add testing

Author: JasonPowr

.github/workflows/main.yml

@@ -199,7 +199,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
       - name: Install cosign
         run: go install github.com/sigstore/cosign/v2/cmd/cosign@v2.2.2
 

.gitignore

@@ -35,3 +35,6 @@ go.work
 
 # K8s dump from e2e tests
 k8s-dump-*.tar.gz
+
+#tsa certificate chain file
+ts_chain.pem

api/v1alpha1/securesign_types.go

@@ -29,7 +29,7 @@ type SecuresignSpec struct {
 	Rekor    RekorSpec    `json:"rekor,omitempty"`
 	Fulcio   FulcioSpec   `json:"fulcio,omitempty"`
 	Trillian TrillianSpec `json:"trillian,omitempty"`
-	//+kubebuilder:default:={keys:{{name: rekor.pub},{name: ctfe.pub},{name: fulcio_v1.crt.pem}}}
+	//+kubebuilder:default:={keys:{{name: rekor.pub},{name: ctfe.pub},{name: fulcio_v1.crt.pem},{name: tsa_cert_chain.pem}}}
 	Tuf                TufSpec                `json:"tuf,omitempty"`
 	Ctlog              CTlogSpec              `json:"ctlog,omitempty"`
 	TimestampAuthority TimestampAuthoritySpec `json:"tsa,omitempty"`

api/v1alpha1/tuf_types.go

@@ -17,7 +17,7 @@ type TufSpec struct {
 	//+kubebuilder:validation:Maximum:=65535
 	Port int32 `json:"port,omitempty"`
 	// List of TUF targets which will be added to TUF root
-	//+kubebuilder:default:={{name: rekor.pub},{name: ctfe.pub},{name: fulcio_v1.crt.pem}}
+	//+kubebuilder:default:={{name: rekor.pub},{name: ctfe.pub},{name: fulcio_v1.crt.pem},{name: tsa_cert_chain.pem}}
 	//+kubebuilder:validation:MinItems:=1
 	Keys []TufKey `json:"keys,omitempty"`
 }

api/v1alpha1/tuf_types_test.go

@@ -206,6 +206,9 @@ func generateTufObject(name string) *Tuf {
 				{
 					Name: "fulcio_v1.crt.pem",
 				},
+				{
+					Name: "tsa_cert_chain.pem",
+				},
 			},
 		},
 	}

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -134,8 +134,7 @@ metadata:
                     "organizationEmail": "jdoe@redhat.com",
                     "organizationName": "Red Hat"
                   }
-                },
-                "type": "file"
+                }
               }
             },
             "tuf": {
@@ -151,6 +150,9 @@ metadata:
                 },
                 {
                   "name": "fulcio_v1.crt.pem"
+                },
+                {
+                  "name": "tsa_cert_chain.pem"
                 }
               ]
             }
@@ -172,6 +174,20 @@ metadata:
           "spec": {
             "externalAccess": {
               "enabled": true
+            },
+            "signer": {
+              "certificateChain": {
+                "intermediateCA": {
+                  "commonName": "tsa.hostname",
+                  "organizationEmail": "jdoe@redhat.com",
+                  "organizationName": "Red Hat"
+                },
+                "rootCA": {
+                  "commonName": "tsa.hostname",
+                  "organizationEmail": "jdoe@redhat.com",
+                  "organizationName": "Red Hat"
+                }
+              }
             }
           }
         },
@@ -224,14 +240,21 @@ metadata:
                   "key": "public",
                   "name": "ctlog-pub-key"
                 }
+              },
+              {
+                "name": "tsa_cert_chain.pem",
+                "secretRef": {
+                  "key": "certificateChain",
+                  "name": "tsa-cert-chain"
+                }
               }
             ]
           }
         }
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-08T09:54:48Z"
+    createdAt: "2024-07-15T15:46:15Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/rhtas.redhat.com_rekors.yaml

@@ -150,6 +150,9 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  host:
+                    description: Set hostname for your Ingress/Route.
+                    type: string
                 required:
                 - enabled
                 type: object

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -533,6 +533,9 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      host:
+                        description: Set hostname for your Ingress/Route.
+                        type: string
                     required:
                     - enabled
                     type: object
@@ -1286,6 +1289,7 @@ spec:
                   - name: rekor.pub
                   - name: ctfe.pub
                   - name: fulcio_v1.crt.pem
+                  - name: tsa_cert_chain.pem
                 description: TufSpec defines the desired state of Tuf
                 properties:
                   externalAccess:
@@ -1311,6 +1315,7 @@ spec:
                     - name: rekor.pub
                     - name: ctfe.pub
                     - name: fulcio_v1.crt.pem
+                    - name: tsa_cert_chain.pem
                     description: List of TUF targets which will be added to TUF root
                     items:
                       properties:

bundle/manifests/rhtas.redhat.com_tufs.yaml

@@ -71,6 +71,7 @@ spec:
                 - name: rekor.pub
                 - name: ctfe.pub
                 - name: fulcio_v1.crt.pem
+                - name: tsa_cert_chain.pem
                 description: List of TUF targets which will be added to TUF root
                 items:
                   properties:

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -1289,6 +1289,7 @@ spec:
                   - name: rekor.pub
                   - name: ctfe.pub
                   - name: fulcio_v1.crt.pem
+                  - name: tsa_cert_chain.pem
                 description: TufSpec defines the desired state of Tuf
                 properties:
                   externalAccess:
@@ -1314,6 +1315,7 @@ spec:
                     - name: rekor.pub
                     - name: ctfe.pub
                     - name: fulcio_v1.crt.pem
+                    - name: tsa_cert_chain.pem
                     description: List of TUF targets which will be added to TUF root
                     items:
                       properties:

config/crd/bases/rhtas.redhat.com_tufs.yaml

@@ -71,6 +71,7 @@ spec:
                 - name: rekor.pub
                 - name: ctfe.pub
                 - name: fulcio_v1.crt.pem
+                - name: tsa_cert_chain.pem
                 description: List of TUF targets which will be added to TUF root
                 items:
                   properties:

internal/controller/securesign/securesign_controller.go

@@ -18,6 +18,7 @@ package securesign
 
 import (
 	"context"
+
 	v12 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -164,5 +165,6 @@ func (r *SecuresignReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&rhtasv1alpha1.Tuf{}).
 		Owns(&rhtasv1alpha1.Trillian{}).
 		Owns(&rhtasv1alpha1.CTlog{}).
+		Owns(&rhtasv1alpha1.TimestampAuthority{}).
 		Complete(r)
 }

internal/controller/tsa/actions/generate_signer.go

@@ -70,7 +70,9 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Timestamp
 			Reason:  constants.Pending,
 			Message: "Resolving keys",
 		})
-		return g.FailedWithStatusUpdate(ctx, err, instance)
+		g.StatusUpdate(ctx, instance)
+		// swallow error and retry
+		return g.Requeue()
 	}
 
 	secretLabels := map[string]string{

test/e2e/byodb_test.go

@@ -89,6 +89,25 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 						Name: "my-db",
 					},
 				}},
+				TimestampAuthority: v1alpha1.TimestampAuthoritySpec{
+					ExternalAccess: v1alpha1.ExternalAccess{
+						Enabled: true,
+					},
+					Signer: v1alpha1.TimestampAuthoritySigner{
+						CertificateChain: v1alpha1.CertificateChain{
+							RootCA: v1alpha1.TsaCertificateAuthority{
+								OrganizationName:  "MyOrg",
+								OrganizationEmail: "my@email.org",
+								CommonName:        "tsa.hostname",
+							},
+							IntermediateCA: v1alpha1.TsaCertificateAuthority{
+								OrganizationName:  "MyOrg",
+								OrganizationEmail: "my@email.org",
+								CommonName:        "tsa.hostname",
+							},
+						},
+					},
+				},
 			},
 		}
 	})
@@ -110,6 +129,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 			tas.VerifyRekor(ctx, cli, namespace.Name, securesign.Name)
 			tas.VerifyCTLog(ctx, cli, namespace.Name, securesign.Name)
 			tas.VerifyTuf(ctx, cli, namespace.Name, securesign.Name)
+			tas.VerifyTSA(ctx, cli, namespace.Name, securesign.Name)
 		})
 
 		It("No other DB is created", func() {
@@ -128,6 +148,11 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 			tuf := tas.GetTuf(ctx, cli, namespace.Name, securesign.Name)()
 			Expect(tuf).ToNot(BeNil())
 
+			tsa := tas.GetTSA(ctx, cli, namespace.Name, securesign.Name)()
+			Expect(tsa).ToNot(BeNil())
+			err := tas.GetTSACertificateChain(ctx, cli, tsa.Namespace, tsa.Name, tsa.Status.Url)
+			Expect(err).To(BeNil())
+
 			oidcToken, err := support.OidcToken(ctx)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(oidcToken).ToNot(BeEmpty())
@@ -141,6 +166,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 				"cosign", "sign", "-y",
 				"--fulcio-url="+fulcio.Status.Url,
 				"--rekor-url="+rekor.Status.Url,
+				"--timestamp-server-url="+tsa.Status.Url+"/api/v1/timestamp",
 				"--oidc-issuer="+support.OidcIssuerUrl(),
 				"--oidc-client-id="+support.OidcClientID(),
 				"--identity-token="+oidcToken,
@@ -150,6 +176,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 			Expect(clients.Execute(
 				"cosign", "verify",
 				"--rekor-url="+rekor.Status.Url,
+				"--timestamp-certificate-chain=ts_chain.pem",
 				"--certificate-identity-regexp", ".*@redhat",
 				"--certificate-oidc-issuer-regexp", ".*keycloak.*",
 				targetImageName,

test/e2e/common_install_test.go

@@ -89,6 +89,25 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 				Trillian: v1alpha1.TrillianSpec{Db: v1alpha1.TrillianDB{
 					Create: utils.Pointer(true),
 				}},
+				TimestampAuthority: v1alpha1.TimestampAuthoritySpec{
+					ExternalAccess: v1alpha1.ExternalAccess{
+						Enabled: true,
+					},
+					Signer: v1alpha1.TimestampAuthoritySigner{
+						CertificateChain: v1alpha1.CertificateChain{
+							RootCA: v1alpha1.TsaCertificateAuthority{
+								OrganizationName:  "MyOrg",
+								OrganizationEmail: "my@email.org",
+								CommonName:        "tsa.hostname",
+							},
+							IntermediateCA: v1alpha1.TsaCertificateAuthority{
+								OrganizationName:  "MyOrg",
+								OrganizationEmail: "my@email.org",
+								CommonName:        "tsa.hostname",
+							},
+						},
+					},
+				},
 			},
 		}
 	})
@@ -138,6 +157,23 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 					)))
 		})
 
+		It("operator should generate TSA secret", func() {
+			Eventually(func() *v1.Secret {
+				tsa := tas.GetTSA(ctx, cli, namespace.Name, securesign.Name)()
+				scr := &v1.Secret{}
+				Expect(cli.Get(ctx, types.NamespacedName{Namespace: namespace.Name, Name: tsa.Status.Signer.FileSigner.PrivateKeyRef.Name}, scr)).To(Succeed())
+				return scr
+			}).Should(
+				WithTransform(func(secret *v1.Secret) map[string][]byte { return secret.Data },
+					And(
+						&matchers.HaveKeyMatcher{Key: "rootPrivateKey"},
+						&matchers.HaveKeyMatcher{Key: "rootPrivateKeyPassword"},
+						&matchers.HaveKeyMatcher{Key: "interPrivateKey"},
+						&matchers.HaveKeyMatcher{Key: "interPrivateKeyPassword"},
+						&matchers.HaveKeyMatcher{Key: "certificateChain"},
+					)))
+		})
+
 		It("fulcio is running with mounted certs", func() {
 			server := tas.GetFulcioServerPod(ctx, cli, namespace.Name)()
 			Expect(server).NotTo(BeNil())
@@ -175,12 +211,29 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 
 		})
 
+		It("tsa is running with mounted certs", func() {
+			tas.VerifyTSA(ctx, cli, namespace.Name, securesign.Name)
+			server := tas.GetTSAServerPod(ctx, cli, namespace.Name)()
+			Expect(server).NotTo(BeNil())
+			Expect(server.Spec.Volumes).To(
+				ContainElement(
+					WithTransform(func(volume v1.Volume) string {
+						if volume.VolumeSource.Secret != nil {
+							return volume.VolumeSource.Secret.SecretName
+						}
+						return ""
+					}, Equal(tas.GetTSA(ctx, cli, namespace.Name, securesign.Name)().Status.Signer.FileSigner.PrivateKeyRef.Name))),
+			)
+
+		})
+
 		It("All other components are running", func() {
 			tas.VerifySecuresign(ctx, cli, namespace.Name, securesign.Name)
 			tas.VerifyTrillian(ctx, cli, namespace.Name, securesign.Name, true)
 			tas.VerifyCTLog(ctx, cli, namespace.Name, securesign.Name)
 			tas.VerifyTuf(ctx, cli, namespace.Name, securesign.Name)
 			tas.VerifyRekorSearchUI(ctx, cli, namespace.Name, securesign.Name)
+			tas.VerifyTSA(ctx, cli, namespace.Name, securesign.Name)
 		})
 
 		It("Verify Rekor Search UI is accessible", func() {
@@ -211,6 +264,11 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 			tuf := tas.GetTuf(ctx, cli, namespace.Name, securesign.Name)()
 			Expect(tuf).ToNot(BeNil())
 
+			tsa := tas.GetTSA(ctx, cli, namespace.Name, securesign.Name)()
+			Expect(tsa).ToNot(BeNil())
+			err := tas.GetTSACertificateChain(ctx, cli, tsa.Namespace, tsa.Name, tsa.Status.Url)
+			Expect(err).To(BeNil())
+
 			oidcToken, err := support.OidcToken(ctx)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(oidcToken).ToNot(BeEmpty())
@@ -224,6 +282,7 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 				"cosign", "sign", "-y",
 				"--fulcio-url="+fulcio.Status.Url,
 				"--rekor-url="+rekor.Status.Url,
+				"--timestamp-server-url="+tsa.Status.Url+"/api/v1/timestamp",
 				"--oidc-issuer="+support.OidcIssuerUrl(),
 				"--oidc-client-id="+support.OidcClientID(),
 				"--identity-token="+oidcToken,
@@ -233,6 +292,7 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 			Expect(clients.Execute(
 				"cosign", "verify",
 				"--rekor-url="+rekor.Status.Url,
+				"--timestamp-certificate-chain=ts_chain.pem",
 				"--certificate-identity-regexp", ".*@redhat",
 				"--certificate-oidc-issuer-regexp", ".*keycloak.*",
 				targetImageName,