Chapter 3. Bug fixes
In this release of Red Hat Trusted Artifact Signer (RHTAS), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.
An update to operator logic when detecting the OpenShift environment
During OpenShift cluster reboots, the RHTAS operator logic to detect the OpenShift environment was unreliable. The operator would mistakenly believe it was running in a non-OpenShift environment, and configured the system improperly. This caused the APIs to be unavailable and the Trillian database pods to fail to start. It also caused violations of the OpenShift Security Context Constraints (SCC).
With this release, we removed the dynamic detection of the OpenShift environment in the RHTAS operator. The target environment must be explicitly configured during the installation of the RHTAS operator by using the new OPENSHIFT environment variable. Doing this ensures that the RHTAS operator consistently applies the correct configuration for the deployment. Deploying the RHTAS operator by using the Operator Lifecycle Manager (OLM) has the OPENSHIFT environment variable set to true by default. As a result, the RHTAS operator consistently configures the system properly, preventing service startup issues on reboot, and no longer violates the OpenShift SCC.
Enterprise Contract is faster and more efficient
Before this update, Enterprise Contract (EC) would download the policy and policy data from a configured source for validating each component. This caused the ec validate image command to run longer by downloading more data than it needed. For this release, when the ec validate image command detects the same policy source to validate different container images, it no longer downloads the policy data more than once.
The operator terminates on a nil pointer exception
When the Certificate Transparency logs' (CTlog) password for fulcio.spec.privateKeyPasswordRef is set incorrectly, the RHTAS operator terminates with no meaningful error messages. With this release, we added more robust error handling for this scenario, and more meaningful operator error messages when the CTlog is not set correctly.
Wrong common name for Fulcio certificates
The sigstore.issuer field was hard-coded to use the common name value specified in spec.certificate.commonName for Fulcio certificates. With this release, we added logic to set the sigstore.issuer field properly. If spec.certificate.commonName is empty, then we set sigstore.issuer based on the spec.externalAccess.host value. If spec.certificate.commonName and spec.externalAccess.host are both empty, then we set sigstore.issuer to the OpenShift cluster's domain name. As a result, we have a properly set common name for Fulcio certificates.
Removed kube-rbac-proxy from the operator
With the deprecation of the --tls-cert-file and --tls-private-key-file flags for kube-rbac-proxy, we removed the role-based access controls (RBAC) HTTP proxy resource when installing the RHTAS operator. Because of this, you need to have a predefined certificate and private key in the namespace of the operator. The default operator namespace is openshift-operators. As a result of this, we no longer use this RBAC HTTP proxy resource to protect the /metrics API endpoint for the operator controller.
Enabled the Rekor search UI by default
With this release, the user is no longer required to manually install the Rekor search user interface (UI). We enable the Rekor search UI by default.
The CreateTree task continues running after a failed installation
When deleting and then reinstalling the RHTAS service, the CreateTree task could continuously run in some scenarios, therefore preventing later installations from succeeding. With this release, if the RHTAS installation process detects the CreateTree task running, then it cleans up the task without any user intervention. See GitHub issue #230 for more details.
Replaced the upstream version of kube-rbac-proxy with the supported version
Red Hat Trusted Artifact Signer 1.0 shipped with the upstream version of the role-based access controls (RBAC) proxy container, gcr.io/kubebuilder/kube-rbac-proxy. With this release, we replaced the upstream version with the official, supported Red Hat version, registry.redhat.io/openshift4/ose-kube-rbac-proxy.
Trusted Artifact Signer operator can crash when not enough memory is available
During the installation of the RHTAS operator, if there was not enough memory allocated, the operator would enter a CrashLoopBackoff status. This crashing prevented the RHTAS operator from installing properly.
With this release, we increased the memory allocation for the RHTAS operator, allowing it to install successfully.
The Enterprise Contract binary download was missing
When a user tried to download the Enterprise Contract (EC) binary, they received a 404 page. Because the path to the EC binary for Windows was set incorrectly, this generated the 404 page. With this release, the path to the EC binary for Windows is set correctly, and no longer gives a 404 page.
The cosign Windows executable was missing the .exe extension
The cosign binary for Windows was missing the .exe file name extension when downloading the binary. Without the .exe file name extension, the cosign binary would not run on Windows. With this release, the cosign binary has the .exe file name extension, and runs as expected on Windows.
Upgrading the Technical Preview version of the Trusted Artifact Signer operator fails
Previously, the Technical Preview version (0.0.2) of the RHTAS operator was automatically upgraded to the generally available version (1.0.0), causing an upgrade failure. Upgrading from the Technical Preview version no longer fails if the Securesign instance and its custom resources (CR) already exist.
Cluster permissions for segment backup jobs
Previously, because of a misconfiguration of the role-based access controls (RBAC), the segment backup service account responsible for gathering Rekor and Fulcio metrics had elevated privileges. When the segment backup jobs were enabled, these elevated privileges could read cluster-wide secrets.
With this release of RHTAS, we fixed the misconfiguration by limiting the privileges for the segment backup service account. We now enable the gathering of these metrics by default.
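To check a cluster for the kind of over-privilege described above, the following added example (not Red Hat's or the RHTAS operator's code) lists service accounts that a ClusterRoleBinding allows to read Secrets in every namespace. All role, binding, service account and namespace names in the sample are hypothetical, and the input is assumed to be the "items" array from oc get clusterroles,clusterrolebindings -o json.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def rule_reads_secrets(rule):
    """True if an RBAC rule grants read access to Secrets without naming specific objects."""
    if rule.get("resourceNames"):  # restricted to named objects, not a blanket grant
        return False
    return (bool({"", "*"} & set(rule.get("apiGroups", [])))
            and bool({"secrets", "*"} & set(rule.get("resources", [])))
            and bool(READ_VERBS & set(rule.get("verbs", []))))

def cluster_wide_secret_readers(items):
    """Return sorted (namespace, service account, cluster role) tuples for service
    accounts that a ClusterRoleBinding allows to read Secrets in every namespace."""
    risky = {o["metadata"]["name"] for o in items
             if o["kind"] == "ClusterRole"
             and any(rule_reads_secrets(r) for r in o.get("rules") or [])}
    findings = set()
    for o in items:
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["name"] not in risky:
            continue
        for s in o.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.add((s.get("namespace", ""), s["name"], o["roleRef"]["name"]))
    return sorted(findings)

def _role(name, resources, verbs):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [""], "resources": resources, "verbs": verbs}]}

def _binding(name, role, sa, ns):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}

# Constructed sample with hypothetical names, shaped like the "items" array of
# `oc get clusterroles,clusterrolebindings -o json`.
SAMPLE_ITEMS = [
    _role("example-backup-broad", ["secrets", "configmaps"], ["get", "list"]),
    _role("example-backup-scoped", ["configmaps"], ["get"]),
    _binding("example-broad-binding", "example-backup-broad", "example-backup-job", "example-ns"),
    _binding("example-scoped-binding", "example-backup-scoped", "example-metrics-job", "example-ns"),
]

if __name__ == "__main__":
    for ns, sa, role in cluster_wide_secret_readers(SAMPLE_ITEMS):
        print(f"system:serviceaccount:{ns}:{sa} can read cluster-wide secrets via {role}")
```

Only ClusterRoleBindings are considered because a RoleBinding limits the same ClusterRole to a single namespace.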