improve testing, apply requested changes

Author: JasonPowr

.github/workflows/main.yml

@@ -292,7 +292,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
       - name: Install cosign
         run: go install github.com/sigstore/cosign/v2/cmd/cosign@v2.2.4
 
@@ -371,7 +371,7 @@ jobs:
           kubectl create ns ${{ env.TEST_NAMESPACE }}
           kubectl create secret generic redhat-registry -n ${{ env.TEST_NAMESPACE }} --from-file=.dockerconfigjson=/tmp/config.json --type=kubernetes.io/dockerconfigjson
           kubectl patch serviceaccount default  --type=merge -p '{"imagePullSecrets": [{"name":"redhat-registry"}]}' -n ${{ env.TEST_NAMESPACE }}
-          for NAME in "fulcio" "ctlog" "trillian" "rekor" "tuf"
+          for NAME in "fulcio" "ctlog" "trillian" "rekor" "tuf" "tsa"
           do
             echo """
             apiVersion: v1
@@ -400,7 +400,7 @@ jobs:
 
       - name: Until shell script to wait for deployment to be created
         run: |
-          for i in trillian fulcio rekor tuf ctlog; do
+          for i in trillian fulcio rekor tuf ctlog timestampAuthority; do
             until [ ! -z "$(kubectl get $i -n ${{ env.TEST_NAMESPACE }} 2>/dev/null)" ]
             do
               echo "Waiting for $i to be created."
@@ -416,6 +416,7 @@ jobs:
           kubectl wait --for=condition=ready rekor/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
           kubectl wait --for=condition=ready ctlog/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
           kubectl wait --for=condition=ready tuf/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
+          kubectl wait --for=condition=ready timestampAuthority/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
 
       - name: Test deployments are ready
         run: |
@@ -428,6 +429,7 @@ jobs:
           kubectl wait --for=condition=available deployment/rekor-search-ui -n ${{ env.TEST_NAMESPACE }}
           kubectl wait --for=condition=available deployment/tuf -n ${{ env.TEST_NAMESPACE }}
           kubectl wait --for=condition=available deployment/ctlog -n ${{ env.TEST_NAMESPACE }}
+          kubectl wait --for=condition=available deployment/tsa-server -n ${{ env.TEST_NAMESPACE }}
 
       - name: Archive test artifacts
         uses: actions/upload-artifact@v4

api/v1alpha1/timestampauthority_types.go

@@ -111,7 +111,7 @@ type KMS struct {
 	//KMS key for signing timestamp responses. Valid options include: [gcpkms://resource, azurekms://resource, hashivault://resource, awskms://resource]
 	//+required
 	KeyResource string `json:"keyResource,omitempty"`
-	//Configuration for authentication for key managment services
+	//Configuration for authentication for key management services
 	//+optional
 	Auth *Auth `json:"auth,omitempty"`
 }
@@ -124,7 +124,7 @@ type Tink struct {
 	//+required
 	//Path to KMS-encrypted keyset for Tink, decrypted by TinkKeyResource
 	KeysetRef *SecretKeySelector `json:"keysetRef,omitempty"`
-	// Configuration for authentication for key managment services
+	// Configuration for authentication for key management services
 	//+optional
 	Auth *Auth `json:"auth,omitempty"`
 }
@@ -182,6 +182,8 @@ type TimestampAuthorityStatus struct {
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
+//+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`,description="The component status"
+//+kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.status.url`,description="The component url"
 
 // TimestampAuthority is the Schema for the timestampauthorities API
 type TimestampAuthority struct {

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -1098,7 +1098,7 @@ spec:
                         properties:
                           auth:
                             description: Configuration for authentication for key
-                              managment services
+                              management services
                             properties:
                               env:
                                 description: Environmental variables used to define
@@ -1254,7 +1254,7 @@ spec:
                         properties:
                           auth:
                             description: Configuration for authentication for key
-                              managment services
+                              management services
                             properties:
                               env:
                                 description: Environmental variables used to define

bundle/manifests/rhtas.redhat.com_timestampauthorities.yaml

@@ -14,7 +14,16 @@ spec:
     singular: timestampauthority
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: The component status
+      jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Status
+      type: string
+    - description: The component url
+      jsonPath: .status.url
+      name: URL
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: TimestampAuthority is the Schema for the timestampauthorities
@@ -378,7 +387,7 @@ spec:
                     description: Configuration for KMS based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -530,7 +539,7 @@ spec:
                     description: Configuration for Tink based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -1106,7 +1115,7 @@ spec:
                     description: Configuration for KMS based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -1258,7 +1267,7 @@ spec:
                     description: Configuration for Tink based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:

cmd/main.go

@@ -241,8 +241,9 @@ func main() {
 		os.Exit(1)
 	}
 	if err = (&tsa.TimestampAuthorityReconciler{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
+		Client:   mgr.GetClient(),
+		Scheme:   mgr.GetScheme(),
+		Recorder: mgr.GetEventRecorderFor("tsa-controller"),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "TimestampAuthority")
 		os.Exit(1)

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -1098,7 +1098,7 @@ spec:
                         properties:
                           auth:
                             description: Configuration for authentication for key
-                              managment services
+                              management services
                             properties:
                               env:
                                 description: Environmental variables used to define
@@ -1254,7 +1254,7 @@ spec:
                         properties:
                           auth:
                             description: Configuration for authentication for key
-                              managment services
+                              management services
                             properties:
                               env:
                                 description: Environmental variables used to define

config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml

@@ -14,7 +14,16 @@ spec:
     singular: timestampauthority
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: The component status
+      jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Status
+      type: string
+    - description: The component url
+      jsonPath: .status.url
+      name: URL
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: TimestampAuthority is the Schema for the timestampauthorities
@@ -378,7 +387,7 @@ spec:
                     description: Configuration for KMS based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -530,7 +539,7 @@ spec:
                     description: Configuration for Tink based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -1106,7 +1115,7 @@ spec:
                     description: Configuration for KMS based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:
@@ -1258,7 +1267,7 @@ spec:
                     description: Configuration for Tink based signer
                     properties:
                       auth:
-                        description: Configuration for authentication for key managment
+                        description: Configuration for authentication for key management
                           services
                         properties:
                           env:

go.mod

@@ -78,6 +78,8 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect
 	golang.org/x/mod v0.15.0 // indirect

go.sum

@@ -157,8 +157,8 @@ go.opentelemetry.io/otel v1.23.0 h1:Df0pqjqExIywbMCMTxkAwzjLZtRf+bBKLbUcpxO2C9E=
 go.opentelemetry.io/otel v1.23.0/go.mod h1:YCycw9ZeKhcJFrb34iVSkyT0iczq/zYDtZYFufObyB0=
 go.opentelemetry.io/otel/trace v1.23.0 h1:37Ik5Ib7xfYVb4V1UtnT97T1jI+AoIYkJyPkuL4iJgI=
 go.opentelemetry.io/otel/trace v1.23.0/go.mod h1:GSGTbIClEsuZrGIzoEHqsVfxgn5UkggkflQwDScNUsk=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
-go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=

internal/controller/common/utils/kubernetes/config_map.go

@@ -35,17 +35,6 @@ func CreateImmutableConfigmap(namePrefix string, namespace string, labels map[st
 	}
 }
 
-func CreateConfigMap(namePrefix string, namespace string, labels map[string]string, data map[string]string) *corev1.ConfigMap {
-	return &corev1.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: namePrefix,
-			Namespace:    namespace,
-			Labels:       labels,
-		},
-		Data: data,
-	}
-}
-
 func GetConfigMap(ctx context.Context, client client.Client, namespace, secretName string) (*corev1.ConfigMap, error) {
 	var cm corev1.ConfigMap
 

internal/controller/constants/images.go

@@ -19,8 +19,10 @@ var (
 
 	CTLogImage = "registry.redhat.io/rhtas/certificate-transparency-rhel9@sha256:a0c7d71fc8f4cb7530169a6b54dc3a67215c4058a45f84b87bb04fc62e6e8141"
 
-	ClientServerImage    = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee"
-	ClientServerImage_cg = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:987c630213065a6339b2b2582138f7b921473b86dfe82e91a002f08386a899ed"
-	ClientServerImage_re = "registry.redhat.io/rhtas/client-server-re-rhel9@sha256:dc4667af49ce6cc70d70bf83cab9d7a14b424d8ae1aae7e4863ff5c4ac769a96"
-	SegmentBackupImage   = "registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:3fcf8f14a0cfdd36f9ec263f83ba1597f892e6fa923d3d61bacbc467af643c9d"
+	ClientServerImage       = "registry.access.redhat.com/ubi9/httpd-24@sha256:7874b82335a80269dcf99e5983c2330876f5fe8bdc33dc6aa4374958a2ffaaee"
+	ClientServerImage_cg    = "registry.redhat.io/rhtas/client-server-cg-rhel9@sha256:987c630213065a6339b2b2582138f7b921473b86dfe82e91a002f08386a899ed"
+	ClientServerImage_re    = "registry.redhat.io/rhtas/client-server-re-rhel9@sha256:dc4667af49ce6cc70d70bf83cab9d7a14b424d8ae1aae7e4863ff5c4ac769a96"
+	ClientServerImage_f     = "registry.redhat.io/rhtas/client-server-f-rhel9@sha256:65fb59c8f631215d9752fc4f41571eb2750ecaaa8555083f58baa6982e97d192"
+	SegmentBackupImage      = "registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:3fcf8f14a0cfdd36f9ec263f83ba1597f892e6fa923d3d61bacbc467af643c9d"
+	TimestampAuthorityImage = "registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:3fba2f8cd09548d2bd2dfff938529952999cb28ff5b7ea42c1c5e722b8eb827f"
 )

internal/controller/constants/labels.go

@@ -1,5 +1,17 @@
 package constants
 
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
 const (
 	LabelNamespace = "rhtas.redhat.com"
 )
@@ -26,3 +38,27 @@ func LabelsRHTAS() map[string]string {
 		"app.kubernetes.io/managed-by": "controller-manager",
 	}
 }
+
+func RemoveLabel(ctx context.Context, object *metav1.PartialObjectMetadata, c client.Client, label string) error {
+	object.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   "",
+		Version: "v1",
+		Kind:    "Secret",
+	})
+	patch, err := json.Marshal([]map[string]string{
+		{
+			"op":   "remove",
+			"path": fmt.Sprintf("/metadata/labels/%s", strings.ReplaceAll(label, "/", "~1")),
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("failed to marshal patch: %v", err)
+	}
+
+	err = c.Patch(ctx, object, client.RawPatch(types.JSONPatchType, patch))
+	if err != nil {
+		return fmt.Errorf("unable to remove '%s' label from secret: %w", label, err)
+	}
+
+	return nil
+}

internal/controller/rekor/actions/server/resolve_pub_key.go

@@ -3,12 +3,10 @@ package server
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strconv"
-	"strings"
 
 	"k8s.io/utils/ptr"
 
@@ -22,8 +20,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -98,7 +94,7 @@ func (i resolvePubKeyAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		}
 
 		// Remove label from secret
-		if err = i.removeLabel(ctx, &secret); err != nil {
+		if err = constants.RemoveLabel(ctx, &secret, i.Client, RekorPubLabel); err != nil {
 			return i.Failed(fmt.Errorf("ResolvePubKey: %w", err))
 		}
 
@@ -177,27 +173,3 @@ func (i resolvePubKeyAction) requestPublicKey(basePath string) ([]byte, error) {
 	}
 	return nil, fmt.Errorf("unexpected http response %s", response.Status)
 }
-
-func (i resolvePubKeyAction) removeLabel(ctx context.Context, object *metav1.PartialObjectMetadata) error {
-	object.SetGroupVersionKind(schema.GroupVersionKind{
-		Group:   "",
-		Version: "v1",
-		Kind:    "Secret",
-	})
-	patch, err := json.Marshal([]map[string]string{
-		{
-			"op":   "remove",
-			"path": fmt.Sprintf("/metadata/labels/%s", strings.ReplaceAll(RekorPubLabel, "/", "~1")),
-		},
-	})
-	if err != nil {
-		return fmt.Errorf("failed to marshal patch: %v", err)
-	}
-
-	err = i.Client.Patch(ctx, object, client.RawPatch(types.JSONPatchType, patch))
-	if err != nil {
-		return fmt.Errorf("unable to remove '%s' label from secret: %w", RekorPubLabel, err)
-	}
-
-	return nil
-}