[SECURESIGN-663] Add option to set an external ctlog service

api/v1alpha1/common.go

@@ -34,6 +34,19 @@ type TrillianService struct {
 	Port *int32 `json:"port,omitempty"`
 }
 
+// CtlogService configuration to connect Ctlog server
+type CtlogService struct {
+	// Address to Ctlog Log Server End point
+	//+optional
+	Address string `json:"address,omitempty"`
+	// Port of Ctlog Log Server End point
+	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Maximum:=65535
+	//+kubebuilder:default:=80
+	//+optional
+	Port *int32 `json:"port,omitempty"`
+}
+
 // LocalObjectReference contains enough information to let you locate the
 // referenced object inside the same namespace.
 // +structType=atomic

api/v1alpha1/fulcio_types.go

@@ -11,6 +11,10 @@ import (
 type FulcioSpec struct {
 	// Define whether you want to export service or not
 	ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
+	// Ctlog service configuration
+	//+optional
+	//+kubebuilder:default:={port: 80}
+	Ctlog CtlogService `json:"ctlog,omitempty"`
 	// Fulcio Configuration
 	//+required
 	Config FulcioConfig `json:"config"`

api/v1alpha1/fulcio_types_test.go

@@ -165,6 +165,7 @@ var _ = Describe("Fulcio", func() {
 
 			When("CR is fully populated", func() {
 				It("outputs the CR", func() {
+					port := int32(80)
 					fulcioInstance = Fulcio{
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "fulcio-full-manifest",
@@ -208,6 +209,10 @@ var _ = Describe("Fulcio", func() {
 								PrivateKeyRef:         &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 								PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 							},
+							Ctlog: CtlogService{
+								Address: "ctlog.default.svc",
+								Port:    &port,
+							},
 						},
 					}
 

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-06-24T12:36:11Z"
+    createdAt: "2024-07-03T12:24:03Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -204,7 +204,7 @@ metadata:
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
     operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.34.2
+    operators.operatorframework.io/builder: operator-sdk-v1.34.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     repository: https://github.com/securesign/secure-sign-operator
     support: Red Hat

bundle/manifests/rhtas.redhat.com_fulcios.yaml

@@ -221,6 +221,22 @@ spec:
                 - message: At least one of OIDCIssuers or MetaIssuers must be defined
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+              ctlog:
+                default:
+                  port: 80
+                description: Ctlog service configuration
+                properties:
+                  address:
+                    description: Address to Ctlog Log Server End point
+                    type: string
+                  port:
+                    default: 80
+                    description: Port of Ctlog Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
               externalAccess:
                 description: Define whether you want to export service or not
                 properties:

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -342,6 +342,22 @@ spec:
                         defined
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+                  ctlog:
+                    default:
+                      port: 80
+                    description: Ctlog service configuration
+                    properties:
+                      address:
+                        description: Address to Ctlog Log Server End point
+                        type: string
+                      port:
+                        default: 80
+                        description: Port of Ctlog Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                   externalAccess:
                     description: Define whether you want to export service or not
                     properties:

config/crd/bases/rhtas.redhat.com_fulcios.yaml

@@ -221,6 +221,22 @@ spec:
                 - message: At least one of OIDCIssuers or MetaIssuers must be defined
                   rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0)) ||
                     (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+              ctlog:
+                default:
+                  port: 80
+                description: Ctlog service configuration
+                properties:
+                  address:
+                    description: Address to Ctlog Log Server End point
+                    type: string
+                  port:
+                    default: 80
+                    description: Port of Ctlog Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
               externalAccess:
                 description: Define whether you want to export service or not
                 properties:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -342,6 +342,22 @@ spec:
                         defined
                       rule: (has(self.OIDCIssuers) && (size(self.OIDCIssuers) > 0))
                         || (has(self.MetaIssuers) && (size(self.MetaIssuers) > 0))
+                  ctlog:
+                    default:
+                      port: 80
+                    description: Ctlog service configuration
+                    properties:
+                      address:
+                        description: Address to Ctlog Log Server End point
+                        type: string
+                      port:
+                        default: 80
+                        description: Port of Ctlog Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                   externalAccess:
                     description: Define whether you want to export service or not
                     properties:

internal/controller/fulcio/actions/deployment.go

@@ -37,6 +37,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio
 	)
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
+
+	switch {
+	case instance.Spec.Ctlog.Address == "":
+		instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
+	case instance.Spec.Ctlog.Port == nil:
+		port := int32(80)
+		instance.Spec.Ctlog.Port = &port
+	}
 	dp, err := futils.CreateDeployment(instance, DeploymentName, RBACName, labels)
 	if err != nil {
 		if err != nil {

internal/controller/fulcio/utils/errors.go

@@ -0,0 +1,8 @@
+package utils
+
+import "errors"
+
+var (
+	CtlogAddressNotSpecified = errors.New("ctlog address not specified")
+	CtlogPortNotSpecified    = errors.New("ctlog port not specified")
+)

internal/controller/fulcio/utils/fulcio_deployment.go

@@ -38,7 +38,23 @@ func CreateDeployment(instance *v1alpha1.Fulcio, deploymentName string, sa strin
 		"/var/run/fulcio-secrets/key.pem",
 		"--fileca-cert",
 		"/var/run/fulcio-secrets/cert.pem",
-		fmt.Sprintf("--ct-log-url=http://ctlog.%s.svc/trusted-artifact-signer", instance.Namespace)}
+	}
+
+	var err error
+	var ctlogUrl string
+	switch {
+	case instance.Spec.Ctlog.Address == "":
+		err = fmt.Errorf("CreateDeployment: %w", CtlogAddressNotSpecified)
+	case instance.Spec.Ctlog.Port == nil:
+		err = fmt.Errorf("CreateDeployment: %w", CtlogPortNotSpecified)
+	default:
+		ctlogUrl = fmt.Sprintf("%s:%d/trusted-artifact-signer", instance.Spec.Ctlog.Address, *instance.Spec.Ctlog.Port)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	args = append(args, fmt.Sprintf("--ct-log-url=%s", ctlogUrl))
 
 	env := make([]corev1.EnvVar, 0)
 	env = append(env, corev1.EnvVar{

internal/controller/fulcio/utils/fulcio_deployment_test.go

@@ -105,12 +105,18 @@ func findVolume(name string, volumes []v12.Volume) *v12.Volume {
 }
 
 func createInstance() *v1alpha1.Fulcio {
+	port := int32(80)
 	return &v1alpha1.Fulcio{
 		ObjectMeta: v1.ObjectMeta{
 			Name:      "name",
 			Namespace: "default",
 		},
-		Spec: v1alpha1.FulcioSpec{},
+		Spec: v1alpha1.FulcioSpec{
+			Ctlog: v1alpha1.CtlogService{
+				Address: "http://ctlog.default.svc",
+				Port:    &port,
+			},
+		},
 		Status: v1alpha1.FulcioStatus{
 			ServerConfigRef: &v1alpha1.LocalObjectReference{Name: "config"},
 			Certificate: &v1alpha1.FulcioCert{