Enabling Rekor to set custom Trillian log signer service

Author: tommyd450

api/v1alpha1/common.go

@@ -21,6 +21,19 @@ type MonitoringConfig struct {
 	Enabled bool `json:"enabled"`
 }
 
+// TrillianService configuration to connect Trillian server
+type TrillianService struct {
+	// Address to Trillian Log Server End point
+	//+optional
+	Address string `json:"address,omitempty"`
+	// Port of Trillian Log Server End point
+	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Maximum:=65535
+	//+kubebuilder:default:=8091
+	//+optional
+	Port *int32 `json:"port,omitempty"`
+}
+
 // LocalObjectReference contains enough information to let you locate the
 // referenced object inside the same namespace.
 // +structType=atomic

api/v1alpha1/rekor_types.go

@@ -13,6 +13,8 @@ type RekorSpec struct {
 	// If it is unset, the operator will create new Merkle tree in the Trillian backend
 	//+optional
 	TreeID *int64 `json:"treeID,omitempty"`
+	// Trillian service configuration
+	Trillian TrillianService `json:"trillian,omitempty"`
 	// Define whether you want to export service or not
 	ExternalAccess ExternalAccess `json:"externalAccess,omitempty"`
 	//Enable Service monitors for rekor

api/v1alpha1/rekor_types_test.go

@@ -198,6 +198,7 @@ var _ = Describe("Rekor", func() {
 				It("outputs the CR", func() {
 					storage := k8sresource.MustParse("987Gi")
 					tree := int64(1269875)
+					port := int32(8091)
 
 					rekorInstance = Rekor{
 						ObjectMeta: metav1.ObjectMeta{
@@ -241,6 +242,10 @@ var _ = Describe("Rekor", func() {
 									Key: "key",
 								},
 							},
+							Trillian: TrillianService{
+								Address: "trillian-system.default.svc",
+								Port:    &port,
+							},
 						},
 					}
 
@@ -254,7 +259,6 @@ var _ = Describe("Rekor", func() {
 			When("CR is partially set", func() {
 
 				It("sets spec.pvc.storage if spec.pvc is partially set", func() {
-
 					rekorInstance = Rekor{
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "rekor-storage",
@@ -300,6 +304,9 @@ func generateRekorObject(name string) *Rekor {
 				Retain: utils.Pointer(true),
 				Size:   &storage,
 			},
+			Trillian: TrillianService{
+				Port: utils.Pointer(int32(8091)),
+			},
 		},
 	}
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-05-28T11:15:21Z"
+    createdAt: "2024-06-03T14:37:13Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -204,7 +204,7 @@ metadata:
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
     operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.34.1
+    operators.operatorframework.io/builder: operator-sdk-v1.34.2
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/securesign/secure-sign-operator
     support: Red Hat

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -204,6 +204,20 @@ spec:
                   If it is unset, the operator will create new Merkle tree in the Trillian backend
                 format: int64
                 type: integer
+              trillian:
+                description: Trillian service configuration
+                properties:
+                  address:
+                    description: Address to Trillian Log Server End point
+                    type: string
+                  port:
+                    default: 8091
+                    description: Port of Trillian Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
             type: object
           status:
             description: RekorStatus defines the observed state of Rekor

bundle/manifests/rhtas.redhat.com_rekors.yaml

@@ -551,6 +551,20 @@ spec:
                       If it is unset, the operator will create new Merkle tree in the Trillian backend
                     format: int64
                     type: integer
+                  trillian:
+                    description: Trillian service configuration
+                    properties:
+                      address:
+                        description: Address to Trillian Log Server End point
+                        type: string
+                      port:
+                        default: 8091
+                        description: Port of Trillian Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 type: object
               trillian:
                 description: TrillianSpec defines the desired state of Trillian

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -204,6 +204,20 @@ spec:
                   If it is unset, the operator will create new Merkle tree in the Trillian backend
                 format: int64
                 type: integer
+              trillian:
+                description: Trillian service configuration
+                properties:
+                  address:
+                    description: Address to Trillian Log Server End point
+                    type: string
+                  port:
+                    default: 8091
+                    description: Port of Trillian Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
             type: object
           status:
             description: RekorStatus defines the observed state of Rekor

config/crd/bases/rhtas.redhat.com_rekors.yaml

@@ -551,6 +551,20 @@ spec:
                       If it is unset, the operator will create new Merkle tree in the Trillian backend
                     format: int64
                     type: integer
+                  trillian:
+                    description: Trillian service configuration
+                    properties:
+                      address:
+                        description: Address to Trillian Log Server End point
+                        type: string
+                      port:
+                        default: 8091
+                        description: Port of Trillian Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 type: object
               trillian:
                 description: TrillianSpec defines the desired state of Trillian

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -100,7 +100,7 @@ func (g handleKeys) Handle(ctx context.Context, instance *v1alpha1.CTlog) *actio
 			}
 		}
 		config, err = utils.GeneratePublicKey(&utils.PrivateKeyConfig{PrivateKey: private, PrivateKeyPass: password})
-		if err != nil || config == nil{
+		if err != nil || config == nil {
 			return g.Failed(fmt.Errorf("unable to generate public key: %w", err))
 		}
 		data = map[string][]byte{"public": config.PublicKey}

controllers/ctlog/actions/handle_keys.go

@@ -3,14 +3,14 @@ package server
 import (
 	"context"
 	"fmt"
-
+	"github.com/google/trillian"
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/controllers/common"
 	"github.com/securesign/operator/controllers/common/action"
-	k8sutils "github.com/securesign/operator/controllers/common/utils/kubernetes"
 	"github.com/securesign/operator/controllers/constants"
 	"github.com/securesign/operator/controllers/rekor/actions"
-	trillian "github.com/securesign/operator/controllers/trillian/actions"
+	"github.com/securesign/operator/controllers/rekor/utils"
+	actions2 "github.com/securesign/operator/controllers/trillian/actions"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -39,12 +39,20 @@ func (i createTrillianTreeAction) Handle(ctx context.Context, instance *rhtasv1a
 		return i.StatusUpdate(ctx, instance)
 	}
 	var err error
+	var tree *trillian.Tree
+	var trillUrl string
 
-	trillUrl, err := k8sutils.GetInternalUrl(ctx, i.Client, instance.Namespace, trillian.LogserverDeploymentName)
-	if err != nil {
-		return i.Failed(err)
+	switch {
+	case instance.Spec.Trillian.Port == nil:
+		err = fmt.Errorf("%s: %w", i.Name(), utils.TrillianPortNotSpecified)
+	case instance.Spec.Trillian.Address == "":
+		trillUrl = fmt.Sprintf("%s.%s.svc:%d", actions2.LogserverDeploymentName, instance.Namespace, *instance.Spec.Trillian.Port)
+	default:
+		trillUrl = fmt.Sprintf("%s:%d", instance.Spec.Trillian.Address, *instance.Spec.Trillian.Port)
 	}
-	tree, err := common.CreateTrillianTree(ctx, "rekor-tree", trillUrl+":8091")
+	i.Logger.V(1).Info("trillian logserver", "address", trillUrl)
+
+	tree, err = common.CreateTrillianTree(ctx, "rekor-tree", trillUrl)
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    actions.ServerCondition,

controllers/rekor/actions/pending.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"fmt"
+	actions2 "github.com/securesign/operator/controllers/trillian/actions"
 
 	"github.com/securesign/operator/controllers/common/action"
 	"github.com/securesign/operator/controllers/constants"
@@ -38,7 +39,14 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 		updated bool
 	)
 	labels := constants.LabelsFor(actions.ServerComponentName, actions.ServerDeploymentName, instance.Name)
-	dp, err := utils.CreateRekorDeployment(instance, actions.ServerDeploymentName, actions.RBACName, labels)
+
+	insCopy := instance.DeepCopy()
+	if insCopy.Spec.Trillian.Address == "" {
+		insCopy.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", actions2.LogserverDeploymentName, instance.Namespace)
+	}
+	i.Logger.V(1).Info("trillian logserver", "address", insCopy.Spec.Trillian.Address)
+	dp, err := utils.CreateRekorDeployment(insCopy, actions.ServerDeploymentName, actions.RBACName, labels)
+
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    actions.ServerCondition,

controllers/rekor/actions/server/createTree.go

@@ -90,8 +90,6 @@ func (r *RekorReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 		// NONE -> PENDING
 		actions2.NewInitializeConditions(),
 
-		// PENDING
-		actions2.NewPendingAction(),
 		// PENDING -> CREATE
 		server.NewGenerateSignerAction(),
 

controllers/rekor/actions/server/deployment.go

@@ -23,11 +23,9 @@ import (
 	"github.com/securesign/operator/controllers/common/utils"
 
 	"github.com/securesign/operator/api/v1alpha1"
-	"github.com/securesign/operator/controllers/common/utils/kubernetes"
 	"github.com/securesign/operator/controllers/constants"
 	"github.com/securesign/operator/controllers/rekor/actions"
 	"github.com/securesign/operator/controllers/rekor/actions/server"
-	trillian "github.com/securesign/operator/controllers/trillian/actions"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -128,15 +126,6 @@ var _ = Describe("Rekor controller", func() {
 				return meta.IsStatusConditionPresentAndEqual(found.Status.Conditions, constants.Ready, metav1.ConditionFalse)
 			}, time.Minute, time.Second).Should(BeTrue())
 
-			Eventually(func() string {
-				found := &v1alpha1.Rekor{}
-				Expect(k8sClient.Get(ctx, typeNamespaceName, found)).Should(Succeed())
-				return meta.FindStatusCondition(found.Status.Conditions, constants.Ready).Reason
-			}, time.Minute, time.Second).Should(Equal(constants.Pending))
-
-			By("Move to CreatingPhase by creating trillian service")
-			Expect(k8sClient.Create(ctx, kubernetes.CreateService(Namespace, trillian.LogserverDeploymentName, 8091, constants.LabelsForComponent(trillian.LogServerComponentName, instance.Name)))).To(Succeed())
-
 			By("Rekor signer created")
 			found := &v1alpha1.Rekor{}
 			Eventually(func() *v1alpha1.SecretKeySelector {

controllers/rekor/rekor_controller.go

@@ -0,0 +1,11 @@
+package utils
+
+import "errors"
+
+var (
+	ServerConfigNotSpecified    = errors.New("server config name not specified")
+	TreeNotSpecified            = errors.New("tree not specified")
+	TrillianAddressNotSpecified = errors.New("trillian address not specified")
+	TrillianPortNotSpecified    = errors.New("trillian port not specified")
+	SignerKeyNotSpecified       = errors.New("signer key reference not specified")
+)