securesign · knrc · Nov 6, 2025 · osmman · Nov 11, 2025 · knrc
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -159,3 +159,9 @@ type PodRequirements struct {
 	Resources   *core.ResourceRequirements `json:"resources,omitempty"`
 	Tolerations []core.Toleration          `json:"tolerations,omitempty"`
 }
+
+type ServiceAccountRequirements struct {
+	// ImagePullSecrets is an optional list of references to secrets for pulling container images.
+	//+optional
+	ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+}
diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go
@@ -58,6 +58,8 @@ type CTlogSpec struct {
 	//+kubebuilder:default:=153600
 	//+optional
 	MaxCertChainSize *int64 `json:"maxCertChainSize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // CTlogStatus defines the observed state of CTlog component

diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
@@ -33,6 +33,8 @@ type FulcioSpec struct {
 	// ConfigMap with additional bundle of trusted CA
 	//+optional
 	TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // FulcioCert defines fields for system-generated certificate

diff --git a/api/v1alpha1/rekor_types.go b/api/v1alpha1/rekor_types.go
@@ -58,6 +58,8 @@ type RekorSpec struct {
 	//+kubebuilder:default:=10485760
 	//+optional
 	MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // RekorAttestations defines the configuration for storing attestations.

diff --git a/api/v1alpha1/securesign_types.go b/api/v1alpha1/securesign_types.go
@@ -24,7 +24,7 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-// SecuresignSpec defines the desired state of Securesign
+// SecuresignSpec defines the desired state of Securesign.
 // +kubebuilder:validation:XValidation:rule="(has(self.rekor.attestations.enabled) && !self.rekor.attestations.enabled) || !self.rekor.attestations.url.startsWith('file://') || (!(self.rekor.replicas > 1) || ('ReadWriteMany' in self.rekor.pvc.accessModes))",message="When Rekor's rich attestation storage is enabled, and it's URL starts with 'file://', then PVC accessModes must contain 'ReadWriteMany' for replicas greater than 1."
 // +kubebuilder:validation:XValidation:rule="!(self.tuf.replicas > 1) || ('ReadWriteMany' in self.tuf.pvc.accessModes)",message="For TUF deployments with more than 1 replica, tuf.pvc.accessModes must include 'ReadWriteMany'."
 type SecuresignSpec struct {
@@ -35,6 +35,8 @@ type SecuresignSpec struct {
 	Tuf                TufSpec                 `json:"tuf,omitempty"`
 	Ctlog              CTlogSpec               `json:"ctlog,omitempty"`
 	TimestampAuthority *TimestampAuthoritySpec `json:"tsa,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // SecuresignStatus defines the observed state of Securesign

diff --git a/api/v1alpha1/timestampauthority_types.go b/api/v1alpha1/timestampauthority_types.go
@@ -42,6 +42,8 @@ type TimestampAuthoritySpec struct {
 	//+kubebuilder:default:=1048576
 	//+optional
 	MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // TimestampAuthoritySigner defines the desired state of the Timestamp Authority Signer

diff --git a/api/v1alpha1/trillian_types.go b/api/v1alpha1/trillian_types.go
@@ -42,6 +42,8 @@ type TrillianSpec struct {
 	//+kubebuilder:default:=153600
 	//+optional
 	MaxRecvMessageSize *int64 `json:"maxRecvMessageSize,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 type trillianService struct {

diff --git a/api/v1alpha1/tuf_types.go b/api/v1alpha1/tuf_types.go
@@ -29,6 +29,8 @@ type TufSpec struct {
 	// You can use ReadWriteOnce accessMode if you don't have suitable storage provider but your deployment will not support HA mode
 	//+kubebuilder:default:={size: "100Mi",retain: true,accessModes: {ReadWriteOnce}}
 	Pvc TufPvc `json:"pvc,omitempty"`
+
+	ServiceAccountRequirements `json:",inline"`
 }
 
 // TufPvc configuration of the persistent storage claim for deployment in the cluster.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml
@@ -956,6 +956,26 @@ spec:
                         x-kubernetes-list-type: atomic
                     type: object
                 type: object
+              imagePullSecrets:
+                description: ImagePullSecrets is an optional list of references to
+                  secrets for pulling container images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               maxCertChainSize:
                 default: 153600
                 description: Max certificate chain size in bytes. Passed as --max_cert_chain_size.

diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -1280,6 +1280,26 @@ spec:
                 required:
                 - enabled
                 type: object
+              imagePullSecrets:
+                description: ImagePullSecrets is an optional list of references to
+                  secrets for pulling container images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               monitoring:
                 description: Enable Service monitors for fulcio
                 properties:

diff --git a/config/crd/bases/rhtas.redhat.com_rekors.yaml b/config/crd/bases/rhtas.redhat.com_rekors.yaml
@@ -1247,6 +1247,26 @@ spec:
                 required:
                 - enabled
                 type: object
+              imagePullSecrets:
+                description: ImagePullSecrets is an optional list of references to
+                  secrets for pulling container images.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
               maxRequestBodySize:
                 default: 10485760
                 description: MaxRequestBodySize sets the maximum size in bytes for