Merge pull request #517 from securesign/tdalton/SECURESIGN-574

[SECURESIGN-574] | Independently deployable CTlog Changes

api/v1alpha1/ctlog_types.go

@@ -38,6 +38,10 @@ type CTlogSpec struct {
 
 	//Enable Service monitors for ctlog
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
+
+	// Trillian service configuration
+	//+kubebuilder:default:={port: 8091}
+	Trillian TrillianService `json:"trillian,omitempty"`
 }
 
 // CTlogStatus defines the observed state of CTlog component

api/v1alpha1/ctlog_types_test.go

@@ -7,6 +7,7 @@ import (
 	_ "k8s.io/api/apps/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 )
 
 var _ = Describe("CTlog", func() {
@@ -97,6 +98,7 @@ var _ = Describe("CTlog", func() {
 			When("CR is fully populated", func() {
 				It("outputs the CR", func() {
 					tree := int64(1269875)
+					port := int32(8091)
 					ctlogInstance = CTlog{
 						ObjectMeta: metav1.ObjectMeta{
 							Name:      "ctlog-full-manifest",
@@ -130,6 +132,10 @@ var _ = Describe("CTlog", func() {
 									},
 								},
 							},
+							Trillian: TrillianService{
+								Address: "trillian-system.default.svc",
+								Port:    &port,
+							},
 						},
 					}
 
@@ -171,6 +177,10 @@ func generateCTlogObject(name string) *CTlog {
 			Name:      name,
 			Namespace: "default",
 		},
-		Spec: CTlogSpec{},
+		Spec: CTlogSpec{
+			Trillian: TrillianService{
+				Port: pointer.Int32(int32(8091)),
+			},
+		},
 	}
 }

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-26T12:13:19Z"
+    createdAt: "2024-07-30T13:51:04Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -204,7 +204,7 @@ metadata:
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
     operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.34.2
+    operators.operatorframework.io/builder: operator-sdk-v1.34.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     repository: https://github.com/securesign/secure-sign-operator
     support: Red Hat

bundle/manifests/rhtas.redhat.com_ctlogs.yaml

@@ -143,6 +143,22 @@ spec:
                   If it is unset, the operator will create new Merkle tree in the Trillian backend
                 format: int64
                 type: integer
+              trillian:
+                default:
+                  port: 8091
+                description: Trillian service configuration
+                properties:
+                  address:
+                    description: Address to Trillian Log Server End point
+                    type: string
+                  port:
+                    default: 8091
+                    description: Port of Trillian Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
             type: object
             x-kubernetes-validations:
             - message: privateKeyRef cannot be empty

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -159,6 +159,22 @@ spec:
                       If it is unset, the operator will create new Merkle tree in the Trillian backend
                     format: int64
                     type: integer
+                  trillian:
+                    default:
+                      port: 8091
+                    description: Trillian service configuration
+                    properties:
+                      address:
+                        description: Address to Trillian Log Server End point
+                        type: string
+                      port:
+                        default: 8091
+                        description: Port of Trillian Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 type: object
                 x-kubernetes-validations:
                 - message: privateKeyRef cannot be empty

config/crd/bases/rhtas.redhat.com_ctlogs.yaml

@@ -143,6 +143,22 @@ spec:
                   If it is unset, the operator will create new Merkle tree in the Trillian backend
                 format: int64
                 type: integer
+              trillian:
+                default:
+                  port: 8091
+                description: Trillian service configuration
+                properties:
+                  address:
+                    description: Address to Trillian Log Server End point
+                    type: string
+                  port:
+                    default: 8091
+                    description: Port of Trillian Log Server End point
+                    format: int32
+                    maximum: 65535
+                    minimum: 1
+                    type: integer
+                type: object
             type: object
             x-kubernetes-validations:
             - message: privateKeyRef cannot be empty

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -159,6 +159,22 @@ spec:
                       If it is unset, the operator will create new Merkle tree in the Trillian backend
                     format: int64
                     type: integer
+                  trillian:
+                    default:
+                      port: 8091
+                    description: Trillian service configuration
+                    properties:
+                      address:
+                        description: Address to Trillian Log Server End point
+                        type: string
+                      port:
+                        default: 8091
+                        description: Port of Trillian Log Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 type: object
                 x-kubernetes-validations:
                 - message: privateKeyRef cannot be empty

internal/controller/ctlog/actions/constants.go

@@ -12,4 +12,5 @@ const (
 	ServerTargetPort = 6962
 	MetricsPortName  = "metrics"
 	MetricsPort      = 6963
+	ServerCondition  = "ServerAvailable"
 )

internal/controller/ctlog/actions/deployment.go

@@ -10,6 +10,7 @@ import (
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/constants"
 	"github.com/securesign/operator/internal/controller/ctlog/utils"
+	trillian "github.com/securesign/operator/internal/controller/trillian/actions"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -40,6 +41,11 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
+	switch {
+	case instance.Spec.Trillian.Address == "":
+		instance.Spec.Trillian.Address = fmt.Sprintf("%s.%s.svc", trillian.LogserverDeploymentName, instance.Namespace)
+	}
+
 	dp, err := utils.CreateDeployment(instance, DeploymentName, RBACName, labels, ServerTargetPort, MetricsPort)
 	if err != nil {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{

internal/controller/ctlog/actions/resolve_tree.go

@@ -8,7 +8,8 @@ import (
 	"github.com/securesign/operator/internal/controller/common"
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/constants"
-	trillian2 "github.com/securesign/operator/internal/controller/trillian/actions"
+	"github.com/securesign/operator/internal/controller/ctlog/utils"
+	actions2 "github.com/securesign/operator/internal/controller/trillian/actions"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -60,11 +61,29 @@ func (i resolveTreeAction) Handle(ctx context.Context, instance *rhtasv1alpha1.C
 	}
 	var err error
 	var tree *trillian.Tree
-	trillUrl := fmt.Sprintf("%s.%s.svc:8091", trillian2.LogserverDeploymentName, instance.Namespace)
+	var trillUrl string
+
+	switch {
+	case instance.Spec.Trillian.Port == nil:
+		err = fmt.Errorf("%s: %v", i.Name(), utils.TrillianPortNotSpecified)
+	case instance.Spec.Trillian.Address == "":
+		trillUrl = fmt.Sprintf("%s.%s.svc:%d", actions2.LogserverDeploymentName, instance.Namespace, *instance.Spec.Trillian.Port)
+	default:
+		trillUrl = fmt.Sprintf("%s:%d", instance.Spec.Trillian.Address, *instance.Spec.Trillian.Port)
+	}
+	if err != nil {
+		return i.Failed(err)
+	}
 	i.Logger.V(1).Info("trillian logserver", "address", trillUrl)
 
 	tree, err = i.createTree(ctx, "ctlog-tree", trillUrl, constants.CreateTreeDeadline)
 	if err != nil {
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+			Type:    ServerCondition,
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.Failure,
+			Message: err.Error(),
+		})
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    constants.Ready,
 			Status:  metav1.ConditionFalse,

internal/controller/ctlog/actions/resolve_tree_test.go

@@ -9,6 +9,7 @@ import (
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/constants"
+	"github.com/securesign/operator/internal/controller/ctlog/utils"
 	"github.com/securesign/operator/internal/controller/trillian/actions"
 	testAction "github.com/securesign/operator/internal/testing/action"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -128,76 +129,82 @@ func TestResolveTree_Handle(t *testing.T) {
 			name: "create a new tree",
 			env: env{
 				spec: rhtasv1alpha1.CTlogSpec{
-					TreeID: nil,
+					TreeID:   nil,
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(8091)},
 				},
 				createTree: mockCreateTree(&trillian.Tree{TreeId: 5555555}, nil, nil),
 			},
 			want: want{
 				result: testAction.StatusUpdate(),
-				verify: func(g Gomega, rekor *rhtasv1alpha1.CTlog) {
-					g.Expect(rekor.Spec.TreeID).Should(BeNil())
-					g.Expect(rekor.Status.TreeID).ShouldNot(BeNil())
-					g.Expect(rekor.Status.TreeID).To(HaveValue(BeNumerically(">", 0)))
-					g.Expect(rekor.Status.TreeID).To(HaveValue(BeNumerically("==", 5555555)))
+				verify: func(g Gomega, ctlog *rhtasv1alpha1.CTlog) {
+					g.Expect(ctlog.Spec.TreeID).Should(BeNil())
+					g.Expect(ctlog.Status.TreeID).ShouldNot(BeNil())
+					g.Expect(ctlog.Status.TreeID).To(HaveValue(BeNumerically(">", 0)))
+					g.Expect(ctlog.Status.TreeID).To(HaveValue(BeNumerically("==", 5555555)))
 				},
 			},
 		},
 		{
 			name: "update tree",
 			env: env{
 				spec: rhtasv1alpha1.CTlogSpec{
-					TreeID: pointer.Int64(123456),
+					TreeID:   pointer.Int64(123456),
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(8091)},
 				},
 				statusTreeId: pointer.Int64(654321),
 			},
 			want: want{
 				result: testAction.StatusUpdate(),
-				verify: func(g Gomega, rekor *rhtasv1alpha1.CTlog) {
-					g.Expect(rekor.Spec.TreeID).ShouldNot(BeNil())
-					g.Expect(rekor.Status.TreeID).ShouldNot(BeNil())
-					g.Expect(rekor.Spec.TreeID).To(HaveValue(BeNumerically(">", 0)))
-					g.Expect(rekor.Spec.TreeID).To(HaveValue(BeNumerically("==", *rekor.Status.TreeID)))
+				verify: func(g Gomega, ctlog *rhtasv1alpha1.CTlog) {
+					g.Expect(ctlog.Spec.TreeID).ShouldNot(BeNil())
+					g.Expect(ctlog.Status.TreeID).ShouldNot(BeNil())
+					g.Expect(ctlog.Spec.TreeID).To(HaveValue(BeNumerically(">", 0)))
+					g.Expect(ctlog.Spec.TreeID).To(HaveValue(BeNumerically("==", *ctlog.Status.TreeID)))
 				},
 			},
 		},
 		{
 			name: "use tree from spec",
 			env: env{
 				spec: rhtasv1alpha1.CTlogSpec{
-					TreeID: pointer.Int64(123456),
+					TreeID:   pointer.Int64(123456),
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(8091)},
 				},
 			},
 			want: want{
 				result: testAction.StatusUpdate(),
-				verify: func(g Gomega, rekor *rhtasv1alpha1.CTlog) {
-					g.Expect(rekor.Spec.TreeID).ShouldNot(BeNil())
-					g.Expect(rekor.Status.TreeID).ShouldNot(BeNil())
-					g.Expect(rekor.Spec.TreeID).To(HaveValue(BeNumerically(">", 0)))
-					g.Expect(rekor.Spec.TreeID).To(HaveValue(BeNumerically("==", *rekor.Status.TreeID)))
-					g.Expect(rekor.Status.TreeID).To(HaveValue(BeNumerically("==", 123456)))
+				verify: func(g Gomega, ctlog *rhtasv1alpha1.CTlog) {
+					g.Expect(ctlog.Spec.TreeID).ShouldNot(BeNil())
+					g.Expect(ctlog.Status.TreeID).ShouldNot(BeNil())
+					g.Expect(ctlog.Spec.TreeID).To(HaveValue(BeNumerically(">", 0)))
+					g.Expect(ctlog.Spec.TreeID).To(HaveValue(BeNumerically("==", *ctlog.Status.TreeID)))
+					g.Expect(ctlog.Status.TreeID).To(HaveValue(BeNumerically("==", 123456)))
 				},
 			},
 		},
 		{
 			name: "unable to create a new tree",
 			env: env{
 				spec: rhtasv1alpha1.CTlogSpec{
-					TreeID: nil,
+					TreeID:   nil,
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(8091)},
 				},
 				createTree: mockCreateTree(nil, errors.New("timeout error"), nil),
 			},
 			want: want{
 				result: testAction.FailedWithStatusUpdate(fmt.Errorf("could not create trillian tree: timeout error")),
-				verify: func(g Gomega, rekor *rhtasv1alpha1.CTlog) {
-					g.Expect(rekor.Spec.TreeID).Should(BeNil())
-					g.Expect(rekor.Status.TreeID).Should(BeNil())
+				verify: func(g Gomega, ctlog *rhtasv1alpha1.CTlog) {
+					g.Expect(ctlog.Spec.TreeID).Should(BeNil())
+					g.Expect(ctlog.Status.TreeID).Should(BeNil())
 				},
 			},
 		},
 		{
 			name: "resolve trillian address",
 			env: env{
-				spec: rhtasv1alpha1.CTlogSpec{},
+				spec: rhtasv1alpha1.CTlogSpec{
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(8091)},
+				},
 				createTree: mockCreateTree(&trillian.Tree{TreeId: 5555555}, nil, func(displayName string, trillianURL string, deadline int64) {
 					g.Expect(trillianURL).Should(Equal(fmt.Sprintf("%s.%s.svc:%d", actions.LogserverDeploymentName, "default", 8091)))
 				}),
@@ -206,6 +213,31 @@ func TestResolveTree_Handle(t *testing.T) {
 				result: testAction.StatusUpdate(),
 			},
 		},
+		{
+			name: "custom trillian address",
+			env: env{
+				spec: rhtasv1alpha1.CTlogSpec{
+					Trillian: rhtasv1alpha1.TrillianService{Port: pointer.Int32(1234), Address: "custom-address.namespace.svc"},
+				},
+				createTree: mockCreateTree(&trillian.Tree{TreeId: 5555555}, nil, func(displayName string, trillianURL string, deadline int64) {
+					g.Expect(trillianURL).Should(Equal(fmt.Sprintf("custom-address.namespace.svc:%d", 1234)))
+				}),
+			},
+			want: want{
+				result: testAction.StatusUpdate(),
+			},
+		},
+		{
+			name: "trillian port not specified",
+			env: env{
+				spec: rhtasv1alpha1.CTlogSpec{
+					Trillian: rhtasv1alpha1.TrillianService{Port: nil},
+				},
+			},
+			want: want{
+				result: testAction.Failed(fmt.Errorf("resolve treeID: %v", utils.TrillianPortNotSpecified)),
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {