[SECURESIGN-994] Add TLS to Rekor and Trillian services #493

Open
wants to merge 34 commits into base: main

34 commits
33083c2
Add TLS to Rekor and Trillian services
fghanmi Jul 9, 2024
f48f6e5
updates tls e2e
fghanmi Jul 9, 2024
78faaa2
updates
fghanmi Aug 5, 2024
81eeeb1
updates: Create Tree Jobs, enable TLS on Trillian, Rekor and Ctlog
fghanmi Aug 8, 2024
8268ca5
update
fghanmi Aug 8, 2024
6fabfd8
fix lint
fghanmi Aug 8, 2024
b018066
updates
fghanmi Aug 8, 2024
c7dd2ee
update e2e
fghanmi Aug 8, 2024
cd12c14
make API_SERVER generic
fghanmi Aug 8, 2024
e149cff
updates(images+ctlog cm)
fghanmi Aug 8, 2024
b1b428d
test operator image
fghanmi Aug 8, 2024
752d860
remove tls e2e
fghanmi Aug 8, 2024
a546376
update
fghanmi Aug 8, 2024
9515212
update api/v1alpha1/common.go
fghanmi Aug 9, 2024
bd5435e
updates
fghanmi Aug 17, 2024
d46f495
review updates
fghanmi Aug 21, 2024
5f73e75
fix conflicts
fghanmi Aug 21, 2024
c7d4f69
improve resolve_tree
fghanmi Aug 28, 2024
aef2cf9
update: create_tree
fghanmi Aug 31, 2024
467e3cf
add CREATE_TREE_IMAGE var to manager cli
fghanmi Sep 2, 2024
dba5a13
solve conflicts, updates
fghanmi Sep 11, 2024
93191cb
solve conflicts
fghanmi Sep 11, 2024
c512c85
fix comments
fghanmi Sep 12, 2024
128470e
remove unused comment
fghanmi Sep 12, 2024
d55f915
fix typo
fghanmi Sep 12, 2024
03d0bf2
update manifests
fghanmi Sep 12, 2024
1dc5287
updates
fghanmi Sep 12, 2024
a8248c7
updates
fghanmi Sep 12, 2024
c97bae3
remove unused changes
fghanmi Sep 13, 2024
76c0b08
remove unused changes
fghanmi Sep 13, 2024
98cc6b4
updates: reviews
fghanmi Sep 13, 2024
b6cf949
updates2: reviews
fghanmi Sep 13, 2024
cab998c
generic create_tree_job
fghanmi Sep 14, 2024
25f265b
enhance useTLS
fghanmi Sep 18, 2024
5 changes: 5 additions & 0 deletions api/v1alpha1/ctlog_types.go
@@ -48,6 +48,10 @@ type CTlogSpec struct {
// publicKeyRef, rootCertificates and trillian will be overridden.
//+optional
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`

Collaborator: CTLog is part of #492, can you remove CTLog changes from this PR?

Contributor Author: done, but I kept TrustedCA, which is used by CTlog to communicate with trillian server that has TLS enabled.

// ConfigMap with additional bundle of trusted CA
//+optional
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
}

// CTlogStatus defines the observed state of CTlog component
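Review bot: The doc comment on the new `TrustedCA` field (`// ConfigMap with additional bundle of trusted CA`) does not say what the bundle is trusted for; per the reply in this thread it is the CA that CTlog uses to verify the Trillian log server's TLS certificate, so say that in the comment, since this text becomes the `trustedCA` description in the generated CRDs and is what an operator reads when deciding which CA to put there.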
Expand All @@ -57,6 +61,7 @@ type CTlogStatus struct {
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
// The ID of a Trillian tree that stores the log data.
// +kubebuilder:validation:Type=number
TreeID *int64 `json:"treeID,omitempty"`
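Review bot: `TrustedCA` in `CTlogStatus` is added with no doc comment, so the generated ctlogs CRD in this PR falls back to the generic `LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.` text for the status `trustedCA` description, unlike the spec field. Add a comment such as `// ConfigMap with the trusted CA bundle currently in use` so the status description is meaningful.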
3 changes: 3 additions & 0 deletions api/v1alpha1/rekor_types.go
@@ -39,6 +39,9 @@ type RekorSpec struct {
// +patchMergeKey=treeID
// +kubebuilder:default:={}
Sharding []RekorLogRange `json:"sharding,omitempty"`
// ConfigMap with additional bundle of trusted CA
//+optional
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
}

type RekorSigner struct {
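Review bot: Parity with ctlog_types.go is missing here: `CTlogStatus` gains a `TrustedCA` field mirroring its spec, but `RekorStatus` does not (the rekors CRD diff in this PR touches only `spec`). Either add the status field so the bundle Rekor is actually running with is recorded, or note why Rekor does not need it.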
11 changes: 10 additions & 1 deletion api/v1alpha1/trillian_types.go
@@ -27,6 +27,8 @@ type TrillianSpec struct {
//+kubebuilder:validation:XValidation:rule=((!self.create && self.databaseSecretRef != null) || self.create),message=databaseSecretRef cannot be empty
//+kubebuilder:default:={create: true, pvc: {size: "5Gi", retain: true, accessModes: {ReadWriteOnce}}}
Db TrillianDB `json:"database,omitempty"`
//+optional
Server TrillianServer `json:"server,omitempty"`
// Enable Monitoring for Logsigner and Logserver
Monitoring MonitoringConfig `json:"monitoring,omitempty"`
// ConfigMap with additional bundle of trusted CA
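Review bot: `Server TrillianServer` is added with only `//+optional` and no doc comment, while `Db` and `Monitoring` beside it are documented; as a result the `server:` property in the generated trillians and securesigns CRDs below has no `description` at all. Add a one-line comment (for example `// Configuration of the Trillian log server`) so it is regenerated into both manifests.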
@@ -55,9 +57,16 @@ type TrillianDB struct {
TLS TLS `json:"tls,omitempty"`
}

type TrillianServer struct {
// Configuration for enabling TLS (Transport Layer Security) encryption for Trillian server.
//+optional
TLS TLS `json:"tls,omitempty"`
}

// TrillianStatus defines the observed state of Trillian
type TrillianStatus struct {
Db TrillianDB `json:"database,omitempty"`
Db TrillianDB `json:"database,omitempty"`
Server TrillianServer `json:"server,omitempty"`
// +listType=map
// +listMapKey=type
// +patchStrategy=merge
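Review bot: `type TrillianServer struct` has no type-level doc comment, unlike `// TrillianStatus defines the observed state of Trillian` directly below it; add one for consistency with the other types in this file. Separately, the `Db TrillianDB` line is removed and re-added with only its alignment changed (gofmt after `Server` was inserted), which is harmless but worth a word in the commit message so reviewers do not look for a semantic change there.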
33 changes: 33 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

26 changes: 26 additions & 0 deletions bundle/manifests/rhtas.redhat.com_ctlogs.yaml
@@ -174,6 +174,18 @@ spec:
minimum: 1
type: integer
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
@@ -347,6 +359,20 @@ spec:
description: The ID of a Trillian tree that stores the log data.
format: int64
type: number
trustedCA:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
type: object
served: true
12 changes: 12 additions & 0 deletions bundle/manifests/rhtas.redhat.com_rekors.yaml
@@ -278,6 +278,18 @@ spec:
minimum: 1
type: integer
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
status:
description: RekorStatus defines the observed state of Rekor
73 changes: 73 additions & 0 deletions bundle/manifests/rhtas.redhat.com_securesigns.yaml
@@ -190,6 +190,18 @@ spec:
minimum: 1
type: integer
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
@@ -686,6 +698,18 @@ spec:
minimum: 1
type: integer
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- name
type: object
x-kubernetes-map-type: atomic
type: object
trillian:
description: TrillianSpec defines the desired state of Trillian
@@ -842,6 +866,55 @@ spec:
required:
- enabled
type: object
server:
properties:
tls:
description: Configuration for enabling TLS (Transport Layer
Security) encryption for Trillian server.
properties:
certificateRef:
description: Reference to the certificate secret used
for TLS encryption.
properties:
key:
description: The key of the secret to select from.
Must be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used
for TLS encryption.
properties:
key:
description: The key of the secret to select from.
Must be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
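Review bot: The `x-kubernetes-validations` rule `(!has(self.certificateRef) || has(self.privateKeyRef))` is one-directional: a `privateKeyRef` given without a `certificateRef` passes validation, and the message `privateKeyRef cannot be empty` never fires for that case. If the intent is that both references are set together or neither, make the rule symmetric, for example `has(self.certificateRef) == has(self.privateKeyRef)`, with a message that covers both directions. This block is generated, so the change belongs in the Go source the CRDs are built from, so that the trillians CRD picks it up as well.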
98 changes: 98 additions & 0 deletions bundle/manifests/rhtas.redhat.com_trillians.yaml
@@ -195,6 +195,55 @@ spec:
required:
- enabled
type: object
server:
properties:
tls:
description: Configuration for enabling TLS (Transport Layer Security)
encryption for Trillian server.
properties:
certificateRef:
description: Reference to the certificate secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
type: object
trustedCA:
description: ConfigMap with additional bundle of trusted CA
properties:
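Review bot: Server TLS is enabled implicitly by the presence of `certificateRef` and `privateKeyRef`, whereas the adjacent `monitoring` block uses an explicit flag (`required: - enabled` just above this hunk); the `tls` description should say so (for example "TLS is enabled when certificateRef and privateKeyRef are set"), and the two ref descriptions should state what the secret data must contain (PEM-encoded certificate, or chain, and private key), since "Reference to the certificate secret used for TLS encryption." leaves the expected format to guesswork.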
@@ -410,6 +459,55 @@ spec:
required:
- create
type: object
server:
properties:
tls:
description: Configuration for enabling TLS (Transport Layer Security)
encryption for Trillian server.
properties:
certificateRef:
description: Reference to the certificate secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
privateKeyRef:
description: Reference to the private key secret used for
TLS encryption.
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
required:
- key
- name
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: privateKeyRef cannot be empty
rule: (!has(self.certificateRef) || has(self.privateKeyRef))
type: object
type: object
type: object
served: true
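Review bot: The same `x-kubernetes-validations` rule and `privateKeyRef cannot be empty` message are repeated under `status.server.tls`. The status subresource is written by the operator, not by users, so a validation rule there only adds a failure path for status updates (for instance an operator that records the certificate reference before the key reference). Consider whether the marker should apply to the status copy at all, or whether `TrillianStatus.Server` should use a status-specific type without it.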