[SECURESIGN-994] Enable TLS on secureSign components: mount certificates/keys

[fghanmi]

• Please do not merge, work in progress.

Depends on open issues:

• Add option to enable TLS for communication with CTlog sigstore/fulcio#1717
• Add option to enable TLS Security for CTLog server google/certificate-transparency-go#1522
• Add option to enable TLS for communication with Trillian google/certificate-transparency-go#1524
• Add option to enable TLS for communication with Trillian sigstore/rekor#2163

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fghanmi
Once this PR has been reviewed and has the lgtm label, please assign sallyom for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@fghanmi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/tas-operator-e2e	c06886f	link	true	/test tas-operator-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[osmman]

I have a few comments on this PR. First, I recommend dividing the PR into separate components. Please test each component to see if it can use TLS, because it looks like some of them are unable to do that. If a component cannot use TLS, it is unnecessary to modify the operator for that component. Additionally, please create unit and end-to-end tests.

[osmman]

Suggested change

	TLSCertificate TLSCert `json:"tlsCertificate"`
	TLSCertificate TLSCert `json:"tls"`

[osmman]

Suggested change

	TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`
	TLSCertificate *TLSCert `json:"tls,omitempty"`

[osmman]

Suggested change

	TLSCertificate TLSCert `json:"tlsCertificate"`
	TLSCertificate TLSCert `json:"tls"`

[osmman]

Suggested change

	TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`
	TLSCertificate *TLSCert `json:"tls,omitempty"`

[osmman]

Suggested change

	TLSCertificate TLSCert `json:"tlsCertificate"`
	TLSCertificate TLSCert `json:"tls"`

[osmman]

Suggested change

	TLSCertificate TLSCert `json:"tlsCertificate"`
	TLSCertificate TLSCert `json:"tls"`

[osmman]

Where did you find these options? There is no option to configure TLSConfig in ct_server application

https://github.com/securesign/certificate-transparency-go/blob/main/trillian/ctfe/ct_server/main.go#L309

[fghanmi]

This PR won't be merged until the issues on upstreams are solved (mentioned here)
I've prepared 4 PRs to enable TLS on CTLog, rekor, fulcio
tls-certificate option is here: https://github.com/google/certificate-transparency-go/pull/1523/files#diff-7a183747e4fb8d227a2b6b60050cbab942013815105b231c7dedf4d0e9fbabbbR61

[osmman]

Where did you find this option on Fulcio? I unable to find any reference in it's source code.

[fghanmi]

same, still on PR
https://github.com/sigstore/fulcio/pull/1718/files#diff-1627906dbce532aff8cc81f54790572e5ba04f3e568c88b6ed39a590642dafa4R112

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.