Updates to use the latest Rekor Monitor

Author: fghanmi

api/v1alpha1/common.go

@@ -43,6 +43,9 @@ type MonitoringWithTLogConfig struct {
 	// Configuration for Rekor transparency log monitoring
 	//+optional
 	TLog TlogMonitoring `json:"tlog"`
+	// TUF service configuration
+	//+optional
+	Tuf TufService `json:"tuf,omitempty"`
 }
 
 // TrillianService configuration to connect Trillian server
@@ -58,6 +61,18 @@ type TrillianService struct {
 	Port *int32 `json:"port,omitempty"`
 }
 
+// TufService configuration to connect TUF server
+type TufService struct {
+	// Address to TUF Server End point
+	//+optional
+	Address string `json:"address,omitempty"`
+	// Port of TUF Server End point
+	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Maximum:=65535
+	//+optional
+	Port *int32 `json:"port,omitempty"`
+}
+
 // CtlogService configuration to connect Ctlog server
 type CtlogService struct {
 	// Address to Ctlog Log Server End point

api/v1alpha1/zz_generated.deepcopy.go

@@ -1281,6 +1281,19 @@ spec:
                     required:
                     - enabled
                     type: object
+                  tuf:
+                    description: TUF service configuration
+                    properties:
+                      address:
+                        description: Address to TUF Server End point
+                        type: string
+                      port:
+                        description: Port of TUF Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 required:
                 - enabled
                 type: object

config/crd/bases/rhtas.redhat.com_rekors.yaml

@@ -3894,6 +3894,19 @@ spec:
                         required:
                         - enabled
                         type: object
+                      tuf:
+                        description: TUF service configuration
+                        properties:
+                          address:
+                            description: Address to TUF Server End point
+                            type: string
+                          port:
+                            description: Port of TUF Server End point
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        type: object
                     required:
                     - enabled
                     type: object

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -13,4 +13,4 @@ RELATED_IMAGE_CTLOG=registry.redhat.io/rhtas/certificate-transparency-rhel9@sha2
 RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:8536169e5537fe6c330eba814248abdcf39cdd8f7e7336034d74e6fda9544050
 RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9
 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332
-RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:1944eff9f103d84380b9efac6adec9cb22613643968e51f07db58df977b6b982
+RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:b7f9f8b24fe7db4e124f9e5e9289bc2d180a810e253f48feb7e1177bbef6d4d0

config/default/images.env

@@ -75,8 +75,17 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
+<<<<<<< HEAD
 	github.com/prometheus/common v0.67.3 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
+=======
+	github.com/prometheus/common v0.67.1 // indirect
+<<<<<<< HEAD
+	github.com/prometheus/procfs v0.17.0 // indirect
+>>>>>>> a51ad306 (create TUF PVC configMap and use it in Rekor monitor statefulSet)
+=======
+	github.com/prometheus/procfs v0.19.1 // indirect
+>>>>>>> 4acadffb (add missing changes)
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/vbatts/tar-split v0.12.2 // indirect

go.mod

@@ -127,10 +127,22 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+<<<<<<< HEAD
+<<<<<<< HEAD
 github.com/openshift/api v0.0.0-20251119073004-138912d4ee99 h1:VGkPn3iO7ZapVYtUd7Lj1tE2ZwRfOOUVFzoA/sWlWDc=
 github.com/openshift/api v0.0.0-20251119073004-138912d4ee99/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/operator-framework/api v0.36.0 h1:6+duRhamCvB540JbvNp/1+Pot7luff7HqdAOm9bAntg=
 github.com/operator-framework/api v0.36.0/go.mod h1:QSmHMx8XpGsNWvjU5CUelVZC916VLp/TZhfYvGKpghM=
+=======
+github.com/openshift/api v0.0.0-20251016080153-44baf885fd37 h1:LuZb5xyKz8PZXqV80NOLfda9DDLdax/XNjqc2pL4Efg=
+github.com/openshift/api v0.0.0-20251016080153-44baf885fd37/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+=======
+github.com/openshift/api v0.0.0-20251023193535-8691c3014652 h1:iFo7XEz9/q6qxZey/MCCBTqCC88DXbtUz7mUWtGkQzg=
+github.com/openshift/api v0.0.0-20251023193535-8691c3014652/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+>>>>>>> 4acadffb (add missing changes)
+github.com/operator-framework/api v0.35.0 h1:xKrffuGEagk3CWy6zqdK5YmIErlBtWUblNNK+q7ld7c=
+github.com/operator-framework/api v0.35.0/go.mod h1:A9UNu/pdcO1RauMHvV54unp4DNm/Y5fMVbGDpnIIF+M=
+>>>>>>> a51ad306 (create TUF PVC configMap and use it in Rekor monitor statefulSet)
 github.com/operator-framework/operator-lib v0.19.0 h1:az6ogYj21rtU0SF9uYctRLyKp2dtlqTsmpfehFy6Ce8=
 github.com/operator-framework/operator-lib v0.19.0/go.mod h1:KxycAjFnHt0DBtHmH3Jm7yHcY5sdrshPKTqM/HKAQ08=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -144,10 +156,22 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+<<<<<<< HEAD
 github.com/prometheus/common v0.67.3 h1:shd26MlnwTw5jksTDhC7rTQIteBxy+ZZDr3t7F2xN2Q=
 github.com/prometheus/common v0.67.3/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
 github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
 github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+=======
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
+<<<<<<< HEAD
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
+>>>>>>> a51ad306 (create TUF PVC configMap and use it in Rekor monitor statefulSet)
+=======
+github.com/prometheus/procfs v0.19.1 h1:QVtROpTkphuXuNlnCv3m1ut3JytkXHtQ3xvck/YmzMM=
+github.com/prometheus/procfs v0.19.1/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+>>>>>>> 4acadffb (add missing changes)
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=

go.sum

@@ -8,6 +8,7 @@ import (
 
 	"github.com/securesign/operator/internal/images"
 
+	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/controller/rekor/actions"
@@ -21,11 +22,13 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 )
 
-const storageVolumeName = "monitor-storage"
+const (
+	storageVolumeName = "monitor-storage"
+	tufRepoVolumeName = "tuf-repository"
+	mountPath         = "/data"
+)
 
 func NewStatefulSetAction() action.Action[*rhtasv1alpha1.Rekor] {
 	return &statefulSetAction{}
@@ -50,6 +53,7 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 		result controllerutil.OperationResult
 	)
 
+	tufServerHost := i.resolveTufUrl(instance)
 	rekorServerHost := fmt.Sprintf("http://%s.%s.svc", actions.ServerComponentName, instance.Namespace)
 
 	labels := labels.For(actions.MonitorComponentName, actions.MonitorStatefulSetName, instance.Name)
@@ -60,8 +64,8 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 				Namespace: instance.Namespace,
 			},
 		},
-		i.ensureMonitorStatefulSet(instance, actions.RBACName, labels, rekorServerHost),
-		i.ensureInitContainer(rekorServerHost),
+		i.ensureMonitorStatefulSet(instance, actions.RBACName, labels, rekorServerHost, tufServerHost),
+		i.ensureInitContainer(rekorServerHost, tufServerHost),
 		ensure.ControllerReference[*v1.StatefulSet](instance, i.Client),
 		ensure.Labels[*v1.StatefulSet](slices.Collect(maps.Keys(labels)), labels),
 		func(object *v1.StatefulSet) error {
@@ -90,7 +94,18 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 	return i.Continue()
 }
 
-func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Rekor, sa string, labels map[string]string, rekorServerHost string) func(*v1.StatefulSet) error {
+func (i statefulSetAction) resolveTufUrl(instance *rhtasv1alpha1.Rekor) string {
+	if instance.Spec.Monitoring.Tuf.Address != "" {
+		url := instance.Spec.Monitoring.Tuf.Address
+		if instance.Spec.Monitoring.Tuf.Port != nil {
+			url = fmt.Sprintf("%s:%d", url, *instance.Spec.Monitoring.Tuf.Port)
+		}
+		return url
+	}
+	return fmt.Sprintf("http://tuf.%s.svc", instance.Namespace)
+}
+
+func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Rekor, sa string, labels map[string]string, rekorServerHost string, tufServerHost string) func(*v1.StatefulSet) error {
 	return func(ss *v1.StatefulSet) error {
 
 		spec := &ss.Spec
@@ -110,7 +125,9 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 		container.Command = []string{
 			"/bin/sh",
 			"-c",
-			fmt.Sprintf(`/rekor_monitor --file=/data/checkpoint_log.txt --once=false --interval=%s --url=%s`, interval.String(), rekorServerHost),
+			fmt.Sprintf(
+				`/rekor_monitor --file=/data/checkpoint_log.txt --once=false --interval=%s --url=%s --tuf-repository=%s --tuf-root-path="%s/root.json"`,
+				interval.String(), rekorServerHost, tufServerHost, mountPath),
 		}
 
 		container.Ports = []core.ContainerPort{
@@ -120,9 +137,15 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 				Protocol:      core.ProtocolTCP,
 			},
 		}
+		container.Env = []core.EnvVar{
+			{
+				Name:  "HOME",
+				Value: mountPath,
+			},
+		}
 
 		volumeMount := kubernetes.FindVolumeMountByNameOrCreate(container, storageVolumeName)
-		volumeMount.MountPath = "/data"
+		volumeMount.MountPath = mountPath
 
 		spec.VolumeClaimTemplates = []core.PersistentVolumeClaim{
 			{
@@ -141,19 +164,35 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 				},
 			},
 		}
+
 		return nil
 	}
 }
 
-func (i statefulSetAction) ensureInitContainer(rekorServerHost string) func(*v1.StatefulSet) error {
+func (i statefulSetAction) ensureInitContainer(rekorServerHost string, tufHost string) func(*v1.StatefulSet) error {
 	return func(ss *v1.StatefulSet) error {
-		initContainer := kubernetes.FindInitContainerByNameOrCreate(&ss.Spec.Template.Spec, "wait-for-rekor-server")
+		initContainer := kubernetes.FindInitContainerByNameOrCreate(&ss.Spec.Template.Spec, "tuf-init")
 		initContainer.Image = images.Registry.Get(images.RekorMonitor)
-
+		volumeMount := kubernetes.FindVolumeMountByNameOrCreate(initContainer, storageVolumeName)
+		volumeMount.MountPath = mountPath
 		initContainer.Command = []string{
 			"/bin/sh",
 			"-c",
-			fmt.Sprintf(`until curl -sf %s > /dev/null 2>&1; do echo 'Waiting for rekor-server to be ready...'; sleep 5; done`, rekorServerHost),
+			fmt.Sprintf(`
+                echo "Waiting for rekor-server...";
+                until curl -sf %s > /dev/null 2>&1; do
+                    echo "rekor-server not ready...";
+                    sleep 5;
+                done;
+                echo "Waiting for TUF server...";
+                until curl %s > /dev/null 2>&1; do
+                    echo "TUF server not ready...";
+                    sleep 5;
+                done;
+                echo "Downloading root.json";
+                curl %s/root.json > %s/root.json
+                echo "tuf-init completed."
+            `, rekorServerHost, tufHost, tufHost, mountPath),
 		}
 
 		return nil

internal/controller/rekor/actions/monitor/statefulset.go

@@ -254,8 +254,8 @@ var _ = Describe("Rekor Monitor Log", Ordered, func() {
 				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(strings.Contains(logContent, "Root hash consistency verified")).To(BeFalse(),
 					fmt.Sprintf("Expected 'Root hash consistency verified' NOT to be in logs, but got: %s", logContent))
-				g.Expect(strings.Contains(logContent, "empty log")).To(BeTrue(),
-					fmt.Sprintf("Expected 'empty log' to be in logs, but got: %s", logContent))
+				g.Expect(strings.Contains(logContent, "skipping write of checkpoint: size is 0")).To(BeTrue(),
+					fmt.Sprintf("Expected 'skipping write of checkpoint: size is 0' to be in logs, but got: %s", logContent))
 			}, 30*time.Second, 1*time.Second).Should(Succeed(),
 				"Monitor log should be empty and not contain root hash consistency verification")
 		})