feat: add support for image pull secrets for all components

Signed-off-by: Kevin Conner <kev.conner@gmail.com>

Author: knrc

.crdify.yaml

@@ -0,0 +1,3 @@
+validations:
+  - name: description
+    enforcement: None

.github/workflows/linter.yml

@@ -31,27 +31,27 @@ jobs:
           go-version-file: 'go.mod'
       - name: Install crdifi
         run: |
-          go install sigs.k8s.io/crdify@v0.4.0
+          go install sigs.k8s.io/crdify@v0.5.0
       - name: Compare CTlog CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml"
       - name: Compare Fulcio CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml"
       - name: Compare Rekor CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml"
       - name: Compare TSA CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml"
       - name: Compare Trillian CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml"
       - name: Compare TUF CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml"
       - name: Compare Securesign CRD
         run: |
-          crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml"
+          crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml"
 
 

api/v1alpha1/common.go

@@ -159,3 +159,9 @@ type PodRequirements struct {
 	Resources   *core.ResourceRequirements `json:"resources,omitempty"`
 	Tolerations []core.Toleration          `json:"tolerations,omitempty"`
 }
+
+type ServiceAccountRequirements struct {
+	// ImagePullSecrets is an optional list of references to secrets for pulling container images.
+	//+optional
+	ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+}

api/v1alpha1/ctlog_types.go

@@ -58,6 +58,8 @@ type CTlogSpec struct {
 	//+kubebuilder:default:=153600
 	//+optional
 	MaxCertChainSize *int64 `json:"maxCertChainSize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // CTlogStatus defines the observed state of CTlog component

api/v1alpha1/fulcio_types.go

@@ -33,6 +33,8 @@ type FulcioSpec struct {
 	// ConfigMap with additional bundle of trusted CA
 	//+optional
 	TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // FulcioCert defines fields for system-generated certificate

api/v1alpha1/rekor_types.go

@@ -58,6 +58,8 @@ type RekorSpec struct {
 	//+kubebuilder:default:=10485760
 	//+optional
 	MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // RekorAttestations defines the configuration for storing attestations.

api/v1alpha1/securesign_types.go

@@ -24,7 +24,8 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-// SecuresignSpec defines the desired state of Securesign
+// SecuresignSpec defines the desired state of Securesign.
+// Service account settings defined at this level (such as imagePullSecrets) are inherited by all components.
 // +kubebuilder:validation:XValidation:rule="(has(self.rekor.attestations.enabled) && !self.rekor.attestations.enabled) || !self.rekor.attestations.url.startsWith('file://') || (!(self.rekor.replicas > 1) || ('ReadWriteMany' in self.rekor.pvc.accessModes))",message="When Rekor's rich attestation storage is enabled, and it's URL starts with 'file://', then PVC accessModes must contain 'ReadWriteMany' for replicas greater than 1."
 // +kubebuilder:validation:XValidation:rule="!(self.tuf.replicas > 1) || ('ReadWriteMany' in self.tuf.pvc.accessModes)",message="For TUF deployments with more than 1 replica, tuf.pvc.accessModes must include 'ReadWriteMany'."
 type SecuresignSpec struct {
@@ -35,6 +36,8 @@ type SecuresignSpec struct {
 	Tuf                TufSpec                 `json:"tuf,omitempty"`
 	Ctlog              CTlogSpec               `json:"ctlog,omitempty"`
 	TimestampAuthority *TimestampAuthoritySpec `json:"tsa,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // SecuresignStatus defines the observed state of Securesign

api/v1alpha1/timestampauthority_types.go

@@ -42,6 +42,8 @@ type TimestampAuthoritySpec struct {
 	//+kubebuilder:default:=1048576
 	//+optional
 	MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // TimestampAuthoritySigner defines the desired state of the Timestamp Authority Signer

api/v1alpha1/trillian_types.go

@@ -42,6 +42,8 @@ type TrillianSpec struct {
 	//+kubebuilder:default:=153600
 	//+optional
 	MaxRecvMessageSize *int64 `json:"maxRecvMessageSize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 type trillianService struct {

api/v1alpha1/tuf_types.go

@@ -29,6 +29,8 @@ type TufSpec struct {
 	// You can use ReadWriteOnce accessMode if you don't have suitable storage provider but your deployment will not support HA mode
 	//+kubebuilder:default:={size: "100Mi",retain: true,accessModes: {ReadWriteOnce}}
 	Pvc TufPvc `json:"pvc,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // TufPvc configuration of the persistent storage claim for deployment in the cluster.