feat: Default TLS encryption on Trillian services

README.md

@@ -63,19 +63,6 @@ make run
 ```
 NOTE: You can also run this in one step by running: make install run
 
-#### Port-forward service(s)
-After installation of your resource(s), you will need to allow the locally running operator to the internal service(s).
-This workaround is needed because the trillian server use insecure RPC protocol for communication with others.
-Currently, it is not possible to route insecure GRPC outside the cluster so the local deployment rely on port-forward.
-
-##### Procedure
-Install your CR and wait until the operator log prints
-```
-Operator is running on localhost. You need to port-forward services.
-Execute `oc port-forward service/trillian-logserver 8091 8091` in your namespace to continue.
-```
-Then execute the command as is written `oc port-forward service/trillian-logserver 8091 8091`
-
 ## EKS deployment
 It is possible to run RHTAS on EKS. If image building and signing all occurs within the cluster Ingress and Certifcates are not required. However, this will make it difficult to verify the image signatures from outside the cluster. It is highly suggested to deploy with Ingress and Certificates in place.
 

api/v1alpha1/ctlog_types.go

@@ -101,3 +101,13 @@ func (i *CTlog) GetConditions() []metav1.Condition {
 func (i *CTlog) SetCondition(newCondition metav1.Condition) {
 	meta.SetStatusCondition(&i.Status.Conditions, newCondition)
 }
+
+func (i *CTlog) GetTrustedCA() *LocalObjectReference {
+	if v, ok := i.GetAnnotations()["rhtas.redhat.com/trusted-ca"]; ok {
+		return &LocalObjectReference{
+			Name: v,
+		}
+	}
+
+	return nil
+}

api/v1alpha1/fulcio_types.go

@@ -144,3 +144,17 @@ func (i *Fulcio) GetConditions() []metav1.Condition {
 func (i *Fulcio) SetCondition(newCondition metav1.Condition) {
 	meta.SetStatusCondition(&i.Status.Conditions, newCondition)
 }
+
+func (i *Fulcio) GetTrustedCA() *LocalObjectReference {
+	if i.Spec.TrustedCA != nil {
+		return i.Spec.TrustedCA
+	}
+
+	if v, ok := i.GetAnnotations()["rhtas.redhat.com/trusted-ca"]; ok {
+		return &LocalObjectReference{
+			Name: v,
+		}
+	}
+
+	return nil
+}

api/v1alpha1/rekor_types.go

@@ -39,6 +39,9 @@ type RekorSpec struct {
 	// +patchMergeKey=treeID
 	// +kubebuilder:default:={}
 	Sharding []RekorLogRange `json:"sharding,omitempty"`
+	// ConfigMap with additional bundle of trusted CA
+	//+optional
+	TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
 }
 
 type RekorSigner struct {
@@ -164,3 +167,17 @@ func (i *Rekor) GetConditions() []metav1.Condition {
 func (i *Rekor) SetCondition(newCondition metav1.Condition) {
 	meta.SetStatusCondition(&i.Status.Conditions, newCondition)
 }
+
+func (i *Rekor) GetTrustedCA() *LocalObjectReference {
+	if i.Spec.TrustedCA != nil {
+		return i.Spec.TrustedCA
+	}
+
+	if v, ok := i.GetAnnotations()["rhtas.redhat.com/trusted-ca"]; ok {
+		return &LocalObjectReference{
+			Name: v,
+		}
+	}
+
+	return nil
+}

api/v1alpha1/timestampauthority_types.go

@@ -208,3 +208,17 @@ type TimestampAuthorityList struct {
 func init() {
 	SchemeBuilder.Register(&TimestampAuthority{}, &TimestampAuthorityList{})
 }
+
+func (i *TimestampAuthority) GetTrustedCA() *LocalObjectReference {
+	if i.Spec.TrustedCA != nil {
+		return i.Spec.TrustedCA
+	}
+
+	if v, ok := i.GetAnnotations()["rhtas.redhat.com/trusted-ca"]; ok {
+		return &LocalObjectReference{
+			Name: v,
+		}
+	}
+
+	return nil
+}

api/v1alpha1/trillian_types.go

@@ -29,6 +29,9 @@ type TrillianSpec struct {
 	Db TrillianDB `json:"database,omitempty"`
 	// Enable Monitoring for Logsigner and Logserver
 	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
+	// Configuration for enabling TLS (Transport Layer Security) encryption for manged log-server and log-signer services.
+	//+optional
+	TLS TLS `json:"tls,omitempty"`
 	// ConfigMap with additional bundle of trusted CA
 	//+optional
 	TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
@@ -58,6 +61,9 @@ type TrillianDB struct {
 // TrillianStatus defines the observed state of Trillian
 type TrillianStatus struct {
 	Db TrillianDB `json:"database,omitempty"`
+	// Configuration for enabling TLS (Transport Layer Security) encryption for manged log-server and log-signer services.
+	//+optional
+	TLS TLS `json:"tls,omitempty"`
 	// +listType=map
 	// +listMapKey=type
 	// +patchStrategy=merge
@@ -99,3 +105,17 @@ func (i *Trillian) GetConditions() []metav1.Condition {
 func (i *Trillian) SetCondition(newCondition metav1.Condition) {
 	meta.SetStatusCondition(&i.Status.Conditions, newCondition)
 }
+
+func (i *Trillian) GetTrustedCA() *LocalObjectReference {
+	if i.Spec.TrustedCA != nil {
+		return i.Spec.TrustedCA
+	}
+
+	if v, ok := i.GetAnnotations()["rhtas.redhat.com/trusted-ca"]; ok {
+		return &LocalObjectReference{
+			Name: v,
+		}
+	}
+
+	return nil
+}

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -297,7 +297,7 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: registry.redhat.io/rhtas/rhtas-rhel9-operator@sha256:52ba6cd82bc400a08c6f89811e8086126596a873b9b12619de8c5064a2d4faf7
-    createdAt: "2025-01-16T14:07:22Z"
+    createdAt: "2025-02-20T12:46:27Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -309,7 +309,7 @@ metadata:
     features.operators.openshift.io/token-auth-azure: "false"
     features.operators.openshift.io/token-auth-gcp: "false"
     operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.37.0
+    operators.operatorframework.io/builder: operator-sdk-v1.39.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     repository: https://github.com/securesign/secure-sign-operator
     support: Red Hat
@@ -900,6 +900,8 @@ spec:
                   value: registry.redhat.io/rhtas/trillian-database-rhel9@sha256:501612745e63e5504017079388bec191ffacf00ffdebde7be6ca5b8e4fd9d323
                 - name: RELATED_IMAGE_TRILLIAN_NETCAT
                   value: registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7
+                - name: RELATED_IMAGE_TRILLIAN_CREATE_TREE
+                  value: registry.redhat.io/rhtas/createtree-rhel9@sha256:f66a707e68fb0cdcfcddc318407fe60d72f50a7b605b5db55743eccc14a422ba
                 - name: RELATED_IMAGE_FULCIO_SERVER
                   value: registry.redhat.io/rhtas/fulcio-rhel9@sha256:4b5765bbfd3dac5fa027d2fb3d672b6ebffbc573b9413ab4cb189c50fa6f9a09
                 - name: RELATED_IMAGE_REKOR_REDIS
@@ -1037,6 +1039,8 @@ spec:
     name: trillian-db
   - image: registry.redhat.io/openshift4/ose-tools-rhel8@sha256:486b4d2dd0d10c5ef0212714c94334e04fe8a3d36cf619881986201a50f123c7
     name: trillian-netcat
+  - image: registry.redhat.io/rhtas/createtree-rhel9@sha256:f66a707e68fb0cdcfcddc318407fe60d72f50a7b605b5db55743eccc14a422ba
+    name: trillian-create-tree
   - image: registry.redhat.io/rhtas/fulcio-rhel9@sha256:4b5765bbfd3dac5fa027d2fb3d672b6ebffbc573b9413ab4cb189c50fa6f9a09
     name: fulcio-server
   - image: registry.redhat.io/rhtas/trillian-redis-rhel9@sha256:18820b1fbdbc2cc3e917822974910332d937b03cfe781628bd986fd6a5ee318e

bundle/manifests/rhtas-related-images_v1_configmap.yaml

@@ -10,6 +10,7 @@ data:
   RELATED_IMAGE_REKOR_SERVER: registry.redhat.io/rhtas/rekor-server-rhel9@sha256:81e10e34f02b21bb8295e7b5c93797fc8c0e43a1a0d8304cca1b07415a3ed6f5
   RELATED_IMAGE_SEGMENT_REPORTING: registry.redhat.io/rhtas/segment-reporting-rhel9@sha256:1b87ff1ad02c476c08e06038a26af7abe61f177e491a9ff42d507550a8587ac8
   RELATED_IMAGE_TIMESTAMP_AUTHORITY: registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:fce0a22c8872309554236bab3457715dda0a83eb40dc6a9ecd3477b8023369d0
+  RELATED_IMAGE_TRILLIAN_CREATE_TREE: registry.redhat.io/rhtas/createtree-rhel9@sha256:f66a707e68fb0cdcfcddc318407fe60d72f50a7b605b5db55743eccc14a422ba
   RELATED_IMAGE_TRILLIAN_DB: registry.redhat.io/rhtas/trillian-database-rhel9@sha256:501612745e63e5504017079388bec191ffacf00ffdebde7be6ca5b8e4fd9d323
   RELATED_IMAGE_TRILLIAN_LOG_SERVER: registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:7af78c7bc4df097ffeeef345f1d13289695f715221957579ee65daeef2fa3f5b
   RELATED_IMAGE_TRILLIAN_LOG_SIGNER: registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:2d707d12e4f65e1a92b4de11465a5976d55e15ad6c9fefe994646ccd44c83840

bundle/manifests/rhtas.redhat.com_rekors.yaml

@@ -300,6 +300,18 @@ spec:
                     minimum: 1
                     type: integer
                 type: object
+              trustedCA:
+                description: ConfigMap with additional bundle of trusted CA
+                properties:
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                required:
+                - name
+                type: object
+                x-kubernetes-map-type: atomic
             type: object
           status:
             description: RekorStatus defines the observed state of Rekor

bundle/manifests/rhtas.redhat.com_securesigns.yaml

@@ -710,6 +710,18 @@ spec:
                         minimum: 1
                         type: integer
                     type: object
+                  trustedCA:
+                    description: ConfigMap with additional bundle of trusted CA
+                    properties:
+                      name:
+                        description: |-
+                          Name of the referent.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    required:
+                    - name
+                    type: object
+                    x-kubernetes-map-type: atomic
                 type: object
               trillian:
                 description: TrillianSpec defines the desired state of Trillian
@@ -866,6 +878,52 @@ spec:
                     required:
                     - enabled
                     type: object
+                  tls:
+                    description: Configuration for enabling TLS (Transport Layer Security)
+                      encryption for manged log-server and log-signer services.
+                    properties:
+                      certificateRef:
+                        description: Reference to the certificate secret used for
+                          TLS encryption.
+                        properties:
+                          key:
+                            description: The key of the secret to select from. Must
+                              be a valid secret key.
+                            pattern: ^[-._a-zA-Z0-9]+$
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      privateKeyRef:
+                        description: Reference to the private key secret used for
+                          TLS encryption.
+                        properties:
+                          key:
+                            description: The key of the secret to select from. Must
+                              be a valid secret key.
+                            pattern: ^[-._a-zA-Z0-9]+$
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                        required:
+                        - key
+                        - name
+                        type: object
+                        x-kubernetes-map-type: atomic
+                    type: object
+                    x-kubernetes-validations:
+                    - message: privateKeyRef cannot be empty
+                      rule: (!has(self.certificateRef) || has(self.privateKeyRef))
                   trustedCA:
                     description: ConfigMap with additional bundle of trusted CA
                     properties: