feat: add option to set custom CTlog server's config

securesign · Aug 8, 2024 · 4ecbc2f · 4ecbc2f
1 parent e3643bb
commit 4ecbc2f
Show file tree

Hide file tree

Showing 14 changed files with 454 additions and 18 deletions.
diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go
@@ -42,6 +42,12 @@ type CTlogSpec struct {
 	// Trillian service configuration
 	//+kubebuilder:default:={port: 8091}
 	Trillian TrillianService `json:"trillian,omitempty"`
+
+	// Secret holding Certificate Transparency server config in text proto format
+	// If it is set then any setting of treeID, privateKeyRef, privateKeyPasswordRef,
+	// publicKeyRef, rootCertificates and trillian will be overridden.
+	//+optional
+	ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
 }
 
 // CTlogStatus defines the observed state of CTlog component

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-08-07T14:15:11Z"
+    createdAt: "2024-08-08T17:23:21Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

diff --git a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml
@@ -137,6 +137,21 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 type: array
+              serverConfigRef:
+                description: |-
+                  Secret holding Certificate Transparency server config in text proto format
+                  If it is set then any setting of treeID, privateKeyRef, privateKeyPasswordRef,
+                  publicKeyRef, rootCertificates and trillian will be overridden.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
               treeID:
                 description: |-
                   The ID of a Trillian tree that stores the log data.

diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -153,6 +153,21 @@ spec:
                       type: object
                       x-kubernetes-map-type: atomic
                     type: array
+                  serverConfigRef:
+                    description: |-
+                      Secret holding Certificate Transparency server config in text proto format
+                      If it is set then any setting of treeID, privateKeyRef, privateKeyPasswordRef,
+                      publicKeyRef, rootCertificates and trillian will be overridden.
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
                   treeID:
                     description: |-
                       The ID of a Trillian tree that stores the log data.

diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml
@@ -137,6 +137,21 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 type: array
+              serverConfigRef:
+                description: |-
+                  Secret holding Certificate Transparency server config in text proto format
+                  If it is set then any setting of treeID, privateKeyRef, privateKeyPasswordRef,
+                  publicKeyRef, rootCertificates and trillian will be overridden.
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
               treeID:
                 description: |-
                   The ID of a Trillian tree that stores the log data.

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -153,6 +153,21 @@ spec:
                       type: object
                       x-kubernetes-map-type: atomic
                     type: array
+                  serverConfigRef:
+                    description: |-
+                      Secret holding Certificate Transparency server config in text proto format
+                      If it is set then any setting of treeID, privateKeyRef, privateKeyPasswordRef,
+                      publicKeyRef, rootCertificates and trillian will be overridden.
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
                   treeID:
                     description: |-
                       The ID of a Trillian tree that stores the log data.

diff --git a/internal/controller/ctlog/actions/constants.go b/internal/controller/ctlog/actions/constants.go
@@ -1,5 +1,7 @@
 package actions
 
+import "github.com/securesign/operator/internal/controller/constants"
+
 const (
 	DeploymentName     = "ctlog"
 	ComponentName      = "ctlog"
@@ -13,4 +15,6 @@ const (
 	MetricsPortName  = "metrics"
 	MetricsPort      = 6963
 	ServerCondition  = "ServerAvailable"
+
+	CTLPubLabel = constants.LabelNamespace + "/ctfe.pub"
 )
diff --git a/.../controller/ctlog/actions/serverConfig.go → ...controller/ctlog/actions/server_config.go b/.../controller/ctlog/actions/serverConfig.go → ...controller/ctlog/actions/server_config.go
@@ -2,7 +2,6 @@ package actions
 
 import (
 	"context"
-	"errors"
 	"fmt"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
@@ -12,15 +11,12 @@ import (
 	ctlogUtils "github.com/securesign/operator/internal/controller/ctlog/utils"
 	trillian "github.com/securesign/operator/internal/controller/trillian/actions"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-const (
-	CTLPubLabel = constants.LabelNamespace + "/ctfe.pub"
-)
-
 func NewServerConfigAction() action.Action[*rhtasv1alpha1.CTlog] {
 	return &serverConfig{}
 }
@@ -30,47 +26,66 @@ type serverConfig struct {
 }
 
 func (i serverConfig) Name() string {
-	return "create server config"
+	return "server config"
 }
 
 func (i serverConfig) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	return c.Reason == constants.Creating && instance.Status.ServerConfigRef == nil
+
+	switch {
+	case c == nil:
+		return false
+	case c.Reason != constants.Creating && c.Reason != constants.Ready:
+		return false
+	case instance.Status.ServerConfigRef == nil:
+		return true
+	case instance.Spec.ServerConfigRef != nil:
+		return !equality.Semantic.DeepEqual(instance.Spec.ServerConfigRef, instance.Status.ServerConfigRef)
+	default:
+		return false
+	}
 }
 
 func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {
 	var (
 		err error
 	)
+
+	if instance.Spec.ServerConfigRef != nil {
+		instance.Status.ServerConfigRef = instance.Spec.ServerConfigRef
+		i.Recorder.Event(instance, corev1.EventTypeNormal, "CTLogConfigUpdated", "CTLog config updated")
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{Type: constants.Ready,
+			Status: metav1.ConditionFalse, Reason: constants.Creating, Message: "CTLog config updated"})
+		return i.StatusUpdate(ctx, instance)
+	}
+
 	switch {
 	case instance.Status.TreeID == nil:
-		return i.Failed(errors.New("reference to Trillian TreeID not set"))
+		return i.Failed(fmt.Errorf("%s: %v", i.Name(), ctlogUtils.TreeNotSpecified))
 	case instance.Status.PrivateKeyRef == nil:
-		return i.Failed(errors.New("status reference to private key not set"))
+		return i.Failed(fmt.Errorf("%s: %v", i.Name(), ctlogUtils.PrivateKeyNotSpecified))
+	case instance.Spec.Trillian.Port == nil:
+		return i.Failed(fmt.Errorf("%s: %v", i.Name(), ctlogUtils.TrillianPortNotSpecified))
 	case instance.Spec.Trillian.Address == "":
 		instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace)
 	}
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
-	//trillUrl, err := utils.GetInternalUrl(ctx, i.Client, instance.Namespace, trillian.LogserverDeploymentName)
 	trillianService := instance.DeepCopy().Spec.Trillian
+
+	rootCerts, err := i.handleRootCertificates(instance)
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    constants.Ready,
 			Status:  metav1.ConditionFalse,
 			Reason:  constants.Creating,
-			Message: "Waiting for Trillian logserver",
+			Message: fmt.Sprintf("Waiting for Fulcio root certificate: %v", err.Error()),
 		})
 		i.StatusUpdate(ctx, instance)
 		return i.Requeue()
 	}
 
-	rootCerts, err := i.handleRootCertificates(instance)
-	if err != nil {
-		return i.Failed(err)
-	}
-
 	certConfig, err := i.handlePrivateKey(instance)
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
@@ -120,6 +135,9 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 }
 
 func (i serverConfig) handlePrivateKey(instance *rhtasv1alpha1.CTlog) (*ctlogUtils.PrivateKeyConfig, error) {
+	if instance == nil {
+		return nil, nil
+	}
 	private, err := utils.GetSecretData(i.Client, instance.Namespace, instance.Status.PrivateKeyRef)
 	if err != nil {
 		return nil, err
@@ -146,7 +164,7 @@ func (i serverConfig) handleRootCertificates(instance *rhtasv1alpha1.CTlog) ([]c
 	for _, selector := range instance.Status.RootCertificates {
 		data, err := utils.GetSecretData(i.Client, instance.Namespace, &selector)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("%s/%s: %w", selector.Name, selector.Key, err)
 		}
 		certs = append(certs, data)
 	}