SECURESIGN-568: Extend Rekor API to support sharding configuration

securesign · Jul 17, 2024 · f33fcd3 · f33fcd3
1 parent a7837b4
commit f33fcd3
Show file tree

Hide file tree

Showing 15 changed files with 872 additions and 82 deletions.
diff --git a/api/v1alpha1/rekor_types.go b/api/v1alpha1/rekor_types.go
@@ -32,6 +32,12 @@ type RekorSpec struct {
 	// BackFillRedis CronJob Configuration
 	//+kubebuilder:default:={enabled: true, schedule: "0 0 * * *"}
 	BackFillRedis BackFillRedis `json:"backFillRedis,omitempty"`
+	// Inactive shards
+	// +listType=map
+	// +listMapKey=treeID
+	// +patchStrategy=merge
+	// +patchMergeKey=treeID
+	Sharding []RekorLogRange `json:"sharding,omitempty"`
 }
 
 type RekorSigner struct {
@@ -67,6 +73,23 @@ type BackFillRedis struct {
 	Schedule string `json:"schedule,omitempty"`
 }
 
+// RekorLogRange defines the range and details of a log shard
+// +structType=atomic
+type RekorLogRange struct {
+	// ID of Merkle tree in Trillian backend
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Minimum=1
+	TreeID int64 `json:"treeID"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=0
+	// Length of the tree
+	TreeLength int64 `json:"treeLength"`
+	// The public key for the log shard, encoded in Base64 format
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern=`^[A-Za-z0-9+/]+={0,2}$`
+	EncodedPublicKey string `json:"encodedPublicKey,omitempty"`
+}
+
 // RekorStatus defines the observed state of Rekor
 type RekorStatus struct {
 	// Reference to secret with Rekor's signer public key.

diff --git a/api/v1alpha1/rekor_types_test.go b/api/v1alpha1/rekor_types_test.go
@@ -166,6 +166,50 @@ var _ = Describe("Rekor", func() {
 			})
 		})
 
+		Context("sharding", func() {
+			It("require treeId", func() {
+				invalidObject := generateRekorObject("sharding-treeid")
+				invalidObject.Spec.Sharding = []RekorLogRange{
+					{},
+				}
+
+				Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue())
+				Expect(k8sClient.Create(context.Background(), invalidObject)).
+					To(MatchError(ContainSubstring("treeID in body should be greater than or equal to 1")))
+			})
+
+			It("base64 encoded public key", func() {
+				invalidObject := generateRekorObject("sharding-bas64")
+				invalidObject.Spec.Sharding = []RekorLogRange{
+					{
+						TreeID:           1,
+						EncodedPublicKey: "-----BEGIN PUBLIC KEY-----\nABCD\n-----END PUBLIC KEY-----",
+					},
+				}
+
+				Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue())
+				Expect(k8sClient.Create(context.Background(), invalidObject)).
+					To(MatchError(ContainSubstring("body should match '^[A-Za-z0-9+/]+={0,2}$'")))
+			})
+
+			It("duplicate trees", func() {
+				invalidObject := generateRekorObject("sharding-duplicate")
+				invalidObject.Spec.Sharding = []RekorLogRange{
+					{
+						TreeID: 123,
+					},
+					{
+						TreeID:     123,
+						TreeLength: 1,
+					},
+				}
+
+				Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue())
+				Expect(k8sClient.Create(context.Background(), invalidObject)).
+					To(MatchError(ContainSubstring("Duplicate value")))
+			})
+		})
+
 		Context("Default settings", func() {
 			var (
 				rekorInstance         Rekor
@@ -246,6 +290,13 @@ var _ = Describe("Rekor", func() {
 								Address: "trillian-system.default.svc",
 								Port:    &port,
 							},
+							Sharding: []RekorLogRange{
+								{
+									TreeID:           123456789,
+									TreeLength:       1,
+									EncodedPublicKey: "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFWkZ0Nk5FcU14YWVVNzZsbmxZekZVTmpGUUdIcQpORjQ2QlBDVGxQL0ZnZk1aak42MDhjRFhmM0xNNWhUYnZOeUNFYWJFKzRNYk9jRU1YaERRVWxZRnZBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
+								},
+							},
 						},
 					}
 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml
@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-10T17:23:58Z"
+    createdAt: "2024-07-17T11:36:58Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml
@@ -150,9 +150,41 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  host:
+                    description: Set hostname for your Ingress/Route.
+                    type: string
                 required:
                 - enabled
                 type: object
+              sharding:
+                description: Inactive shards
+                items:
+                  description: RekorLogRange defines the range and details of a log
+                    shard
+                  properties:
+                    encodedPublicKey:
+                      description: The public key for the log shard, encoded in Base64
+                        format
+                      pattern: ^[A-Za-z0-9+/]+={0,2}$
+                      type: string
+                    treeID:
+                      description: ID of Merkle tree in Trillian backend
+                      format: int64
+                      minimum: 1
+                      type: integer
+                    treeLength:
+                      description: Length of the tree
+                      format: int64
+                      minimum: 0
+                      type: integer
+                  required:
+                  - treeID
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+                x-kubernetes-list-map-keys:
+                - treeID
+                x-kubernetes-list-type: map
               signer:
                 description: Signer configuration
                 properties:

diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -512,9 +512,41 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      host:
+                        description: Set hostname for your Ingress/Route.
+                        type: string
                     required:
                     - enabled
                     type: object
+                  sharding:
+                    description: Inactive shards
+                    items:
+                      description: RekorLogRange defines the range and details of
+                        a log shard
+                      properties:
+                        encodedPublicKey:
+                          description: The public key for the log shard, encoded in
+                            Base64 format
+                          pattern: ^[A-Za-z0-9+/]+={0,2}$
+                          type: string
+                        treeID:
+                          description: ID of Merkle tree in Trillian backend
+                          format: int64
+                          minimum: 1
+                          type: integer
+                        treeLength:
+                          description: Length of the tree
+                          format: int64
+                          minimum: 0
+                          type: integer
+                      required:
+                      - treeID
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - treeID
+                    x-kubernetes-list-type: map
                   signer:
                     description: Signer configuration
                     properties:

diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml
@@ -156,6 +156,35 @@ spec:
                 required:
                 - enabled
                 type: object
+              sharding:
+                description: Inactive shards
+                items:
+                  description: RekorLogRange defines the range and details of a log
+                    shard
+                  properties:
+                    encodedPublicKey:
+                      description: The public key for the log shard, encoded in Base64
+                        format
+                      pattern: ^[A-Za-z0-9+/]+={0,2}$
+                      type: string
+                    treeID:
+                      description: ID of Merkle tree in Trillian backend
+                      format: int64
+                      minimum: 1
+                      type: integer
+                    treeLength:
+                      description: Length of the tree
+                      format: int64
+                      minimum: 0
+                      type: integer
+                  required:
+                  - treeID
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+                x-kubernetes-list-map-keys:
+                - treeID
+                x-kubernetes-list-type: map
               signer:
                 description: Signer configuration
                 properties:

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -518,6 +518,35 @@ spec:
                     required:
                     - enabled
                     type: object
+                  sharding:
+                    description: Inactive shards
+                    items:
+                      description: RekorLogRange defines the range and details of
+                        a log shard
+                      properties:
+                        encodedPublicKey:
+                          description: The public key for the log shard, encoded in
+                            Base64 format
+                          pattern: ^[A-Za-z0-9+/]+={0,2}$
+                          type: string
+                        treeID:
+                          description: ID of Merkle tree in Trillian backend
+                          format: int64
+                          minimum: 1
+                          type: integer
+                        treeLength:
+                          description: Length of the tree
+                          format: int64
+                          minimum: 0
+                          type: integer
+                      required:
+                      - treeID
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - treeID
+                    x-kubernetes-list-type: map
                   signer:
                     description: Signer configuration
                     properties: