diff --git a/api/v1alpha1/ctlog_types.go b/api/v1alpha1/ctlog_types.go index 6cdd333da..5962128dc 100644 --- a/api/v1alpha1/ctlog_types.go +++ b/api/v1alpha1/ctlog_types.go @@ -38,7 +38,7 @@ type CTlogSpec struct { RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"` //Enable Service monitors for ctlog - Monitoring MonitoringConfig `json:"monitoring,omitempty"` + Monitoring MonitoringWithTLogConfig `json:"monitoring,omitempty"` // Trillian service configuration //+kubebuilder:default:={port: 8091} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 703888a57..25e185a71 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -186,6 +186,7 @@ func (in *CTlogSpec) DeepCopyInto(out *CTlogSpec) { } out.Monitoring = in.Monitoring in.Trillian.DeepCopyInto(&out.Trillian) + in.Monitoring.Tuf.DeepCopyInto(&out.Monitoring.Tuf) if in.ServerConfigRef != nil { in, out := &in.ServerConfigRef, &out.ServerConfigRef *out = new(LocalObjectReference) diff --git a/cmd/main.go b/cmd/main.go index a65feed09..0e48a5083 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -118,6 +118,7 @@ func main() { utils.RelatedImageFlag("client-server-image", images.ClientServer, "The image used to serve cosign and gitsign.") utils.RelatedImageFlag("timestamp-authority-image", images.TimestampAuthority, "The image used for Timestamp Authority") utils.RelatedImageFlag("rekor-monitor-image", images.RekorMonitor, "The image used for rekor monitor.") + utils.RelatedImageFlag("ctlog-monitor-image", images.CTLogMonitor, "The image used for ctlog monitor.") flag.StringVar(&clidownload.CliHostName, "cli-server-hostname", "", "The hostname for the cli server") klog.InitFlags(flag.CommandLine) diff --git a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml index 08bcdacae..1cea28b3b 100644 --- a/config/crd/bases/rhtas.redhat.com_ctlogs.yaml +++ b/config/crd/bases/rhtas.redhat.com_ctlogs.yaml @@ -971,6 +971,37 @@ spec: x-kubernetes-validations: - message: Feature cannot be disabled rule: (self || !oldSelf) + tlog: + description: Configuration for Rekor transparency log monitoring + properties: + enabled: + default: false + description: If true, the Operator will create the Rekor log + monitor resources + type: boolean + x-kubernetes-validations: + - message: Feature cannot be disabled + rule: (self || !oldSelf) + interval: + default: 10m + description: Interval between log monitoring checks + type: string + required: + - enabled + type: object + tuf: + description: TUF service configuration + properties: + address: + description: Address to TUF Server End point + type: string + port: + description: Port of TUF Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object required: - enabled type: object diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml index d0a8c1963..57f3ee318 100644 --- a/config/crd/bases/rhtas.redhat.com_securesigns.yaml +++ b/config/crd/bases/rhtas.redhat.com_securesigns.yaml @@ -994,6 +994,37 @@ spec: x-kubernetes-validations: - message: Feature cannot be disabled rule: (self || !oldSelf) + tlog: + description: Configuration for Rekor transparency log monitoring + properties: + enabled: + default: false + description: If true, the Operator will create the Rekor + log monitor resources + type: boolean + x-kubernetes-validations: + - message: Feature cannot be disabled + rule: (self || !oldSelf) + interval: + default: 10m + description: Interval between log monitoring checks + type: string + required: + - enabled + type: object + tuf: + description: TUF service configuration + properties: + address: + description: Address to TUF Server End point + type: string + port: + description: Port of TUF Server End point + format: int32 + maximum: 65535 + minimum: 1 + type: integer + type: object required: - enabled type: object diff --git a/config/default/images.env b/config/default/images.env index 7e94faeb5..10927d8f6 100644 --- a/config/default/images.env +++ b/config/default/images.env @@ -14,3 +14,4 @@ RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:8536169e5537fe RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332 RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:b7f9f8b24fe7db4e124f9e5e9289bc2d180a810e253f48feb7e1177bbef6d4d0 +RELATED_IMAGE_CTLOG_MONITOR=registry.redhat.io/rhtas/ctlog-monitor-rhel9@sha256:27aedf86251e0b75aaa971599728e9b38699bfe1dfb400649844ba0f627ab499 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index bf0f05a80..c94594df3 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -200,6 +200,17 @@ replacements: select: kind: Deployment name: operator-controller-manager +- source: + fieldPath: data.RELATED_IMAGE_CTLOG_MONITOR + kind: ConfigMap + name: related-images + version: v1 + targets: + - fieldPaths: + - spec.template.spec.containers.[name=^manager$].env.[name=^RELATED_IMAGE_CTLOG_MONITOR$].value + select: + kind: Deployment + name: operator-controller-manager - source: fieldPath: data.RELATED_IMAGE_TIMESTAMP_AUTHORITY kind: ConfigMap diff --git a/config/default/manager_images_patch.yaml b/config/default/manager_images_patch.yaml index 624ccf163..47ee95198 100644 --- a/config/default/manager_images_patch.yaml +++ b/config/default/manager_images_patch.yaml @@ -40,3 +40,5 @@ spec: value: PLACEHOLDER - name: RELATED_IMAGE_CLIENT_SERVER value: PLACEHOLDER + - name: RELATED_IMAGE_CTLOG_MONITOR + value: PLACEHOLDER diff --git a/internal/controller/ctlog/actions/constants.go b/internal/controller/ctlog/actions/constants.go index b9a8fa777..6793ef353 100644 --- a/internal/controller/ctlog/actions/constants.go +++ b/internal/controller/ctlog/actions/constants.go @@ -5,22 +5,27 @@ import ( ) const ( - DeploymentName = "ctlog" - ComponentName = "ctlog" - RBACName = "ctlog" - MonitoringRoleName = "prometheus-k8s-ctlog" + DeploymentName = "ctlog" + ComponentName = "ctlog" + RBACName = "ctlog" + MonitoringRoleName = "prometheus-k8s-ctlog" + MonitorStatefulSetName = "ctlog-monitor" + MonitorComponentName = "ctlog-monitor" - CertCondition = "FulcioCertAvailable" - TLSCondition = "ServerTLS" - ConfigCondition = "ServerConfigAvailable" - SignerKeyReason = "SignerKey" - FulcioReason = "FulcioCertificate" + CertCondition = "FulcioCertAvailable" + TLSCondition = "ServerTLS" + ConfigCondition = "ServerConfigAvailable" + SignerKeyReason = "SignerKey" + FulcioReason = "FulcioCertificate" + MonitorCondition = "MonitorAvailable" - ServerPortName = "http" - ServerTargetPort = 6962 - MetricsPortName = "metrics" - MetricsPort = 6963 - TLSSecret = "%s-ctlog-tls" + ServerPortName = "http" + ServerTargetPort = 6962 + MetricsPortName = "metrics" + MetricsPort = 6963 + TLSSecret = "%s-ctlog-tls" + MonitorMetricsPortName = "monitor-metrics" + MonitorMetricsPort = 9464 CTLPubLabel = labels.LabelNamespace + "/ctfe.pub" CTLogPrivateLabel = labels.LabelNamespace + "/ctfe.private" diff --git a/internal/controller/ctlog/actions/monitor/helper.go b/internal/controller/ctlog/actions/monitor/helper.go new file mode 100644 index 000000000..776de8772 --- /dev/null +++ b/internal/controller/ctlog/actions/monitor/helper.go @@ -0,0 +1,10 @@ +package monitor + +import ( + "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/utils" +) + +func enabled(instance *v1alpha1.CTlog) bool { + return utils.IsEnabled(&instance.Spec.Monitoring.TLog.Enabled) +} diff --git a/internal/controller/ctlog/actions/monitor/monitoring.go b/internal/controller/ctlog/actions/monitor/monitoring.go new file mode 100644 index 000000000..1b52484bb --- /dev/null +++ b/internal/controller/ctlog/actions/monitor/monitoring.go @@ -0,0 +1,63 @@ +package monitor + +import ( + "context" + "fmt" + "maps" + "slices" + + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/action" + "github.com/securesign/operator/internal/constants" + "github.com/securesign/operator/internal/controller/ctlog/actions" + "github.com/securesign/operator/internal/labels" + "github.com/securesign/operator/internal/utils/kubernetes" + "github.com/securesign/operator/internal/utils/kubernetes/ensure" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" +) + +func NewCreateMonitorAction() action.Action[*rhtasv1alpha1.CTlog] { + return &monitoringAction{} +} + +type monitoringAction struct { + action.BaseAction +} + +func (i monitoringAction) Name() string { + return "create monitoring" +} + +func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool { + c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && enabled(instance) +} + +func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result { + var ( + err error + ) + + monitoringLabels := labels.For(actions.MonitorComponentName, actions.MonitoringRoleName, instance.Name) + + if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, kubernetes.CreateServiceMonitor(instance.Namespace, actions.MonitorStatefulSetName), + ensure.ControllerReference[*unstructured.Unstructured](instance, i.Client), + ensure.Labels[*unstructured.Unstructured](slices.Collect(maps.Keys(monitoringLabels)), monitoringLabels), + kubernetes.EnsureServiceMonitorSpec( + labels.ForComponent(actions.MonitorComponentName, instance.Name), + kubernetes.ServiceMonitorEndpoint(actions.MonitorMetricsPortName), + ), + ); err != nil { + return i.Error(ctx, fmt.Errorf("could not create serviceMonitor: %w", err), instance, metav1.Condition{ + Type: actions.MonitorCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }) + } + + // monitors & RBAC are not watched - do not need to re-enqueue + return i.Continue() +} diff --git a/internal/controller/ctlog/actions/monitor/statefulset.go b/internal/controller/ctlog/actions/monitor/statefulset.go new file mode 100644 index 000000000..85f630e83 --- /dev/null +++ b/internal/controller/ctlog/actions/monitor/statefulset.go @@ -0,0 +1,236 @@ +package monitor + +import ( + "context" + "fmt" + "maps" + "slices" + + "github.com/securesign/operator/internal/images" + + "github.com/securesign/operator/internal/action" + "github.com/securesign/operator/internal/constants" + "github.com/securesign/operator/internal/controller/ctlog/actions" + "github.com/securesign/operator/internal/labels" + cutils "github.com/securesign/operator/internal/utils" + "github.com/securesign/operator/internal/utils/kubernetes" + "github.com/securesign/operator/internal/utils/kubernetes/ensure" + "github.com/securesign/operator/internal/utils/tls" + v1 "k8s.io/api/apps/v1" + core "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/api/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/controller/ctlog/utils" + tlsensure "github.com/securesign/operator/internal/utils/tls/ensure" +) + +const ( + storageVolumeName = "monitor-storage" + tufRepoVolumeName = "tuf-repository" + mountPath = "/data" + ctlogLogPrefix = "trusted-artifact-signer" +) + +func NewStatefulSetAction() action.Action[*rhtasv1alpha1.CTlog] { + return &statefulSetAction{} +} + +type statefulSetAction struct { + action.BaseAction +} + +func (i statefulSetAction) Name() string { + return "statefulset" +} + +func (i statefulSetAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool { + c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && enabled(instance) +} + +func (i statefulSetAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result { + var ( + err error + result controllerutil.OperationResult + ) + + var protocol string + if tls.UseTlsClient(instance) { + protocol = "https" + } else { + protocol = "http" + } + + tufServerHost := i.resolveTufUrl(instance) + ctlogServerHost := fmt.Sprintf("%s://%s.%s.svc", protocol, actions.ComponentName, instance.Namespace) + + labels := labels.For(actions.MonitorComponentName, actions.MonitorStatefulSetName, instance.Name) + if result, err = kubernetes.CreateOrUpdate(ctx, i.Client, + &v1.StatefulSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: actions.MonitorStatefulSetName, + Namespace: instance.Namespace, + }, + }, + i.ensureMonitorStatefulSet(instance, actions.RBACName, labels, ctlogServerHost, tufServerHost), + i.ensureInitContainer(ctlogServerHost, tufServerHost), + ensure.ControllerReference[*v1.StatefulSet](instance, i.Client), + ensure.Labels[*v1.StatefulSet](slices.Collect(maps.Keys(labels)), labels), + ensure.Optional( + utils.TlsEnabled(instance), + i.ensureTLS(instance.Status.TLS, actions.MonitorStatefulSetName), + ), + func(object *v1.StatefulSet) error { + return ensure.PodSecurityContext(&object.Spec.Template.Spec) + }, + ); err != nil { + return i.Error(ctx, fmt.Errorf("could not create %s statefulset: %w", actions.MonitorStatefulSetName, err), instance, + metav1.Condition{ + Type: actions.MonitorCondition, + Status: metav1.ConditionFalse, + Reason: constants.Failure, + Message: err.Error(), + }, + ) + } + + if result != controllerutil.OperationResultNone { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: actions.MonitorCondition, + Status: metav1.ConditionFalse, + Reason: constants.Creating, + Message: "Monitor created", + }) + _ = i.StatusUpdate(ctx, instance) + } + return i.Continue() +} + +func (i statefulSetAction) ensureTLS(tlsConfig rhtasv1alpha1.TLS, name string) func(sts *v1.StatefulSet) error { + return func(sts *v1.StatefulSet) error { + if err := tlsensure.TLS(tlsConfig, name)(&sts.Spec.Template); err != nil { + return err + } + return nil + } +} + +func (i statefulSetAction) resolveTufUrl(instance *rhtasv1alpha1.CTlog) string { + if instance.Spec.Monitoring.Tuf.Address != "" { + url := instance.Spec.Monitoring.Tuf.Address + if instance.Spec.Monitoring.Tuf.Port != nil { + url = fmt.Sprintf("%s:%d", url, *instance.Spec.Monitoring.Tuf.Port) + } + return url + } + return fmt.Sprintf("http://tuf.%s.svc", instance.Namespace) +} + +func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.CTlog, sa string, labels map[string]string, ctlogServerHost string, tufServerHost string) func(*v1.StatefulSet) error { + return func(ss *v1.StatefulSet) error { + + spec := &ss.Spec + spec.Replicas = cutils.Pointer[int32](1) + spec.Selector = &metav1.LabelSelector{ + MatchLabels: labels, + } + + template := &spec.Template + template.Labels = labels + template.Spec.ServiceAccountName = sa + + container := kubernetes.FindContainerByNameOrCreate(&template.Spec, actions.MonitorStatefulSetName) + container.Image = images.Registry.Get(images.CTLogMonitor) + + interval := instance.Spec.Monitoring.TLog.Interval.Duration + container.Command = []string{ + "/bin/sh", + "-c", + fmt.Sprintf( + `/ctlog_monitor --file=%s/checkpoint_log.txt --once=false --interval=%s --url=%s/%s --tuf-repository=%s --tuf-root-path="%s/root.json"`, + mountPath, interval.String(), ctlogServerHost, ctlogLogPrefix, tufServerHost, mountPath), + } + + container.Ports = []core.ContainerPort{ + { + ContainerPort: actions.MonitorMetricsPort, + Name: actions.MonitorMetricsPortName, + Protocol: core.ProtocolTCP, + }, + } + + container.Env = []core.EnvVar{ + { + Name: "HOME", + Value: mountPath, + }, + } + + if utils.TlsEnabled(instance) { + container.Env = append(container.Env, core.EnvVar{ + Name: "SSL_CERT_DIR", + Value: constants.SecretMountPath, + }) + } + + volumeMount := kubernetes.FindVolumeMountByNameOrCreate(container, storageVolumeName) + volumeMount.MountPath = mountPath + + spec.VolumeClaimTemplates = []core.PersistentVolumeClaim{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: storageVolumeName, + }, + Spec: core.PersistentVolumeClaimSpec{ + AccessModes: []core.PersistentVolumeAccessMode{ + core.ReadWriteOnce, + }, + Resources: core.VolumeResourceRequirements{ + Requests: core.ResourceList{ + core.ResourceStorage: resource.MustParse("5Mi"), + }, + }, + }, + }, + } + return nil + } +} + +func (i statefulSetAction) ensureInitContainer(ctlogServerHost string, tufHost string) func(*v1.StatefulSet) error { + return func(ss *v1.StatefulSet) error { + initContainer := kubernetes.FindInitContainerByNameOrCreate(&ss.Spec.Template.Spec, "tuf-init") + + initContainer.Image = images.Registry.Get(images.CTLogMonitor) + volumeMount := kubernetes.FindVolumeMountByNameOrCreate(initContainer, storageVolumeName) + volumeMount.MountPath = mountPath + + initContainer.Command = []string{ + "/bin/sh", + "-c", + fmt.Sprintf(` + echo "Waiting for ctlog-server..."; + until curl -sSf -k %s > /dev/null 2>&1; do + echo "ctlog-server not ready..."; + sleep 5; + done; + + echo "Waiting for TUF server..."; + until curl %s > /dev/null 2>&1; do + echo "TUF server not ready..."; + sleep 5; + done; + + echo "Downloading root.json"; + curl %s/root.json > %s/root.json + + echo "tuf-init completed." + `, ctlogServerHost, tufHost, tufHost, mountPath), + } + return nil + } +} diff --git a/internal/controller/ctlog/actions/monitor/svc.go b/internal/controller/ctlog/actions/monitor/svc.go new file mode 100644 index 000000000..9e5ac87aa --- /dev/null +++ b/internal/controller/ctlog/actions/monitor/svc.go @@ -0,0 +1,81 @@ +package monitor + +import ( + "context" + "fmt" + "maps" + "slices" + + "github.com/securesign/operator/internal/action" + "github.com/securesign/operator/internal/constants" + "github.com/securesign/operator/internal/controller/ctlog/actions" + "github.com/securesign/operator/internal/labels" + "github.com/securesign/operator/internal/utils/kubernetes" + "github.com/securesign/operator/internal/utils/kubernetes/ensure" + v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + + rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" +) + +func NewCreateServiceAction() action.Action[*rhtasv1alpha1.CTlog] { + return &createServiceAction{} +} + +type createServiceAction struct { + action.BaseAction +} + +func (i createServiceAction) Name() string { + return "create service" +} + +func (i createServiceAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool { + c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready) + return (c.Reason == constants.Creating || c.Reason == constants.Ready) && enabled(instance) +} + +func (i createServiceAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result { + + var ( + err error + result controllerutil.OperationResult + ) + + labels := labels.For(actions.MonitorComponentName, actions.MonitorComponentName, instance.Name) + + ports := []v1.ServicePort{ + { + Name: actions.MonitorMetricsPortName, + Protocol: v1.ProtocolTCP, + Port: actions.MonitorMetricsPort, + TargetPort: intstr.FromInt32(actions.MonitorMetricsPort), + }, + } + + if result, err = kubernetes.CreateOrUpdate(ctx, i.Client, + &v1.Service{ + ObjectMeta: metav1.ObjectMeta{Name: actions.MonitorComponentName, Namespace: instance.Namespace}, + }, + kubernetes.EnsureServiceSpec(labels, ports...), + ensure.ControllerReference[*v1.Service](instance, i.Client), + ensure.Labels[*v1.Service](slices.Collect(maps.Keys(labels)), labels), + ); err != nil { + return i.Error(ctx, fmt.Errorf("could not create service: %w", err), instance) + } + + if result != controllerutil.OperationResultNone { + meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{ + Type: actions.MonitorCondition, + Status: metav1.ConditionFalse, + Reason: constants.Creating, + Message: "Service created", + }) + return i.StatusUpdate(ctx, instance) + } else { + return i.Continue() + } +} diff --git a/internal/controller/ctlog/ctlog_controller.go b/internal/controller/ctlog/ctlog_controller.go index f800eefe9..37022c074 100644 --- a/internal/controller/ctlog/ctlog_controller.go +++ b/internal/controller/ctlog/ctlog_controller.go @@ -45,6 +45,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1" + "github.com/securesign/operator/internal/controller/ctlog/actions/monitor" ) // ctlogReconciler reconciles a CTlog object @@ -116,6 +117,10 @@ func (r *ctlogReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl actions.NewServiceAction(), actions.NewCreateMonitorAction(), + monitor.NewStatefulSetAction(), + monitor.NewCreateServiceAction(), + monitor.NewCreateMonitorAction(), + transitions.NewToInitializePhaseAction[*rhtasv1alpha1.CTlog](), actions.NewInitializeAction(), diff --git a/internal/controller/rekor/actions/monitor/statefulset.go b/internal/controller/rekor/actions/monitor/statefulset.go index eb3a7c9ca..2ef17442b 100644 --- a/internal/controller/rekor/actions/monitor/statefulset.go +++ b/internal/controller/rekor/actions/monitor/statefulset.go @@ -126,8 +126,8 @@ func (i statefulSetAction) ensureMonitorStatefulSet(instance *rhtasv1alpha1.Reko "/bin/sh", "-c", fmt.Sprintf( - `/rekor_monitor --file=/data/checkpoint_log.txt --once=false --interval=%s --url=%s --tuf-repository=%s --tuf-root-path="%s/root.json"`, - interval.String(), rekorServerHost, tufServerHost, mountPath), + `/rekor_monitor --file=%s/checkpoint_log.txt --once=false --interval=%s --url=%s --tuf-repository=%s --tuf-root-path="%s/root.json"`, + mountPath, interval.String(), rekorServerHost, tufServerHost, mountPath), } container.Ports = []core.ContainerPort{ diff --git a/internal/images/images.go b/internal/images/images.go index 4f5674c71..99b5363bc 100644 --- a/internal/images/images.go +++ b/internal/images/images.go @@ -34,6 +34,7 @@ const ( HttpServer Image = "RELATED_IMAGE_HTTP_SERVER" ClientServer Image = "RELATED_IMAGE_CLIENT_SERVER" + CTLogMonitor Image = "RELATED_IMAGE_CTLOG_MONITOR" ) var Images = []Image{ @@ -53,6 +54,7 @@ var Images = []Image{ TimestampAuthority, HttpServer, ClientServer, + CTLogMonitor, } //go:generate cp ../../config/default/images.env embed/images.env