,6 +11,10 @@ import (
 type FulcioSpec struct {
 // Define whether you want to export service or not
 ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
+ // Ctlog service configuration
+ //+optional
+ //+kubebuilder:default:={port: 80}
+ Ctlog CtlogService `json:"ctlog,omitempty"`
 // Fulcio Configuration
 //+required
 Config FulcioConfig `json:"config"`
diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go
index df0275ecc..e04ce3b35 100644
--- a/api/v1alpha1/fulcio_types_test.go
+++ b/api/v1alpha1/fulcio_types_test.go
@@ -165,6 +165,7 @@ var _ = Describe("Fulcio", func() {
 When("CR is fully populated", func() {
 It("outputs the CR", func() {
+ port := int32(80)
 fulcioInstance = Fulcio{
 ObjectMeta: metav1.ObjectMeta{
 Name: "fulcio-full-manifest",
@@ -208,6 +209,10 @@ var _ = Describe("Fulcio", func() {
 PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 },
+ Ctlog: CtlogService{
+ Address: "ctlog.default.svc",
+ Port: &port,
+ },
 },
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index a241f7012..b5ac4040e 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
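Review bot: The fully populated CR fixture in fulcio_types_test.go sets `Address: "ctlog.default.svc"` without a scheme, while the deployment test in this same change uses `http://ctlog.default.svc` and CreateDeployment concatenates the address straight into the `--ct-log-url` value, so the two fixtures disagree about what a valid address looks like. I would change the fixture to `Address: "http://ctlog.default.svc",` so the API test exercises the form the controller actually accepts. The enclosing Describe block starts and ends outside the hunk.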
@@ -197,6 +197,26 @@ func (in *CTlogStatus) DeepCopy() *CTlogStatus {
 return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CtlogService) DeepCopyInto(out *CtlogService) {
+ *out = *in
+ if in.Port != nil {
+ in, out := &in.Port, &out.Port
+ *out = new(int32)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CtlogService.
+func (in *CtlogService) DeepCopy() *CtlogService {
+ if in == nil {
+ return nil
+ }
+ out := new(CtlogService)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalAccess) DeepCopyInto(out *ExternalAccess) {
 *out = *in
@@ -330,6 +350,7 @@ func (in *FulcioList) DeepCopyObject() runtime.Object {
 func (in *FulcioSpec) DeepCopyInto(out *FulcioSpec) {
 *out = *in
 out.ExternalAccess = in.ExternalAccess
+ in.Ctlog.DeepCopyInto(&out.Ctlog)
 in.Config.DeepCopyInto(&out.Config)
 in.Certificate.DeepCopyInto(&out.Certificate)
 out.Monitoring = in.Monitoring
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
index 2c77354d8..55bf5f54f 100644
--- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
 ]
 capabilities: Seamless Upgrades
 containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
- createdAt: "2024-06-24T12:36:11Z"
+ createdAt: "2024-07-03T12:24:03Z"
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "false"
 features.operators.openshift.io/csi: "false"
@@ -204,7 +204,7 @@ metadata:
 features.operators.openshift.io/token-auth-azure: "false"
 features.operators.openshift.io/token-auth-gcp: "false"
 operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
- operators.operatorframework.io/builder: operator-sdk-v1.34.2
+ operators.operatorframework.io/builder: operator-sdk-v1.34.1
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
 repository: https://github.com/securesign/secure-sign-operator
 support: Red Hat
diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
index da2e9efdc..f7d448581 100644
--- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml
+++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml
@@ -221,6 +221,22 @@ spec:
 - message: At least one of OIDCIssuers or MetaIssuers must be defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ ctlog:
+ default:
+ port: 80
+ description: Ctlog service configuration
+ properties:
+ address:
+ description: Address to Ctlog Log Server End point
+ type: string
+ port:
+ default: 80
+ description: Port of Ctlog Log Server End point
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties:
diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
index 62698ded9..ed6057ef3 100644
--- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml
+++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -342,6 +342,22 @@ spec:
 defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ ctlog:
+ default:
+ port: 80
+ description: Ctlog service configuration
+ properties:
+ address:
+ description: Address to Ctlog Log Server End point
+ type: string
+ port:
+ default: 80
+ description: Port of Ctlog Log Server End point
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties:
diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
index d8c31fe0b..d31cbbc5f 100644
--- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml
+++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -221,6 +221,22 @@ spec:
 - message: At least one of OIDCIssuers or MetaIssuers must be defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ ctlog:
+ default:
+ port: 80
+ description: Ctlog service configuration
+ properties:
+ address:
+ description: Address to Ctlog Log Server End point
+ type: string
+ port:
+ default: 80
+ description: Port of Ctlog Log Server End point
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties:
diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
index 5c76be488..658cab268 100644
--- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml
+++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -342,6 +342,22 @@ spec:
 defined
 rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
 || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+ ctlog:
+ default:
+ port: 80
+ description: Ctlog service configuration
+ properties:
+ address:
+ description: Address to Ctlog Log Server End point
+ type: string
+ port:
+ default: 80
+ description: Port of Ctlog Log Server End point
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ type: object
 externalAccess:
 description: Define whether you want to export service or not
 properties:
diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go
index 40aac6f4c..d9e9a7972 100644
--- a/internal/controller/fulcio/actions/deployment.go
+++ b/internal/controller/fulcio/actions/deployment.go
@@ -37,6 +37,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 )
 labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
+
+ switch {
+ case instance.Spec.Ctlog.Address == "":
+ instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
+ case instance.Spec.Ctlog.Port == nil:
+ port := int32(80)
+ instance.Spec.Ctlog.Port = &port
+ }
 dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels)
 if err != nil {
 if err != nil {
diff --git a/internal/controller/fulcio/utils/errors.go b/internal/controller/fulcio/utils/errors.go
new file mode 100644
index 000000000..832ab9d11
--- /dev/null
+++ b/internal/controller/fulcio/utils/errors.go
@@ -0,0 +1,8 @@
+package utils
+
+import "errors"
+
+var (
+ CtlogAddressNotSpecified = errors.New("ctlog address not specified")
+ CtlogPortNotSpecified = errors.New("ctlog port not specified")
+)
diff --git a/internal/controller/fulcio/utils/fulcio_deployment.go b/internal/controller/fulcio/utils/fulcio_deployment.go
index d3a55c573..7ea34560c 100644
--- a/internal/controller/fulcio/utils/fulcio_deployment.go
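Review bot: The `switch` added to Handle runs at most one branch, so when both `Ctlog.Address` is empty and `Ctlog.Port` is nil only the address is defaulted and CreateDeployment then fails with CtlogPortNotSpecified; the two defaults are independent and should be separate `if` statements. Note also that the defaults are written into `instance.Spec`, so if the controller later updates the object the computed values are persisted into the user's spec — since the CRD already carries `default: 80` for the port, at least the port branch could be dropped here, and the address default would be better kept in a local that is handed to CreateDeployment. Handle starts before the hunk and continues after it.
```go
	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)

	// The two defaults are independent: an instance may be missing both.
	if instance.Spec.Ctlog.Address == "" {
		instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
	}
	if instance.Spec.Ctlog.Port == nil {
		port := int32(80)
		instance.Spec.Ctlog.Port = &port
	}
	// … unchanged: CreateDeployment call and error handling …
```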
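Review bot: The exported sentinel errors in the new errors.go do not follow the Go `ErrXxx` naming convention, so at the two call sites in CreateDeployment they read like ordinary values rather than errors; rename them `ErrCtlogAddressNotSpecified` and `ErrCtlogPortNotSpecified` and update the two `fmt.Errorf` uses. As they are exported, a doc comment on the block, `// Errors returned by CreateDeployment when the Ctlog service in the Fulcio spec is incomplete.`, would also help readers of the package.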
+++ b/internal/controller/fulcio/utils/fulcio_deployment.go
@@ -38,7 +38,23 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 "/var/run/fulcio-secrets/key.pem",
 "--fileca-cert",
 "/var/run/fulcio-secrets/cert.pem",
- fmt.Sprintf("--ct-log-url=http://ctlog.%s.svc/trusted-artifact-signer", instance.Namespace)}
+ }
+
+ var err error
+ var ctlogUrl string
+ switch {
+ case instance.Spec.Ctlog.Address == "":
+ err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
+ case instance.Spec.Ctlog.Port == nil:
+ err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
+ default:
+ ctlogUrl = fmt.Sprintf("%s:%d/trusted-artifact-signer", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port)
+ }
+
+ if err != nil {
+ return nil, err
+ }
+ args = append(args, fmt.Sprintf("--ct-log-url=%s", ctlogUrl))
 env := make([]corev1.EnvVar, 0)
 env = append(env, corev1.EnvVar{
diff --git a/internal/controller/fulcio/utils/fulcio_deployment_test.go b/internal/controller/fulcio/utils/fulcio_deployment_test.go
index a194687e3..16cf7a1c5 100644
--- a/internal/controller/fulcio/utils/fulcio_deployment_test.go
+++ b/internal/controller/fulcio/utils/fulcio_deployment_test.go
@@ -105,12 +105,18 @@ func findVolume(name string, volumes []v12.Volume) *v12.Volume {
 }

 func createInstance() *v1alpha1.Fulcio {
+ port := int32(80)
 return &v1alpha1.Fulcio{
 ObjectMeta: v1.ObjectMeta{
 Name: "name",
 Namespace: "default",
 },
- Spec: v1alpha1.FulcioSpec{},
+ Spec: v1alpha1.FulcioSpec{
+ Ctlog: v1alpha1.CtlogService{
+ Address: "http://ctlog.default.svc",
+ Port: &port,
+ },
+ },
 Status: v1alpha1.FulcioStatus{
 ServerConfigRef: &v1alpha1.LocalObjectReference{Name: "config"},
 Certificate: &v1alpha1.FulcioCert{
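Review bot: createInstance now always supplies both `Address` and `Port`, so the two new error paths in CreateDeployment (empty address, nil port) have no test in this file; a small table test that clears each field in turn and asserts `errors.Is(err, CtlogAddressNotSpecified)` and `errors.Is(err, CtlogPortNotSpecified)` would cover them. The assertions on the generated container args are outside the hunk, so I cannot tell whether the expected `--ct-log-url` value was updated to the new `address:port` form; it is worth checking that one of them pins the full flag.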