Enabling Rekor to point to custom trillian

securesign · Feb 27, 2024 · 915a219 · 915a219
1 parent 24cb410
commit 915a219
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 12 deletions.
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -111,7 +111,9 @@ metadata:
             "trillian": {
               "database": {
                 "create": true
-              }
+              },
+              "trillianAddress": "trillian-address",
+              "trillienPort": "8091"
             },
             "tuf": {
               "externalAccess": {
@@ -176,7 +178,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2024-02-19T13:25:38Z"
+    createdAt: "2024-02-27T11:40:46Z"
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
   name: rhtas-operator.v0.0.1

diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml
@@ -78,6 +78,9 @@ spec:
                     type: boolean
                 type: object
               pvc:
+                default:
+                  retain: true
+                  size: 5Gi
                 description: PVC configuration
                 properties:
                   name:
@@ -94,6 +97,8 @@ spec:
                   storageClass:
                     description: Storage class for the PVC
                     type: string
+                required:
+                - retain
                 type: object
               rekorSearchUI:
                 description: Rekor Search UI

diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -330,6 +330,9 @@ spec:
                         type: boolean
                     type: object
                   pvc:
+                    default:
+                      retain: true
+                      size: 5Gi
                     description: PVC configuration
                     properties:
                       name:
@@ -346,6 +349,8 @@ spec:
                       storageClass:
                         description: Storage class for the PVC
                         type: string
+                    required:
+                    - retain
                     type: object
                   rekorSearchUI:
                     description: Rekor Search UI
@@ -402,11 +407,6 @@ spec:
                 description: TrillianSpec defines the desired state of Trillian
                 properties:
                   database:
-                    default:
-                      create: true
-                      pvc:
-                        retain: true
-                        size: 5Gi
                     description: Define your database connection
                     properties:
                       create:
@@ -444,6 +444,8 @@ spec:
                           storageClass:
                             description: Storage class for the PVC
                             type: string
+                        required:
+                        - retain
                         type: object
                     required:
                     - create

diff --git a/bundle/manifests/rhtas.redhat.com_trillians.yaml b/bundle/manifests/rhtas.redhat.com_trillians.yaml
@@ -40,11 +40,6 @@ spec:
             description: TrillianSpec defines the desired state of Trillian
             properties:
               database:
-                default:
-                  create: true
-                  pvc:
-                    retain: true
-                    size: 5Gi
                 description: Define your database connection
                 properties:
                   create:
@@ -82,6 +77,8 @@ spec:
                       storageClass:
                         description: Storage class for the PVC
                         type: string
+                    required:
+                    - retain
                     type: object
                 required:
                 - create
@@ -198,6 +195,8 @@ spec:
                       storageClass:
                         description: Storage class for the PVC
                         type: string
+                    required:
+                    - retain
                     type: object
                 required:
                 - create

diff --git a/config/crd/bases/rhtas.redhat.com_trillians.yaml b/config/crd/bases/rhtas.redhat.com_trillians.yaml
@@ -196,6 +196,8 @@ spec:
                       storageClass:
                         description: Storage class for the PVC
                         type: string
+                    required:
+                    - retain
                     type: object
                 required:
                 - create

diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml
@@ -15,6 +15,8 @@ spec:
   trillian:
     database:
       create: true
+    trillianAddress: "trillian-address"
+    trillienPort: "8091"
   fulcio:
     externalAccess:
       enabled: true

diff --git a/notes.txt b/notes.txt
@@ -0,0 +1,10 @@
+TUF_URL=$(oc -n tas-test get tuf securesign-sample -o jsonpath='{.status.url}')
+FULCIO_URL=$(oc -n tas-test get fulcio securesign-sample -o jsonpath='{.status.url}')
+REKOR_URL=$(oc -n tas-test get rekor securesign-sample -o jsonpath='{.status.url}')
+OPENSHIFT_APPS_SUBDOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
+OIDC_ISSUER=https://keycloak-keycloak-system.$OPENSHIFT_APPS_SUBDOMAIN/auth/realms/sigstore
+
+rm -r ~/.sigstore
+cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
+cosign sign -y --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL --oidc-issuer=$OIDC_ISSUER quay.io/tdalton/rhtastest:test3
+cosign verify --rekor-url=$REKOR_URL --certificate-identity-regexp jdoe --certificate-oidc-issuer-regexp keycloak quay.io/tdalton/rhtastest:test3