Updates to use the latest Rekor Monitor (#1416)

fghanmi · web-flow · commit d0dacfa852fe · 2025-12-01T19:02:43.000+01:00
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -43,6 +43,9 @@ type MonitoringWithTLogConfig struct {
 	// Configuration for Rekor transparency log monitoring
 	//+optional
 	TLog TlogMonitoring `json:"tlog"`
+	// TUF service configuration
+	//+optional
+	Tuf TufService `json:"tuf,omitempty"`
 }
 
 // TrillianService configuration to connect Trillian server
@@ -58,6 +61,18 @@ type TrillianService struct {
 	Port *int32 `json:"port,omitempty"`
 }
 
+// TufService configuration to connect TUF server
+type TufService struct {
+	// Address to TUF Server End point
+	//+optional
+	Address string `json:"address,omitempty"`
+	// Port of TUF Server End point
+	//+kubebuilder:validation:Minimum:=1
+	//+kubebuilder:validation:Maximum:=65535
+	//+optional
+	Port *int32 `json:"port,omitempty"`
+}
+
 // CtlogService configuration to connect Ctlog server
 type CtlogService struct {
 	// Address to Ctlog Log Server End point
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml
@@ -1281,6 +1281,19 @@ spec:
                     required:
                     - enabled
                     type: object
+                  tuf:
+                    description: TUF service configuration
+                    properties:
+                      address:
+                        description: Address to TUF Server End point
+                        type: string
+                      port:
+                        description: Port of TUF Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 required:
                 - enabled
                 type: object
diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -3894,6 +3894,19 @@ spec:
                         required:
                         - enabled
                         type: object
+                      tuf:
+                        description: TUF service configuration
+                        properties:
+                          address:
+                            description: Address to TUF Server End point
+                            type: string
+                          port:
+                            description: Port of TUF Server End point
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        type: object
                     required:
                     - enabled
                     type: object
diff --git a/config/default/images.env b/config/default/images.env
@@ -13,4 +13,4 @@ RELATED_IMAGE_CTLOG=registry.redhat.io/rhtas/certificate-transparency-rhel9@sha2
 RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:8536169e5537fe6c330eba814248abdcf39cdd8f7e7336034d74e6fda9544050
 RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9
 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332
-RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:1944eff9f103d84380b9efac6adec9cb22613643968e51f07db58df977b6b982
+RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:b7f9f8b24fe7db4e124f9e5e9289bc2d180a810e253f48feb7e1177bbef6d4d0
diff --git a/internal/controller/rekor/actions/monitor/statefulset.go b/internal/controller/rekor/actions/monitor/statefulset.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/securesign/operator/internal/images"
 
+	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/controller/rekor/actions"
@@ -21,11 +22,13 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 )
 
-const storageVolumeName = "monitor-storage"
+const (
+	storageVolumeName = "monitor-storage"
+	tufRepoVolumeName = "tuf-repository"
+	mountPath         = "/data"
+)
 
 func NewStatefulSetAction() action.Action[*rhtasv1alpha1.Rekor] {
 	return &statefulSetAction{}
@@ -50,6 +53,7 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 		result controllerutil.OperationResult
 	)
 
+	tufServerHost := i.resolveTufUrl(instance)
 	rekorServerHost := fmt.Sprintf("http://%s.%s.svc", actions.ServerComponentName, instance.Namespace)
 
 	labels := labels.For(actions.MonitorComponentName, actions.MonitorStatefulSetName, instance.Name)
@@ -60,8 +64,8 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 				Namespace: instance.Namespace,
 			},
 		},
-		i.ensureMonitorStatefulSet(instance, actions.RBACName, labels, rekorServerHost),
-		i.ensureInitContainer(rekorServerHost),
+		i.ensureMonitorStatefulSet(instance, actions.RBACName, labels, rekorServerHost, tufServerHost),
+		i.ensureInitContainer(rekorServerHost, tufServerHost),
 		ensure.ControllerReference[*v1.StatefulSet](instance, i.Client),
 		ensure.Labels[*v1.StatefulSet](slices.Collect(maps.Keys(labels)), labels),
 		func(object *v1.StatefulSet) error {
@@ -90,7 +94,18 @@ func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.R
 	return i.Continue()
 }
 
-func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Rekor, sa string, labels map[string]string, rekorServerHost string) func(*v1.StatefulSet) error {
+func (i statefulSetAction) resolveTufUrl(instance *rhtasv1alpha1.Rekor) string {
+	if instance.Spec.Monitoring.Tuf.Address != "" {
+		url := instance.Spec.Monitoring.Tuf.Address
+		if instance.Spec.Monitoring.Tuf.Port != nil {
+			url = fmt.Sprintf("%s:%d", url, *instance.Spec.Monitoring.Tuf.Port)
+		}
+		return url
+	}
+	return fmt.Sprintf("http://tuf.%s.svc", instance.Namespace)
+}
+
+func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Rekor, sa string, labels map[string]string, rekorServerHost string, tufServerHost string) func(*v1.StatefulSet) error {
 	return func(ss *v1.StatefulSet) error {
 
 		spec := &ss.Spec
@@ -110,7 +125,9 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 		container.Command = []string{
 			"/bin/sh",
 			"-c",
-			fmt.Sprintf(`/rekor_monitor --file=/data/checkpoint_log.txt --once=false --interval=%s --url=%s`, interval.String(), rekorServerHost),
+			fmt.Sprintf(
+				`/rekor_monitor --file=/data/checkpoint_log.txt --once=false --interval=%s --url=%s --tuf-repository=%s --tuf-root-path="%s/root.json"`,
+				interval.String(), rekorServerHost, tufServerHost, mountPath),
 		}
 
 		container.Ports = []core.ContainerPort{
@@ -120,9 +137,15 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 				Protocol:      core.ProtocolTCP,
 			},
 		}
+		container.Env = []core.EnvVar{
+			{
+				Name:  "HOME",
+				Value: mountPath,
+			},
+		}
 
 		volumeMount := kubernetes.FindVolumeMountByNameOrCreate(container, storageVolumeName)
-		volumeMount.MountPath = "/data"
+		volumeMount.MountPath = mountPath
 
 		spec.VolumeClaimTemplates = []core.PersistentVolumeClaim{
 			{
@@ -141,19 +164,35 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko
 				},
 			},
 		}
+
 		return nil
 	}
 }
 
-func (i statefulSetAction) ensureInitContainer(rekorServerHost string) func(*v1.StatefulSet) error {
+func (i statefulSetAction) ensureInitContainer(rekorServerHost string, tufHost string) func(*v1.StatefulSet) error {
 	return func(ss *v1.StatefulSet) error {
-		initContainer := kubernetes.FindInitContainerByNameOrCreate(&ss.Spec.Template.Spec, "wait-for-rekor-server")
+		initContainer := kubernetes.FindInitContainerByNameOrCreate(&ss.Spec.Template.Spec, "tuf-init")
 		initContainer.Image = images.Registry.Get(images.RekorMonitor)
-
+		volumeMount := kubernetes.FindVolumeMountByNameOrCreate(initContainer, storageVolumeName)
+		volumeMount.MountPath = mountPath
 		initContainer.Command = []string{
 			"/bin/sh",
 			"-c",
-			fmt.Sprintf(`until curl -sf %s > /dev/null 2>&1; do echo 'Waiting for rekor-server to be ready...'; sleep 5; done`, rekorServerHost),
+			fmt.Sprintf(`
+                echo "Waiting for rekor-server...";
+                until curl -sf %s > /dev/null 2>&1; do
+                    echo "rekor-server not ready...";
+                    sleep 5;
+                done;
+                echo "Waiting for TUF server...";
+                until curl %s > /dev/null 2>&1; do
+                    echo "TUF server not ready...";
+                    sleep 5;
+                done;
+                echo "Downloading root.json";
+                curl %s/root.json > %s/root.json
+                echo "tuf-init completed."
+            `, rekorServerHost, tufHost, tufHost, mountPath),
 		}
 
 		return nil
diff --git a/test/e2e/rekor_monitor_log_test.go b/test/e2e/rekor_monitor_log_test.go
@@ -254,8 +254,8 @@ var _ = Describe("Rekor Monitor Log", Ordered, func() {
 				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(strings.Contains(logContent, "Root hash consistency verified")).To(BeFalse(),
 					fmt.Sprintf("Expected 'Root hash consistency verified' NOT to be in logs, but got: %s", logContent))
-				g.Expect(strings.Contains(logContent, "empty log")).To(BeTrue(),
-					fmt.Sprintf("Expected 'empty log' to be in logs, but got: %s", logContent))
+				g.Expect(strings.Contains(logContent, "skipping write of checkpoint: size is 0")).To(BeTrue(),
+					fmt.Sprintf("Expected 'skipping write of checkpoint: size is 0' to be in logs, but got: %s", logContent))
 			}, 30*time.Second, 1*time.Second).Should(Succeed(),
 				"Monitor log should be empty and not contain root hash consistency verification")
 		})
diff --git a/test/e2e/rekor_monitor_test.go b/test/e2e/rekor_monitor_test.go
@@ -14,14 +14,13 @@ import (
 	"github.com/securesign/operator/internal/labels"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/steps"
-	rekorSupport "github.com/securesign/operator/test/e2e/support/tas/rekor"
-	"github.com/securesign/operator/test/e2e/support/tas/trillian"
+	"github.com/securesign/operator/test/e2e/support/tas"
+	"github.com/securesign/operator/test/e2e/support/tas/securesign"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -30,58 +29,30 @@ var _ = Describe("Rekor Monitor", Ordered, func() {
 
 	var (
 		namespace             *v1.Namespace
-		trillianCR            *v1alpha1.Trillian
-		rekorCR               *v1alpha1.Rekor
 		rekorMonitorPod       v1.Pod
 		rekorMonitorContainer v1.Container
+		s                     *v1alpha1.Securesign
 	)
 
 	BeforeAll(steps.CreateNamespace(cli, func(new *v1.Namespace) {
 		namespace = new
 	}))
 
 	BeforeAll(func(ctx SpecContext) {
-		trillianCR = &v1alpha1.Trillian{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "test-trillian",
-				Namespace: namespace.Name,
+		s = securesign.Create(namespace.Name, "test",
+			securesign.WithDefaults(),
+			securesign.WithMonitoring(),
+			func(v *v1alpha1.Securesign) {
+				v.Spec.Rekor.Monitoring.TLog.Enabled = true
+				v.Spec.Rekor.Monitoring.TLog.Interval = metav1.Duration{Duration: time.Second * 10}
 			},
-			Spec: v1alpha1.TrillianSpec{
-				Db: v1alpha1.TrillianDB{Create: ptr.To(true)},
-			},
-		}
-		Expect(cli.Create(ctx, trillianCR)).To(Succeed())
-
-		By("Waiting for Trillian to be ready")
-		trillian.Verify(ctx, cli, namespace.Name, trillianCR.Name, true)
+		)
 	})
 
 	BeforeAll(func(ctx SpecContext) {
-		rekorCR = &v1alpha1.Rekor{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "test-rekor-monitor",
-				Namespace: namespace.Name,
-			},
-			Spec: v1alpha1.RekorSpec{
-				Monitoring: v1alpha1.MonitoringWithTLogConfig{
-					MonitoringConfig: v1alpha1.MonitoringConfig{
-						Enabled: true,
-					},
-					TLog: v1alpha1.TlogMonitoring{
-						Enabled:  true,
-						Interval: metav1.Duration{Duration: time.Minute * 10},
-					},
-				},
-				Trillian: v1alpha1.TrillianService{
-					Address: fmt.Sprintf("trillian-logserver.%s.svc.cluster.local", namespace.Name),
-					Port:    ptr.To(int32(8091)),
-				},
-			},
-		}
-		Expect(cli.Create(ctx, rekorCR)).To(Succeed())
-
-		By("Waiting for Rekor to be ready")
-		rekorSupport.Verify(ctx, cli, namespace.Name, rekorCR.Name, true)
+		Expect(cli.Create(ctx, s)).To(Succeed())
+		By("Waiting for all TAS components to be ready")
+		tas.VerifyAllComponents(ctx, cli, s, true)
 	})
 
 	Describe("Monitor Pod Deployment", func() {
@@ -123,7 +94,7 @@ var _ = Describe("Rekor Monitor", Ordered, func() {
 				updated := &v1alpha1.Rekor{}
 				err := cli.Get(ctx, types.NamespacedName{
 					Namespace: namespace.Name,
-					Name:      rekorCR.Name,
+					Name:      s.Name,
 				}, updated)
 				g.Expect(err).ToNot(HaveOccurred())
 
