From ae7b5673cc237ae9267432f87b1458bbcd9806a2 Mon Sep 17 00:00:00 2001 From: JasonPowr <20076537@mail.wit.ie> Date: Fri, 8 Mar 2024 11:17:40 +0000 Subject: [PATCH] fix-fulcio-config --- api/v1alpha1/fulcio_types.go | 12 ++- api/v1alpha1/fulcio_types_test.go | 30 +++++-- api/v1alpha1/zz_generated.deepcopy.go | 12 +-- .../rhtas-operator.clusterserviceversion.yaml | 16 ++-- bundle/manifests/rhtas.redhat.com_ctlogs.yaml | 35 ++++---- .../manifests/rhtas.redhat.com_fulcios.yaml | 67 ++++++++------- bundle/manifests/rhtas.redhat.com_rekors.yaml | 19 ++--- .../rhtas.redhat.com_securesigns.yaml | 81 ++++++++++--------- .../manifests/rhtas.redhat.com_trillians.yaml | 6 +- bundle/manifests/rhtas.redhat.com_tufs.yaml | 8 +- ci/openshift/sign-test.sh | 2 + .../crd/bases/rhtas.redhat.com_fulcios.yaml | 38 +++++---- .../bases/rhtas.redhat.com_securesigns.yaml | 38 +++++---- config/samples/rhtas_v1alpha1_fulcio.yaml | 4 +- config/samples/rhtas_v1alpha1_securesign.yaml | 4 +- controllers/fulcio/actions/servrConfig.go | 28 ++++++- controllers/fulcio/fulcio_controller_test.go | 5 +- controllers/fulcio/fulcio_hot_update_test.go | 8 +- e2e/byodb_test.go | 5 +- e2e/common_install_test.go | 8 +- e2e/config_update_test.go | 19 +++-- e2e/key_autodiscovery_test.go | 8 +- e2e/provided_certs_test.go | 8 +- 23 files changed, 279 insertions(+), 182 deletions(-) diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go index 965c3adad..6cb4f03d1 100644 --- a/api/v1alpha1/fulcio_types.go +++ b/api/v1alpha1/fulcio_types.go @@ -11,6 +11,7 @@ import ( type FulcioSpec struct { // Define whether you want to export service or not ExternalAccess ExternalAccess `json:"externalAccess,omitempty"` + // Fulcio Configuration //+required Config FulcioConfig `json:"config"` // Certificate configuration @@ -44,8 +45,9 @@ type FulcioCert struct { } type FulcioConfig struct { - //+kubebuilder:validation:MinProperties:=1 - OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers"` + // OIDC Configuration + // +kubebuilder:validation:MinItems=1 + OIDCIssuers []OIDCIssuer `json:"OIDCIssuers"` // A meta issuer has a templated URL of the form: // https://oidc.eks.*.amazonaws.com/id/* @@ -55,13 +57,15 @@ type FulcioConfig struct { // * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB // * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster // +optional - MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty"` + MetaIssuers []OIDCIssuer `json:"MetaIssuers,omitempty"` } type OIDCIssuer struct { // The expected issuer of an OIDC token IssuerURL string `json:"IssuerURL,omitempty"` - // The expected client ID of the OIDC token + // The expected issuer of an OIDC token + //+required + Issuer string `json:"Issuer"` //+required ClientID string `json:"ClientID"` // Used to determine the subject of the certificate and if additional diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go index c1a2799c3..fa078cbb0 100644 --- a/api/v1alpha1/fulcio_types_test.go +++ b/api/v1alpha1/fulcio_types_test.go @@ -29,7 +29,7 @@ var _ = Describe("Fulcio", func() { Expect(k8sClient.Get(context.Background(), getKey(created), fetched)).To(Succeed()) Expect(fetched).To(Equal(created)) - fetched.Spec.Config.OIDCIssuers["test"] = OIDCIssuer{ + fetched.Spec.Config.OIDCIssuers[0] = OIDCIssuer{ Type: "email", ClientID: "client", } @@ -128,11 +128,11 @@ var _ = Describe("Fulcio", func() { It("config is not empty", func() { invalidObject := generateFulcioObject("config-invalid") - invalidObject.Spec.Config.OIDCIssuers = make(map[string]OIDCIssuer) + invalidObject.Spec.Config.OIDCIssuers = []OIDCIssuer{} Expect(apierrors.IsInvalid(k8sClient.Create(context.Background(), invalidObject))).To(BeTrue()) Expect(k8sClient.Create(context.Background(), invalidObject)). - To(MatchError(ContainSubstring("in body should have at least 1 properties"))) + To(MatchError(ContainSubstring("in body should have at least 1 items"))) }) }) @@ -170,8 +170,8 @@ var _ = Describe("Fulcio", func() { Host: "hostname", }, Config: FulcioConfig{ - OIDCIssuers: map[string]OIDCIssuer{ - "oidc": { + OIDCIssuers: []OIDCIssuer{ + { ClientID: "client", Type: "email", IssuerURL: "url", @@ -180,7 +180,7 @@ var _ = Describe("Fulcio", func() { SPIFFETrustDomain: "SPIFFE", SubjectDomain: "domain", }, - "oidc2": { + { ClientID: "clien2", Type: "email2", IssuerURL: "url2", @@ -220,11 +220,25 @@ func generateFulcioObject(name string) *Fulcio { }, Spec: FulcioSpec{ Config: FulcioConfig{ - OIDCIssuers: map[string]OIDCIssuer{ - "oidc": { + OIDCIssuers: []OIDCIssuer{ + { ClientID: "client", Type: "email", IssuerURL: "url", + Issuer: "url", + }, + }, + MetaIssuers: []OIDCIssuer{ + { + ClientID: "client", + Type: "email", + IssuerURL: "url", + Issuer: "url", + }, + { + ClientID: "client", + Type: "email", + Issuer: "url", }, }, }, diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index e0a605e10..30d6712bb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -268,17 +268,13 @@ func (in *FulcioConfig) DeepCopyInto(out *FulcioConfig) { *out = *in if in.OIDCIssuers != nil { in, out := &in.OIDCIssuers, &out.OIDCIssuers - *out = make(map[string]OIDCIssuer, len(*in)) - for key, val := range *in { - (*out)[key] = val - } + *out = make([]OIDCIssuer, len(*in)) + copy(*out, *in) } if in.MetaIssuers != nil { in, out := &in.MetaIssuers, &out.MetaIssuers - *out = make(map[string]OIDCIssuer, len(*in)) - for key, val := range *in { - (*out)[key] = val - } + *out = make([]OIDCIssuer, len(*in)) + copy(*out, *in) } } diff --git a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml index 5d7d944b9..af806216f 100644 --- a/bundle/manifests/rhtas-operator.clusterserviceversion.yaml +++ b/bundle/manifests/rhtas-operator.clusterserviceversion.yaml @@ -45,13 +45,14 @@ metadata: "organizationName": "Red Hat" }, "config": { - "OIDCIssuers": { - "https://your-oidc-issuer-url": { + "OIDCIssuers": [ + { "ClientID": "trusted-artifact-signer", + "Issuer": "https://your-oidc-issuer-url", "IssuerURL": "https://your-oidc-issuer-url", "Type": "email" } - } + ] }, "externalAccess": { "enabled": true @@ -95,13 +96,14 @@ metadata: "organizationName": "Red Hat" }, "config": { - "OIDCIssuers": { - "https://your-oidc-issuer-url": { + "OIDCIssuers": [ + { "ClientID": "trusted-artifact-signer", + "Issuer": "https://your-oidc-issuer-url", "IssuerURL": "https://your-oidc-issuer-url", "Type": "email" } - } + ] }, "externalAccess": { "enabled": true @@ -186,7 +188,7 @@ metadata: } ] capabilities: Basic Install - createdAt: "2024-03-05T14:59:04Z" + createdAt: "2024-03-12T10:13:29Z" operators.operatorframework.io/builder: operator-sdk-v1.32.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 name: rhtas-operator.v1.0.0 diff --git a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml index ce940e18e..91befbd76 100644 --- a/bundle/manifests/rhtas.redhat.com_ctlogs.yaml +++ b/bundle/manifests/rhtas.redhat.com_ctlogs.yaml @@ -50,16 +50,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -68,16 +68,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic publicKeyRef: @@ -89,16 +89,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic rootCertificates: @@ -111,16 +111,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: array @@ -217,16 +217,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -235,16 +235,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic publicKeyRef: @@ -253,16 +253,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic rootCertificates: @@ -272,16 +272,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: array @@ -294,8 +294,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic type: object diff --git a/bundle/manifests/rhtas.redhat.com_fulcios.yaml b/bundle/manifests/rhtas.redhat.com_fulcios.yaml index c9ba56995..6a7967a4b 100644 --- a/bundle/manifests/rhtas.redhat.com_fulcios.yaml +++ b/bundle/manifests/rhtas.redhat.com_fulcios.yaml @@ -57,16 +57,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic commonName: @@ -81,16 +81,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -99,28 +99,39 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - message: commonName cannot be empty rule: (has(self.caRef) || self.commonName != "") + - message: organizationName cannot be empty + rule: (has(self.caRef) || self.organizationName != "") - message: privateKeyRef cannot be empty rule: (!has(self.caRef) || has(self.privateKeyRef)) config: + description: Fulcio Configuration properties: MetaIssuers: - additionalProperties: + description: |- + A meta issuer has a templated URL of the form: + https://oidc.eks.*.amazonaws.com/id/* + Where * can match a single hostname or URI path parts + (in particular, no '.' or '/' are permitted, among + other special characters) Some examples we want to match: + * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB + * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster + items: properties: ChallengeClaim: description: |- @@ -128,7 +139,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different claim @@ -157,17 +170,10 @@ spec: - ClientID - Type type: object - description: |- - A meta issuer has a templated URL of the form: - https://oidc.eks.*.amazonaws.com/id/* - Where * can match a single hostname or URI path parts - (in particular, no '.' or '/' are permitted, among - other special characters) Some examples we want to match: - * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB - * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster - type: object + type: array OIDCIssuers: - additionalProperties: + description: OIDC Configuration + items: properties: ChallengeClaim: description: |- @@ -175,7 +181,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different claim @@ -204,8 +212,8 @@ spec: - ClientID - Type type: object - minProperties: 1 - type: object + minItems: 1 + type: array required: - OIDCIssuers type: object @@ -256,16 +264,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic commonName: @@ -280,16 +288,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -298,22 +306,24 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - message: commonName cannot be empty rule: (has(self.caRef) || self.commonName != "") + - message: organizationName cannot be empty + rule: (has(self.caRef) || self.organizationName != "") - message: privateKeyRef cannot be empty rule: (!has(self.caRef) || has(self.privateKeyRef)) conditions: @@ -397,8 +407,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic url: diff --git a/bundle/manifests/rhtas.redhat.com_rekors.yaml b/bundle/manifests/rhtas.redhat.com_rekors.yaml index 74fce455d..1cc0fd6e1 100644 --- a/bundle/manifests/rhtas.redhat.com_rekors.yaml +++ b/bundle/manifests/rhtas.redhat.com_rekors.yaml @@ -160,16 +160,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic kms: @@ -183,16 +183,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object @@ -291,8 +291,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic signer: @@ -303,16 +304,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic kms: @@ -326,16 +327,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object diff --git a/bundle/manifests/rhtas.redhat.com_securesigns.yaml b/bundle/manifests/rhtas.redhat.com_securesigns.yaml index e8de2c90a..94f3dab8a 100644 --- a/bundle/manifests/rhtas.redhat.com_securesigns.yaml +++ b/bundle/manifests/rhtas.redhat.com_securesigns.yaml @@ -65,16 +65,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -83,16 +83,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic publicKeyRef: @@ -104,16 +104,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic rootCertificates: @@ -126,16 +126,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: array @@ -163,16 +163,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic commonName: @@ -187,16 +187,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic privateKeyRef: @@ -205,28 +205,39 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - message: commonName cannot be empty rule: (has(self.caRef) || self.commonName != "") + - message: organizationName cannot be empty + rule: (has(self.caRef) || self.organizationName != "") - message: privateKeyRef cannot be empty rule: (!has(self.caRef) || has(self.privateKeyRef)) config: + description: Fulcio Configuration properties: MetaIssuers: - additionalProperties: + description: |- + A meta issuer has a templated URL of the form: + https://oidc.eks.*.amazonaws.com/id/* + Where * can match a single hostname or URI path parts + (in particular, no '.' or '/' are permitted, among + other special characters) Some examples we want to match: + * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB + * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster + items: properties: ChallengeClaim: description: |- @@ -234,7 +245,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different @@ -263,17 +276,10 @@ spec: - ClientID - Type type: object - description: |- - A meta issuer has a templated URL of the form: - https://oidc.eks.*.amazonaws.com/id/* - Where * can match a single hostname or URI path parts - (in particular, no '.' or '/' are permitted, among - other special characters) Some examples we want to match: - * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB - * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster - type: object + type: array OIDCIssuers: - additionalProperties: + description: OIDC Configuration + items: properties: ChallengeClaim: description: |- @@ -281,7 +287,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different @@ -310,8 +318,8 @@ spec: - ClientID - Type type: object - minProperties: 1 - type: object + minItems: 1 + type: array required: - OIDCIssuers type: object @@ -467,16 +475,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic kms: @@ -491,16 +499,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic type: object @@ -543,8 +551,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic pvc: @@ -638,16 +647,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic required: diff --git a/bundle/manifests/rhtas.redhat.com_trillians.yaml b/bundle/manifests/rhtas.redhat.com_trillians.yaml index 1e81fc851..de8cfe443 100644 --- a/bundle/manifests/rhtas.redhat.com_trillians.yaml +++ b/bundle/manifests/rhtas.redhat.com_trillians.yaml @@ -73,8 +73,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic pvc: @@ -219,8 +220,9 @@ spec: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string + required: + - name type: object x-kubernetes-map-type: atomic pvc: diff --git a/bundle/manifests/rhtas.redhat.com_tufs.yaml b/bundle/manifests/rhtas.redhat.com_tufs.yaml index 6a309917e..b663d685f 100644 --- a/bundle/manifests/rhtas.redhat.com_tufs.yaml +++ b/bundle/manifests/rhtas.redhat.com_tufs.yaml @@ -87,16 +87,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic required: @@ -202,16 +202,16 @@ spec: key: description: The key of the secret to select from. Must be a valid secret key. - pattern: '[-._a-zA-Z0-9]+' + pattern: ^[-._a-zA-Z0-9]+$ type: string name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid? type: string required: - key + - name type: object x-kubernetes-map-type: atomic required: diff --git a/ci/openshift/sign-test.sh b/ci/openshift/sign-test.sh index 81d7642b2..6c2ac2d21 100755 --- a/ci/openshift/sign-test.sh +++ b/ci/openshift/sign-test.sh @@ -68,6 +68,8 @@ spec: backoffLimit: 4 # Defines the number of retries before considering the Job failed. EOF +oc logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager + # Apply the modified YAML using kubectl kubectl apply -f job.yaml -n default oc wait --for=condition=complete job/tas-test-sign-verify --timeout=5m -n default diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml index 77271fd5d..4df04ad61 100644 --- a/config/crd/bases/rhtas.redhat.com_fulcios.yaml +++ b/config/crd/bases/rhtas.redhat.com_fulcios.yaml @@ -120,9 +120,18 @@ spec: - message: privateKeyRef cannot be empty rule: (!has(self.caRef) || has(self.privateKeyRef)) config: + description: Fulcio Configuration properties: MetaIssuers: - additionalProperties: + description: |- + A meta issuer has a templated URL of the form: + https://oidc.eks.*.amazonaws.com/id/* + Where * can match a single hostname or URI path parts + (in particular, no '.' or '/' are permitted, among + other special characters) Some examples we want to match: + * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB + * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster + items: properties: ChallengeClaim: description: |- @@ -130,7 +139,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different claim @@ -157,19 +168,13 @@ spec: type: string required: - ClientID + - Issuer - Type type: object - description: |- - A meta issuer has a templated URL of the form: - https://oidc.eks.*.amazonaws.com/id/* - Where * can match a single hostname or URI path parts - (in particular, no '.' or '/' are permitted, among - other special characters) Some examples we want to match: - * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB - * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster - type: object + type: array OIDCIssuers: - additionalProperties: + description: OIDC Configuration + items: properties: ChallengeClaim: description: |- @@ -177,7 +182,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different claim @@ -204,10 +211,11 @@ spec: type: string required: - ClientID + - Issuer - Type type: object - minProperties: 1 - type: object + minItems: 1 + type: array required: - OIDCIssuers type: object diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index b03958adb..f4843f893 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -226,9 +226,18 @@ spec: - message: privateKeyRef cannot be empty rule: (!has(self.caRef) || has(self.privateKeyRef)) config: + description: Fulcio Configuration properties: MetaIssuers: - additionalProperties: + description: |- + A meta issuer has a templated URL of the form: + https://oidc.eks.*.amazonaws.com/id/* + Where * can match a single hostname or URI path parts + (in particular, no '.' or '/' are permitted, among + other special characters) Some examples we want to match: + * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB + * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster + items: properties: ChallengeClaim: description: |- @@ -236,7 +245,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different @@ -263,19 +274,13 @@ spec: type: string required: - ClientID + - Issuer - Type type: object - description: |- - A meta issuer has a templated URL of the form: - https://oidc.eks.*.amazonaws.com/id/* - Where * can match a single hostname or URI path parts - (in particular, no '.' or '/' are permitted, among - other special characters) Some examples we want to match: - * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB - * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster - type: object + type: array OIDCIssuers: - additionalProperties: + description: OIDC Configuration + items: properties: ChallengeClaim: description: |- @@ -283,7 +288,9 @@ spec: Set if using a custom issuer type: string ClientID: - description: The expected client ID of the OIDC token + type: string + Issuer: + description: The expected issuer of an OIDC token type: string IssuerClaim: description: Optional, if the issuer is in a different @@ -310,10 +317,11 @@ spec: type: string required: - ClientID + - Issuer - Type type: object - minProperties: 1 - type: object + minItems: 1 + type: array required: - OIDCIssuers type: object diff --git a/config/samples/rhtas_v1alpha1_fulcio.yaml b/config/samples/rhtas_v1alpha1_fulcio.yaml index 1013fc448..aa8f63dff 100644 --- a/config/samples/rhtas_v1alpha1_fulcio.yaml +++ b/config/samples/rhtas_v1alpha1_fulcio.yaml @@ -11,9 +11,9 @@ spec: enabled: true config: OIDCIssuers: - "https://your-oidc-issuer-url": - ClientID: "trusted-artifact-signer" + - ClientID: "trusted-artifact-signer" IssuerURL: "https://your-oidc-issuer-url" + Issuer: "https://your-oidc-issuer-url" Type: "email" certificate: organizationName: Red Hat diff --git a/config/samples/rhtas_v1alpha1_securesign.yaml b/config/samples/rhtas_v1alpha1_securesign.yaml index 665fe48fe..91cc980ae 100644 --- a/config/samples/rhtas_v1alpha1_securesign.yaml +++ b/config/samples/rhtas_v1alpha1_securesign.yaml @@ -20,9 +20,9 @@ spec: enabled: true config: OIDCIssuers: - "https://your-oidc-issuer-url": - ClientID: "trusted-artifact-signer" + - ClientID: "trusted-artifact-signer" IssuerURL: "https://your-oidc-issuer-url" + Issuer: "https://your-oidc-issuer-url" Type: "email" certificate: organizationName: Red Hat diff --git a/controllers/fulcio/actions/servrConfig.go b/controllers/fulcio/actions/servrConfig.go index a4eeea415..a1dbe805d 100644 --- a/controllers/fulcio/actions/servrConfig.go +++ b/controllers/fulcio/actions/servrConfig.go @@ -27,6 +27,11 @@ func (i serverConfig) Name() string { return "create server config" } +type FulcioMapConfig struct { + OIDCIssuers map[string]rhtasv1alpha1.OIDCIssuer + MetaIssuers map[string]rhtasv1alpha1.OIDCIssuer +} + func (i serverConfig) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) bool { c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) if c.Reason != constants.Creating && c.Reason != constants.Ready { @@ -41,7 +46,7 @@ func (i serverConfig) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Ful i.Logger.Error(err, "Cant load existing configuration") return false } - expected, err := json.Marshal(instance.Spec.Config) + expected, err := json.Marshal(ConvertToFulcioMapConfig(instance.Spec.Config)) if err != nil { i.Logger.Error(err, "Cant parse expected configuration") return false @@ -49,13 +54,32 @@ func (i serverConfig) CanHandle(ctx context.Context, instance *rhtasv1alpha1.Ful return existing.Data["config.json"] != string(expected) } +func ConvertToFulcioMapConfig(fulcioConfig rhtasv1alpha1.FulcioConfig) *FulcioMapConfig { + OIDCIssuers := make(map[string]rhtasv1alpha1.OIDCIssuer) + MetaIssuers := make(map[string]rhtasv1alpha1.OIDCIssuer) + + for _, issuer := range fulcioConfig.OIDCIssuers { + OIDCIssuers[issuer.Issuer] = issuer + } + + for _, issuer := range fulcioConfig.MetaIssuers { + MetaIssuers[issuer.Issuer] = issuer + } + + fulcioMapConfig := &FulcioMapConfig{ + OIDCIssuers: OIDCIssuers, + MetaIssuers: MetaIssuers, + } + return fulcioMapConfig +} + func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.Fulcio) *action.Result { var ( err error ) labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) - config, err := json.Marshal(instance.Spec.Config) + config, err := json.Marshal(ConvertToFulcioMapConfig(instance.Spec.Config)) if err != nil { return i.FailedWithStatusUpdate(ctx, err, instance) } diff --git a/controllers/fulcio/fulcio_controller_test.go b/controllers/fulcio/fulcio_controller_test.go index 54ddf4b4b..218baa69f 100644 --- a/controllers/fulcio/fulcio_controller_test.go +++ b/controllers/fulcio/fulcio_controller_test.go @@ -96,9 +96,10 @@ var _ = Describe("Fulcio controller", func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - "test": { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { IssuerURL: "test", + Issuer: "test", ClientID: "test", Type: "email", }, diff --git a/controllers/fulcio/fulcio_hot_update_test.go b/controllers/fulcio/fulcio_hot_update_test.go index 22ca694d8..392410620 100644 --- a/controllers/fulcio/fulcio_hot_update_test.go +++ b/controllers/fulcio/fulcio_hot_update_test.go @@ -95,9 +95,10 @@ var _ = Describe("Fulcio hot update", func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - "test": { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { IssuerURL: "test", + Issuer: "test", ClientID: "test", Type: "email", }, @@ -189,8 +190,9 @@ var _ = Describe("Fulcio hot update", func() { By("Update OIDC") Expect(k8sClient.Get(ctx, typeNamespaceName, found)).Should(Succeed()) - found.Spec.Config.OIDCIssuers["fakeProvider"] = v1alpha1.OIDCIssuer{ + found.Spec.Config.OIDCIssuers[0] = v1alpha1.OIDCIssuer{ IssuerURL: "fake", + Issuer: "fake", ClientID: "fake", Type: "email", } diff --git a/e2e/byodb_test.go b/e2e/byodb_test.go index e1fdb4911..b88983232 100644 --- a/e2e/byodb_test.go +++ b/e2e/byodb_test.go @@ -56,10 +56,11 @@ var _ = Describe("Securesign install with byodb", Ordered, func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, }}, diff --git a/e2e/common_install_test.go b/e2e/common_install_test.go index 5cfe8db36..58a8bee4d 100644 --- a/e2e/common_install_test.go +++ b/e2e/common_install_test.go @@ -4,10 +4,11 @@ package e2e_test import ( "context" - "github.com/securesign/operator/controllers/common/utils" "net/http" "time" + "github.com/securesign/operator/controllers/common/utils" + "github.com/google/uuid" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -60,10 +61,11 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, }}, diff --git a/e2e/config_update_test.go b/e2e/config_update_test.go index c1644971d..387ffdc28 100644 --- a/e2e/config_update_test.go +++ b/e2e/config_update_test.go @@ -5,9 +5,11 @@ package e2e_test import ( "context" "encoding/json" - "github.com/securesign/operator/controllers/common/utils" "time" + "github.com/securesign/operator/controllers/common/utils" + "github.com/securesign/operator/controllers/fulcio/actions" + "github.com/google/uuid" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -62,10 +64,11 @@ var _ = Describe("Securesign hot update", Ordered, func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, }}, @@ -170,15 +173,17 @@ var _ = Describe("Securesign hot update", Ordered, func() { Describe("Fulcio Config update", func() { It("Pods are restarted after update", func() { Expect(cli.Get(ctx, runtimeCli.ObjectKeyFromObject(securesign), securesign)).To(Succeed()) - securesign.Spec.Fulcio.Config.OIDCIssuers = map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + securesign.Spec.Fulcio.Config.OIDCIssuers = []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, - "fake": { + { ClientID: "fake", IssuerURL: "fake", + Issuer: "fake", Type: "email", }, } @@ -196,7 +201,7 @@ var _ = Describe("Securesign hot update", Ordered, func() { cm := &v1.ConfigMap{} Expect(cli.Get(ctx, types.NamespacedName{Namespace: namespace.Name, Name: fulcio.Status.ServerConfigRef.Name}, cm)).To(Succeed()) - config := &v1alpha1.FulcioConfig{} + config := &actions.FulcioMapConfig{} Expect(json.Unmarshal([]byte(cm.Data["config.json"]), config)).To(Succeed()) Expect(config.OIDCIssuers).To(HaveKey("fake")) }) diff --git a/e2e/key_autodiscovery_test.go b/e2e/key_autodiscovery_test.go index 6daf40349..5036ed9d0 100644 --- a/e2e/key_autodiscovery_test.go +++ b/e2e/key_autodiscovery_test.go @@ -4,9 +4,10 @@ package e2e_test import ( "context" - "github.com/securesign/operator/controllers/common/utils" "time" + "github.com/securesign/operator/controllers/common/utils" + "github.com/google/uuid" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -64,10 +65,11 @@ var _ = Describe("Securesign key autodiscovery test", Ordered, func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, }}, diff --git a/e2e/provided_certs_test.go b/e2e/provided_certs_test.go index 246b4ddcd..4900421be 100644 --- a/e2e/provided_certs_test.go +++ b/e2e/provided_certs_test.go @@ -10,10 +10,11 @@ import ( "crypto/x509" "crypto/x509/pkix" "encoding/pem" - "github.com/securesign/operator/controllers/common/utils" "math/big" "time" + "github.com/securesign/operator/controllers/common/utils" + "github.com/google/uuid" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" @@ -72,10 +73,11 @@ var _ = Describe("Securesign install with provided certs", Ordered, func() { Enabled: true, }, Config: v1alpha1.FulcioConfig{ - OIDCIssuers: map[string]v1alpha1.OIDCIssuer{ - support.OidcIssuerUrl(): { + OIDCIssuers: []v1alpha1.OIDCIssuer{ + { ClientID: support.OidcClientID(), IssuerURL: support.OidcIssuerUrl(), + Issuer: support.OidcIssuerUrl(), Type: "email", }, }},