fix: SECURESIGN-3246: restrict SBJ to OpenShift environments

[knrc]

This PR adds guards around the SBJ integration, since this requires resources within the openshift-monitoring namespace

Summary by Sourcery

Guard SBJ integration to only operate in OpenShift environments and disable related actions on non-OpenShift clusters

Enhancements:

• Add kubernetes.IsOpenShift guard around Role and RoleBinding cleanup in openshift-monitoring namespace
• Restrict segment backup CronJob, backup Job, and RBAC actions to OpenShift clusters only

[sourcery-ai]

Reviewer's Guide

This PR restricts SBJ integration to OpenShift clusters by introducing runtime guards using the kubernetes.IsOpenShift() utility in both the reconciler's cleanup logic and the action handlers' CanHandle methods.

Sequence diagram for SBJ resource cleanup with OpenShift guard

sequenceDiagram
    participant Reconciler
    participant kubernetes
    participant Role
    participant RoleBinding
    Reconciler->>kubernetes: IsOpenShift()
    alt IsOpenShift == true
        Reconciler->>Role: DeleteAllOf (in openshift-monitoring)
        Reconciler->>RoleBinding: DeleteAllOf (in openshift-monitoring)
    else IsOpenShift == false
        Reconciler-->>Role: (no action)
        Reconciler-->>RoleBinding: (no action)
    end

Loading

Class diagram for updated SBJ action handlers with OpenShift guard

classDiagram
    class segmentBackupCronJob {
        +Name() string
        +CanHandle(ctx, instance) bool
    }
    class segmentBackupJob {
        +Name() string
        +CanHandle(ctx, instance) bool
    }
    class rbacAction {
        +Name() string
        +CanHandle(ctx, instance) bool
    }
    class kubernetes {
        +IsOpenShift() bool
    }
    segmentBackupCronJob ..> kubernetes : uses
    segmentBackupJob ..> kubernetes : uses
    rbacAction ..> kubernetes : uses

Loading

File-Level Changes

Change	Details	Files
Guard resource cleanup for OpenShift only	Imported kubernetes utility to detect OpenShift clusters Wrapped Role DeleteAllOf call in an IsOpenShift() check Wrapped RoleBinding DeleteAllOf call in an IsOpenShift() check	internal/controller/securesign/securesign_controller.go
Restrict action handlers to OpenShift clusters	Added !IsOpenShift() pre-check in CanHandle for segment_backup_cronjob Added !IsOpenShift() pre-check in CanHandle for segment_backup_job Added !IsOpenShift() pre-check in CanHandle for segment_rbac	internal/controller/securesign/actions/segment_backup_cronjob.go internal/controller/securesign/actions/segment_backup_job.go internal/controller/securesign/actions/segment_rbac.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[qodo-merge-pro]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: Newly added environment guard and conditional deletions do not include audit-grade logging for the decision to skip or perform deletions, making it unclear who/what triggered these critical actions. Referred Code if kubernetes.IsOpenShift() { if err := r.DeleteAllOf(ctx, &v1.Role{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS) } if err := r.DeleteAllOf(ctx, &v1.RoleBinding{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { log.Error(err, "problem with removing RoleBinding resource in %s", actions.OpenshiftMonitoringNS) } } Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Limited error context: The new conditional deletions on OpenShift wrap errors with generic messages and omit contextual details (e.g., instance identifiers, label selectors), making debugging harder. Referred Code if kubernetes.IsOpenShift() { if err := r.DeleteAllOf(ctx, &v1.Role{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS) } if err := r.DeleteAllOf(ctx, &v1.RoleBinding{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { log.Error(err, "problem with removing RoleBinding resource in %s", actions.OpenshiftMonitoringNS) } } Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Centralize duplicated condition checks The duplicated condition-checking logic in the CanHandle methods of three actions should be extracted into a shared utility function. This will improve maintainability. Examples: internal/controller/securesign/actions/segment_backup_cronjob.go [38-55] func (i segmentBackupCronJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { if !kubernetes.IsOpenShift() { return false } c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition) if c == nil || c.Reason == constants.Ready { return false } val, found := instance.Annotations[annotations.Metrics] ... (clipped 8 lines) internal/controller/securesign/actions/segment_backup_job.go [37-55] func (i segmentBackupJob) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { if !kubernetes.IsOpenShift() { return false } c := meta.FindStatusCondition(instance.Status.Conditions, MetricsCondition) if c == nil || c.Reason == constants.Ready { return false } ... (clipped 9 lines) Solution Walkthrough: Before: // In segment_backup_cronjob.go func (i segmentBackupCronJob) CanHandle(...) bool { if !kubernetes.IsOpenShift() { return false } // ... duplicated logic ... } // In segment_backup_job.go func (i segmentBackupJob) CanHandle(...) bool { if !kubernetes.IsOpenShift() { return false } // ... duplicated logic ... } // In segment_rbac.go func (i rbacAction) CanHandle(...) bool { if !kubernetes.IsOpenShift() { return false } // ... duplicated logic ... } After: // In a new utility file, e.g., actions/utils.go func CanHandleSegmentActions(instance *rhtasv1alpha1.Securesign) bool { if !kubernetes.IsOpenShift() { return false } // ... common logic for metrics condition and annotation ... return true } // In all three action files (cronjob, job, rbac) func (i ...) CanHandle(_ context.Context, instance *rhtasv1alpha1.Securesign) bool { return CanHandleSegmentActions(instance) } Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies duplicated logic in CanHandle methods across three files, which this PR adds to, and proposes a valid refactoring that would improve code quality and maintainability.	Medium
Possible issue	Fix incorrect structured logging usage Correct the log.Error calls to use structured logging with key-value pairs instead of printf-style format strings to ensure log messages are properly formatted. internal/controller/securesign/securesign_controller.go [103-110] if kubernetes.IsOpenShift() { if err := r.DeleteAllOf(ctx, &v1.Role{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing Role resource in %s", actions.OpenshiftMonitoringNS) + log.Error(err, "problem with removing Role resource", "namespace", actions.OpenshiftMonitoringNS) } if err := r.DeleteAllOf(ctx, &v1.RoleBinding{}, client.InNamespace(actions.OpenshiftMonitoringNS), client.MatchingLabels(instanceLabels)); err != nil { - log.Error(err, "problem with removing RoleBinding resource in %s", actions.OpenshiftMonitoringNS) + log.Error(err, "problem with removing RoleBinding resource", "namespace", actions.OpenshiftMonitoringNS) } } Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that log.Error is being used with printf-style formatting, which is incorrect for the structured logger and would result in malformed logs.	Low
More

[qodo-merge-pro]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Execute securesign/sigstore-e2e

Failed stage: Run tests [❌]

Failed test name: TestManualTUFRepoTest - TUF manual repo test [It] should verify workdir structure

Failure summary: The action failed because an end-to-end test for TUF manual repo verification failed: - Test: TUF manual repo test "[It] should verify workdir structure" - File/Line: e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286 - Error: Expected at least one file with suffix .signing_config.v0.2.json, found 0 This indicates the TUF workdir did not contain the required signing config file after setup.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 457: configmap/ingress-nginx-controller created 458: service/ingress-nginx-controller created 459: service/ingress-nginx-controller-admission created 460: deployment.apps/ingress-nginx-controller created 461: job.batch/ingress-nginx-admission-create created 462: job.batch/ingress-nginx-admission-patch created 463: ingressclass.networking.k8s.io/nginx created 464: validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created 465: pod/ingress-nginx-controller-bcdf75cfc-vqfsf condition met 466: ##[group]Run # Download the bundle.yaml 467: �[36;1m# Download the bundle.yaml�[0m 468: �[36;1mcurl -sL https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.84.0/bundle.yaml -o bundle.yaml �[0m 469: �[36;1m�[0m 470: �[36;1m# Check if the download was successful and the file is not empty�[0m 471: �[36;1mif [ ! -s "bundle.yaml" ]; then�[0m 472: �[36;1m echo "Error: Downloaded bundle.yaml is empty or failed to download."�[0m 473: �[36;1m exit 1�[0m ... 752: IMG: ghcr.io/securesign/secure-sign-operator:dev-8b0b8b9649e6b92c136b7d663dee73c40f8321b5 753: BUNDLE_IMG: ghcr.io/securesign/secure-sign-operator-bundle:dev-8b0b8b9649e6b92c136b7d663dee73c40f8321b5 754: CATALOG_IMG: ghcr.io/securesign/secure-sign-operator-fbc:dev-8b0b8b9649e6b92c136b7d663dee73c40f8321b5 755: NEW_OLM_CHANNEL: rhtas-operator.v1.4.0 756: OCP_VERSION: v4.19 757: TEST_NAMESPACE: test 758: REGISTRY_AUTH_FILE: /tmp/config.json 759: ##[endgroup] 760: /home/runner/work/secure-sign-operator/secure-sign-operator/bin/controller-gen-v0.17.0 rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases 761: Downloading sigs.k8s.io/kustomize/kustomize/v5@v5.6.0 762: go: downloading sigs.k8s.io/kustomize/kustomize/v5 v5.6.0 763: go: downloading github.com/spf13/cobra v1.8.0 764: go: downloading sigs.k8s.io/kustomize/api v0.19.0 765: go: downloading sigs.k8s.io/kustomize/cmd/config v0.19.0 766: go: downloading sigs.k8s.io/kustomize/kyaml v0.19.0 767: go: downloading github.com/go-errors/errors v1.4.2 768: go: downloading github.com/davecgh/go-spew v1.1.1 ... 965: {"status":"Digest: sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"} 966: {"status":"Status: Downloaded newer image for mirror.gcr.io/alpine:latest"} 967: {"status":"The push refers to repository [ttl.sh/9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7]"} 968: {"status":"Preparing","progressDetail":{},"id":"256f393e029f"} 969: {"status":"Pushing","progressDetail":{"current":101376,"total":8317404},"progress":"[\u003e ] 101.4kB/8.317MB","id":"256f393e029f"} 970: {"status":"Pushing","progressDetail":{"current":199680,"total":8317404},"progress":"[=\u003e ] 199.7kB/8.317MB","id":"256f393e029f"} 971: {"status":"Pushing","progressDetail":{"current":494592,"total":8317404},"progress":"[==\u003e ] 494.6kB/8.317MB","id":"256f393e029f"} 972: {"status":"Pushing","progressDetail":{"current":1149708,"total":8317404},"progress":"[======\u003e ] 1.15MB/8.317MB","id":"256f393e029f"} 973: {"status":"Pushing","progressDetail":{"current":2558976,"total":8317404},"progress":"[===============\u003e ] 2.559MB/8.317MB","id":"256f393e029f"} 974: {"status":"Pushing","progressDetail":{"current":5114880,"total":8317404},"progress":"[==============================\u003e ] 5.115MB/8.317MB","id":"256f393e029f"} 975: {"status":"Pushing","progressDetail":{"current":7676416,"total":8317404},"progress":"[==============================================\u003e ] 7.676MB/8.317MB","id":"256f393e029f"} 976: {"status":"Pushing","progressDetail":{"current":8607232,"total":8317404},"progress":"[==================================================\u003e] 8.607MB","id":"256f393e029f"} 977: {"status":"Pushed","progressDetail":{},"id":"256f393e029f"} 978: {"status":"5m: digest: sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64 size: 527"} 979: {"progressDetail":{},"aux":{"Tag":"5m","Digest":"sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64","Size":527}} 980: t=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 981: t=l=info app=cosign m=Root status: 982: t=l=info app=cosign m= { 983: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 984: t=l=info app=cosign m= "remote": "http://tuf.local", 985: t=l=info app=cosign m= "metadata": { 986: t=l=info app=cosign m= "root.json": { 987: t=l=info app=cosign m= "version": 1, 988: t=l=info app=cosign m= "len": 4128, 989: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 990: t=l=info app=cosign m= "error": "" 991: t=l=info app=cosign m= }, 992: t=l=info app=cosign m= "snapshot.json": { 993: t=l=info app=cosign m= "version": 1, 994: t=l=info app=cosign m= "len": 994, 995: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 996: t=l=info app=cosign m= "error": "" 997: t=l=info app=cosign m= }, 998: t=l=info app=cosign m= "targets.json": { 999: t=l=info app=cosign m= "version": 1, 1000: t=l=info app=cosign m= "len": 2416, 1001: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1002: t=l=info app=cosign m= "error": "" 1003: t=l=info app=cosign m= }, 1004: t=l=info app=cosign m= "timestamp.json": { 1005: t=l=info app=cosign m= "version": 1, 1006: t=l=info app=cosign m= "len": 995, 1007: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1008: t=l=info app=cosign m= "error": "" 1009: t=l=info app=cosign m= } 1010: t=l=info app=cosign m= }, 1011: t=l=info app=cosign m= "targets": [ 1012: t=l=info app=cosign m= "fulcio_v1.crt.pem", 1013: t=l=info app=cosign m= "trusted_root.json", 1014: t=l=info app=cosign m= "tsa.certchain.pem", 1015: t=l=info app=cosign m= "ctfe.pub", 1016: t=l=info app=cosign m= "rekor.pub" 1017: t=l=info app=cosign m= ] 1018: t=l=info app=cosign m=} 1019: �[38;5;10m•�[0mt=l=error app=cosign m=Generating ephemeral keys... 1020: t=l=error app=cosign m=Retrieving signed certificate... 1021: t=l=error app=cosign m=Successfully verified SCT... 1022: t=l=error app=cosign m=WARNING: Image reference ttl.sh/9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7:5m uses a tag, not a digest, to identify the image to sign. 1023: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1024: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1025: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1026: t=l=error app=cosign m= images by tag will be removed in a future release. 1027: t=l=error app=cosign 1028: t=l=error app=cosign 1029: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1030: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1031: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1032: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1033: t=l=error app=cosign 1034: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1035: t=l=error app=cosign m=tlog entry created with index: 2 1036: t=l=error app=cosign m=Pushing signature to: ttl.sh/9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7 1037: �[38;5;10m•�[0mt=l=info app=cosign m= ... 1066: t=l=info app=rekor-cli m=Current Tree Size: 3 1067: t=l=info app=rekor-cli m=Checkpoint: 1068: t=l=info app=rekor-cli m=rekor-server-847c55c597-bslph - 4280618434264250457 1069: t=l=info app=rekor-cli m=3 1070: t=l=info app=rekor-cli m=pOyJ9hN4TUTuL+g+TN/XPkO6JchIwHo20Nq+JJgIddA= 1071: t=l=info app=rekor-cli 1072: t=l=info app=rekor-cli m=— rekor-server-847c55c597-bslph aEn6nDBFAiEA9+YZaajRN9TD9gSf1XAd2jvkqy3PYxynhzKnOlKwhfcCIH5dPn6kD4aDmPf6Ds+ZSPr5PtWBt94kn9IL6TlEA1Tx 1073: t=l=info app=rekor-cli 1074: t=l=info app=rekor-cli 1075: t=l=info app=rekor-cli m=Inclusion Proof: 1076: t=l=info app=rekor-cli m=SHA256(0x01 | b217e0d2dfa2cceb26e2e116158a1bfe3fc0438590cb0e87234db388561d7a81 | 859b90c4c939d834fc7f41b716392867c5b382bf002a430a28d93f3def4a29d4) = 1077: t=l=info app=rekor-cli m= a4ec89f613784d44ee2fe83e4cdfd73e43ba25c848c07a36d0dabe24980875d0 1078: t=l=info app=rekor-cli 1079: t=l=info app=rekor-cli m=Computed Root Hash: a4ec89f613784d44ee2fe83e4cdfd73e43ba25c848c07a36d0dabe24980875d0 1080: t=l=info app=rekor-cli m=Expected Root Hash: a4ec89f613784d44ee2fe83e4cdfd73e43ba25c848c07a36d0dabe24980875d0 1081: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign m=WARNING: Image reference ttl.sh/9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7:5m uses a tag, not a digest, to identify the image to sign. 1082: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1083: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1084: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1085: t=l=error app=cosign m= images by tag will be removed in a future release. 1086: t=l=error app=cosign 1087: t=l=error app=cosign m=Generating ephemeral keys... 1088: t=l=error app=cosign m=Retrieving signed certificate... 1089: t=l=error app=cosign m=Successfully verified SCT... 1090: t=l=error app=cosign m=Using payload from: /tmp/tmp2039501024/predicate.json 1091: t=l=error app=cosign 1092: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1093: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1094: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1095: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1096: t=l=error app=cosign 1097: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1098: t=l=error app=cosign m=tlog entry created with index: 3 1099: �[38;5;10m•�[0mt=l=info app=cosign m=📦 Supply Chain Security Related artifacts for an image: ttl.sh/9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7:5m ... 1240: t=l=info app=cosign m=GitVersion: a24041b7 1241: t=l=info app=cosign m=GitCommit: a24041b7b57f3d62ef38c633c1533aa76bd2d8a1 1242: t=l=info app=cosign m=GitTreeState: clean 1243: t=l=info app=cosign m=BuildDate: t=l=info app=cosign m=GoVersion: go1.24.6 (Red Hat 1.24.6-1.el9_6) X:strictfipsruntime 1244: t=l=info app=cosign m=Compiler: gc 1245: t=l=info app=cosign m=Platform: linux/amd64 1246: t=l=info app=cosign 1247: {"status":"Pulling from alpine","id":"latest"} 1248: {"status":"Digest: sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"} 1249: {"status":"Status: Image is up to date for mirror.gcr.io/alpine:latest"} 1250: {"status":"The push refers to repository [ttl.sh/2e8447e6-4720-4aa8-a431-b5d25571ebe4]"} 1251: {"status":"Preparing","progressDetail":{},"id":"256f393e029f"} 1252: {"status":"Mounted from 9e2abc1b-967e-4619-ba0c-79b1bbbc1ee7","progressDetail":{},"id":"256f393e029f"} 1253: {"status":"5m: digest: sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64 size: 527"} 1254: {"progressDetail":{},"aux":{"Tag":"5m","Digest":"sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64","Size":527}} 1255: t=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 1256: t=l=info app=cosign m=Root status: 1257: t=l=info app=cosign m= { 1258: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 1259: t=l=info app=cosign m= "remote": "http://tuf.local", 1260: t=l=info app=cosign m= "metadata": { 1261: t=l=info app=cosign m= "root.json": { 1262: t=l=info app=cosign m= "version": 1, 1263: t=l=info app=cosign m= "len": 4128, 1264: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1265: t=l=info app=cosign m= "error": "" 1266: t=l=info app=cosign m= }, 1267: t=l=info app=cosign m= "snapshot.json": { 1268: t=l=info app=cosign m= "version": 1, 1269: t=l=info app=cosign m= "len": 994, 1270: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1271: t=l=info app=cosign m= "error": "" 1272: t=l=info app=cosign m= }, 1273: t=l=info app=cosign m= "targets.json": { 1274: t=l=info app=cosign m= "version": 1, 1275: t=l=info app=cosign m= "len": 2416, 1276: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1277: t=l=info app=cosign m= "error": "" 1278: t=l=info app=cosign m= }, 1279: t=l=info app=cosign m= "timestamp.json": { 1280: t=l=info app=cosign m= "version": 1, 1281: t=l=info app=cosign m= "len": 995, 1282: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1283: t=l=info app=cosign m= "error": "" 1284: t=l=info app=cosign m= } 1285: t=l=info app=cosign m= }, 1286: t=l=info app=cosign m= "targets": [ 1287: t=l=info app=cosign m= "ctfe.pub", 1288: t=l=info app=cosign m= "rekor.pub", 1289: t=l=info app=cosign m= "fulcio_v1.crt.pem", 1290: t=l=info app=cosign m= "trusted_root.json", 1291: t=l=info app=cosign m= "tsa.certchain.pem" 1292: t=l=info app=cosign m= ] 1293: t=l=info app=cosign m=} 1294: �[38;5;10m•�[0mt=l=error app=cosign m=Generating ephemeral keys... 1295: t=l=error app=cosign m=Retrieving signed certificate... 1296: t=l=error app=cosign m=Successfully verified SCT... 1297: t=l=error app=cosign m=WARNING: Image reference ttl.sh/2e8447e6-4720-4aa8-a431-b5d25571ebe4:5m uses a tag, not a digest, to identify the image to sign. 1298: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1299: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1300: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1301: t=l=error app=cosign m= images by tag will be removed in a future release. 1302: t=l=error app=cosign 1303: t=l=error app=cosign 1304: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1305: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1306: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1307: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1308: t=l=error app=cosign 1309: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1310: t=l=error app=cosign m=Timestamp fetched with time: 2025-11-10 15:24:47 +0000 UTC 1311: t=l=error app=cosign m=tlog entry created with index: 4 1312: t=l=error app=cosign m=Pushing signature to: ttl.sh/2e8447e6-4720-4aa8-a431-b5d25571ebe4 1313: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign 1314: t=l=error app=cosign m=Verification for ttl.sh/2e8447e6-4720-4aa8-a431-b5d25571ebe4:5m -- 1315: t=l=info app=cosign 1316: t=l=info app=cosign m=[{"critical":{"identity":{"docker-reference":"ttl.sh/2e8447e6-4720-4aa8-a431-b5d25571ebe4"},"image":{"docker-manifest-digest":"sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"http://keycloak-internal.keycloak-system.svc/auth/realms/trusted-artifact-signer","Bundle":{"SignedEntryTimestamp":"MEUCIQDRoZpML8wrwtdY3jBb7ZjJT/3wFZmt2Tq6tww007g2MQIgTg8D5GQk1J6PIihMwT9MEXivd+DVseyYrXjSyNlyzFQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkNDBiYTVhYTE2MTM0MWNkMTAzNWFkNDBhY2Y4YjNiMjUwMzNmOTU5M2ViYzcxOWM4NjZkOTE0OWQ2MjFmNzZkIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQzByaUNsdG4rbUpMK1oxWElPM2lxSHJoK09VS1JBYVNSVUJSeUxIZG9mY0FpQlF4OWkwcnBTRmY2dm9uVkdCaWxPNVB3MGQyRTFNRFJqdGZyWFVBaXVMUFE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUkxWRU5EUVhFMlowRjNTVUpCWjBsVlFsQkNlV05HZDNsNFYyVTVMemxHVUdSck5IbHhaVFJSYTBwM2QwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RFUkZVVTFCTkVkQk1WVkZRMmhOU0ZWdFZtdEpSV2hvWkVSRldVMUNXVWRCTVZWRlFYaE5VRnB1Vm5OWk1teDJURzFvZG1NelVuVlpWekZzVFVJMFdBcEVWRWt4VFZSRmVFMUVSVEZOYWxFd1RteHZXRVJVU1RGTlZFVjRUVVJGTVUxNlVUQk9iRzkzUVVSQ1drMUNUVWRDZVhGSFUwMDBPVUZuUlVkRFEzRkhDbE5OTkRsQmQwVklRVEJKUVVKSlYybEZVRWhTZG1SS1ZscE1jMlJKVUZaamNGSnJVV05WYUc1dFoyWnVOWEJzY200ck1tZHdVREpoWjBGV1RGZGxlVTRLYXpSUFJtWnNabEZEVUV0UFdFbDRNV3R0VjA0Mk1UZFBNWGR3YUhodFNqRTVkR1ZxWjJkSVdVMUpTVUl4UkVGUFFtZE9Wa2hST0VKQlpqaEZRa0ZOUXdwQ05FRjNSWGRaUkZaU01HeENRWGQzUTJkWlNVdDNXVUpDVVZWSVFYZE5kMGhSV1VSV1VqQlBRa0paUlVaRk1IZHlMMk5vZDI5MlRrNUxiMGMzYUVVckNsWklWMDV3UjFrNVRVSTRSMEV4VldSSmQxRlpUVUpoUVVaQmJWUm5iWGMyUW1WSmJVdENka1JxYkV0blMzbFJaV0ozY0dWTlFqQkhRVEZWWkVWUlJVSUtMM2RSVkUxQ1IwSkVNbkJyWWpKV1FXTnRWbXRoUjBZd1RHMU9kbUpVUW1WQ1oyOXlRbWRGUlVGWlR5OU5RVVZDUWtaQ2IyUklVbmRQYVRoMllUSldOUXBaTW5oMldWZHpkR0ZYTlRCYVdFcDFXVmQzZFdFeVZqVlpNbmgyV1ZkemRHTXpiSHBrUjFaMFRHNU9NbGw1T1doa1dGSnZURE5LYkZsWGVIUmplVGt3Q21OdVZucGtSMVpyVEZkR2VXUkhiRzFaVjA0d1RGaE9jRm95Tld4amFrSm5RbWR2Y2tKblJVVkJXVTh2VFVGRlNVSkdTVTFWUjJnd1pFaEJOa3g1T1hJS1dsaHNhbUpIT1doaGVURndZbTVTYkdOdE5XaGlRelZ5V2xoc2FtSkhPV2hoZVRGNlpWaE9NRnBYTUhWak0xcHFUREpHTVdSSFozWmpiVlpvWWtjeGVncE1NMUo1WkZoT01GcFhVWFJaV0Vvd1lWZGFhRmt6VVhSak1teHVZbTFXZVUxSlIweENaMjl5UW1kRlJVRmtXalZCWjFGRFFrZ3dSV1YzUWpWQlNHTkJDalpKYUZoa2NVcEVPVFJ6YkhVMUsyUjFaRTU1VkVodk9WTllWakprYWpWcWNqWXJjMkpKVG5aWVpIZEJRVUZIWVdKc05tWjRkMEZCUWtGTlFWTkVRa2NLUVdsRlFUZGhkbEpSY1dOSWRubEVMMmQxTkROWFRqUmhUazVMUjBoVVVVVlBibGRWTjFaQ2VHaFBMelJ2WXpCRFNWRkRTM1p5TDNKcUwyMUhRMU5OUVFwTU4wbHBkekJDUzBVclNsTkxTREZ4TDFsbFRGWnFaemt5ZGxVMldGUkJTMEpuWjNGb2EycFBVRkZSUkVGM1RuQkJSRUp0UVdwRlFYWm9ZMFZzV2xsRkNqVnljWFZZVkRsRVpIZFJkMHRoVjA1T2RYWXhWMHBDVDJrcllYTXpOVTVTV0ZKTVYyVnZRbEo0ZDNCRGNXcGlWMEpzZFc1dGRFZ3lRV3BGUVhjeVNXY0tXRVp6VjBWWmRWSlZTa1ZST1ZGak0ydGlZMFZHWW5WWFIweEJVMGd3ZFhSNVMzVXdiR1UxWkd4bFRsRjFjbll6Ym0xVlJWaFNVMVZHWkRjMUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19","integratedTime":1762788287,"logIndex":4,"logID":"6849fa9cdbdee89bc268e1c4449700cbca769d21b6c44d7b5a7d39dadc8fb653"}},"Issuer":"http://keycloak-internal.keycloak-system.svc/auth/realms/trusted-artifact-signer","RFC3161Timestamp":{"SignedRFC3161Timestamp":"MIIEvTADAgEAMIIEtAYJKoZIhvcNAQcCoIIEpTCCBKECAQMxDTALBglghkgBZQMEAgEwgc0GCyqGSIb3DQEJEAEEoIG9BIG6MIG3AgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgJq1DviBvLKFSvIFL+rTa0e/m865FVXQtKpD6DDpPXWMCFFi+JBpjwRqZPS2hpYgA8zHg1sgfGA8yMDI1MTExMDE1MjQ0N1owAwIBAQIUUfMfttTLUn22Af4OE/8I1LeMyXOgMqQwMC4xEDAOBgNVBAoTB1JlZCBIYXQxGjAYBgNVBAMTEXRzYS5ob3N0bmFtZS1sZWFmoIIB8jCCAe4wggF1oAMCAQICFAomUllTzjAG1whJ9zHmt9co+tlOMAoGCCqGSM49BAMDMC4xEDAOBgNVBAoTB1JlZCBIYXQxGjAYBgNVBAMTEXRzYS5ob3N0bmFtZS1yb290MB4XDTI1MTExMDE1MTk0OVoXDTM1MTEwODE1MTk0OVowLjEQMA4GA1UEChMHUmVkIEhhdDEaMBgGA1UEAxMRdHNhLmhvc3RuYW1lLWxlYWYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATi0kb9lZl8a2jR/zkvMxNeHAebDwsLsGKOl0sOE80lm1XqhMltqtwreUORlcTevU50VBizxJIRl8KeYfjpmML1G0xT2SPhYppDPi9z12ABzNA8duc9LBqKWFnR9AsIjK2jVDBSMA4GA1UdDwEB/wQEAwIBBjAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGBD2pkb2VAcmVkaGF0LmNvbTAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAKBggqhkjOPQQDAwNnADBkAjBfbgUH4qoU7sTPWjnvXC9Y0OIR7m71xU+vjoiPcHBoPOP7KBHyRuA9PQolpu7JxYkCMDH38b97DG3Ak6LUDNUCgLeILCnuBIUxtoIj6Un0lMsxpl6iL9Xvs1vk3EID3XjuODGCAcUwggHBAgEBMEYwLjEQMA4GA1UEChMHUmVkIEhhdDEaMBgGA1UEAxMRdHNhLmhvc3RuYW1lLXJvb3QCFAomUllTzjAG1whJ9zHmt9co+tlOMAsGCWCGSAFlAwQCAaCB8TAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1MTExMDE1MjQ0N1owLwYJKoZIhvcNAQkEMSIEIDQgVhzFBybffXl0wwvIs5g6YoRAzJwg0mqwIl4H19I5MIGDBgsqhkiG9w0BCRACLzF0MHIwcDBuBCDdwF4sRLuGJUcZH98Ld27BpXKdSiMA6dczZvb9/4BUbDBKMDKkMDAuMRAwDgYDVQQKEwdSZWQgSGF0MRowGAYDVQQDExF0c2EuaG9zdG5hbWUtcm9vdAIUCiZSWVPOMAbXCEn3Mea31yj62U4wCgYIKoZIzj0EAwIEZzBlAjBXnQsewFNUSIW0WpM7DmoihhjXE7eGTpy31Gfg3QHNljxnkZCywch1H6RWyRHyvqoCMQDPlLzpVmZNAfd2RCUIzDdB8dDdDqz8iRUZbyvrmy1s4+rl5JBJsXLCwFDMfcWXnEM="},"Subject":"jdoe@redhat.com"}}] 1317: t=l=error app=cosign m=The following checks were performed on each of these signatures: 1318: t=l=error app=cosign m= - The cosign claims were validated 1319: t=l=error app=cosign m= - Existence of the claims in the transparency log was verified offline 1320: t=l=error app=cosign m= - The code-signing certificate was verified using trusted certificate authority certificates 1321: �[38;5;10m•�[0m 1322: �[38;5;10m�[1mRan 13 of 13 Specs in 72.667 seconds�[0m 1323: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m13 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1324: --- PASS: TestCosignTest (72.67s) ... 1392: t=l=info app=rekor-cli m= | |_) | | _| | ' / | | | | | |_) | _____ | | | | | | 1393: t=l=info app=rekor-cli m= | _ < | |___ | . \ | |_| | | _ < |_____| | |___ | |___ | | 1394: t=l=info app=rekor-cli m= |_| \_\ |_____| |_|\_\ \___/ |_| \_\ \____| |_____| |___| 1395: t=l=info app=rekor-cli m=rekor-cli: Rekor CLI 1396: t=l=info app=rekor-cli 1397: t=l=info app=rekor-cli m=GitVersion: v0.0.0-20251021131950-daf32a2da885+dirty 1398: t=l=info app=rekor-cli m=GitCommit: daf32a2da885d84226af755191bc2b72b72dc917 1399: t=l=info app=rekor-cli m=GitTreeState: clean 1400: t=l=info app=rekor-cli m=BuildDate: t=l=info app=rekor-cli m=GoVersion: go1.24.6 (Red Hat 1.24.6-1.el9_6) X:strictfipsruntime 1401: t=l=info app=rekor-cli m=Compiler: gc 1402: t=l=info app=rekor-cli m=Platform: linux/amd64 1403: t=l=info app=rekor-cli 1404: �[38;5;10m•�[0m�[38;5;10m•�[0m�[38;5;10m•�[0mt=l=info app=git m=[master (root-commit) 382c2ae] CI commit 2025-11-10 15:23:47.546132934 +0000 UTC m=+2.756767057 1405: t=l=info app=git m= 1 file changed, 1 insertion(+) 1406: t=l=info app=git m= create mode 100644 testFile.txt 1407: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 1408: t=l=info app=cosign m=Root status: 1409: t=l=info app=cosign m= { 1410: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 1411: t=l=info app=cosign m= "remote": "http://tuf.local", 1412: t=l=info app=cosign m= "metadata": { 1413: t=l=info app=cosign m= "root.json": { 1414: t=l=info app=cosign m= "version": 1, 1415: t=l=info app=cosign m= "len": 4128, 1416: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1417: t=l=info app=cosign m= "error": "" 1418: t=l=info app=cosign m= }, 1419: t=l=info app=cosign m= "snapshot.json": { 1420: t=l=info app=cosign m= "version": 1, 1421: t=l=info app=cosign m= "len": 994, 1422: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1423: t=l=info app=cosign m= "error": "" 1424: t=l=info app=cosign m= }, 1425: t=l=info app=cosign m= "targets.json": { 1426: t=l=info app=cosign m= "version": 1, 1427: t=l=info app=cosign m= "len": 2416, 1428: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1429: t=l=info app=cosign m= "error": "" 1430: t=l=info app=cosign m= }, 1431: t=l=info app=cosign m= "timestamp.json": { 1432: t=l=info app=cosign m= "version": 1, 1433: t=l=info app=cosign m= "len": 995, 1434: t=l=info app=cosign m= "expiration": "09 Nov 26 15:22 UTC", 1435: t=l=info app=cosign m= "error": "" 1436: t=l=info app=cosign m= } ... 1476: t=l=info app=rekor-cli m=rekor-server-847c55c597-bslph - 4280618434264250457 1477: t=l=info app=rekor-cli m=2 1478: t=l=info app=rekor-cli m=shfg0t+izOsm4uEWFYob/j/AQ4WQyw6HI02ziFYdeoE= 1479: t=l=info app=rekor-cli 1480: t=l=info app=rekor-cli m=— rekor-server-847c55c597-bslph aEn6nDBFAiEAlw0zhuJNPBn72Wl2cMF7D7u2Idb0DHCwiuireYWLpLECIDqfv9oc7XwjlDk/paBaSRPpCodJpfp4pdomZFV8LySq 1481: t=l=info app=rekor-cli 1482: t=l=info app=rekor-cli 1483: t=l=info app=rekor-cli m=Inclusion Proof: 1484: t=l=info app=rekor-cli m=SHA256(0x01 | a8482d62524b40e132c158de92763a47e0db175d016a1046f566eaced2cded33 | 96618283f4745e8498cce40de9ef5491be28723183d7ada8ecf6c99e26ebd30b) = 1485: t=l=info app=rekor-cli m= b217e0d2dfa2cceb26e2e116158a1bfe3fc0438590cb0e87234db388561d7a81 1486: t=l=info app=rekor-cli 1487: t=l=info app=rekor-cli m=Computed Root Hash: b217e0d2dfa2cceb26e2e116158a1bfe3fc0438590cb0e87234db388561d7a81 1488: t=l=info app=rekor-cli m=Expected Root Hash: b217e0d2dfa2cceb26e2e116158a1bfe3fc0438590cb0e87234db388561d7a81 1489: �[38;5;10m•�[0m 1490: �[38;5;10m�[1mRan 9 of 9 Specs in 3.434 seconds�[0m 1491: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m9 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1492: --- PASS: TestGitsignE2E (3.43s) ... 1621: Total Tree Size: 1 1622: Root Hash: a8482d62524b40e132c158de92763a47e0db175d016a1046f566eaced2cded33 1623: TreeID: 4280618434264250457 1624: [78 111 32 112 114 101 118 105 111 117 115 32 108 111 103 32 115 116 97 116 101 32 115 116 111 114 101 100 44 32 117 110 97 98 108 101 32 116 111 32 112 114 111 118 101 32 99 111 110 115 105 115 116 101 110 99 121 10 86 101 114 105 102 105 99 97 116 105 111 110 32 83 117 99 99 101 115 115 102 117 108 33 10 65 99 116 105 118 101 32 84 114 101 101 32 83 105 122 101 58 32 32 32 32 32 32 32 49 10 84 111 116 97 108 32 84 114 101 101 32 83 105 122 101 58 32 32 32 32 32 32 32 32 49 10 82 111 111 116 32 72 97 115 104 58 32 32 32 32 32 32 32 32 32 32 32 32 32 32 97 56 52 56 50 100 54 50 53 50 52 98 52 48 101 49 51 50 99 49 53 56 100 101 57 50 55 54 51 97 52 55 101 48 100 98 49 55 53 100 48 49 54 97 49 48 52 54 102 53 54 54 101 97 99 101 100 50 99 100 101 100 51 51 10 84 114 101 101 73 68 58 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 52 50 56 48 54 49 56 52 51 52 50 54 52 50 53 48 52 53 55 10] 1625: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1626: 3b67cfc9494f3859a8482d62524b40e132c158de92763a47e0db175d016a1046f566eaced2cded33 1627: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 51 98 54 55 99 102 99 57 52 57 52 102 51 56 53 57 97 56 52 56 50 100 54 50 53 50 52 98 52 48 101 49 51 50 99 49 53 56 100 101 57 50 55 54 51 97 52 55 101 48 100 98 49 55 53 100 48 49 54 97 49 48 52 54 102 53 54 54 101 97 99 101 100 50 99 100 101 100 51 51 10] 1628: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1629: 3b67cfc9494f3859a8482d62524b40e132c158de92763a47e0db175d016a1046f566eaced2cded33 1630: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 51 98 54 55 99 102 99 57 52 57 52 102 51 56 53 57 97 56 52 56 50 100 54 50 53 50 52 98 52 48 101 49 51 50 99 49 53 56 100 101 57 50 55 54 51 97 52 55 101 48 100 98 49 55 53 100 48 49 54 97 49 48 52 54 102 53 54 54 101 97 99 101 100 50 99 100 101 100 51 51 10] 1631: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1632: 3b67cfc9494f3859a8482d62524b40e132c158de92763a47e0db175d016a1046f566eaced2cded33 1633: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 51 98 54 55 99 102 99 57 52 57 52 102 51 56 53 57 97 56 52 56 50 100 54 50 53 50 52 98 52 48 101 49 51 50 99 49 53 56 100 101 57 50 55 54 51 97 52 55 101 48 100 98 49 55 53 100 48 49 54 97 49 48 52 54 102 53 54 54 101 97 99 101 100 50 99 100 101 100 51 51 10] 1634: �[38;5;10m•�[0m 1635: �[38;5;10m�[1mRan 9 of 9 Specs in 1.250 seconds�[0m 1636: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m9 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1637: --- PASS: TestRekorCliE2E (1.25s) ... 1648: t=l=info m=SIGSTORE_FULCIO_URL=http://fulcio-server.local 1649: t=l=info m=SIGSTORE_REKOR_URL=http://rekor-server.local 1650: t=l=info m=TUF_URL=http://tuf.local 1651: t=l=info m=TSA_URL=http://tsa-server.local/api/v1/timestamp 1652: t=l=info m=KEYCLOAK_REALM=trusted-artifact-signer 1653: t=l=info m=Getting binary 'updatetree' from CLI serverServer URLhttp://cli-server.local 1654: t=l=info m=Downloading updatetree from http://cli-server.local/clients/linux/updatetree-amd64.gz 1655: t=l=info m=Getting binary 'createtree' from CLI serverServer URLhttp://cli-server.local 1656: t=l=info m=Downloading createtree from http://cli-server.local/clients/linux/createtree-amd64.gz 1657: t=l=info app=createtree m=Usage of /tmp/createtree2724046454/createtree: 1658: -add_dir_header 1659: If true, adds the file directory to the header of the log messages 1660: -admin_server string 1661: Address of the gRPC Trillian Admin Server (host:port) 1662: -alsologtostderr 1663: log to standard error as well as files (no effect when -logtostderr=true) 1664: -config string 1665: Config file containing flags, file contents can be overridden by command line flags 1666: -description string 1667: Description of the new tree 1668: -display_name string 1669: Display name of the new tree 1670: -log_backtrace_at value 1671: when logging hits line file:N, emit a stack trace 1672: -log_dir string 1673: If non-empty, write log files in this directory (no effect when -logtostderr=true) 1674: -log_file string 1675: If non-empty, use this log file (no effect when -logtostderr=true) 1676: -log_file_max_size uint 1677: Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) 1678: -logtostderr 1679: log to standard error instead of files (default true) 1680: -max_root_duration duration ... 1693: Path to the file containing the Trillian server's PEM-encoded public TLS certificate. If unset, unsecured connections will be used 1694: -tree_state string 1695: State of the new tree (default "ACTIVE") 1696: -tree_type string 1697: Type of the new tree (default "LOG") 1698: -v value 1699: number for the log level verbosity 1700: -vmodule value 1701: comma-separated list of pattern=N settings for file-filtered logging 1702: �[38;5;10m•�[0mt=l=info app=updatetree m=Usage of /tmp/updatetree3985583907/updatetree: 1703: -add_dir_header 1704: If true, adds the file directory to the header of the log messages 1705: -admin_server string 1706: Address of the gRPC Trillian Admin Server (host:port) 1707: -alsologtostderr 1708: log to standard error as well as files (no effect when -logtostderr=true) 1709: -log_backtrace_at value 1710: when logging hits line file:N, emit a stack trace 1711: -log_dir string 1712: If non-empty, write log files in this directory (no effect when -logtostderr=true) 1713: -log_file string 1714: If non-empty, use this log file (no effect when -logtostderr=true) 1715: -log_file_max_size uint 1716: Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) 1717: -logtostderr 1718: log to standard error instead of files (default true) 1719: -one_output ... 1730: logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) 1731: -tls_cert_file string 1732: Path to the file containing the Trillian server's PEM-encoded public TLS certificate. If unset, unsecured connections will be used 1733: -tree_id int 1734: The ID of the tree to be set updated 1735: -tree_state string 1736: If set the tree state will be updated 1737: -tree_type string 1738: If set the tree type will be updated 1739: -v value 1740: number for the log level verbosity 1741: -vmodule value 1742: comma-separated list of pattern=N settings for file-filtered logging 1743: �[38;5;10m•�[0m 1744: �[38;5;10m�[1mRan 2 of 2 Specs in 0.472 seconds�[0m 1745: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m2 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1746: --- PASS: TestTrillianTest (0.47s) ... 1750: Running Suite: Create tuf repo manually - /home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool 1751: ====================================================================================================================== 1752: Random Seed: �[1m1762788227�[0m 1753: Will run �[1m2�[0m of �[1m2�[0m specs 1754: t=l=info m=Getting binary 'tuftool' from CLI serverServer URLhttp://cli-server.local 1755: t=l=info m=Downloading tuftool from http://cli-server.local/clients/linux/tuftool-amd64.gz 1756: t=l=info m=Done. Using '/tmp/tuftool2514637978/tuftool' with version: 1757: t=l=info app=tuftool m=tuftool 0.12.0 1758: t=l=info m=Created temporary directory: /tmp/trustroot_example2758841486 1759: t=l=info app=tuftool m=bc0989f033b47483bff37f5891833e1831c1e7680dac73a58603f358e14567cc 1760: t=l=info app=tuftool m=2a7812e63945e6c26e17c60b5473cee285114bde7db937b26eba17ede484aa21 1761: t=l=info app=tuftool m=b624223fc6ceedc6de1d949d6e8a75f8997e432e7e9f32cc006a875449ab5a96 1762: t=l=info app=tuftool m=b2b50c3dc4195eea82a6ad9e3c731089f2a6d295b73d81e38eae40094e86e6ce 1763: �[38;5;10m•�[0m 1764: �[38;5;243m------------------------------�[0m 1765: �[38;5;9m• [FAILED] [0.001 seconds]�[0m 1766: �[0mTUF manual repo test �[38;5;9m�[1m[It] should verify workdir structure�[0m 1767: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:68�[0m 1768: �[38;5;9m[FAILED] Expected at least one file with suffix .signing_config.v0.2.json, found 0 1769: Expected 1770: <int>: 0 1771: to be >= 1772: <int>: 1�[0m 1773: �[38;5;9mIn �[1m[It]�[0m�[38;5;9m at: �[1m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286�[0m �[38;5;243m@ 11/10/25 15:23:49.118�[0m 1774: �[38;5;243m------------------------------�[0m 1775: �[38;5;9m�[1mSummarizing 1 Failure:�[0m 1776: �[38;5;9m[FAIL]�[0m �[0mTUF manual repo test �[38;5;9m�[1m[It] should verify workdir structure�[0m 1777: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286�[0m 1778: �[38;5;9m�[1mRan 2 of 2 Specs in 1.264 seconds�[0m 1779: �[38;5;9m�[1mFAIL!�[0m -- �[38;5;10m�[1m1 Passed�[0m | �[38;5;9m�[1m1 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1780: --- FAIL: TestManualTUFRepoTest (1.26s) 1781: FAIL 1782: FAIL github.com/securesign/sigstore-e2e/test/tuftool 1.278s 1783: FAIL 1784: ##[error]Process completed with exit code 1. 1785: ##[group]Run kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager ... 1844: I1110 15:19:35.242284 1 controller.go:286] "Starting Controller" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" 1845: I1110 15:19:35.242372 1 controller.go:286] "Starting Controller" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" 1846: I1110 15:19:35.242250 1 controller.go:286] "Starting Controller" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" 1847: I1110 15:19:35.242606 1 controller.go:289] "Starting workers" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" worker count=1 1848: I1110 15:19:35.242375 1 controller.go:289] "Starting workers" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" worker count=1 1849: I1110 15:19:35.242291 1 controller.go:286] "Starting Controller" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" 1850: I1110 15:19:35.242634 1 controller.go:289] "Starting workers" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" worker count=1 1851: I1110 15:19:35.242308 1 controller.go:286] "Starting Controller" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" 1852: I1110 15:19:35.242646 1 controller.go:289] "Starting workers" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" worker count=1 1853: I1110 15:19:35.242310 1 controller.go:286] "Starting Controller" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" 1854: I1110 15:19:35.242671 1 controller.go:289] "Starting workers" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" worker count=1 1855: I1110 15:19:35.242287 1 controller.go:286] "Starting Controller" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" 1856: I1110 15:19:35.242419 1 controller.go:289] "Starting workers" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" worker count=1 1857: I1110 15:19:35.242684 1 controller.go:289] "Starting workers" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" worker count=1 1858: I1110 15:19:48.642912 1 warning_handler.go:64] "metadata.finalizers: \"tas.rhtas.redhat.com\": prefer a domain-qualified finalizer name including a path (/) to avoid accidental conflicts with other finalizer writers" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" Securesign="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="c16ab6f7-a0db-4167-9a25-08c597e7e1cb" 1859: I1110 15:19:49.479152 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="8a78c8c6-6300-4fbb-a59f-e53a3c85dc7c" error="deployment not ready(fulcio-server): not available" 1860: I1110 15:19:49.479196 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="8a78c8c6-6300-4fbb-a59f-e53a3c85dc7c" 1861: I1110 15:19:49.490013 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="226b0336-f0bb-41e3-8591-139c3e468469" error="deployment not ready(fulcio-server): not available" 1862: I1110 15:19:49.490041 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="226b0336-f0bb-41e3-8591-139c3e468469" 1863: I1110 15:19:49.656122 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="a3600fcc-7008-433c-8d04-b8489e55fd8c" error="deployment not ready(tsa-server): not available" 1864: I1110 15:19:49.656208 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="a3600fcc-7008-433c-8d04-b8489e55fd8c" 1865: I1110 15:19:49.729178 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1cbc383e-88e3-4c03-a9e9-31599bffc525" error="deployment not ready(tsa-server): not available" 1866: I1110 15:19:49.729259 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1cbc383e-88e3-4c03-a9e9-31599bffc525" 1867: I1110 15:19:50.231293 1 initialize.go:40] "deployment is not ready" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="6c998b2a-64a3-4450-b520-e3b8cb4b71e2" error="deployment not ready(trillian-db): not available" 1868: I1110 15:19:50.231321 1 initialize.go:45] "Waiting for deployment" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="6c998b2a-64a3-4450-b520-e3b8cb4b71e2" 1869: I1110 15:19:50.251211 1 initialize.go:40] "deployment is not ready" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="b4d6206b-3b57-4dff-a8a1-de3ee1b7e725" error="deployment not ready(trillian-db): not available" 1870: I1110 15:19:50.251234 1 initialize.go:45] "Waiting for deployment" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="b4d6206b-3b57-4dff-a8a1-de3ee1b7e725" 1871: I1110 15:20:26.654406 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1093d815-3d3e-4e3c-bfb8-0251ae43b60a" error="deployment not ready(trillian-logserver): not available" 1872: I1110 15:20:26.654437 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1093d815-3d3e-4e3c-bfb8-0251ae43b60a" 1873: I1110 15:20:26.660633 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="8edf7984-1dee-405a-8b9a-c2cd019844f7" error="deployment not ready(trillian-logserver): not available" 1874: I1110 15:20:26.660652 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="8edf7984-1dee-405a-8b9a-c2cd019844f7" 1875: I1110 15:20:45.668760 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="b5407781-7ed1-48e2-96f9-c52adfdc6e0d" error="deployment not ready(trillian-logsigner): not available" 1876: I1110 15:20:45.668789 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="b5407781-7ed1-48e2-96f9-c52adfdc6e0d" 1877: I1110 15:20:45.676302 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4eb858c3-dfd5-48d4-bef5-df864f54f9c1" error="deployment not ready(trillian-logsigner): not available" 1878: I1110 15:20:45.676323 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4eb858c3-dfd5-48d4-bef5-df864f54f9c1" 1879: I1110 15:21:24.638203 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="e5a9e5b5-3e51-483d-85a2-e39258baf697" error="deployment not ready(ctlog): not available" 1880: I1110 15:21:24.640698 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="e5a9e5b5-3e51-483d-85a2-e39258baf697" 1881: I1110 15:21:24.657778 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4d5d5a7f-62c3-4ba2-be78-dca8cfc9859b" error="deployment not ready(ctlog): not available" 1882: I1110 15:21:24.657892 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4d5d5a7f-62c3-4ba2-be78-dca8cfc9859b" 1883: I1110 15:21:25.501129 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="e1b24268-735f-4ffd-bc2d-cca975488aa6" error="deployment not ready(rekor-server): not available" 1884: I1110 15:21:25.501159 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="e1b24268-735f-4ffd-bc2d-cca975488aa6" 1885: I1110 15:21:25.514665 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="78dfcf46-931b-4fef-8403-d9b476564e89" error="deployment not ready(rekor-server): not available" 1886: I1110 15:21:25.514693 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="78dfcf46-931b-4fef-8403-d9b476564e89" 1887: I1110 15:21:40.850340 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="cc1c9a52-94e1-498c-b3bc-4ca127213af5" error="deployment not ready(rekor-server): not available" 1888: I1110 15:21:40.850371 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="cc1c9a52-94e1-498c-b3bc-4ca127213af5" 1889: I1110 15:21:48.776442 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="71f809a2-9be3-4e2b-b12d-9f9d01d19e26" error="deployment not ready(rekor-server): not available" 1890: I1110 15:21:48.776703 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="71f809a2-9be3-4e2b-b12d-9f9d01d19e26" 1891: I1110 15:22:19.865967 1 resolve_pub_key.go:152] "retrying to get rekor public key" logger="resolve public key" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="9814daae-0b1f-43e7-bfea-9226e6db1761" 1892: E1110 15:22:19.873821 1 base_action.go:92] "error during action execution" err="ResolvePubKey: unable to resolve public key: Get \"http://rekor-server.test.svc/api/v1/log/publicKey\": dial tcp 10.96.199.179:80: i/o timeout" logger="resolve public key" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="9814daae-0b1f-43e7-bfea-9226e6db1761" 1893: E1110 15:22:19.873880 1 controller.go:474] "Reconciler error" err="ResolvePubKey: unable to resolve public key: Get \"http://rekor-server.test.svc/api/v1/log/publicKey\": dial tcp 10.96.199.179:80: i/o timeout" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="9814daae-0b1f-43e7-bfea-9226e6db1761" 1894: I1110 15:22:29.301710 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="415ca6f5-609d-435b-9e68-26d2acad8f88" Succeeded=0 Failures=0 1895: I1110 15:22:34.307363 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="803285b6-aff9-43d0-b645-a3e58a1ec208" Succeeded=0 Failures=0 1896: I1110 15:22:39.312740 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="ad5038f1-ab1a-49d1-94ef-753ba9018e01" Succeeded=1 Failures=0 1897: I1110 15:22:39.423056 1 initialize.go:43] "deployment is not ready" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="71c79ba8-a251-4175-9c2b-fe894e4632c2" error="deployment not ready(tuf): not available" 1898: I1110 15:22:39.423084 1 initialize.go:48] "Waiting for deployment" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="71c79ba8-a251-4175-9c2b-fe894e4632c2" 1899: I1110 15:22:39.429052 1 initialize.go:43] "deployment is not ready" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="311cf254-16d1-40da-a12d-c57a16748b63" error="deployment not ready(tuf): not available" 1900: I1110 15:22:39.429082 1 initialize.go:48] "Waiting for deployment" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="311cf254-16d1-40da-a12d-c57a16748b63"

[osmman]

Segment Backup Job has been removed from operator by #1457