updates: Create Tree Jobs, enable TLS on Trillian, Rekor and Ctlog
fghanmi committed Aug 8, 2024
1 parent b616626 commit 3d96c86
Showing 31 changed files with 1,164 additions and 395 deletions.
4 changes: 4 additions & 0 deletions api/v1alpha1/ctlog_types.go
Expand Up @@ -42,6 +42,9 @@ type CTlogSpec struct {
// Trillian service configuration
//+kubebuilder:default:={port: 8091}
Trillian TrillianService `json:"trillian,omitempty"`
// Reference to TLS server certificate, private key and CA certificate
//+optional
TLSCertificate TLSCert `json:"tls"`
}

// CTlogStatus defines the observed state of CTlog component
Expand All @@ -51,6 +54,7 @@ type CTlogStatus struct {
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
TLSCertificate *TLSCert `json:"tls,omitempty"`
// The ID of a Trillian tree that stores the log data.
TreeID *int64 `json:"treeID,omitempty"`
// +listType=map
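Review bot: The new spec field `TLSCertificate TLSCert` tagged `json:"tls"` is a value type without `omitempty`, so a marshalled CTlog always carries a `"tls": {}` object even when nothing was configured, whereas the status field in the second hunk, `TLSCertificate *TLSCert` tagged `json:"tls,omitempty"`, is a pointer that is omitted when nil; the `+optional` marker only keeps `tls` out of the CRD's required list and does not change serialization. If an unset spec.tls is meant to mean "TLS disabled", the two sides should use one shape — `TLSCertificate *TLSCert` with tag `json:"tls,omitempty"` on the spec as well, with the fixture in ctlog_types_test.go then taking `&TLSCert{...}` — or the field comment should state that an empty object is the disabled state; adding only `omitempty` would not help, since encoding/json never omits a non-pointer struct. The status field has no doc comment, so the generated CRD description for status.tls falls back to the type's own comment (`TLSCert defines fields for TLS certificate`); a one-line comment saying what the controller writes there would give the schema a useful description. Both enclosing structs, CTlogSpec and CTlogStatus, begin above their hunks.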
10 changes: 10 additions & 0 deletions api/v1alpha1/ctlog_types_test.go
Expand Up @@ -136,6 +136,16 @@ var _ = Describe("CTlog", func() {
Address: "trillian-system.default.svc",
Port: &port,
},
TLSCertificate: TLSCert{
CertRef: &SecretKeySelector{
Key: "cert",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
PrivateKeyRef: &SecretKeySelector{
Key: "key",
LocalObjectReference: LocalObjectReference{Name: "secret"},
},
},
},
}

6 changes: 6 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


6 changes: 3 additions & 3 deletions bundle/manifests/rhtas-operator.clusterserviceversion.yaml
Expand Up @@ -92,8 +92,8 @@ metadata:
"OIDCIssuers": [
{
"ClientID": "trusted-artifact-signer",
"Issuer": "https://your-oidc-issuer-url",
"IssuerURL": "https://your-oidc-issuer-url",
"Issuer": "https://keycloak-keycloak-system.apps.rosa.iduhn-ah6m6-dk9.o468.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
"IssuerURL": "https://keycloak-keycloak-system.apps.rosa.iduhn-ah6m6-dk9.o468.p3.openshiftapps.com/auth/realms/trusted-artifact-signer",
"Type": "email"
}
]
Expand Down Expand Up @@ -192,7 +192,7 @@ metadata:
]
capabilities: Seamless Upgrades
containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
createdAt: "2024-07-09T08:45:46Z"
createdAt: "2024-08-08T10:01:11Z"
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
features.operators.openshift.io/csi: "false"
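Review bot: The alm-examples OIDC issuer in the first hunk now points at one specific ROSA cluster's Keycloak, `https://keycloak-keycloak-system.apps.rosa.iduhn-ah6m6-dk9.o468.p3.openshiftapps.com/auth/realms/trusted-artifact-signer`, replacing the `https://your-oidc-issuer-url` placeholder on both the `Issuer` and `IssuerURL` lines; this looks like a development environment value picked up when the bundle was regenerated rather than an intended change. Because alm-examples is the sample manifest a user is typically offered at install time, shipping it means anyone who applies the example unmodified extends OIDC trust to an issuer outside their control, and it also publishes an internal cluster hostname in a released artifact. Restore the two lines to `"Issuer": "https://your-oidc-issuer-url"` and `"IssuerURL": "https://your-oidc-issuer-url"` in the sample the bundle is generated from and regenerate; the `createdAt` bump in the second hunk is the expected part of that regeneration.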
111 changes: 111 additions & 0 deletions bundle/manifests/rhtas.redhat.com_ctlogs.yaml
Expand Up @@ -137,6 +137,62 @@ spec:
type: object
x-kubernetes-map-type: atomic
type: array
tls:
description: Reference to TLS server certificate, private key and
CA certificate
properties:
caCertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
Expand Down Expand Up @@ -328,6 +384,61 @@ spec:
- name
type: object
x-kubernetes-map-type: atomic
tls:
description: TLSCert defines fields for TLS certificate
properties:
caCertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
treeID:
description: The ID of a Trillian tree that stores the log data.
format: int64
4 changes: 2 additions & 2 deletions bundle/manifests/rhtas.redhat.com_fulcios.yaml
Expand Up @@ -230,11 +230,11 @@ spec:
description: Address to Ctlog Log Server End point
type: string
port:
default: 80
default: 0
description: Port of Ctlog Log Server End point
format: int32
maximum: 65535
minimum: 1
minimum: 0
type: integer
type: object
externalAccess:
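Review bot: The Ctlog endpoint `port` now defaults to 0 with `minimum: 0` instead of 80 with `minimum: 1`, but its description, `Port of Ctlog Log Server End point`, is unchanged, so the schema now defaults to and accepts a value that is not a usable port without saying what 0 means. If 0 is meant as "not set, let the operator choose" (plausible given the TLS enablement in this commit, but not visible here), the comment on the Go field this schema is generated from should say so — something like `// Port of Ctlog Log Server End point; 0 lets the operator choose the port` — so that it lands in the CRD description; the same hunk appears in rhtas.redhat.com_securesigns.yaml at @@ -367,11 +423,11 @@. Note that a user-supplied `port: 0` together with an explicit `address` now passes admission where it was previously rejected; if that combination is never meaningful, a CEL rule on the parent object such as `!has(self.address) || self.port != 0` would keep it out.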
121 changes: 58 additions & 63 deletions bundle/manifests/rhtas.redhat.com_securesigns.yaml
Expand Up @@ -153,6 +153,62 @@ spec:
type: object
x-kubernetes-map-type: atomic
type: array
tls:
description: Reference to TLS server certificate, private key
and CA certificate
properties:
caCertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
treeID:
description: |-
The ID of a Trillian tree that stores the log data.
Expand Down Expand Up @@ -367,11 +423,11 @@ spec:
description: Address to Ctlog Log Server End point
type: string
port:
default: 80
default: 0
description: Port of Ctlog Log Server End point
format: int32
maximum: 65535
minimum: 1
minimum: 0
type: integer
type: object
externalAccess:
Expand Down Expand Up @@ -844,67 +900,6 @@ spec:
required:
- tls
type: object
signer:
properties:
tls:
description: Secret with TLS server certificate, private key
and CA certificate
properties:
caCertRef:
description: Reference to CA certificate
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
certRef:
description: Reference to service certificate
properties:
key:
description: The key of the secret to select from.
Must be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key
properties:
key:
description: The key of the secret to select from.
Must be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certRef) || has(self.privateKeyRef))
required:
- tls
type: object
type: object
tuf:
default: