Merge pull request #315 from securesign/fix_rekor_cert_generation

Fix rekor signer generation action
securesign · Apr 15, 2024 · f2096a4 · f2096a4
2 parents fcea686 + 49e2fbd
commit f2096a4
Show file tree

Hide file tree

Showing 14 changed files with 100 additions and 42 deletions.
diff --git a/controllers/common/action/base_action.go b/controllers/common/action/base_action.go
@@ -135,6 +135,9 @@ func (action *BaseAction) Ensure(ctx context.Context, obj client2.Object) (bool,
 	action.Logger.Info("Updating object",
 		"kind", reflect.TypeOf(currentObj).Elem().Name(), "Namespace", key.Namespace, "Name", key.Name)
 	if err := action.Client.Update(ctx, currentObj); err != nil {
+		if strings.Contains(err.Error(), OptimisticLockErrorMsg) {
+			return action.Ensure(ctx, obj)
+		}
 		action.Logger.Error(err, "Failed to update object",
 			"kind", reflect.TypeOf(obj).Elem().Name(), "Namespace", key.Namespace, "Name", key.Name)
 		return false, err

diff --git a/controllers/rekor/actions/pending.go b/controllers/rekor/actions/pending.go
@@ -43,11 +43,6 @@ func (i pendingAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor
 		return i.Requeue()
 	}
 
-	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-		Type:   constants.Ready,
-		Status: metav1.ConditionFalse,
-		Reason: constants.Creating,
-	})
-	return i.StatusUpdate(ctx, instance)
+	return i.Continue()
 
 }
diff --git a/controllers/rekor/actions/server/generate_signer.go b/controllers/rekor/actions/server/generate_signer.go
@@ -43,23 +43,36 @@ func (g generateSigner) Name() string {
 
 func (g generateSigner) CanHandle(_ context.Context, instance *v1alpha1.Rekor) bool {
 	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
-	if c.Reason != constants.Creating && c.Reason != constants.Ready {
+	if c.Reason != constants.Pending && c.Reason != constants.Ready {
 		return false
 	}
 
-	if instance.Spec.Signer.KMS != "secret" && instance.Spec.Signer.KMS != "" {
-		return false
-	}
 	return instance.Status.Signer.KeyRef == nil || !equality.Semantic.DeepDerivative(instance.Spec.Signer, instance.Status.Signer)
 
 }
 
 func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *action.Result {
-	if meta.FindStatusCondition(instance.Status.Conditions, constants.Ready).Reason != constants.Creating {
+	if instance.Spec.Signer.KMS != "secret" && instance.Spec.Signer.KMS != "" {
+		instance.Status.Signer = instance.Spec.Signer
+		// skip signer resolution and move to creating
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:   constants.Ready,
 			Status: metav1.ConditionFalse,
 			Reason: constants.Creating,
+		})
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+			Type:    actions.SignerCondition,
+			Status:  metav1.ConditionTrue,
+			Reason:  constants.Ready,
+			Message: "Not using Secret resource",
+		})
+		return g.StatusUpdate(ctx, instance)
+	}
+	if meta.FindStatusCondition(instance.Status.Conditions, constants.Ready).Reason != constants.Pending {
+		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+			Type:   constants.Ready,
+			Status: metav1.ConditionFalse,
+			Reason: constants.Pending,
 		},
 		)
 		return g.StatusUpdate(ctx, instance)
@@ -68,11 +81,6 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 		err error
 	)
 
-	instance.Status.Signer = instance.Spec.Signer
-	if instance.Status.Signer.KeyRef != nil {
-		return g.StatusUpdate(ctx, instance)
-	}
-
 	certConfig, err := g.CreateRekorKey(instance)
 	if err != nil {
 		if !meta.IsStatusConditionFalse(instance.Status.Conditions, actions.SignerCondition) {
@@ -82,6 +90,12 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 				Reason:  constants.Failure,
 				Message: err.Error(),
 			})
+			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+				Type:    actions.ServerCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  constants.Pending,
+				Message: "resolving keys",
+			})
 			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 				Type:    constants.Ready,
 				Status:  metav1.ConditionFalse,
@@ -95,6 +109,9 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 	}
 
 	labels := constants.LabelsFor(actions.ServerComponentName, actions.ServerDeploymentName, instance.Name)
+	if err = g.Client.DeleteAllOf(ctx, &v1.Secret{}, client.InNamespace(instance.Namespace), client.MatchingLabels(labels), client.HasLabels{RekorPubLabel}); err != nil {
+		return g.Failed(err)
+	}
 
 	data := make(map[string][]byte)
 	if certConfig.RekorKey != nil {
@@ -104,10 +121,6 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 		data["password"] = certConfig.RekorKeyPassword
 	}
 	if certConfig.RekorPubKey != nil {
-		// ensure that only new key is exposed
-		if err = g.Client.DeleteAllOf(ctx, &v1.Secret{}, client.InNamespace(instance.Namespace), client.MatchingLabels(labels), client.HasLabels{RekorPubLabel}); err != nil {
-			return g.Failed(err)
-		}
 		labels[RekorPubLabel] = "public"
 		data["public"] = certConfig.RekorPubKey
 	}
@@ -158,6 +171,11 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 		Reason:  constants.Creating,
 		Message: "Signer resolved",
 	})
+	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+		Type:   actions.ServerCondition,
+		Status: metav1.ConditionFalse,
+		Reason: constants.Creating,
+	})
 	meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 		Type:   actions.SignerCondition,
 		Status: metav1.ConditionTrue,

diff --git a/e2e/byodb_test.go b/e2e/byodb_test.go
@@ -4,6 +4,7 @@ package e2e_test
 
 import (
 	"context"
+	"os"
 	"time"
 
 	"github.com/google/uuid"
@@ -30,7 +31,11 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() {
-			support.DumpNamespace(ctx, cli, namespace.Name)
+			if val, present := os.LookupEnv("CI"); present && val == "true" {
+				if val, present := os.LookupEnv("CI"); present && val == "true" {
+					support.DumpNamespace(ctx, cli, namespace.Name)
+				}
+			}
 		}
 	})
 

diff --git a/e2e/common_install_test.go b/e2e/common_install_test.go
@@ -5,6 +5,7 @@ package e2e_test
 import (
 	"context"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/securesign/operator/controllers/common/utils"
@@ -32,7 +33,9 @@ var _ = Describe("Securesign install with certificate generation", Ordered, func
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() {
-			support.DumpNamespace(ctx, cli, namespace.Name)
+			if val, present := os.LookupEnv("CI"); present && val == "true" {
+				support.DumpNamespace(ctx, cli, namespace.Name)
+			}
 		}
 	})
 

diff --git a/e2e/config_update_test.go b/e2e/config_update_test.go
@@ -5,6 +5,7 @@ package e2e_test
 import (
 	"context"
 	"encoding/json"
+	"os"
 	"time"
 
 	"github.com/securesign/operator/controllers/common/utils"
@@ -26,6 +27,7 @@ import (
 )
 
 var _ = Describe("Securesign hot update", Ordered, func() {
+	SetDefaultEventuallyTimeout(time.Duration(5) * time.Minute)
 	cli, _ := CreateClient()
 	ctx := context.TODO()
 
@@ -35,7 +37,9 @@ var _ = Describe("Securesign hot update", Ordered, func() {
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() {
-			support.DumpNamespace(ctx, cli, namespace.Name)
+			if val, present := os.LookupEnv("CI"); present && val == "true" {
+				support.DumpNamespace(ctx, cli, namespace.Name)
+			}
 		}
 	})
 
@@ -225,7 +229,7 @@ var _ = Describe("Securesign hot update", Ordered, func() {
 			Eventually(func() string {
 				rekor := tas.GetRekor(ctx, cli, namespace.Name, securesign.Name)()
 				return meta.FindStatusCondition(rekor.Status.Conditions, constants.Ready).Reason
-			}).Should(Equal(constants.Creating))
+			}).Should(Equal(constants.Pending))
 
 			Expect(cli.Create(ctx, initRekorSecret(namespace.Name, "my-rekor-secret")))
 

diff --git a/e2e/key_autodiscovery_test.go b/e2e/key_autodiscovery_test.go
@@ -4,6 +4,7 @@ package e2e_test
 
 import (
 	"context"
+	"os"
 	"time"
 
 	"github.com/securesign/operator/controllers/common/utils"
@@ -30,7 +31,9 @@ var _ = Describe("Securesign key autodiscovery test", Ordered, func() {
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() {
-			support.DumpNamespace(ctx, cli, namespace.Name)
+			if val, present := os.LookupEnv("CI"); present && val == "true" {
+				support.DumpNamespace(ctx, cli, namespace.Name)
+			}
 		}
 	})
 

diff --git a/e2e/provided_certs_test.go b/e2e/provided_certs_test.go
@@ -11,6 +11,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
+	"os"
 	"time"
 
 	"github.com/securesign/operator/controllers/common/utils"
@@ -38,7 +39,9 @@ var _ = Describe("Securesign install with provided certs", Ordered, func() {
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() {
-			support.DumpNamespace(ctx, cli, namespace.Name)
+			if val, present := os.LookupEnv("CI"); present && val == "true" {
+				support.DumpNamespace(ctx, cli, namespace.Name)
+			}
 		}
 	})
 

diff --git a/e2e/support/common.go b/e2e/support/common.go
@@ -66,6 +66,13 @@ func EnvOrDefault(env string, def string) string {
 func DumpNamespace(ctx context.Context, cli client.Client, ns string) {
 
 	core.GinkgoWriter.Println("----------------------- Dumping namespace " + ns + " -----------------------")
+	securesigns := &v1alpha1.SecuresignList{}
+	cli.List(ctx, securesigns, client.InNamespace(ns))
+	core.GinkgoWriter.Println("Securesigns:")
+	for _, p := range securesigns.Items {
+		core.GinkgoWriter.Println(toYAMLNoManagedFields(&p))
+	}
+
 	fulcios := &v1alpha1.FulcioList{}
 	cli.List(ctx, fulcios, client.InNamespace(ns))
 	core.GinkgoWriter.Println("Fulcios:")

diff --git a/e2e/support/tas/ctlog.go b/e2e/support/tas/ctlog.go
@@ -25,8 +25,11 @@ func VerifyCTLog(ctx context.Context, cli client.Client, namespace string, name
 	}).Should(BeTrue())
 
 	list := &v1.PodList{}
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 }
 
 func GetCTLogServerPod(ctx context.Context, cli client.Client, ns string) func() *v1.Pod {

diff --git a/e2e/support/tas/fulcio.go b/e2e/support/tas/fulcio.go
@@ -21,8 +21,10 @@ func VerifyFulcio(ctx context.Context, cli client.Client, namespace string, name
 		}, BeTrue()))
 
 	list := &v1.PodList{}
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 }
 
 func GetFulcioServerPod(ctx context.Context, cli client.Client, ns string) func() *v1.Pod {

diff --git a/e2e/support/tas/rekor.go b/e2e/support/tas/rekor.go
@@ -23,12 +23,16 @@ func VerifyRekor(ctx context.Context, cli client.Client, namespace string, name
 	list := &v1.PodList{}
 
 	// server
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ServerComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ServerComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 
 	// redis
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.RedisComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.RedisComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 }
 
 func GetRekorServerPod(ctx context.Context, cli client.Client, ns string) func() *v1.Pod {

diff --git a/e2e/support/tas/trillian.go b/e2e/support/tas/trillian.go
@@ -26,13 +26,19 @@ func VerifyTrillian(ctx context.Context, cli client.Client, namespace string, na
 
 	list := &v1.PodList{}
 	if dbPresent {
-		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.DbComponentName})
-		Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+		Eventually(func() []v1.Pod {
+			cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.DbComponentName})
+			return list.Items
+		}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 	}
 
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.LogServerComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.LogServerComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.LogSignerComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.LogSignerComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 }
diff --git a/e2e/support/tas/tuf.go b/e2e/support/tas/tuf.go
@@ -21,8 +21,10 @@ func VerifyTuf(ctx context.Context, cli client.Client, namespace string, name st
 		}, Equal(constants.Ready)))
 
 	list := &v1.PodList{}
-	cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
-	Expect(list.Items).To(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
+	Eventually(func() []v1.Pod {
+		cli.List(ctx, list, client.InNamespace(namespace), client.MatchingLabels{kubernetes.ComponentLabel: actions.ComponentName})
+		return list.Items
+	}).Should(And(Not(BeEmpty()), HaveEach(WithTransform(func(p v1.Pod) v1.PodPhase { return p.Status.Phase }, Equal(v1.PodRunning)))))
 }
 
 func GetTuf(ctx context.Context, cli client.Client, ns string, name string) func() *v1alpha1.Tuf {