feat: use kubernetes lease election for Trillian log signer

[osmman]

PoC uses latest build of upstream Trillian log signer

Summary by Sourcery

Enable Kubernetes lease-based leader election for the Trillian log signer and update related deployment and RBAC configuration.

New Features:

• Use Kubernetes coordination.k8s.io leases for Trillian log signer leader election.

Enhancements:

• Inject POD_NAME and NAMESPACE environment variables into signer pods.
• Replace the --force_master flag with --election_system=k8s, --lock_namespace, and --lock_holder_identity flags in the signer deployment.
• Grant coordination.k8s.io/leases permissions and add corresponding kubebuilder RBAC annotations.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: osmman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [osmman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[osmman]

/test all

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[osmman]

@sourcery-ai review

[sourcery-ai]

Reviewer's Guide

This PR upgrades the Trillian log signer to use Kubernetes lease-based leader election by injecting pod identity into the server deployment, switching to k8s election flags, and extending RBAC and controller markers to allow coordination.k8s.io/leases access.

Sequence Diagram: Trillian Log Signer Acquiring Kubernetes Lease

sequenceDiagram
    participant SignerPod as Trillian Log Signer Pod
    participant K8sAPI as Kubernetes API Server

    SignerPod->>SignerPod: Initialize with election flags:<br>--election_system=k8s<br>--lock_namespace=$(NAMESPACE)<br>--lock_holder_identity=$(POD_NAME)
    SignerPod->>SignerPod: Read POD_NAME & NAMESPACE from Env Vars

    alt Attempt to acquire leader lease
        SignerPod->>K8sAPI: GET Lease (name: configured-lease, ns: $(NAMESPACE))
        K8sAPI-->>SignerPod: Lease not found or available
        SignerPod->>K8sAPI: CREATE Lease (name: configured-lease, ns: $(NAMESPACE), holderIdentity: $(POD_NAME))
        K8sAPI-->>SignerPod: Lease Created (Pod is Leader)
        SignerPod->>SignerPod: Become Leader

        loop Periodic Renewal
            SignerPod->>K8sAPI: UPDATE Lease (Renew, holderIdentity: $(POD_NAME))
            K8sAPI-->>SignerPod: Lease Renewed
        end
    else Lease held by another pod
        SignerPod->>K8sAPI: GET/CREATE Lease
        K8sAPI-->>SignerPod: Lease Conflict (Held by another)
        SignerPod->>SignerPod: Remain Standby / Retry / Watch Lease
    end

Loading

File-Level Changes

Change	Details	Files
Inject pod identity env vars for leader election	Find or create POD_NAME and NAMESPACE environment variables in container spec Set ValueFrom to fieldRef metadata.name and metadata.namespace	internal/controller/trillian/utils/server-deployment.go
Switch log signer to Kubernetes lease election flags	Replace --force_master flag with --election_system=k8s Add --lock_namespace=$(NAMESPACE) and --lock_holder_identity=$(POD_NAME)	internal/controller/trillian/actions/logsigner/deployment.go
Grant and declare coordination.k8s.io/leases permissions	Add PolicyRule for leases in log signer RBAC action Extend Role manifest with leases apiGroup and verbs Add kubebuilder marker for leases in controller	internal/controller/trillian/actions/logsigner/rbac.go config/rbac/role.yaml internal/controller/trillian/trillian_controller.go
Regenerate operator CSV icon block	Replace base64-encoded icon data in clusterserviceversion.yaml	config/manifests/bases/rhtas-operator.clusterserviceversion.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @osmman - I've reviewed your changes and they look great!

Here's what I looked at during the review

• 🟡 General issues: 2 issues found
• 🟢 Security: all looks good
• 🟢 Review instructions: all looks good
• 🟢 Testing: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

Hey @osmman - I've reviewed your changes - here's some feedback:

• Verify that passing --lock_namespace=$(NAMESPACE) and --lock_holder_identity=$(POD_NAME) in the Deployment args actually triggers env‐var expansion at runtime (Kubernetes won’t substitute env vars in args without a shell).
• Add the new coordination.k8s.io/leases rules to the CSV’s spec.install.spec.permissions/clusterPermissions so OLM installs the lease RBAC correctly.
• The re-generated CSV icon blobs bloat this PR; consider reverting or moving the icon update into its own commit to keep the lease-election changes focused.

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Review instructions: all looks good
• 🟢 Testing: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}