Merge pull request #769 from securesign/tturek/log-type

feat: log-type annotation to configure logging type
securesign · Nov 25, 2024 · ad29b1c · ad29b1c
2 parents cbba7dd + a82a4b7
commit ad29b1c
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 3 deletions.
diff --git a/internal/controller/annotations/annotations.go b/internal/controller/annotations/annotations.go
@@ -62,6 +62,33 @@
 //	  annotations:
 //	    rhtas.redhat.com/trusted-ca: "custom-ca-bundle"
 //	---
+//
+// # Annotation: rhtas.redhat.com/log-type
+//
+// [LogType] specifies the logging configuration for managed services.
+//
+// If not set, the logging configuration defaults to "prod" type.
+//
+// Supported logging types:
+//   - "dev": Enables verbose logging for debugging purposes.
+//   - "prod": Enables minimal, structured logging optimized for performance.
+//
+// Affects the following services:
+//   - Rekor ([github.com/securesign/operator/api/v1alpha1.Rekor])
+//   - Timestamp Authority ([github.com/securesign/operator/api/v1alpha1.TimestampAuthority])
+//   - Fulcio ([github.com/securesign/operator/api/v1alpha1.Fulcio])
+//
+// If set on the Securesign resource, this annotation is automatically propagated
+// to child resources. ([github.com/securesign/operator/api/v1alpha1.Securesign])
+//
+// Example usage:
+//
+//	apiVersion: rhtas.redhat.com/v1alpha1
+//	kind: Securesign
+//	metadata:
+//	  name: example
+//	  annotations:
+//	    rhtas.redhat.com/log-type: "dev"
 package annotations
 
 const (
@@ -74,14 +101,17 @@ const (
 	// TrustedCA defines the annotation key for specifying a custom CA bundle ConfigMap.
 	TrustedCA = "rhtas.redhat.com/trusted-ca"
 
+	// LogType defines the annotation key used to configure the logging type for managed resources.
+	LogType = "rhtas.redhat.com/log-type"
+
 	// TreeId define the annotation key to document association of resource with specific Merkle Tree
 	TreeId = "rhtas.redhat.com/treeId"
 
 	TLS = "service.beta.openshift.io/serving-cert-secret-name"
 )
 
 var inheritable = []string{
-	TrustedCA,
+	TrustedCA, LogType,
 }
 
 func FilterInheritable(annotations map[string]string) map[string]string {

diff --git a/internal/controller/common/utils/collections.go b/internal/controller/common/utils/collections.go
@@ -0,0 +1,10 @@
+package utils
+
+// GetOrDefault retrieves the value from the map if present,
+// otherwise returns the specified default value.
+func GetOrDefault(m map[string]string, key string, defaultValue string) string {
+	if val, exists := m[key]; exists {
+		return val
+	}
+	return defaultValue
+}
diff --git a/internal/controller/constants/log.go b/internal/controller/constants/log.go
@@ -0,0 +1,8 @@
+package constants
+
+type LogType string
+
+const (
+	Dev  LogType = "dev"
+	Prod LogType = "prod"
+)
diff --git a/internal/controller/fulcio/utils/fulcio_deployment.go b/internal/controller/fulcio/utils/fulcio_deployment.go
@@ -4,9 +4,9 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/securesign/operator/internal/controller/common/utils"
-
 	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/controller/annotations"
+	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/constants"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -51,6 +51,7 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 		"serve",
 		"--port=5555",
 		"--grpc-port=5554",
+		fmt.Sprintf("--log_type=%s", utils.GetOrDefault(instance.GetAnnotations(), annotations.LogType, string(constants.Prod))),
 		"--ca=fileca",
 		"--fileca-key",
 		"/var/run/fulcio-secrets/key.pem",

diff --git a/internal/controller/rekor/utils/rekor_deployment.go b/internal/controller/rekor/utils/rekor_deployment.go
@@ -6,6 +6,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/controller/annotations"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/constants"
 	apps "k8s.io/api/apps/v1"
@@ -39,6 +40,7 @@ func CreateRekorDeployment(instance *v1alpha1.Rekor, dpName string, sa string, l
 		fmt.Sprintf("--trillian_log_server.tlog_id=%d", *instance.Status.TreeID),
 		"--enable_attestation_storage",
 		"--attestation_storage_bucket=file:///var/run/attestations",
+		fmt.Sprintf("--log_type=%s", utils.GetOrDefault(instance.GetAnnotations(), annotations.LogType, string(constants.Prod))),
 	}
 	volumes := []core.Volume{
 		{

diff --git a/internal/controller/tsa/utils/tsa_deployment.go b/internal/controller/tsa/utils/tsa_deployment.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/controller/annotations"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/constants"
 	apps "k8s.io/api/apps/v1"
@@ -41,6 +42,7 @@ func CreateTimestampAuthorityDeployment(instance *v1alpha1.TimestampAuthority, n
 		"serve",
 		"--host=0.0.0.0",
 		"--port=3000",
+		fmt.Sprintf("--log-type=%s", utils.GetOrDefault(instance.GetAnnotations(), annotations.LogType, string(constants.Prod))),
 		fmt.Sprintf("--certificate-chain-path=%s/certificate-chain.pem", certChainMountPath),
 		fmt.Sprintf("--disable-ntp-monitoring=%v", !instance.Spec.NTPMonitoring.Enabled),
 	}