feat: Rekor search-index tls #1159

Status: Open, wants to merge 1 commit into main

Conversation


@bouskaJ bouskaJ commented Jun 19, 2025

Summary by Sourcery

Introduce TLS support and password management for the Rekor search-index; refactor CRDs, controller actions, and tests to unify and secure search-index deployments for Redis and MySQL.

New Features:

  • Add TLS configuration support to the Rekor search-index for both Redis ('rediss') and MySQL providers.
  • Implement automatic Redis password secret generation and injection for search-index deployments.

Bug Fixes:

  • Prevent redundant environment variable updates in ensure.Auth by comparing existing values before copying.

Enhancements:

  • Refactor search-index parameter injection into a shared EnsureSearchIndex utility used by server, backfill CronJob, and deployment actions.
  • Generalize BYODB e2e test setup to use a single createDB function with dynamic namespace and database parameters.
  • Streamline CLI argument construction in server and backfill CronJob deployments to structured flag handling.

Documentation:

  • Update SearchIndex CRD schemas to remove hardcoded defaults for provider/url, add TLS fields with certificate/privateKey references, include 'rediss' enum option, and enforce URL validation when a provider is specified.

Tests:

  • Extend API validation tests to enforce that SearchIndex URL is required when a non-empty provider is specified.
  • Update e2e tests to reflect the unified BYODB database secret and connection URL format with TLS support.

Chores:

  • Add DeepCopy methods for SearchIndexStatus to propagate TLS and DbPasswordRef fields.
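The CRD rule described under Documentation and Tests (URL required whenever a provider is given) and the RedisOptions type from the reviewer's guide, as an added Go illustration that is not the operator's own code. The SearchIndex and RedisOptions types follow the diagrams (TLS secret refs omitted); requiring the URL scheme to equal the provider is an added consistency check the PR does not state.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Types follow the PR's class diagram (TLS secret refs omitted). The functions
// below are an added illustration, not the operator's own code.
type SearchIndex struct{ Provider, Url string }
type RedisOptions struct{ Host, Port, Password string; TlsEnabled bool }

var ErrURLRequired = errors.New("searchIndex.url is required when provider is set")

// Validate mirrors the CRD XValidation the PR adds: a non-empty provider must
// come with a URL; an empty provider passes because the rule only fires when one is specified.
func Validate(si SearchIndex) error {
	if si.Provider != "" && si.Url == "" {
		return ErrURLRequired
	}
	return nil
}

// RedisOptionsFromURL parses a redis:// or rediss:// URL into RedisOptions.
// Requiring the scheme to equal the provider is an added consistency check
// (not stated by the PR) so a plaintext redis:// URL cannot hide under "rediss".
func RedisOptionsFromURL(provider, rawURL string) (RedisOptions, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return RedisOptions{}, err
	}
	if u.Scheme != provider || u.Hostname() == "" {
		return RedisOptions{}, fmt.Errorf("url %q does not match provider %q", rawURL, provider)
	}
	port := u.Port()
	if port == "" {
		port = "6379" // Redis default port
	}
	password, _ := u.User.Password() // nil-safe: "" when the URL has no userinfo
	return RedisOptions{Host: u.Hostname(), Port: port, Password: password, TlsEnabled: u.Scheme == "rediss"}, nil
}

func main() {
	// Constructed sample URL for a stand-alone run.
	opts, err := RedisOptionsFromURL("rediss", "rediss://:s3cr3t@rekor-redis.svc:6380")
	fmt.Println(opts, err)
}
```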


sourcery-ai bot commented Jun 19, 2025

Reviewer's Guide

This PR augments the Rekor search-index feature with TLS encryption, unifies database provisioning and credentials handling, refactors searchIndex logic into a centralized utility, and extends CRD schemas and controller actions to support secure Redis/MySQL connections.

Sequence diagram for Rekor search-index provisioning with TLS and password

sequenceDiagram
    participant Operator
    participant RekorCR
    participant RedisSecret as "Secret: Redis Password"
    participant RedisTLS as "Secret: Redis TLS"
    participant RedisDeployment
    participant RekorServer
    Operator->>RekorCR: Reconcile
    Operator->>RedisSecret: Create password secret
    Operator->>RedisTLS: Create/resolve TLS secret
    Operator->>RedisDeployment: Deploy Redis with password & TLS
    Operator->>RekorServer: Deploy Rekor Server with secure Redis connection
    RekorServer->>RedisDeployment: Connect using password & TLS

Entity relationship diagram for updated Rekor SearchIndex and SearchIndexStatus

erDiagram
    RekorSpec ||--o| SearchIndex : has
    RekorStatus ||--o| SearchIndexStatus : has
    SearchIndex {
        BOOL Create
        STRING Provider
        STRING Url
        TLS TLS
    }
    SearchIndexStatus {
        TLS TLS
        SecretKeySelector DbPasswordRef
    }
    TLS {
        SecretKeySelector CertRef
        SecretKeySelector PrivateKeyRef
    }
    SecretKeySelector {
        STRING Name
        STRING Key
    }

Class diagram for new and updated Rekor types (SearchIndex, SearchIndexStatus, TLS)

classDiagram
    class RekorSpec {
        RekorSigner Signer
        SearchIndex SearchIndex
    }
    class RekorStatus {
        RekorSigner Signer
        SearchIndexStatus SearchIndex
    }
    class SearchIndex {
        +bool* Create
        +string Provider
        +string Url
        +TLS TLS
    }
    class SearchIndexStatus {
        +TLS TLS
        +SecretKeySelector* DbPasswordRef
    }
    class TLS {
        +SecretKeySelector* CertRef
        +SecretKeySelector* PrivateKeyRef
    }
    class SecretKeySelector {
        +string Name
        +string Key
    }
    RekorSpec --> SearchIndex
    RekorStatus --> SearchIndexStatus
    SearchIndex --> TLS
    SearchIndexStatus --> TLS
    SearchIndexStatus --> SecretKeySelector
    TLS --> SecretKeySelector

Class diagram for new RedisOptions and related utility changes

classDiagram
    class RedisOptions {
        +string Host
        +string Port
        +string Password
        +bool TlsEnabled
    }

Class diagram for new controller actions: TlsAction and GeneratePasswordAction

classDiagram
    class TlsAction {
        +Name() string
        +CanHandle(ctx, instance) bool
        +Handle(ctx, instance) *Result
    }
    class GeneratePasswordAction {
        +Name() string
        +CanHandle(ctx, instance) bool
        +Handle(ctx, instance) *Result
        -cleanup(ctx, instance, configLabels)
    }

File-Level Changes

E2E tests and DB setup updated for unified DB auth and TLS-enabled search-index connection
  • Renamed test constant searchDbAuth to dbAuth
  • Added MYSQL_DB and NAMESPACE environment variables
  • Updated searchIndex URL to include database name and tls=true
  • Replaced separate createSearchMysql/createTrillianDB with a single createDB function
  Files: test/e2e/byodb_test.go

CRD schemas extended to define TLS settings for searchIndex providers
  • Added TLS certificateRef/privateKeyRef properties and validations
  • Allowed rediss provider and XValidation to require URL when provider is set
  • Introduced dbPasswordRef and TLS in status sections
  Files: config/crd/bases/rhtas.redhat.com_rekors.yaml, config/crd/bases/rhtas.redhat.com_securesigns.yaml

Refactored server and backfill controllers to use centralized searchIndex utility
  • Removed legacy searchIndexParams methods
  • Integrated EnsureSearchIndex in server deployment and backfill cronjob
  • Standardized command-line argument formatting with strconv
  Files: internal/controller/rekor/actions/server/deployment.go, internal/controller/rekor/actions/backfillRedis/backfill_redis_cronjob.go, internal/controller/rekor/actions/searchIndex/util.go

Enhanced Redis searchIndex controller with password generation and TLS action
  • Added NewGeneratePasswordAction to create and rotate Redis password secrets
  • Added NewTlsAction to resolve or inject TLS certificates
  • Updated deployment to mount TLS certs via init container and config volume
  • Annotated Service for TLS on OpenShift
  Files: internal/controller/rekor/actions/searchIndex/redis/actions/generate_password.go, internal/controller/rekor/actions/searchIndex/redis/actions/tls.go, internal/controller/rekor/actions/searchIndex/redis/actions/deployment.go, internal/controller/rekor/actions/searchIndex/redis/actions/svc.go, internal/controller/rekor/rekor_controller.go

Utility and deepcopy updates to support new searchIndex status fields
  • Enhanced ensure.Auth to skip redundant deep copies
  • Added DeepCopy methods for SearchIndexStatus and embedded TLS/DbPasswordRef
  • Implemented helper functions specTLS, statusTLS, setStatusTLS
  • Introduced RedisTlsSecret constant
  Files: internal/utils/kubernetes/ensure/auth.go, api/v1alpha1/zz_generated.deepcopy.go, api/v1alpha1/rekor_types.go, internal/controller/rekor/actions/searchIndex/redis/actions/helper.go, internal/controller/rekor/actions/constants.go


@sourcery-ai sourcery-ai bot left a comment


Hey @bouskaJ - I've reviewed your changes and they look great!



@bouskaJ bouskaJ force-pushed the jbouska/securesign-2557 branch 8 times, most recently from 68a1a12 to 1528002 on June 20, 2025 12:57
@osmman osmman added the "enhancement" (New feature or request) label on Jun 23, 2025

Caution

There are some errors in your PipelineRun template.

PipelineRun Error
operator-v1-0 no kind "ProjectDevelopmentStream" is registered for version "projctl.konflux.dev/v1beta1" in scheme "k8s.io/client-go/kubernetes/scheme/register.go:83"
operator no kind "Project" is registered for version "projctl.konflux.dev/v1beta1" in scheme "k8s.io/client-go/kubernetes/scheme/register.go:83"
operator-template no kind "ProjectDevelopmentStreamTemplate" is registered for version "projctl.konflux.dev/v1beta1" in scheme "k8s.io/client-go/kubernetes/scheme/register.go:83"


@osmman osmman left a comment


Please modify the commit message based on our standard (https://pages.rhtas.com/technical-guides/commit-messages): it should be "feat: short description of new feature", and the reference to Jira or GitHub should be in the Refs footer. In your case:

Refs: SECURESIGN-2557
@bouskaJ bouskaJ force-pushed the jbouska/securesign-2557 branch from 1528002 to b632867 on June 25, 2025 14:17
@osmman osmman changed the title from "feature(SECURESIGN-2557): Rekor search-index tls" to "feat: Rekor search-index tls" on Jun 25, 2025
@bouskaJ bouskaJ requested a review from osmman on June 26, 2025 06:31