including bundle changes

bundle/manifests/rhtas-operator.clusterserviceversion.yaml

@@ -110,15 +110,15 @@ metadata:
                 "enabled": true
               },
               "monitoring": {
-                "enabled": false
+                "enabled": true
               }
             },
             "rekor": {
               "externalAccess": {
                 "enabled": true
               },
               "monitoring": {
-                "enabled": false
+                "enabled": true
               }
             },
             "trillian": {
@@ -189,7 +189,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2024-04-02T16:39:44Z"
+    createdAt: "2024-04-02T21:10:39Z"
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
   name: rhtas-operator.v1.0.0

bundle/manifests/rhtas.redhat.com_fulcios.yaml

@@ -241,7 +241,7 @@ spec:
                 description: Enable Service monitors for fulcio
                 properties:
                   enabled:
-                    default: false
+                    default: true
                     description: If true, the Operator will create monitoring resources
                     type: boolean
                     x-kubernetes-validations:

bundle/manifests/rhtas.redhat.com_rekors.yaml

@@ -91,7 +91,7 @@ spec:
                 description: Enable Service monitors for rekor
                 properties:
                   enabled:
-                    default: false
+                    default: true
                     description: If true, the Operator will create monitoring resources
                     type: boolean
                     x-kubernetes-validations:

controllers/common/utils/kubernetes/role.go

@@ -15,3 +15,13 @@ func CreateRole(namespace, name string, labels map[string]string, rules []rbacv1
 		Rules: rules,
 	}
 }
+
+func CreateClusterRole(name string, labels map[string]string, rules []rbacv1.PolicyRule) *rbacv1.ClusterRole {
+	return &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   name,
+			Labels: labels,
+		},
+		Rules: rules,
+	}
+}

controllers/ctlog/actions/handle_fulcio_root_test.go

@@ -21,7 +21,7 @@ func Test_HandleFulcioCert_Autodiscover(t *testing.T) {
 
 	instance := &v1alpha1.CTlog{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "auto",
+			Name:      "auto",
 			Namespace: "default",
 		},
 		Spec: v1alpha1.CTlogSpec{},
@@ -59,13 +59,12 @@ func Test_HandleFulcioCert_Autodiscover(t *testing.T) {
 	g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue())
 }
 
-
 func Test_HandleFulcioCert_Empty(t *testing.T) {
 	g := NewWithT(t)
 
 	instance := &v1alpha1.CTlog{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "empty",
+			Name:      "empty",
 			Namespace: "default",
 		},
 		Spec: v1alpha1.CTlogSpec{},
@@ -102,17 +101,17 @@ func Test_HandleFulcioCert_Configured(t *testing.T) {
 
 	instance := &v1alpha1.CTlog{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "configured",
+			Name:      "configured",
 			Namespace: "default",
 		},
 		Spec: v1alpha1.CTlogSpec{
 			RootCertificates: []v1alpha1.SecretKeySelector{
 				{
-					Key: "key",
+					Key:                  "key",
 					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"},
 				},
 				{
-					Key: "key",
+					Key:                  "key",
 					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-2"},
 				},
 			},
@@ -157,13 +156,13 @@ func Test_HandleFulcioCert_Configured_Priority(t *testing.T) {
 
 	instance := &v1alpha1.CTlog{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "configured-priority",
+			Name:      "configured-priority",
 			Namespace: "default",
 		},
 		Spec: v1alpha1.CTlogSpec{
 			RootCertificates: []v1alpha1.SecretKeySelector{
 				{
-					Key: "key",
+					Key:                  "key",
 					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "my-secret"},
 				},
 			},
@@ -208,13 +207,13 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) {
 
 	instance := &v1alpha1.CTlog{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "delete-config",
+			Name:      "delete-config",
 			Namespace: "default",
 		},
 		Spec: v1alpha1.CTlogSpec{
 			RootCertificates: []v1alpha1.SecretKeySelector{
 				{
-					Key: "key",
+					Key:                  "key",
 					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"},
 				},
 			},
@@ -232,7 +231,7 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) {
 	}
 
 	c := testAction.FakeClientBuilder().WithObjects(
-		kubernetes.CreateImmutableSecret("ctlog-config", instance.Namespace, map[string][]byte{},  map[string]string{}),
+		kubernetes.CreateImmutableSecret("ctlog-config", instance.Namespace, map[string][]byte{}, map[string]string{}),
 		instance,
 	).Build()
 
@@ -250,4 +249,3 @@ func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) {
 	g.Expect(i.Status.ServerConfigRef).To(BeNil())
 	g.Expect(c.Get(context.TODO(), types.NamespacedName{Name: "ctlog-config", Namespace: instance.GetNamespace()}, &v1.Secret{})).To(HaveOccurred())
 }
-

controllers/securesign/actions/rbac.go

@@ -16,6 +16,7 @@ import (
 )
 
 const namespacedNamePattern = SegmentRBACName + "-%s"
+const namespacedResourcedNamePattern = SegmentRBACName + "-%s" + "-%s"
 
 func NewRBACAction() action.Action[rhtasv1alpha1.Securesign] {
 	return &rbacAction{}
@@ -57,104 +58,103 @@ func (i rbacAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Securesi
 		return i.Failed(fmt.Errorf("could not set controll reference for SA: %w", err))
 	}
 	// don't re-enqueue for RBAC in any case (except failure)
-	_, err = i.Ensure(ctx, sa)
+	i.Ensure(ctx, sa)
 
 	// `openshift-monitoring` RBAC
 
-	roleOpenshiftMontiroing := kubernetes.CreateRole("openshift-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
+	tmpNamespace := "openshift-monitoring"
+
+	roleOpenshiftMontiroingConfigmaps := kubernetes.CreateRole("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"), labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{""},
 			Resources: []string{"configmaps"},
-			Verbs:     []string{"get", "list"},
+			Verbs:     []string{"get", "list", "patch"},
 		},
+	})
+
+	i.Ensure(ctx, roleOpenshiftMontiroingConfigmaps)
+
+	rolebindingOpenshiftMontiroingConfigmaps := kubernetes.CreateRoleBinding("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"), labels, rbacv1.RoleRef{
+		APIGroup: v1.SchemeGroupVersion.Group,
+		Kind:     "Role",
+		Name:     fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "configmaps"),
+	},
+		[]rbacv1.Subject{
+			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
+		})
+
+	i.Ensure(ctx, rolebindingOpenshiftMontiroingConfigmaps)
+
+	roleOpenshiftMontiroingRoutes := kubernetes.CreateRole("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"), labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"route.openshift.io"},
 			Resources: []string{"routes"},
 			Verbs:     []string{"get", "list"},
 		},
 	})
 
-	if err = ctrl.SetControllerReference(instance, roleOpenshiftMontiroing, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
-	}
-	_, err = i.Ensure(ctx, roleOpenshiftMontiroing)
+	i.Ensure(ctx, roleOpenshiftMontiroingRoutes)
 
-	rolebindingOpenshiftMonitoring := kubernetes.CreateRoleBinding("openshift-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
+	rolebindingOpenshiftMontiroingRoutes := kubernetes.CreateRoleBinding("openshift-monitoring", fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"), labels, rbacv1.RoleRef{
 		APIGroup: v1.SchemeGroupVersion.Group,
 		Kind:     "Role",
-		Name:     SegmentRBACName,
+		Name:     fmt.Sprintf(namespacedResourcedNamePattern, tmpNamespace, "routes"),
 	},
 		[]rbacv1.Subject{
 			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
 		})
 
-	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftMonitoring, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
-	}
-
-	_, err = i.Ensure(ctx, rolebindingOpenshiftMonitoring)
+	i.Ensure(ctx, rolebindingOpenshiftMontiroingRoutes)
 
 	// `openshift-console` RBAC
 
-	roleOpenshiftConsole := kubernetes.CreateRole("openshift-console", SegmentRBACName, labels, []rbacv1.PolicyRule{
+	tmpNamespace = "openshift-console"
+
+	clusterRoleOpenshiftConsole := kubernetes.CreateClusterRole(fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"operator.openshift.io"},
 			Resources: []string{"consoles"},
 			Verbs:     []string{"get", "list"},
 		},
 	})
 
-	if err = ctrl.SetControllerReference(instance, roleOpenshiftConsole, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
-	}
+	i.Ensure(ctx, clusterRoleOpenshiftConsole)
 
-	_, err = i.Ensure(ctx, roleOpenshiftConsole)
-
-	rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", SegmentRBACName, labels, rbacv1.RoleRef{
+	rolebindingOpenshiftConsole := kubernetes.CreateRoleBinding("openshift-console", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, rbacv1.RoleRef{
 		APIGroup: v1.SchemeGroupVersion.Group,
-		Kind:     "Role",
-		Name:     SegmentRBACName,
+		Kind:     "ClusterRole",
+		Name:     fmt.Sprintf(namespacedNamePattern, tmpNamespace),
 	},
 		[]rbacv1.Subject{
 			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
 		})
 
-	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftConsole, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
-	}
-
-	_, err = i.Ensure(ctx, rolebindingOpenshiftConsole)
+	i.Ensure(ctx, rolebindingOpenshiftConsole)
 
 	// `openshift-user-workload-monitoring` RBAC
 
-	roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", SegmentRBACName, labels, []rbacv1.PolicyRule{
+	tmpNamespace = "openshift-user-workload-monitoring"
+
+	roleOpenshiftUserWorkloadMonitoring := kubernetes.CreateRole("openshift-user-workload-monitoring", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{""},
 			Resources: []string{"secrets"},
 			Verbs:     []string{"get", "list"},
 		},
 	})
 
-	if err = ctrl.SetControllerReference(instance, roleOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for role: %w", err))
-	}
-
-	_, err = i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring)
+	i.Ensure(ctx, roleOpenshiftUserWorkloadMonitoring)
 
-	rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", SegmentRBACName, labels, rbacv1.RoleRef{
+	rolebindingOpenshiftUserWorkloadMonitoring := kubernetes.CreateRoleBinding("openshift-user-workload-monitoring", fmt.Sprintf(namespacedNamePattern, tmpNamespace), labels, rbacv1.RoleRef{
 		APIGroup: v1.SchemeGroupVersion.Group,
 		Kind:     "Role",
-		Name:     SegmentRBACName,
+		Name:     fmt.Sprintf(namespacedNamePattern, tmpNamespace),
 	},
 		[]rbacv1.Subject{
 			{Kind: "ServiceAccount", Name: SegmentRBACName, Namespace: instance.Namespace},
 		})
 
-	if err = ctrl.SetControllerReference(instance, rolebindingOpenshiftUserWorkloadMonitoring, i.Client.Scheme()); err != nil {
-		return i.Failed(fmt.Errorf("could not set controll reference for rolebinding: %w", err))
-	}
-
-	_, err = i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring)
+	i.Ensure(ctx, rolebindingOpenshiftUserWorkloadMonitoring)
 
 	return i.Continue()
 }