securesign · osmman · Feb 14, 2024 · Feb 9, 2024
diff --git a/Makefile b/Makefile
@@ -130,6 +130,10 @@ run: manifests generate fmt vet ## Run a controller from your host.
 docker-build: test ## Build docker image with the manager.
 	docker build . -t ${IMG}
 
+.PHONY: docker-build-skip-test
+docker-build-skip-test: ## Build docker image with the manager.
+	docker build . -t ${IMG}
+
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}

diff --git a/controllers/constants/labels.go b/controllers/constants/labels.go
@@ -2,15 +2,8 @@ package constants
 
 const (
 	LabelNamespace = "rhtas.redhat.com"
-	//DiscoverableByTUFKeyLabel = LabelNamespace + "/tuf-key"
-	TufLabelNamespace = "tuf." + LabelNamespace
 )
 
-func TufDiscoverableSecretLabel(name string, key string) map[string]string {
-	return map[string]string{
-		TufLabelNamespace + "/" + name: key,
-	}
-}
 func LabelsFor(component, name, instance string) map[string]string {
 	labels := LabelsForComponent(component, instance)
 	labels["app.kubernetes.io/name"] = name

diff --git a/controllers/ctlog/actions/generate_keys.go b/controllers/ctlog/actions/generate_keys.go
@@ -3,7 +3,6 @@ package actions
 import (
 	"context"
 	"fmt"
-	"maps"
 
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/controllers/common/action"
@@ -43,18 +42,13 @@ func (g generateKeys) Handle(ctx context.Context, instance *v1alpha1.CTlog) *act
 		return g.Failed(err)
 	}
 
-	secretLabels := map[string]string{
-		constants.TufLabelNamespace + "/ctfe.pub": "public",
-	}
-	maps.Copy(secretLabels, labels)
-
 	secretName := fmt.Sprintf(KeySecretNameFormat, instance.Name)
 
 	secret := k8sutils.CreateSecret(secretName, instance.Namespace,
 		map[string][]byte{
 			"private": config.PrivateKey,
 			"public":  config.PublicKey,
-		}, secretLabels)
+		}, labels)
 
 	if err = controllerutil.SetControllerReference(instance, secret, g.Client.Scheme()); err != nil {
 		return g.Failed(fmt.Errorf("could not set controller reference for Secret: %w", err))

diff --git a/controllers/ctlog/actions/handle_fulcio_root.go b/controllers/ctlog/actions/handle_fulcio_root.go
@@ -7,7 +7,7 @@ import (
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/controllers/common/action"
 	k8sutils "github.com/securesign/operator/controllers/common/utils/kubernetes"
-	"github.com/securesign/operator/controllers/constants"
+	"github.com/securesign/operator/controllers/fulcio/actions"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -29,23 +29,23 @@ func (g handleFulcioCert) CanHandle(instance *v1alpha1.CTlog) bool {
 
 func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog) *action.Result {
 
-	scr, err := k8sutils.FindSecret(ctx, g.Client, instance.Namespace, constants.TufLabelNamespace+"/fulcio_v1.crt.pem")
+	scr, err := k8sutils.FindSecret(ctx, g.Client, instance.Namespace, actions.FulcioCALabel)
 	if err != nil {
 		return g.Failed(err)
 	}
 	if scr == nil {
 		//TODO: add status condition - waiting for fulcio
 		return g.Requeue()
 	}
-	if scr.Data[scr.Labels[constants.TufLabelNamespace+"/fulcio_v1.crt.pem"]] == nil {
+	if scr.Data[scr.Labels[actions.FulcioCALabel]] == nil {
 		return g.Failed(fmt.Errorf("can't find fulcio certificate in provided secret"))
 	}
 
 	instance.Spec.RootCertificates = append(instance.Spec.RootCertificates, v1alpha1.SecretKeySelector{
 		LocalObjectReference: v1.LocalObjectReference{
 			Name: scr.Name,
 		},
-		Key: scr.Labels[constants.TufLabelNamespace+"/fulcio_v1.crt.pem"],
+		Key: scr.Labels[actions.FulcioCALabel],
 	})
 	return g.Update(ctx, instance)
 }
diff --git a/controllers/ctlog/actions/servrConfig.go → controllers/ctlog/actions/serverConfig.go b/controllers/ctlog/actions/servrConfig.go → controllers/ctlog/actions/serverConfig.go
@@ -3,6 +3,7 @@ package actions
 import (
 	"context"
 	"fmt"
+	"maps"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/controllers/common/action"
@@ -17,6 +18,7 @@ import (
 )
 
 const ConfigSecretNameFormat = "ctlog-%s-config"
+const CTLLabel = constants.LabelNamespace + "/ctfe.pub"
 
 func NewServerConfigAction() action.Action[rhtasv1alpha1.CTlog] {
 	return &serverConfig{}
@@ -58,8 +60,13 @@ func (i serverConfig) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog)
 	}
 
 	var config *corev1.Secret
+	secretLabels := map[string]string{
+		CTLLabel: "public",
+	}
+	maps.Copy(secretLabels, labels)
+
 	//TODO: the config is generated in every reconcile loop rotation - it can cause performance issues
-	if config, err = ctlogUtils.CreateCtlogConfig(ctx, instance.Namespace, trillUrl+":8091", *instance.Spec.TreeID, rootCerts, labels, certConfig); err != nil {
+	if config, err = ctlogUtils.CreateCtlogConfig(ctx, instance.Namespace, trillUrl+":8091", *instance.Spec.TreeID, rootCerts, secretLabels, certConfig); err != nil {
 		instance.Status.Phase = rhtasv1alpha1.PhaseError
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create CTLog configuration: %w", err), instance)
 	}

diff --git a/controllers/ctlog/ctlog_controller_test.go b/controllers/ctlog/ctlog_controller_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/securesign/operator/controllers/common/utils/kubernetes"
 	"github.com/securesign/operator/controllers/constants"
 	"github.com/securesign/operator/controllers/ctlog/actions"
+	fulcio "github.com/securesign/operator/controllers/fulcio/actions"
 	trillian "github.com/securesign/operator/controllers/trillian/actions"
 	"k8s.io/apimachinery/pkg/api/errors"
 
@@ -125,7 +126,7 @@ var _ = Describe("CTlog controller", func() {
 			By("Creating fulcio root cert")
 			Expect(k8sClient.Create(ctx, kubernetes.CreateSecret("test", Namespace,
 				map[string][]byte{"cert": []byte("fakeCert")},
-				map[string]string{constants.TufLabelNamespace + "/fulcio_v1.crt.pem": "cert"},
+				map[string]string{fulcio.FulcioCALabel: "cert"},
 			))).To(Succeed())
 
 			Eventually(func() v1alpha1.Phase {

diff --git a/controllers/fulcio/actions/generate_cert.go b/controllers/fulcio/actions/generate_cert.go
@@ -21,6 +21,7 @@ import (
 )
 
 const SecretNameFormat = "fulcio-%s-cert"
+const FulcioCALabel = constants.LabelNamespace + "/fulcio_v1.crt.pem"
 
 func NewGenerateCertAction() action.Action[v1alpha1.Fulcio] {
 	return &generateCert{}
@@ -65,9 +66,8 @@ func (g generateCert) Handle(ctx context.Context, instance *v1alpha1.Fulcio) *ac
 
 	labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name)
 
-	// TODO: tturek
 	secretLabels := map[string]string{
-		constants.TufLabelNamespace + "/fulcio_v1.crt.pem": "cert",
+		FulcioCALabel: "cert",
 	}
 	maps.Copy(secretLabels, labels)
 

diff --git a/controllers/rekor/actions/server/generate_signer.go b/controllers/rekor/actions/server/generate_signer.go
@@ -19,7 +19,7 @@ import (
 
 const SecretNameFormat = "rekor-%s-signer"
 
-const RekorPubLabel = constants.TufLabelNamespace + "/rekor.pub"
+const RekorPubLabel = constants.LabelNamespace + "/rekor.pub"
 
 func NewGenerateSignerAction() action.Action[v1alpha1.Rekor] {
 	return &generateSigner{}

diff --git a/controllers/rekor/actions/server/resolve_pub_key.go b/controllers/rekor/actions/server/resolve_pub_key.go
@@ -14,7 +14,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
@@ -35,18 +34,19 @@ func (i resolvePubKeyAction) Name() string {
 }
 
 func (i resolvePubKeyAction) CanHandle(instance *rhtasv1alpha1.Rekor) bool {
-	return instance.Status.Phase != rhtasv1alpha1.PhaseInitialize
+	return instance.Status.Phase == rhtasv1alpha1.PhaseInitialize
 }
 
 func (i resolvePubKeyAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result {
 	var (
-		err error
+		err     error
+		updated bool
 	)
-	secrets, err := i.findSecret(ctx, instance.Namespace)
+	secret, err := k8sutils.FindSecret(ctx, i.Client, instance.Namespace, RekorPubLabel)
 	if err != nil {
 		return i.Failed(err)
 	}
-	if len(secrets.Items) > 0 {
+	if secret != nil {
 		return i.Continue()
 	}
 
@@ -55,18 +55,19 @@ func (i resolvePubKeyAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		return i.Failed(err)
 	}
 
+	keyName := "public"
 	secretName := fmt.Sprintf(pubSecretNameFormat, instance.Name)
 	labels := constants.LabelsFor(actions.ServerComponentName, secretName, instance.Name)
-	labels[RekorPubLabel] = "public"
+	labels[RekorPubLabel] = keyName
 
-	secret := k8sutils.CreateSecret(secretName, instance.Namespace,
+	scr := k8sutils.CreateSecret(secretName, instance.Namespace,
 		map[string][]byte{
-			"public": key,
+			keyName: key,
 		}, labels)
-	if err = controllerutil.SetControllerReference(instance, secret, i.Client.Scheme()); err != nil {
+	if err = controllerutil.SetControllerReference(instance, scr, i.Client.Scheme()); err != nil {
 		return i.Failed(fmt.Errorf("could not set controller reference for Secret: %w", err))
 	}
-	if _, err = i.Ensure(ctx, secret); err != nil {
+	if updated, err = i.Ensure(ctx, scr); err != nil {
 		instance.Status.Phase = rhtasv1alpha1.PhaseError
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:    string(rhtasv1alpha1.PhaseReady),
@@ -76,15 +77,12 @@ func (i resolvePubKeyAction) Handle(ctx context.Context, instance *rhtasv1alpha1
 		})
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not create secret: %w", err), instance)
 	}
+	if updated {
+		i.Recorder.Event(instance, v1.EventTypeNormal, "PublicKeySecretCreated", "New Rekor public key created: "+scr.Name)
+	}
 	return i.Continue()
 }
 
-func (i resolvePubKeyAction) findSecret(ctx context.Context, namespace string) (*v1.SecretList, error) {
-	list := &v1.SecretList{}
-	err := i.Client.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{RekorPubLabel: "public"})
-	return list, err
-}
-
 func (i resolvePubKeyAction) resolvePubKey(instance rhtasv1alpha1.Rekor) ([]byte, error) {
 	var (
 		pubKeyResponse *http.Response

diff --git a/controllers/tuf/actions/generate_cert.go b/controllers/tuf/actions/generate_cert.go
@@ -104,7 +104,7 @@ func (i pendingAction) handleKey(ctx context.Context, instance *rhtasv1alpha1.Tu
 }
 
 func (i pendingAction) discoverSecret(ctx context.Context, namespace string, key *rhtasv1alpha1.TufKey) (*rhtasv1alpha1.SecretKeySelector, error) {
-	labelName := constants.TufLabelNamespace + "/" + key.Name
+	labelName := constants.LabelNamespace + "/" + key.Name
 	s, err := k8sutils.FindSecret(ctx, i.Client, namespace, labelName)
 	if err != nil {
 		return nil, err

diff --git a/controllers/tuf/tuf_controller_test.go b/controllers/tuf/tuf_controller_test.go
@@ -141,10 +141,10 @@ var _ = Describe("TUF controller", func() {
 
 			By("Creating ctlog secret with public key")
 			secretLabels := map[string]string{
-				constants.TufLabelNamespace + "/ctfe.pub": "public",
+				constants.LabelNamespace + "/ctfe.pub": "public",
 			}
 			maps.Copy(secretLabels, constants.LabelsFor(actions2.ComponentName, actions2.ComponentName, actions2.ComponentName))
-			_ = k8sClient.Create(ctx, kubernetes.CreateSecret("ctlog", typeNamespaceName.Namespace, map[string][]byte{
+			_ = k8sClient.Create(ctx, kubernetes.CreateSecret("ctlog-test", typeNamespaceName.Namespace, map[string][]byte{
 				"public": []byte("secret"),
 			}, secretLabels))