Add TLS to Rekor and Trillian services

api/v1alpha1/common.go

@@ -90,3 +90,17 @@ type Pvc struct {
 	//+optional
 	StorageClass string `json:"storageClass,omitempty"`
 }
+
+// TLSCert defines fields for TLS certificate
+// +kubebuilder:validation:XValidation:rule=(!has(self.certRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
+type TLSCert struct {
+	// Reference to the private key
+	//+optional
+	PrivateKeyRef *SecretKeySelector `json:"privateKeyRef,omitempty"`
+	// Reference to service certificate
+	//+optional
+	CertRef *SecretKeySelector `json:"certRef,omitempty"`
+	// Reference to CA certificate
+	//+optional
+	CACertRef *LocalObjectReference `json:"CACertRef,omitempty"`
+}

api/v1alpha1/ctlog_types.go

@@ -38,6 +38,10 @@ type CTlogSpec struct {
 
 	//Enable Service monitors for ctlog
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
+
+	// Reference to TLS server certificate, private key and CA certificate
+	//+optional
+	TLSCertificate TLSCert `json:"tls"`
 }
 
 // CTlogStatus defines the observed state of CTlog component
@@ -47,6 +51,7 @@ type CTlogStatus struct {
 	PrivateKeyPasswordRef *SecretKeySelector    `json:"privateKeyPasswordRef,omitempty"`
 	PublicKeyRef          *SecretKeySelector    `json:"publicKeyRef,omitempty"`
 	RootCertificates      []SecretKeySelector   `json:"rootCertificates,omitempty"`
+	TLSCertificate        *TLSCert              `json:"tls,omitempty"`
 	// The ID of a Trillian tree that stores the log data.
 	TreeID *int64 `json:"treeID,omitempty"`
 	// +listType=map

api/v1alpha1/ctlog_types_test.go

@@ -130,6 +130,16 @@ var _ = Describe("CTlog", func() {
 									},
 								},
 							},
+							TLSCertificate: TLSCert{
+								CertRef: &SecretKeySelector{
+									Key:                  "cert",
+									LocalObjectReference: LocalObjectReference{Name: "secret"},
+								},
+								PrivateKeyRef: &SecretKeySelector{
+									Key:                  "key",
+									LocalObjectReference: LocalObjectReference{Name: "secret"},
+								},
+							},
 						},
 					}
 

api/v1alpha1/fulcio_types.go

@@ -26,6 +26,9 @@ type FulcioSpec struct {
 	// ConfigMap with additional bundle of trusted CA
 	//+optional
 	TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
+	// Reference to TLS server certificate, private key and CA certificate
+	//+optional
+	TLSCertificate TLSCert `json:"tls"`
 }
 
 // FulcioCert defines fields for system-generated certificate
@@ -101,6 +104,7 @@ type OIDCIssuer struct {
 type FulcioStatus struct {
 	ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
 	Certificate     *FulcioCert           `json:"certificate,omitempty"`
+	TLSCertificate  *TLSCert              `json:"tls,omitempty"`
 	Url             string                `json:"url,omitempty"`
 	// +listType=map
 	// +listMapKey=type

api/v1alpha1/fulcio_types_test.go

@@ -209,10 +209,16 @@ var _ = Describe("Fulcio", func() {
 								PrivateKeyRef:         &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 								PrivateKeyPasswordRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
 							},
+
 							Ctlog: CtlogService{
 								Address: "ctlog.default.svc",
 								Port:    &port,
 							},
+							TLSCertificate: TLSCert{
+								CertRef:       &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
+								PrivateKeyRef: &SecretKeySelector{Key: "key", LocalObjectReference: LocalObjectReference{Name: "name"}},
+								CACertRef:     &LocalObjectReference{Name: "ca-configmap"},
+							},
 						},
 					}
 
@@ -260,6 +266,17 @@ func generateFulcioObject(name string) *Fulcio {
 				CommonName:       "hostname",
 				OrganizationName: "organization",
 			},
+			TLSCertificate: TLSCert{
+				CertRef: &SecretKeySelector{
+					Key:                  "cert",
+					LocalObjectReference: LocalObjectReference{Name: "secret"},
+				},
+				PrivateKeyRef: &SecretKeySelector{
+					Key:                  "key",
+					LocalObjectReference: LocalObjectReference{Name: "secret"},
+				},
+				CACertRef: &LocalObjectReference{Name: "ca-configmap"},
+			},
 		},
 	}
 }

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -192,7 +192,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:a21f7128694a64989bf0d84a7a7da4c1ffc89edf62d594dc8bea7bcfe9ac08d3
-    createdAt: "2024-07-03T12:24:03Z"
+    createdAt: "2024-07-04T14:29:12Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/rhtas.redhat.com_ctlogs.yaml

@@ -137,6 +137,62 @@ spec:
                   type: object
                   x-kubernetes-map-type: atomic
                 type: array
+              tls:
+                description: Reference to TLS server certificate, private key and
+                  CA certificate
+                properties:
+                  CACertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: |-
                   The ID of a Trillian tree that stores the log data.
@@ -312,6 +368,61 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              tls:
+                description: TLSCert defines fields for TLS certificate
+                properties:
+                  CACertRef:
+                    description: Reference to CA certificate
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  certRef:
+                    description: Reference to service certificate
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  privateKeyRef:
+                    description: Reference to the private key
+                    properties:
+                      key:
+                        description: The key of the secret to select from. Must be
+                          a valid secret key.
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: privateKeyRef cannot be empty
+                  rule: (!has(self.certRef) || has(self.privateKeyRef))
               treeID:
                 description: The ID of a Trillian tree that stores the log data.
                 format: int64