From ab5cd594b188ece472f2c5bada4fd6e9d229ffd4 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Wed, 3 Jul 2024 13:50:00 +0200 Subject: [PATCH] Add option to set an external ctlog service --- .../rhtas-operator-bundle-pull-request.yaml | 2 +- .tekton/rhtas-operator-bundle-push.yaml | 2 +- .tekton/rhtas-operator-pull-request.yaml | 2 +- .tekton/rhtas-operator-push.yaml | 2 +- api/v1alpha1/common.go | 13 ++++++++++++ api/v1alpha1/fulcio_types.go | 3 +++ api/v1alpha1/fulcio_types_test.go | 5 +++++ api/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++++ .../rhtas-operator.clusterserviceversion.yaml | 2 +- .../manifests/rhtas.redhat.com_fulcios.yaml | 14 +++++++++++++ .../rhtas.redhat.com_securesigns.yaml | 14 +++++++++++++ .../crd/bases/rhtas.redhat.com_fulcios.yaml | 14 +++++++++++++ .../bases/rhtas.redhat.com_securesigns.yaml | 14 +++++++++++++ .../controller/fulcio/actions/deployment.go | 8 +++++++ internal/controller/fulcio/utils/errors.go | 8 +++++++ .../fulcio/utils/fulcio_deployment.go | 18 +++++++++++++++- .../fulcio/utils/fulcio_deployment_test.go | 8 ++++++- test/e2e/upgrade_test.go | 5 +++++ 18 files changed, 148 insertions(+), 7 deletions(-) create mode 100644 internal/controller/fulcio/utils/errors.go diff --git a/.tekton/rhtas-operator-bundle-pull-request.yaml b/.tekton/rhtas-operator-bundle-pull-request.yaml index 095317f46..00a7464b7 100644 --- a/.tekton/rhtas-operator-bundle-pull-request.yaml +++ b/.tekton/rhtas-operator-bundle-pull-request.yaml @@ -24,7 +24,7 @@ spec: - name: image-expires-after value: 5d - name: output-image - value: quay.io/securesign/rhtas-operator-bundle:on-pr-{{revision}} + value: quay.io/redhat-user-workloads/rhtas-tenant/operator/rhtas-operator-bundle:on-pr-{{revision}} - name: path-context value: . - name: revision diff --git a/.tekton/rhtas-operator-bundle-push.yaml b/.tekton/rhtas-operator-bundle-push.yaml index e337fb745..8cd77c577 100644 --- a/.tekton/rhtas-operator-bundle-push.yaml 
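Review bot: The output-image change from `quay.io/securesign/...` to `quay.io/redhat-user-workloads/rhtas-tenant/operator/...` is unrelated to the commit subject, which adds a CT log option to the Fulcio API; the same registry switch is made in rhtas-operator-bundle-push.yaml, rhtas-operator-pull-request.yaml and rhtas-operator-push.yaml in this patch. A build-pipeline change that moves where images are published is worth its own commit so it can be reviewed, bisected and reverted independently of the API change.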
+++ b/.tekton/rhtas-operator-bundle-push.yaml @@ -22,7 +22,7 @@ spec: - name: git-url value: '{{source_url}}' - name: output-image - value: quay.io/securesign/rhtas-operator-bundle:{{revision}} + value: quay.io/redhat-user-workloads/rhtas-tenant/operator/rhtas-operator-bundle:{{revision}} - name: path-context value: . - name: revision diff --git a/.tekton/rhtas-operator-pull-request.yaml b/.tekton/rhtas-operator-pull-request.yaml index 8326aa27a..e3998bcf0 100644 --- a/.tekton/rhtas-operator-pull-request.yaml +++ b/.tekton/rhtas-operator-pull-request.yaml @@ -25,7 +25,7 @@ spec: - name: image-expires-after value: 5d - name: output-image - value: quay.io/securesign/rhtas-operator:on-pr-{{revision}} + value: quay.io/redhat-user-workloads/rhtas-tenant/operator/rhtas-operator:on-pr-{{revision}} - name: path-context value: . - name: revision diff --git a/.tekton/rhtas-operator-push.yaml b/.tekton/rhtas-operator-push.yaml index 485c66fb4..5825df168 100644 --- a/.tekton/rhtas-operator-push.yaml +++ b/.tekton/rhtas-operator-push.yaml @@ -23,7 +23,7 @@ spec: - name: git-url value: '{{repo_url}}' - name: output-image - value: quay.io/securesign/rhtas-operator:{{revision}} + value: quay.io/redhat-user-workloads/rhtas-tenant/operator/rhtas-operator:{{revision}} - name: path-context value: . - name: revision diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go index a8d3940db..919cf0b10 100644 --- a/api/v1alpha1/common.go +++ b/api/v1alpha1/common.go 
@@ -34,6 +34,19 @@ type TrillianService struct { Port *int32 `json:"port,omitempty"` } +// CtlogService configuration to connect Ctlog server +type CtlogService struct { + // Address to Ctlog Log Server End point + //+optional + Address string `json:"address,omitempty"` + // Port of Ctlog Log Server End point + //+kubebuilder:validation:Minimum:=1 + //+kubebuilder:validation:Maximum:=65535 + //+kubebuilder:default:=80 + //+optional + Port *int32 `json:"port,omitempty"` +} + // LocalObjectReference contains enough information to let you locate the // referenced object inside the same namespace. // +structType=atomic diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go index 3dc0ddbbe..c970bd31b 100644 --- a/api/v1alpha1/fulcio_types.go +++ b/api/v1alpha1/fulcio_types.go @@ -11,6 +11,9 @@ import ( type FulcioSpec struct { // Define whether you want to export service or not ExternalAccess ExternalAccess `json:"externalAccess,omitempty"` + // Ctlog service configuration + //+optional + Ctlog CtlogService `json:"ctlog,omitempty"` // Fulcio Configuration //+required Config FulcioConfig `json:"config"` diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go index df0275ecc..e04ce3b35 100644 --- a/api/v1alpha1/fulcio_types_test.go +++ b/api/v1alpha1/fulcio_types_test.go @@ -165,6 +165,7 @@ var _ = Describe("Fulcio", func() { When("CR is fully populated", func() { It("outputs the CR", func() { + port := int32(80) fulcioInstance = Fulcio{ ObjectMeta: metav1.ObjectMeta{ Name: "fulcio-full-manifest", @@ -208,6 +209,10 @@ var _ = Describe("Fulcio", func() { PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}}, }, + Ctlog: CtlogService{ + Address: "ctlog.default.svc", + Port: &port, + }, }, } 
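Review bot: The comment on the new `Address` field does not say that the value must carry a URL scheme, yet fulcio_deployment.go in this patch builds the CT log URL as `<address>:<port>/trusted-artifact-signer` by plain concatenation, so a bare host such as `ctlog.default.svc` would produce a value Fulcio cannot use. Suggest `// Address of the CTlog log server endpoint, including the URL scheme, e.g. http://ctlog.<namespace>.svc; the operator appends ":<port>/trusted-artifact-signer"` on Address, and on Port `// Port of the CTlog log server endpoint; the default of 80 applies only when the ctlog object is present in the manifest` — the kubebuilder default sits on a field inside `ctlog`, and as far as I can tell it is not applied when the `ctlog` object itself is omitted, which is worth confirming because the controller relies on it. A `+kubebuilder:validation:Pattern` marker requiring a scheme on Address would let the API server reject values the controller cannot turn into a valid URL.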
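Review bot: The fixture sets `Address: "ctlog.default.svc"` without a scheme, while every other fixture in this patch (fulcio_deployment_test.go, upgrade_test.go) and the controller default use `http://ctlog.default.svc`; since the controller concatenates address, port and path verbatim, this test documents a form that would not work at runtime. Suggest `Address: "http://ctlog.default.svc",` so the "fully populated" example stays a valid one.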
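diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index a241f7012..b5ac4040e 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -197,6 +197,26 @@ func (in *CTlogStatus) DeepCopy() *CTlogStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CtlogService) DeepCopyInto(out *CtlogService) {
+	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(int32)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CtlogService.
+func (in *CtlogService) DeepCopy() *CtlogService {
+	if in == nil {
+		return nil
+	}
+	out := new(CtlogService)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalAccess) DeepCopyInto(out *ExternalAccess) {
 	*out = *in
@@ -330,6 +350,7 @@ func (in *FulcioList) DeepCopyObject() runtime.Object {
 func (in *FulcioSpec) DeepCopyInto(out *FulcioSpec) {
 	*out = *in
 	out.ExternalAccess = in.ExternalAccess
+	in.Ctlog.DeepCopyInto(&out.Ctlog)
 	in.Config.DeepCopyInto(&out.Config)
 	in.Certificate.DeepCopyInto(&out.Certificate)
 	out.Monitoring = in.Monitoring
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
index 2c77354d8..eaa9381f2 100644
--- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml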
@@ -192,7 +192,7 @@ metadata: ] capabilities: Seamless Upgrades containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3 - createdAt: "2024-06-24T12:36:11Z" + createdAt: "2024-07-03T07:28:11Z" features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index da2e9efdc..d73ad45fa 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -221,6 +221,20 @@ spec: - message: At least one of OIDCIssuers or MetaIssuers must be defined rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) + ctlog: + description: Ctlog service configuration + properties: + address: + description: Address to Ctlog Log Server End point + type: string + port: + default: 80 + description: Port of Ctlog Log Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object externalAccess: description: Define whether you want to export service or not properties: diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index 62698ded9..c13ea142c 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml 
@@ -342,6 +342,20 @@ spec: defined rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) + ctlog: + description: Ctlog service configuration + properties: + address: + description: Address to Ctlog Log Server End point + type: string + port: + default: 80 + description: Port of Ctlog Log Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object externalAccess: description: Define whether you want to export service or not properties: diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index d8c31fe0b..76bea8150 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -221,6 +221,20 @@ spec: - message: At least one of OIDCIssuers or MetaIssuers must be defined rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) + ctlog: + description: Ctlog service configuration + properties: + address: + description: Address to Ctlog Log Server End point + type: string + port: + default: 80 + description: Port of Ctlog Log Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object externalAccess: description: Define whether you want to export service or not properties: diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index 5c76be488..e4c067010 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml 
@@ -342,6 +342,20 @@ spec: defined rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0)) + ctlog: + description: Ctlog service configuration + properties: + address: + description: Address to Ctlog Log Server End point + type: string + port: + default: 80 + description: Port of Ctlog Log Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object externalAccess: description: Define whether you want to export service or not properties: diff --git a/internal/controller/fulcio/actions/deployment.go b/internal/controller/fulcio/actions/deployment.go index 40aac6f4c..d9e9a7972 100644 --- a/internal/controller/fulcio/actions/deployment.go +++ b/internal/controller/fulcio/actions/deployment.go @@ -37,6 +37,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio ) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) + + switch { + case instance.Spec.Ctlog.Address == "": + instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) + case instance.Spec.Ctlog.Port == nil: + port := int32(80) + instance.Spec.Ctlog.Port = &port + } dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels) if err != nil { if err != nil { diff --git a/internal/controller/fulcio/utils/errors.go b/internal/controller/fulcio/utils/errors.go new file mode 100644 index 000000000..832ab9d11 --- /dev/null +++ b/internal/controller/fulcio/utils/errors.go @@ -0,0 +1,8 @@ +package utils + +import "errors" + +var ( + CtlogAddressNotSpecified = errors.New("ctlog address not specified") + CtlogPortNotSpecified = errors.New("ctlog port not specified") +) diff --git a/internal/controller/fulcio/utils/fulcio_deployment.go b/internal/controller/fulcio/utils/fulcio_deployment.go index d3a55c573..7ea34560c 100644 --- a/internal/controller/fulcio/utils/fulcio_deployment.go 
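Review bot: The `switch` in Handle defaults only one of the two CT log fields: when both `Address` and `Port` are unset the first case fills in the address and the port case never runs, so the CreateDeployment call right below returns CtlogPortNotSpecified for a Fulcio CR that simply omits `ctlog` (the CRD default of 80 sits under the `ctlog` object and, as far as I can tell, is not applied when that object is absent). Two independent `if` statements, shown below, default both fields. The defaults are also written into `instance.Spec`, i.e. the user's desired state; if Handle or a later action updates the object rather than only its status, the operator would persist values the user never set, so computing the defaults into locals and handing them to CreateDeployment would be cleaner. Handle begins before the hunk and continues after it.
```go
	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)

	// Default each field independently; the two settings are not mutually exclusive.
	if instance.Spec.Ctlog.Address == "" {
		instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
	}
	if instance.Spec.Ctlog.Port == nil {
		port := int32(80)
		instance.Spec.Ctlog.Port = &port
	}
	// … unchanged: futils.CreateDeployment call and error handling …
```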
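Review bot: The exported sentinels should follow the Go `ErrXxx` naming convention so callers recognise them as errors and `errors.Is` comparisons read naturally: `ErrCtlogAddressNotSpecified = errors.New("ctlog address not specified")` and `ErrCtlogPortNotSpecified = errors.New("ctlog port not specified")`. Each exported name also needs a doc comment, e.g. `// ErrCtlogAddressNotSpecified is returned by CreateDeployment when Fulcio.Spec.Ctlog.Address is empty.`, with the matching sentence for the port.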
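+++ b/internal/controller/fulcio/utils/fulcio_deployment.go
@@ -38,7 +38,23 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 		"/var/run/fulcio-secrets/key.pem",
 		"--fileca-cert",
 		"/var/run/fulcio-secrets/cert.pem",
-		fmt.Sprintf("--ct-log-url=http://ctlog.%s.svc/trusted-artifact-signer", instance.Namespace)}
+	}
+
+	var err error
+	var ctlogUrl string
+	switch {
+	case instance.Spec.Ctlog.Address == "":
+		err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
+	case instance.Spec.Ctlog.Port == nil:
+		err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
+	default:
+		ctlogUrl = fmt.Sprintf("%s:%d/trusted-artifact-signer", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	args = append(args, fmt.Sprintf("--ct-log-url=%s", ctlogUrl))
 
 	env := make([]corev1.EnvVar, 0)
 	env = append(env, corev1.EnvVar{
diff --git a/internal/controller/fulcio/utils/fulcio_deployment_test.go b/internal/controller/fulcio/utils/fulcio_deployment_test.go
index a194687e3..16cf7a1c5 100644
--- a/internal/controller/fulcio/utils/fulcio_deployment_test.go
+++ b/internal/controller/fulcio/utils/fulcio_deployment_test.go
@@ -105,12 +105,18 @@ func findVolume(name string, volumes []v12.Volume) *v12.Volume {
 }
 
 func createInstance() *v1alpha1.Fulcio {
+	port := int32(80)
 	return &v1alpha1.Fulcio{
 		ObjectMeta: v1.ObjectMeta{
 			Name: "name",
 			Namespace: "default",
 		},
-		Spec: v1alpha1.FulcioSpec{},
+		Spec: v1alpha1.FulcioSpec{
+			Ctlog: v1alpha1.CtlogService{
+				Address: "http://ctlog.default.svc",
+				Port: &port,
+			},
+		},
 		Status: v1alpha1.FulcioStatus{
 			ServerConfigRef: &v1alpha1.LocalObjectReference{Name: "config"},
 			Certificate: &v1alpha1.FulcioCert{
diff --git a/test/e2e/upgrade_test.go b/test/e2e/upgrade_test.go
index a08d98a8f..fa9bf0d5c 100644
--- a/test/e2e/upgrade_test.go
+++ b/test/e2e/upgrade_test.go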
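Review bot: The CT log URL is assembled by plain concatenation (`%s:%d/trusted-artifact-signer`), so an address without a scheme, with a trailing slash, or already carrying a port yields a malformed `--ct-log-url` that is only noticed when the Fulcio pod starts; parsing the address with `net/url` lets CreateDeployment report the invalid spec on the CR instead, while keeping the sentinel checks. The `switch` that stores into `err` and then tests it reads more simply as early returns, `ctlogUrl` should be spelled `ctlogURL`, and `fmt.Sprintf("--ct-log-url=%s", ...)` is just a concatenation. The rewrite below needs `net`, `net/url` and `strconv` imported at the top of the file; CreateDeployment begins before the hunk and continues after it.
```go
	// … unchanged: args literal up to "/var/run/fulcio-secrets/cert.pem", …
	}

	if instance.Spec.Ctlog.Address == "" {
		return nil, fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
	}
	if instance.Spec.Ctlog.Port == nil {
		return nil, fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
	}
	// Validate here so a malformed address surfaces as a reconcile error on the CR
	// rather than as a crash-looping Fulcio pod.
	ctlogURL, err := url.Parse(instance.Spec.Ctlog.Address)
	if err != nil {
		return nil, fmt.Errorf("CreateDeployment: parsing ctlog address %q: %w", instance.Spec.Ctlog.Address, err)
	}
	if ctlogURL.Scheme == "" || ctlogURL.Hostname() == "" {
		return nil, fmt.Errorf("CreateDeployment: ctlog address %q must include a scheme and host", instance.Spec.Ctlog.Address)
	}
	ctlogURL.Host = net.JoinHostPort(ctlogURL.Hostname(), strconv.Itoa(int(*instance.Spec.Ctlog.Port)))
	ctlogURL.Path = "/trusted-artifact-signer"
	args = append(args, "--ct-log-url="+ctlogURL.String())
	// … unchanged: env construction …
```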
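Review bot: createInstance now satisfies the new preconditions, but nothing in this hunk exercises the failure paths CreateDeployment just gained; a test that builds an instance with an empty `Ctlog.Address`, and another with a nil `Port`, and asserts `errors.Is(err, CtlogAddressNotSpecified)` / `errors.Is(err, CtlogPortNotSpecified)` would pin the contract the controller's defaulting in deployment.go depends on. If the file already asserts on the `--ct-log-url` argument elsewhere, that assertion should now expect the full `http://ctlog.default.svc:80/trusted-artifact-signer` value so the port handling is covered too.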
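@@ -170,6 +170,7 @@ var _ = Describe("Operator upgrade", Ordered, func() {
 	})
 
 	It("Install securesign", func() {
+		port := int32(80)
 		securesignDeployment = &tasv1alpha.Securesign{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
@@ -205,6 +206,10 @@ var _ = Describe("Operator upgrade", Ordered, func() {
 					OrganizationEmail: "my@email.org",
 					CommonName: "fulcio",
 				},
+				Ctlog: v1alpha1.CtlogService{
+					Address: "http://ctlog.default.svc",
+					Port: &port,
+				},
 			},
 			Ctlog: tasv1alpha.CTlogSpec{},
 			Tuf: tasv1alpha.TufSpec{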
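Review bot: The Fulcio spec points at `http://ctlog.default.svc` while the Securesign is created in `namespace.Name` (first hunk), so unless the e2e namespace happens to be `default`, Fulcio in this test would be wired to a CT log in a different namespace from the one the Securesign's own `Ctlog` spec deploys into. Deriving the address from the namespace, e.g. `Address: fmt.Sprintf("http://ctlog.%s.svc", namespace.Name),`, keeps the test self-contained (assuming `fmt` is, or can be, imported in this file). Both hunks sit inside the `Describe("Operator upgrade", ...)` closure, which begins before the first hunk and ends after the second.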