Chapter 3. Bug fixes

An update to operator logic when detecting the OpenShift environment

During OpenShift cluster reboots, the RHTAS operator logic to detect the OpenShift environment was unreliable. The operator would mistakenly believe it was running in a non-OpenShift environment, and configured the system improperly. This was causing the APIs to be unavailable, and the Trillian database pods failing to start. This was also causing violations of the OpenShift Security Context Constraints (SCC).

Enterprise Contract is faster and more efficient

Before this update, Enterprise Contract (EC) would download the policy and policy data from a configured source for validating each component. This caused the ec validate image command to run longer by downloading more data than it needed. For this release, when the ec validate image command detects the same policy source to validate different container images, it no longer downloads the policy data more than once.

The operator terminates on a nil pointer exception

When the Certificate Transparency logs' (CTlog) password for fulcio.spec.privateKeyPasswordRef is set incorrectly, the RHTAS operator terminates with no meaningful error messages. With this release, we added more robust error handling for this scenario, and more meaningful operator error messages when the CTlog is not set correctly.

Wrong common name for Fulcio certificates

The sigstore.issuer field was hard-coded to use the common name value specified in spec.certificate.commonName for Fulcio certificates. With this release, we added logic to set the sigstore.issuer field properly. If spec.certificate.commonName is empty, then we set sigstore.issuer based on the spec.externalAccess.host value. If spec.certificate.commonName and spec.externalAccess.host is empty, then we set sigstore.issuer to the OpenShift cluster’s domain name. As a result, we have a properly set common name for Fulcio certificates.

Removed kube-rbac-proxy from the operator

With the deprecating of the --tls-cert-file and --tls-private-key-file flags for kube-rbac-proxy, we removed the role-based access controls (RBAC) HTTP proxy resource when installing the RHTAS operator. Because of this, you need to have a predefined certificate and private key in the namespace of the operator. The default operator namespace is openshift-operators. As a result of this, we no longer use this RBAC HTTP proxy resource to protect the /metrics API endpoint for the operator controller.

Enabled the Rekor search UI by default

With this release, the user is no longer required to manually install the Rekor search user interface (UI). We enable the Rekor search UI by default.

The CreateTree task continues running after a failed installation

When deleting and then reinstalling the RHTAS service, the CreateTree task could continuously run in some scenarios, therefore preventing later installations from succeeding. With this release, if the RHTAS installation process detects the CreateTree task running, then it cleans up the task without any user intervention. See GitHub issue #230 for more details.

Replaced the upstream version of kube-rbac-proxy with the supported version

Red Hat Trusted Artifact Signer 1.0 shipped with the upstream version of the Role-base access controls (RBAC) proxy container, gcr.io/kubebuilder/kube-rbac-proxy. With this release, we replaced the upstream version with the official, supported Red Hat version, registry.redhat.io/openshift4/ose-kube-rbac-proxy.

Trusted Artifact Signer operator can crash when not enough memory is available

During the installation of the RHTAS operator, if there was not enough memory allocated this would cause a CrashLoopBackoff status. This crashing prevented the RHTAS operator from installing properly.

The Enterprise Contract binary download was missing

When a user tried to download the Enterprise Contract (EC) binary, they received a 404 page. Because the path to the EC binary for Windows was set incorrectly, this generated the 404 page. With this release, the path to the EC binary for Windows is set correctly, and no longer gives a 404 page.

The cosign Windows executable was missing the .exe extension

The cosign binary for Windows was missing the .exe file name extension when downloading the binary. Missing the .exe file name extension would not allow the cosign binary to run on Windows. With this release, the cosign binary has the .exe file name extension, and runs as expected on Windows.

Upgrading the Technical Preview version of the Trusted Artifact Signer operator fails

Previously, the Technical Preview version (0.0.2) of the RHTAS operator was automatically upgraded to the generally available version (1.0.0), causing an upgrade failure. Upgrading from the Technical Preview version no longer fails if the Securesign instance, and its custom resources (CR) already exist.

Cluster permissions for segment backup jobs

Previously, a misconfiguration of the role-based access controls (RBAC) for the segment backup service account responsible for gathering Rekor and Fulcio metrics had elevated privileges. When enabling the segment backup jobs, these elevated privileges could read cluster-wide secrets.