3 changes: 3 additions & 0 deletions .crdify.yaml
@@ -0,0 +1,3 @@
validations:
- name: description
enforcement: None
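Review bot: `enforcement: None` on the `description` validation silences description drift for every CRD the linter job compares, not only the upstream Kubernetes API text that motivated the waiver (see the thread on securesign_types.go); a deliberately weakened or removed field description in this project's own types would now pass unnoticed. `Warn` (crdify's non-failing level, as far as I recall the config schema) would keep the diffs visible in the job log without blocking merges, and a comment stating why the waiver exists would stop the next reader from treating it as a blanket policy, e.g. `# description drift is mostly inherited from upstream k8s API types; not a compatibility break`. The rendered page dropped the list indentation, so I cannot confirm from here that `enforcement` is nested under the `- name: description` item rather than sitting as a sibling of `validations`.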
16 changes: 8 additions & 8 deletions .github/workflows/linter.yml
Expand Up @@ -31,27 +31,27 @@ jobs:
go-version-file: 'go.mod'
- name: Install crdifi
run: |
go install sigs.k8s.io/crdify@v0.4.0
go install sigs.k8s.io/crdify@v0.5.0
- name: Compare CTlog CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_ctlogs.yaml"
- name: Compare Fulcio CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_fulcios.yaml"
- name: Compare Rekor CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_rekors.yaml"
- name: Compare TSA CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_timestampauthorities.yaml"
- name: Compare Trillian CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_trillians.yaml"
- name: Compare TUF CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_tufs.yaml"
- name: Compare Securesign CRD
run: |
crdify "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml"
crdify --config .crdify.yaml "git://${{ github.event.pull_request.base.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml" "git://${{ github.event.pull_request.head.sha }}?path=config/crd/bases/rhtas.redhat.com_securesigns.yaml"
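Review bot: `--config .crdify.yaml` reads the waiver configuration from the checked-out working tree while the CRDs themselves are compared across `base.sha` and `head.sha`, so on a `pull_request` run the head commit decides which validations are enforced on its own changes; a PR that edits `.crdify.yaml` can relax or disable the comparison in the same commit that changes a CRD. The checkout step sits above the hunk, so I cannot see which ref is checked out, but the config path is relative either way. Either take the config from the base ref, e.g. `git show "${{ github.event.pull_request.base.sha }}:.crdify.yaml" > "$RUNNER_TEMP/crdify-base.yaml"` and pass that path, or state in a comment next to the install step that `.crdify.yaml` changes need the same review as CRD changes. The seven steps now differ only in the CRD basename; a `matrix` over those names would leave the shared flags in one place to maintain.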


6 changes: 6 additions & 0 deletions api/v1alpha1/common.go
Expand Up @@ -159,3 +159,9 @@ type PodRequirements struct {
Resources *core.ResourceRequirements `json:"resources,omitempty"`
Tolerations []core.Toleration `json:"tolerations,omitempty"`
}

type ServiceAccountRequirements struct {
// ImagePullSecrets is an optional list of references to secrets for pulling container images.
//+optional
ImagePullSecrets []core.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}
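Review bot: The exported type `ServiceAccountRequirements` at the end of the hunk has no doc comment, and because every spec embeds it with `json:",inline"` a type-level comment would not reach the CRD schema anyway, so the field comment on `ImagePullSecrets` is the only user-facing documentation and should carry the details. Two things a user needs are missing from it: the referenced secrets must live in the same namespace as the custom resource (`core.LocalObjectReference` is namespace-local, as the generated CRD text in this PR also says), and what the list is applied to — presumably the service accounts the operator creates for the component, given the type name, but that is controller behaviour outside this diff and should be confirmed before it is written down. Suggested comment: `// ImagePullSecrets is an optional list of references to secrets in the CR's namespace, used for pulling the component's container images.` plus a one-line comment above the struct naming what it groups.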
2 changes: 2 additions & 0 deletions api/v1alpha1/ctlog_types.go
Expand Up @@ -58,6 +58,8 @@ type CTlogSpec struct {
//+kubebuilder:default:=153600
//+optional
MaxCertChainSize *int64 `json:"maxCertChainSize,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

// CTlogStatus defines the observed state of CTlog component
2 changes: 2 additions & 0 deletions api/v1alpha1/fulcio_types.go
Expand Up @@ -33,6 +33,8 @@ type FulcioSpec struct {
// ConfigMap with additional bundle of trusted CA
//+optional
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

// FulcioCert defines fields for system-generated certificate
2 changes: 2 additions & 0 deletions api/v1alpha1/rekor_types.go
Expand Up @@ -58,6 +58,8 @@ type RekorSpec struct {
//+kubebuilder:default:=10485760
//+optional
MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

// RekorAttestations defines the configuration for storing attestations.
5 changes: 4 additions & 1 deletion api/v1alpha1/securesign_types.go
Expand Up @@ -24,7 +24,8 @@ import (
// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.

// SecuresignSpec defines the desired state of Securesign
// SecuresignSpec defines the desired state of Securesign.
// Service account settings defined at this level (such as imagePullSecrets) are inherited by all components.
// +kubebuilder:validation:XValidation:rule="(has(self.rekor.attestations.enabled) && !self.rekor.attestations.enabled) || !self.rekor.attestations.url.startsWith('file://') || (!(self.rekor.replicas > 1) || ('ReadWriteMany' in self.rekor.pvc.accessModes))",message="When Rekor's rich attestation storage is enabled, and it's URL starts with 'file://', then PVC accessModes must contain 'ReadWriteMany' for replicas greater than 1."
// +kubebuilder:validation:XValidation:rule="!(self.tuf.replicas > 1) || ('ReadWriteMany' in self.tuf.pvc.accessModes)",message="For TUF deployments with more than 1 replica, tuf.pvc.accessModes must include 'ReadWriteMany'."
type SecuresignSpec struct {
Expand All @@ -35,6 +36,8 @@ type SecuresignSpec struct {
Tuf TufSpec `json:"tuf,omitempty"`
Ctlog CTlogSpec `json:"ctlog,omitempty"`
TimestampAuthority *TimestampAuthoritySpec `json:"tsa,omitempty"`

ServiceAccountRequirements `json:",inline"`
Collaborator


ImagePullSecrets for this CRD behaves differently compared to the other CRDs. That behavior will need to be documented, and it would be good to provide some tests so it is not broken by future changes.

Contributor Author


Yes to documentation, I've already reached out to Aron about creating the docs issues. Or are you referring to having a comment?

I'll add some tests

Contributor Author


I added a comment to SecuresignSpec and some higher-level tests to complement the lower-level ones.

Collaborator

@osmman osmman Nov 12, 2025


Unfortunately, adding a comment like you did will not modify the CRD's OpenAPI schema, which is the main source of documentation for CRDs.

For example:

oc explain securesign.spec

Contributor Author


Ah okay, now I understand what you are after. I'll take a look

Contributor Author


@osmman crdify is complaining about the extra text, so I've reverted that

Collaborator


I know about the limitations of inlining; that is the reason I gave you two options for how it could be solved. I do not see any changes in SecuresignSpec that document the usage of that parameter for the Securesign CRD.

Crdify failures on descriptions are not a problem; these are mainly introduced by Kubernetes changes in the API spec and can usually be waived.

Contributor Author


okay, I can waive them.

Contributor Author

@knrc knrc Nov 24, 2025


Looking at these previous changes, it seems to be a different issue, and I rushed the change while at KubeCon. I'll fix it properly and update the PR.

Update: double checking the change it was correct, so it does need waiving

Contributor Author


@osmman I've worked out how to waive the crdify checks for documentation, the PR has been updated to include that change

}

// SecuresignStatus defines the observed state of Securesign
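Review bot: The new type comment at lines 122-123 says the service account settings are inherited by all components, but it does not say what happens when both `spec.imagePullSecrets` and a component-level `spec.<component>.imagePullSecrets` are set, and since every component spec embedded here (`Rekor`, `Tuf`, `Ctlog`, `TimestampAuthority`, …) now carries the same inline field, both levels are valid in a single object. State the precedence explicitly — whether a component list replaces the top-level list or the two are merged, and whether an empty component list opts out — because that is the contract a user reading the CRD needs; the resolution logic lives in the controller, outside this diff, so I cannot tell from here which it is. Something like `// A component-level imagePullSecrets list, when set, <replaces|is merged with> the Securesign-level list.` with the correct verb filled in would close the gap.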
2 changes: 2 additions & 0 deletions api/v1alpha1/timestampauthority_types.go
Expand Up @@ -42,6 +42,8 @@ type TimestampAuthoritySpec struct {
//+kubebuilder:default:=1048576
//+optional
MaxRequestBodySize *int64 `json:"maxRequestBodySize,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

// TimestampAuthoritySigner defines the desired state of the Timestamp Authority Signer
2 changes: 2 additions & 0 deletions api/v1alpha1/trillian_types.go
Expand Up @@ -42,6 +42,8 @@ type TrillianSpec struct {
//+kubebuilder:default:=153600
//+optional
MaxRecvMessageSize *int64 `json:"maxRecvMessageSize,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

type trillianService struct {
2 changes: 2 additions & 0 deletions api/v1alpha1/tuf_types.go
Expand Up @@ -29,6 +29,8 @@ type TufSpec struct {
// You can use ReadWriteOnce accessMode if you don't have suitable storage provider but your deployment will not support HA mode
//+kubebuilder:default:={size: "100Mi",retain: true,accessModes: {ReadWriteOnce}}
Pvc TufPvc `json:"pvc,omitempty"`

ServiceAccountRequirements `json:",inline"`
}

// TufPvc configuration of the persistent storage claim for deployment in the cluster.
27 changes: 27 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


20 changes: 20 additions & 0 deletions config/crd/bases/rhtas.redhat.com_ctlogs.yaml
Expand Up @@ -956,6 +956,26 @@ spec:
x-kubernetes-list-type: atomic
type: object
type: object
imagePullSecrets:
description: ImagePullSecrets is an optional list of references to
secrets for pulling container images.
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
type: array
maxCertChainSize:
default: 153600
description: Max certificate chain size in bytes. Passed as --max_cert_chain_size.
20 changes: 20 additions & 0 deletions config/crd/bases/rhtas.redhat.com_fulcios.yaml
Expand Up @@ -1280,6 +1280,26 @@ spec:
required:
- enabled
type: object
imagePullSecrets:
description: ImagePullSecrets is an optional list of references to
secrets for pulling container images.
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
type: array
monitoring:
description: Enable Service monitors for fulcio
properties:
20 changes: 20 additions & 0 deletions config/crd/bases/rhtas.redhat.com_rekors.yaml
Expand Up @@ -1247,6 +1247,26 @@ spec:
required:
- enabled
type: object
imagePullSecrets:
description: ImagePullSecrets is an optional list of references to
secrets for pulling container images.
items:
description: |-
LocalObjectReference contains enough information to let you locate the
referenced object inside the same namespace.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
type: array
maxRequestBodySize:
default: 10485760
description: MaxRequestBodySize sets the maximum size in bytes for