add file signer type

Author: JasonPowr

api/v1alpha1/timestampauthority_types.go

@@ -24,11 +24,61 @@ import (
 type TimestampAuthoritySpec struct {
 	// Define whether you want to export service or not
 	ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
+	// Signer configuration
+	Signer TimestampAuthoritySigner `json:"signer,omitempty"`
+}
+
+type TimestampAuthoritySigner struct {
+	// Timestamping authority signer. Valid options include: [kms, tink, file].
+	Type string `json:"type,omitempty"`
+	// Configuration for the Certificate Chain
+	CertificateChain CertificateChain `json:"certificateChain,omitempty"`
+	// Configuration for file-based signer
+	//+optional
+	FileSigner FileSigner `json:"fileSigner,omitempty"`
+}
+
+type CertificateChain struct {
+	// CommonName specifies the common name for the TimeStampAuthorities cert chain.
+	// If not provided, the common name will default to the host name.
+	//+optional
+	CommonName string `json:"commonName,omitempty"`
+	//+optional
+	//OrganizationName specifies the Organization Name for the TimeStampAuthorities cert chain.
+	OrganizationName string `json:"organizationName,omitempty"`
+	//+optional
+	//Organization Email specifies the Organization Email for the TimeStampAuthorities cert chain.
+	OrganizationEmail string `json:"organizationEmail,omitempty"`
+	//Reference to the certificate chain
+	//+optional
+	CertificateChainRef *SecretKeySelector `json:"certificateChainRef,omitempty"`
+	// Password to decrypt the signer's root private key
+	//+optional
+	RootPasswordRef *SecretKeySelector `json:"rootPasswordRef,omitempty"`
+	// Reference to the signer's root private key
+	//+optional
+	RootPrivateKeyRef *SecretKeySelector `json:"rootPrivateKeyRef,omitempty"`
+	// Password to decrypt the signer's Intermediate private key
+	//+optional
+	InterPasswordRef *SecretKeySelector `json:"interPasswordRef,omitempty"`
+	// Reference to the signer's Intermediate private key
+	//+optional
+	InterPrivateKeyRef *SecretKeySelector `json:"interPrivateKeyRef,omitempty"`
+}
+
+type FileSigner struct {
+	// Password to decrypt the signer's root private key
+	//+optional
+	PasswordRef *SecretKeySelector `json:"passwordRef,omitempty"`
+	// Reference to the signer's root private key
+	//+optional
+	PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
 }
 
 // TimestampAuthorityStatus defines the observed state of TimestampAuthority
 type TimestampAuthorityStatus struct {
-	Url string `json:"url,omitempty"`
+	Signer *TimestampAuthoritySigner `json:"signer,omitempty"`
+	Url    string                    `json:"url,omitempty"`
 	// +listType=map
 	// +listMapKey=type
 	// +patchStrategy=merge

api/v1alpha1/zz_generated.deepcopy.go

@@ -121,6 +121,14 @@ metadata:
             "tsa": {
               "externalAccess": {
                 "enabled": true
+              },
+              "signer": {
+                "certificateChain": {
+                  "commonName": "tsa.hostname",
+                  "organizationEmail": "jdoe@redhat.com",
+                  "organizationName": "Red Hat"
+                },
+                "type": "file"
               }
             },
             "tuf": {
@@ -216,7 +224,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-06-24T12:36:11Z"
+    createdAt: "2024-07-02T11:25:13Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -684,6 +684,165 @@ spec:
                     required:
                     - enabled
                     type: object
+                  signer:
+                    description: Signer configuration
+                    properties:
+                      certificateChain:
+                        description: Configuration for the Certificate Chain
+                        properties:
+                          certificateChainRef:
+                            description: Reference to the certificate chain
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          commonName:
+                            description: |-
+                              CommonName specifies the common name for the TimeStampAuthorities cert chain.
+                              If not provided, the common name will default to the host name.
+                            type: string
+                          interPasswordRef:
+                            description: Password to decrypt the signer's Intermediate
+                              private key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          interPrivateKeyRef:
+                            description: Reference to the signer's Intermediate private
+                              key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          organizationEmail:
+                            description: Organization Email specifies the Organization
+                              Email for the TimeStampAuthorities cert chain.
+                            type: string
+                          organizationName:
+                            description: OrganizationName specifies the Organization
+                              Name for the TimeStampAuthorities cert chain.
+                            type: string
+                          rootPasswordRef:
+                            description: Password to decrypt the signer's root private
+                              key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          rootPrivateKeyRef:
+                            description: Reference to the signer's root private key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        type: object
+                      fileSigner:
+                        description: Configuration for file-based signer
+                        properties:
+                          passwordRef:
+                            description: Password to decrypt the signer's root private
+                              key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          privateKeyRef:
+                            description: Reference to the signer's root private key
+                            properties:
+                              key:
+                                description: The key of the secret to select from.
+                                  Must be a valid secret key.
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: |-
+                                  Name of the referent.
+                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                type: string
+                            required:
+                            - key
+                            - name
+                            type: object
+                            x-kubernetes-map-type: atomic
+                        type: object
+                      type:
+                        description: 'Timestamping authority signer. Valid options
+                          include: [kms, tink, file].'
+                        type: string
+                    type: object
                 type: object
               tuf:
                 default: