Add TLS to Rekor and Trillian services

securesign · Jul 9, 2024 · bfe2571 · bfe2571
1 parent 52c95e5
commit bfe2571
Show file tree

Hide file tree

Showing 21 changed files with 1,312 additions and 1 deletion.
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -90,3 +90,17 @@ type Pvc struct {
 	//+optional
 	StorageClass string `json:"storageClass,omitempty"`
 }
+
+// TLSCert defines fields for TLS certificate
+// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
+type TLSCert struct {
+	// Reference to the private key
+	//+optional
+	PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
+	// Reference to service certificate
+	//+optional
+	CertRef *SecretKeySelector `json:"certRef,omitempty"`
+	// Reference to CA certificate
+	//+optional
+	CACertRef *LocalObjectReference `json:"caCertRef,omitempty"`
+}
diff --git a/api/v1alpha1/rekor_types.go b/api/v1alpha1/rekor_types.go
@@ -32,6 +32,9 @@ type RekorSpec struct {
 	// BackFillRedis CronJob Configuration
 	//+kubebuilder:default:={enabled: true, schedule: "0 0 * * *"}
 	BackFillRedis BackFillRedis `json:"backFillRedis,omitempty"`
+	// Reference to TLS server certificate, private key and CA certificate
+	//+optional
+	TLSCertificate TLSCert `json:"tls"`
 }
 
 type RekorSigner struct {

diff --git a/api/v1alpha1/rekor_types_test.go b/api/v1alpha1/rekor_types_test.go
@@ -246,6 +246,11 @@ var _ = Describe("Rekor", func() {
 								Address: "trillian-system.default.svc",
 								Port:    &port,
 							},
+							TLSCertificate: TLSCert{
+								CACertRef: &LocalObjectReference{
+									Name: "ca-configmap",
+								},
+							},
 						},
 					}
 

diff --git a/api/v1alpha1/trillian_types.go b/api/v1alpha1/trillian_types.go
@@ -27,6 +27,10 @@ type TrillianSpec struct {
 	//+kubebuilder:validation:XValidation:rule=((!self.create && self.databaseSecretRef != null) || self.create),message=databaseSecretRef cannot be empty
 	//+kubebuilder:default:={create: true, pvc: {size: "5Gi", retain: true}}
 	Db TrillianDB `json:"database,omitempty"`
+	//+optional
+	TrillianServer TrillianServer `json:"server,omitempty"`
+	//+optional
+	TrillianSigner TrillianSigner `json:"signer,omitempty"`
 	// Enable Monitoring for Logsigner and Logserver
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
 }
@@ -49,6 +53,15 @@ type TrillianDB struct {
 	Pvc Pvc `json:"pvc,omitempty"`
 }
 
+type TrillianServer struct {
+	// Secret with TLS server certificate, private key and CA certificate
+	TLSCertificate TLSCert `json:"tls"`
+}
+type TrillianSigner struct {
+	// Secret with TLS server certificate, private key and CA certificate
+	TLSCertificate TLSCert `json:"tls"`
+}
+
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {
 	Db TrillianDB `json:"database,omitempty"`

diff --git a/api/v1alpha1/trillian_types_test.go b/api/v1alpha1/trillian_types_test.go
@@ -157,6 +157,30 @@ var _ = Describe("Trillian", func() {
 									Name: "secret",
 								},
 							},
+							TrillianServer: TrillianServer{
+								TLSCertificate: TLSCert{
+									CertRef: &SecretKeySelector{
+										Key:                  "cert",
+										LocalObjectReference: LocalObjectReference{Name: "server-secret"},
+									},
+									PrivateKeyRef: &SecretKeySelector{
+										Key:                  "key",
+										LocalObjectReference: LocalObjectReference{Name: "server-secret"},
+									},
+								},
+							},
+							TrillianSigner: TrillianSigner{
+								TLSCertificate: TLSCert{
+									CertRef: &SecretKeySelector{
+										Key:                  "cert",
+										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
+									},
+									PrivateKeyRef: &SecretKeySelector{
+										Key:                  "key",
+										LocalObjectReference: LocalObjectReference{Name: "signer-secret"},
+									},
+								},
+							},
 						},
 					}
 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-03T12:24:03Z"
+    createdAt: "2024-07-09T08:45:46Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml
@@ -198,6 +198,62 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                 type: object
+              tls:
+                description: Reference to TLS server certificate, private key and
+                  CA certificate
+                properties:
+                  caCertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: |-
                   ID of Merkle tree in Trillian backend