[SECURESIGN-3109] Add ctlog monitoring

api/v1alpha1/ctlog_types.go

@@ -38,7 +38,7 @@ type CTlogSpec struct {
 	RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
 
 	//Enable Service monitors for ctlog
-	Monitoring MonitoringConfig `json:"monitoring,omitempty"`
+	Monitoring MonitoringWithTLogConfig `json:"monitoring,omitempty"`
 
 	// Trillian service configuration
 	//+kubebuilder:default:={port: 8091}

cmd/main.go

@@ -118,6 +118,7 @@ func main() {
 	utils.RelatedImageFlag("client-server-image", images.ClientServer, "The image used to serve cosign and gitsign.")
 	utils.RelatedImageFlag("timestamp-authority-image", images.TimestampAuthority, "The image used for Timestamp Authority")
 	utils.RelatedImageFlag("rekor-monitor-image", images.RekorMonitor, "The image used for rekor monitor.")
+	utils.RelatedImageFlag("ctlog-monitor-image", images.CTLogMonitor, "The image used for ctlog monitor.")
 	flag.StringVar(&clidownload.CliHostName, "cli-server-hostname", "", "The hostname for the cli server")
 
 	klog.InitFlags(flag.CommandLine)

config/crd/bases/rhtas.redhat.com_ctlogs.yaml

@@ -971,6 +971,37 @@ spec:
                     x-kubernetes-validations:
                     - message: Feature cannot be disabled
                       rule: (self || !oldSelf)
+                  tlog:
+                    description: Configuration for Rekor transparency log monitoring
+                    properties:
+                      enabled:
+                        default: false
+                        description: If true, the Operator will create the Rekor log
+                          monitor resources
+                        type: boolean
+                        x-kubernetes-validations:
+                        - message: Feature cannot be disabled
+                          rule: (self || !oldSelf)
+                      interval:
+                        default: 10m
+                        description: Interval between log monitoring checks
+                        type: string
+                    required:
+                    - enabled
+                    type: object
+                  tuf:
+                    description: TUF service configuration
+                    properties:
+                      address:
+                        description: Address to TUF Server End point
+                        type: string
+                      port:
+                        description: Port of TUF Server End point
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                    type: object
                 required:
                 - enabled
                 type: object

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -994,6 +994,37 @@ spec:
                         x-kubernetes-validations:
                         - message: Feature cannot be disabled
                           rule: (self || !oldSelf)
+                      tlog:
+                        description: Configuration for Rekor transparency log monitoring
+                        properties:
+                          enabled:
+                            default: false
+                            description: If true, the Operator will create the Rekor
+                              log monitor resources
+                            type: boolean
+                            x-kubernetes-validations:
+                            - message: Feature cannot be disabled
+                              rule: (self || !oldSelf)
+                          interval:
+                            default: 10m
+                            description: Interval between log monitoring checks
+                            type: string
+                        required:
+                        - enabled
+                        type: object
+                      tuf:
+                        description: TUF service configuration
+                        properties:
+                          address:
+                            description: Address to TUF Server End point
+                            type: string
+                          port:
+                            description: Port of TUF Server End point
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        type: object
                     required:
                     - enabled
                     type: object

config/default/images.env

@@ -14,3 +14,4 @@ RELATED_IMAGE_HTTP_SERVER=registry.redhat.io/ubi9/httpd-24@sha256:8536169e5537fe
 RELATED_IMAGE_TIMESTAMP_AUTHORITY=registry.redhat.io/rhtas/timestamp-authority-rhel9@sha256:be623422f3f636c39397a66416b02a79f1d59cf593ca258e1701d1728755dde9
 RELATED_IMAGE_CLIENT_SERVER=registry.redhat.io/rhtas/client-server-rhel9@sha256:c81aaa8f300021d7cdbb964524fc5e89ea2c79fdab5507f0ec036bf96b219332
 RELATED_IMAGE_REKOR_MONITOR=registry.redhat.io/rhtas/rekor-monitor-rhel9@sha256:b7f9f8b24fe7db4e124f9e5e9289bc2d180a810e253f48feb7e1177bbef6d4d0
+RELATED_IMAGE_CTLOG_MONITOR=registry.redhat.io/rhtas/ctlog-monitor-rhel9@sha256:27aedf86251e0b75aaa971599728e9b38699bfe1dfb400649844ba0f627ab499

config/default/kustomization.yaml

@@ -200,6 +200,17 @@ replacements:
     select:
       kind: Deployment
       name: operator-controller-manager
+- source:
+    fieldPath: data.RELATED_IMAGE_CTLOG_MONITOR
+    kind: ConfigMap
+    name: related-images
+    version: v1
+  targets:
+  - fieldPaths:
+    - spec.template.spec.containers.[name=^manager$].env.[name=^RELATED_IMAGE_CTLOG_MONITOR$].value
+    select:
+      kind: Deployment
+      name: operator-controller-manager
 - source:
     fieldPath: data.RELATED_IMAGE_TIMESTAMP_AUTHORITY
     kind: ConfigMap

config/default/manager_images_patch.yaml

@@ -40,3 +40,5 @@ spec:
               value: PLACEHOLDER
             - name: RELATED_IMAGE_CLIENT_SERVER
               value: PLACEHOLDER
+            - name: RELATED_IMAGE_CTLOG_MONITOR
+              value: PLACEHOLDER

internal/controller/ctlog/actions/constants.go

@@ -5,22 +5,27 @@ import (
 )
 
 const (
-	DeploymentName     = "ctlog"
-	ComponentName      = "ctlog"
-	RBACName           = "ctlog"
-	MonitoringRoleName = "prometheus-k8s-ctlog"
+	DeploymentName         = "ctlog"
+	ComponentName          = "ctlog"
+	RBACName               = "ctlog"
+	MonitoringRoleName     = "prometheus-k8s-ctlog"
+	MonitorStatefulSetName = "ctlog-monitor"
+	MonitorComponentName   = "ctlog-monitor"
 
-	CertCondition   = "FulcioCertAvailable"
-	TLSCondition    = "ServerTLS"
-	ConfigCondition = "ServerConfigAvailable"
-	SignerKeyReason = "SignerKey"
-	FulcioReason    = "FulcioCertificate"
+	CertCondition    = "FulcioCertAvailable"
+	TLSCondition     = "ServerTLS"
+	ConfigCondition  = "ServerConfigAvailable"
+	SignerKeyReason  = "SignerKey"
+	FulcioReason     = "FulcioCertificate"
+	MonitorCondition = "MonitorAvailable"
 
-	ServerPortName   = "http"
-	ServerTargetPort = 6962
-	MetricsPortName  = "metrics"
-	MetricsPort      = 6963
-	TLSSecret        = "%s-ctlog-tls"
+	ServerPortName         = "http"
+	ServerTargetPort       = 6962
+	MetricsPortName        = "metrics"
+	MetricsPort            = 6963
+	TLSSecret              = "%s-ctlog-tls"
+	MonitorMetricsPortName = "monitor-metrics"
+	MonitorMetricsPort     = 9464
 
 	CTLPubLabel       = labels.LabelNamespace + "/ctfe.pub"
 	CTLogPrivateLabel = labels.LabelNamespace + "/ctfe.private"

internal/controller/ctlog/actions/monitor/helper.go

@@ -0,0 +1,10 @@
+package monitor
+
+import (
+	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/utils"
+)
+
+func enabled(instance *v1alpha1.CTlog) bool {
+	return utils.IsEnabled(&instance.Spec.Monitoring.TLog.Enabled)
+}

internal/controller/ctlog/actions/monitor/monitoring.go

@@ -0,0 +1,63 @@
+package monitor
+
+import (
+	"context"
+	"fmt"
+	"maps"
+	"slices"
+
+	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/action"
+	"github.com/securesign/operator/internal/constants"
+	"github.com/securesign/operator/internal/controller/ctlog/actions"
+	"github.com/securesign/operator/internal/labels"
+	"github.com/securesign/operator/internal/utils/kubernetes"
+	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func NewCreateMonitorAction() action.Action[*rhtasv1alpha1.CTlog] {
+	return &monitoringAction{}
+}
+
+type monitoringAction struct {
+	action.BaseAction
+}
+
+func (i monitoringAction) Name() string {
+	return "create monitoring"
+}
+
+func (i monitoringAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.CTlog) bool {
+	c := meta.FindStatusCondition(instance.Status.Conditions, constants.Ready)
+	return (c.Reason == constants.Creating || c.Reason == constants.Ready) && enabled(instance)
+}
+
+func (i monitoringAction) Handle(ctx context.Context, instance *rhtasv1alpha1.CTlog) *action.Result {
+	var (
+		err error
+	)
+
+	monitoringLabels := labels.For(actions.MonitorComponentName, actions.MonitoringRoleName, instance.Name)
+
+	if _, err = kubernetes.CreateOrUpdate(ctx, i.Client, kubernetes.CreateServiceMonitor(instance.Namespace, actions.MonitorStatefulSetName),
+		ensure.ControllerReference[*unstructured.Unstructured](instance, i.Client),
+		ensure.Labels[*unstructured.Unstructured](slices.Collect(maps.Keys(monitoringLabels)), monitoringLabels),
+		kubernetes.EnsureServiceMonitorSpec(
+			labels.ForComponent(actions.MonitorComponentName, instance.Name),
+			kubernetes.ServiceMonitorEndpoint(actions.MonitorMetricsPortName),
+		),
+	); err != nil {
+		return i.Error(ctx, fmt.Errorf("could not create serviceMonitor: %w", err), instance, metav1.Condition{
+			Type:    actions.MonitorCondition,
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.Failure,
+			Message: err.Error(),
+		})
+	}
+
+	// monitors & RBAC are not watched - do not need to re-enqueue
+	return i.Continue()
+}