review updates

api/v1alpha1/common.go

@@ -107,15 +107,15 @@ type Pvc struct {
 	AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty"`
 }
 
-<<<<<<< HEAD
 type Auth struct {
 	// Environmental variables used to define authentication parameters
 	//+optional
 	Env []core.EnvVar `json:"env,omitempty"`
 	// Secret ref to be mounted inside a pod, Mount path defaults to /var/run/secrets/tas/auth
 	//+optional
 	SecretMount []SecretKeySelector `json:"secretMount,omitempty"`
-=======
+}
+
 // TLSCert defines fields for TLS certificate
 // +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
 type TLSCert struct {
@@ -128,7 +128,6 @@ type TLSCert struct {
 	// Reference to CA certificate
 	//+optional
 	CACertRef *LocalObjectReference `json:"caCertRef,omitempty"`
->>>>>>> bddb484 (Add TLS to Rekor and Trillian services)
 }
 
 // TLS (Transport Layer Security) Configuration for enabling service encryption.

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -92,8 +92,8 @@ metadata:
                 "OIDCIssuers": [
                   {
                     "ClientID": "trusted-artifact-signer",
-                    "Issuer": "https://keycloak-keycloak-system.apps.rosa.tbc2f-pzqvt-33r.f86b.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
-                    "IssuerURL": "https://keycloak-keycloak-system.apps.rosa.tbc2f-pzqvt-33r.f86b.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
+                    "Issuer": "https://keycloak-keycloak-system.apps.rosa.ersmh-9o3fp-99x.qre7.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
+                    "IssuerURL": "https://keycloak-keycloak-system.apps.rosa.ersmh-9o3fp-99x.qre7.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
                     "Type": "email"
                   }
                 ]

config/samples/rhtas_v1alpha1_securesign.yaml

@@ -23,8 +23,8 @@ spec:
     config:
       OIDCIssuers:
         - ClientID: "trusted-artifact-signer"
-          IssuerURL: "https://your-oidc-issuer-url"
-          Issuer: "https://your-oidc-issuer-url"
+          IssuerURL: "https://keycloak-keycloak-system.apps.rosa.ersmh-9o3fp-99x.qre7.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
+          Issuer: "https://keycloak-keycloak-system.apps.rosa.ersmh-9o3fp-99x.qre7.p3.openshiftapps.com/auth/realms/trusted-artifact-signer"
           Type: "email"
     certificate:
       organizationName: Red Hat

internal/controller/ctlog/actions/config_map.go → internal/controller/ctlog/actions/ca_configmap.go

@@ -29,9 +29,7 @@ func (i configMapAction) Name() string {
 func (i configMapAction) CanHandle(ctx context.Context, instance *rhtasv1alpha1.CTlog) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
 	cm, _ := k8sutils.GetConfigMap(ctx, i.Client, instance.Namespace, "ca-configmap")
-	// signingKeySecret: OCP
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && signingKeySecret != nil && instance.Spec.TLSCertificate.CACertRef == nil
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && cm == nil && k8sutils.IsOpenShift() && instance.Spec.TLSCertificate.CACertRef == nil
 }
 
 func (i configMapAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {

internal/controller/ctlog/actions/create_tree_job.go

@@ -100,14 +100,13 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 	activeDeadlineSeconds := int64(600)
 	backoffLimit := int32(5)
 
-	signingKeySecret, _ := kubernetes.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	trustedCAAnnotation := cutils.TrustedCAAnnotationToReference(instance.Annotations)
 	cmd := ""
 	switch {
 	case trustedCAAnnotation != nil:
 		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=ctlog-tree --tls_cert_file=/var/run/configs/tas/ca-trust/ca-bundle.crt", trillUrl)
-	case signingKeySecret != nil:
-		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=ctlog-tree --tls_cert_file=/etc/ssl/certs/tls.crt", trillUrl)
+	case kubernetes.IsOpenShift():
+		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=ctlog-tree --tls_cert_file=/var/run/secrets/tas/tls.crt", trillUrl)
 	default:
 		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=ctlog-tree", trillUrl)
 	}
@@ -146,14 +145,12 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		return i.Failed(fmt.Errorf("could not set controller reference for Job: %w", err))
 	}
 
-	if trustedCAAnnotation != nil {
-		err = cutils.SetTrustedCA(&job.Spec.Template, cutils.TrustedCAAnnotationToReference(instance.Annotations))
-		if err != nil {
-			return i.Failed(err)
-		}
+	err = cutils.SetTrustedCA(&job.Spec.Template, cutils.TrustedCAAnnotationToReference(instance.Annotations))
+	if err != nil {
+		return i.Failed(err)
 	}
 
-	if signingKeySecret != nil && trustedCAAnnotation == nil {
+	if kubernetes.IsOpenShift() && trustedCAAnnotation == nil {
 		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes,
 			corev1.Volume{
 				Name: "tls-cert",
@@ -166,7 +163,7 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = append(job.Spec.Template.Spec.Containers[0].VolumeMounts,
 			corev1.VolumeMount{
 				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
+				MountPath: "/var/run/secrets/tas",
 				ReadOnly:  true,
 			})
 	}

internal/controller/ctlog/actions/deployment.go

@@ -8,7 +8,7 @@ import (
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
-	k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	"github.com/securesign/operator/internal/controller/constants"
 	"github.com/securesign/operator/internal/controller/ctlog/utils"
 	trillian "github.com/securesign/operator/internal/controller/trillian/actions"
@@ -43,7 +43,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	switch {
 	case instance.Spec.Trillian.Address == "":
 		instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace)
@@ -115,7 +114,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 					},
 				},
 			})
-	} else if signingKeySecret != nil {
+	} else if kubernetes.IsOpenShift() {
 		i.Logger.V(1).Info("TLS: Using secrets/signing-key secret")
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -151,16 +150,16 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 		i.Logger.V(1).Info("Communication between services is insecure")
 	}
 
-	if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
+	if instance.Spec.TLSCertificate.CertRef != nil && instance.Spec.TLSCertificate.CACertRef != nil || kubernetes.IsOpenShift() {
 		dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts,
 			corev1.VolumeMount{
 				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
+				MountPath: "/var/run/secrets/tas",
 				ReadOnly:  true,
 			})
-		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/etc/ssl/certs/tls.crt")
-		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/etc/ssl/certs/tls.key")
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/etc/ssl/certs/ca.crt")
+		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_certificate", "/var/run/secrets/tas/tls.crt")
+		// dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls_key", "/var/run/secrets/tas/tls.key")
+		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", "/var/run/secrets/tas/ca.crt")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {

internal/controller/ctlog/actions/resolve_tree.go

@@ -71,7 +71,6 @@ func (i resolveTreeAction) Handle(ctx context.Context, instance *rhtasv1alpha1.C
 		if err != nil {
 			i.Logger.V(1).Error(fmt.Errorf("waiting for the ConfigMap"), err.Error())
 		}
-		time.Sleep(2 * time.Second)
 	}
 
 	if err != nil {

internal/controller/ctlog/actions/service.go

@@ -7,7 +7,6 @@ import (
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
-	k8sutils "github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	"github.com/securesign/operator/internal/controller/constants"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -42,7 +41,6 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 	labels := constants.LabelsFor(ComponentName, ComponentName, instance.Name)
 
 	svc := kubernetes.CreateService(instance.Namespace, ComponentName, ServerPortName, ServerPort, ServerTargetPort, labels)
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if instance.Spec.Monitoring.Enabled {
 		svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{
 			Name:       MetricsPortName,
@@ -65,7 +63,7 @@ func (i serviceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog
 	}
 
 	//TLS: Annotate service
-	if signingKeySecret != nil && instance.Spec.TLSCertificate.CertRef == nil {
+	if kubernetes.IsOpenShift() && instance.Spec.TLSCertificate.CertRef == nil {
 		if svc.Annotations == nil {
 			svc.Annotations = make(map[string]string)
 		}

internal/controller/rekor/actions/server/create_tree_job.go

@@ -101,14 +101,13 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 	activeDeadlineSeconds := int64(600)
 	backoffLimit := int32(5)
 
-	signingKeySecret, _ := kubernetes.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	trustedCAAnnotation := cutils.TrustedCAAnnotationToReference(instance.Annotations)
 	cmd := ""
 	switch {
 	case trustedCAAnnotation != nil:
 		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=rekor-tree --tls_cert_file=/var/run/configs/tas/ca-trust/ca-bundle.crt", trillUrl)
-	case signingKeySecret != nil:
-		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=rekor-tree --tls_cert_file=/etc/ssl/certs/tls.crt", trillUrl)
+	case kubernetes.IsOpenShift():
+		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=rekor-tree --tls_cert_file=/var/run/secrets/tas/tls.crt", trillUrl)
 	default:
 		cmd = fmt.Sprintf("/createtree --admin_server=%s --display_name=rekor-tree", trillUrl)
 	}
@@ -147,14 +146,12 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		return i.Failed(fmt.Errorf("could not set controller reference for Job: %w", err))
 	}
 
-	if trustedCAAnnotation != nil {
-		err = cutils.SetTrustedCA(&job.Spec.Template, cutils.TrustedCAAnnotationToReference(instance.Annotations))
-		if err != nil {
-			return i.Failed(err)
-		}
+	err = cutils.SetTrustedCA(&job.Spec.Template, cutils.TrustedCAAnnotationToReference(instance.Annotations))
+	if err != nil {
+		return i.Failed(err)
 	}
 
-	if signingKeySecret != nil && trustedCAAnnotation == nil {
+	if kubernetes.IsOpenShift() && trustedCAAnnotation == nil {
 		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes,
 			corev1.Volume{
 				Name: "tls-cert",
@@ -167,7 +164,7 @@ func (i createTreeJobAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = append(job.Spec.Template.Spec.Containers[0].VolumeMounts,
 			corev1.VolumeMount{
 				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
+				MountPath: "/var/run/secrets/tas",
 				ReadOnly:  true,
 			})
 	}

internal/controller/rekor/actions/server/deployment.go

@@ -72,7 +72,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 	}
 
 	// TLS certificate
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if instance.Spec.TLSCertificate.CACertRef != nil {
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -97,7 +96,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 					},
 				},
 			})
-	} else if signingKeySecret != nil {
+	} else if k8sutils.IsOpenShift() {
 		dp.Spec.Template.Spec.Volumes = append(dp.Spec.Template.Spec.Volumes,
 			corev1.Volume{
 				Name: "tls-cert",
@@ -125,14 +124,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 		i.Logger.V(1).Info("Communication between services is insecure")
 	}
 
-	if instance.Spec.TLSCertificate.CACertRef != nil || signingKeySecret != nil {
+	if instance.Spec.TLSCertificate.CACertRef != nil || k8sutils.IsOpenShift() {
 		dp.Spec.Template.Spec.Containers[0].VolumeMounts = append(dp.Spec.Template.Spec.Containers[0].VolumeMounts,
 			corev1.VolumeMount{
 				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
+				MountPath: "/var/run/secrets/tas",
 				ReadOnly:  true,
 			})
-		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls_ca_cert", "/etc/ssl/certs/ca.crt")
+		dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls_ca_cert", "/var/run/secrets/tas/ca.crt")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {

internal/controller/rekor/actions/server/resolve_tree.go

@@ -72,7 +72,6 @@ func (i resolveTreeAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 		if err != nil {
 			i.Logger.V(1).Error(fmt.Errorf("waiting for the ConfigMap"), err.Error())
 		}
-		time.Sleep(2 * time.Second)
 	}
 
 	if err != nil {

internal/controller/trillian/actions/logserver/deployment.go

@@ -71,7 +71,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 	}
 
 	// TLS certificate
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
 	if instance.Spec.TrillianServer.TLSCertificate.CertRef != nil {
 		server.Spec.Template.Spec.Volumes = append(server.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -109,7 +108,7 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 					},
 				},
 			})
-	} else if signingKeySecret != nil {
+	} else if k8sutils.IsOpenShift() {
 		i.Logger.V(1).Info("TLS: Using secrets/signing-key secret")
 		server.Spec.Template.Spec.Volumes = append(server.Spec.Template.Spec.Volumes,
 			corev1.Volume{
@@ -124,15 +123,15 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Trilli
 		i.Logger.V(1).Info("Communication between services is insecure")
 	}
 
-	if instance.Spec.TrillianServer.TLSCertificate.CertRef != nil || signingKeySecret != nil {
+	if instance.Spec.TrillianServer.TLSCertificate.CertRef != nil || k8sutils.IsOpenShift() {
 		server.Spec.Template.Spec.Containers[0].VolumeMounts = append(server.Spec.Template.Spec.Containers[0].VolumeMounts,
 			corev1.VolumeMount{
 				Name:      "tls-cert",
-				MountPath: "/etc/ssl/certs",
+				MountPath: "/var/run/secrets/tas",
 				ReadOnly:  true,
 			})
-		server.Spec.Template.Spec.Containers[0].Args = append(server.Spec.Template.Spec.Containers[0].Args, "--tls_cert_file", "/etc/ssl/certs/tls.crt")
-		server.Spec.Template.Spec.Containers[0].Args = append(server.Spec.Template.Spec.Containers[0].Args, "--tls_key_file", "/etc/ssl/certs/tls.key")
+		server.Spec.Template.Spec.Containers[0].Args = append(server.Spec.Template.Spec.Containers[0].Args, "--tls_cert_file", "/var/run/secrets/tas/tls.crt")
+		server.Spec.Template.Spec.Containers[0].Args = append(server.Spec.Template.Spec.Containers[0].Args, "--tls_key_file", "/var/run/secrets/tas/tls.key")
 	}
 
 	if err = controllerutil.SetControllerReference(instance, server, i.Client.Scheme()); err != nil {

internal/controller/trillian/actions/logserver/service.go

@@ -74,8 +74,7 @@ func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 	}
 
 	//TLS: Annotate service
-	signingKeySecret, _ := k8sutils.GetSecret(i.Client, "openshift-service-ca", "signing-key")
-	if signingKeySecret != nil && instance.Spec.TrillianServer.TLSCertificate.CertRef == nil {
+	if k8sutils.IsOpenShift() && instance.Spec.TrillianServer.TLSCertificate.CertRef == nil {
 		if logserverService.Annotations == nil {
 			logserverService.Annotations = make(map[string]string)
 		}