inject certificates if proxy is enabled

securesign · Jun 17, 2024 · 47b7923 · 47b7923
1 parent c3d0ae4
commit 47b7923
Show file tree

Hide file tree

Showing 12 changed files with 257 additions and 71 deletions.
diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
@@ -55,6 +55,9 @@ type FulcioConfig struct {
 	// +optional
 	OIDCIssuers []OIDCIssuer `json:"OIDCIssuers,omitempty"`
 
+	// Define whether you want to use cluster-wide proxy or not
+	Proxy Proxy `json:"proxy,omitempty"`
+
 	// A meta issuer has a templated URL of the form:
 	//   https://oidc.eks.*.amazonaws.com/id/*
 	// Where * can match a single hostname or URI path parts
@@ -65,6 +68,12 @@ type FulcioConfig struct {
 	// +optional
 	MetaIssuers []OIDCIssuer `json:"MetaIssuers,omitempty"`
 }
+type Proxy struct {
+	// If set to true, the Operator will create a configMap containing certificates bundle.
+	//+kubebuilder:validation:XValidation:rule=(self || !oldSelf),message=Feature cannot be disabled
+	//+kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+}
 
 type OIDCIssuer struct {
 	// The expected issuer of an OIDC token

diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go
@@ -120,6 +120,7 @@ var _ = Describe("Fulcio", func() {
 			It("config is not empty", func() {
 				invalidObject := generateFulcioObject("config-invalid")
 				invalidObject.Spec.Config.OIDCIssuers = []OIDCIssuer{}
+				invalidObject.Spec.Config.Proxy = Proxy{Enabled: false}
 				invalidObject.Spec.Config.MetaIssuers = []OIDCIssuer{}
 
 				Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue())
@@ -130,6 +131,7 @@ var _ = Describe("Fulcio", func() {
 			It("only MetaIssuer is set", func() {
 				validObject := generateFulcioObject("config-metaissuer")
 				validObject.Spec.Config.OIDCIssuers = []OIDCIssuer{}
+				validObject.Spec.Config.Proxy = Proxy{Enabled: false}
 				validObject.Spec.Config.MetaIssuers = []OIDCIssuer{
 					{
 						ClientID: "client",
@@ -237,6 +239,9 @@ func generateFulcioObject(name string) *Fulcio {
 						Issuer:    "url",
 					},
 				},
+				Proxy: Proxy{
+					Enabled: false,
+				},
 				MetaIssuers: []OIDCIssuer{
 					{
 						ClientID:  "client",

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -216,6 +216,21 @@ spec:
                       - Type
                       type: object
                     type: array
+                  proxy:
+                    description: Define whether you want to use cluster-wide proxy
+                      or not
+                    properties:
+                      enabled:
+                        default: false
+                        description: If set to true, the Operator will create a configMap
+                          containing certificates bundle.
+                        type: boolean
+                        x-kubernetes-validations:
+                        - message: Feature cannot be disabled
+                          rule: (self || !oldSelf)
+                    required:
+                    - enabled
+                    type: object
                 type: object
                 x-kubernetes-validations:
                 - message: At least one of OIDCIssuers or MetaIssuers must be defined

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -336,6 +336,21 @@ spec:
                           - Type
                           type: object
                         type: array
+                      proxy:
+                        description: Define whether you want to use cluster-wide proxy
+                          or not
+                        properties:
+                          enabled:
+                            default: false
+                            description: If set to true, the Operator will create
+                              a configMap containing certificates bundle.
+                            type: boolean
+                            x-kubernetes-validations:
+                            - message: Feature cannot be disabled
+                              rule: (self || !oldSelf)
+                        required:
+                        - enabled
+                        type: object
                     type: object
                     x-kubernetes-validations:
                     - message: At least one of OIDCIssuers or MetaIssuers must be

diff --git a/config/samples/rhtas_v1alpha1_fulcio.yaml b/config/samples/rhtas_v1alpha1_fulcio.yaml
@@ -10,6 +10,8 @@ spec:
   externalAccess:
     enabled: true
   config:
+    proxy:
+      enabled: false
     OIDCIssuers:
       - ClientID: "trusted-artifact-signer"
         IssuerURL: "https://your-oidc-issuer-url"

diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -21,6 +21,8 @@ spec:
     externalAccess:
       enabled: true
     config:
+      proxy:
+        enabled: false
       OIDCIssuers:
         - ClientID: "trusted-artifact-signer"
           IssuerURL: "https://your-oidc-issuer-url"

diff --git a/internal/controller/fulcio/actions/configMap.go b/internal/controller/fulcio/actions/configMap.go
@@ -0,0 +1,71 @@
+package actions
+
+import (
+	"context"
+	"fmt"
+
+	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/controller/common/action"
+	"github.com/securesign/operator/internal/controller/constants"
+	futils "github.com/securesign/operator/internal/controller/fulcio/utils"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+func NewConfigMapAction() action.Action[rhtasv1alpha1.Fulcio] {
+	return &configMapAction{}
+}
+
+type configMapAction struct {
+	action.BaseAction
+}
+
+func (i configMapAction) Name() string {
+	return "configmap"
+}
+
+func (i configMapAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Fulcio) bool {
+	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && instance.Spec.Config.Proxy.Enabled
+}
+
+func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result {
+	var (
+		updated bool
+		err     error
+	)
+
+	cm, err := futils.CreateConfigMap(instance, "ca-inject")
+	if err != nil {
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+			Type:    constants.Ready,
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.Failure,
+			Message: err.Error(),
+		})
+		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could create ConfigMap: %w", err), instance)
+	}
+
+	if err = controllerutil.SetControllerReference(instance, cm, i.Client.Scheme()); err != nil {
+		return i.Failed(fmt.Errorf("could not set controller reference for ConfigMap: %w", err))
+	}
+
+	if updated, err = i.Ensure(ctx, cm); err != nil {
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+			Type:    constants.Ready,
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.Failure,
+			Message: err.Error(),
+		})
+		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create Fulcio ConfigMap: %w", err), instance)
+	}
+
+	if updated {
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready,
+			Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "ConfigMap created"})
+		return i.StatusUpdate(ctx, instance)
+	} else {
+		return i.Continue()
+	}
+}
diff --git a/internal/controller/fulcio/fulcio_controller.go b/internal/controller/fulcio/fulcio_controller.go
@@ -92,6 +92,7 @@ func (r *FulcioReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		actions.NewHandleCertAction(),
 		actions.NewRBACAction(),
 		actions.NewServerConfigAction(),
+		actions.NewConfigMapAction(),
 		actions.NewDeployAction(),
 		actions.NewCreateMonitorAction(),
 		actions.NewServiceAction(),

diff --git a/internal/controller/fulcio/fulcio_controller_test.go b/internal/controller/fulcio/fulcio_controller_test.go
@@ -104,6 +104,9 @@ var _ = Describe("Fulcio controller", func() {
 									Type:      "email",
 								},
 							},
+							Proxy: v1alpha1.Proxy{
+								Enabled: true,
+							},
 						},
 						Certificate: v1alpha1.FulcioCert{
 							OrganizationName:  "MyOrg",
@@ -219,6 +222,12 @@ var _ = Describe("Fulcio controller", func() {
 			Expect(ingress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Backend.Service.Name).Should(Equal(service.Name))
 			Expect(ingress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].Backend.Service.Port.Name).Should(Equal("80-tcp"))
 
+			By("Checking if ConfigMap was successfully created in the reconciliation")
+			configMap := &corev1.ConfigMap{}
+			Eventually(func() error {
+				return k8sClient.Get(ctx, types.NamespacedName{Name: "ca-inject", Namespace: Namespace}, configMap)
+			}).Should(Succeed())
+
 			By("Checking if controller will return deployment to desired state")
 			deployment = &appsv1.Deployment{}
 			Eventually(func() error {

diff --git a/internal/controller/fulcio/utils/fulcio_configMap.go b/internal/controller/fulcio/utils/fulcio_configMap.go
@@ -0,0 +1,18 @@
+package utils
+
+import (
+	"github.com/securesign/operator/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func CreateConfigMap(instance *v1alpha1.Fulcio, configMapName string) (*corev1.ConfigMap, error) {
+
+	return &corev1.ConfigMap{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      configMapName,
+			Namespace: instance.Namespace,
+			Labels:    map[string]string{"config.openshift.io/inject-trusted-cabundle": "true"},
+		},
+	}, nil
+}