securesign · osmman · Jun 2, 2025 · Jun 4, 2025
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -231,6 +231,10 @@ jobs:
           podman save ${{ env.IMG }} -o operator-oci.tar
           kind load image-archive operator-oci.tar
 
+      - name: Add service hosts to /etc/hosts
+        run: |
+          sudo echo "127.0.0.1 keycloak-internal.keycloak-system.svc" | sudo tee -a /etc/hosts
+
       - name: Replace images
         run: make dev-images && cat config/default/images.env
 
@@ -243,9 +247,6 @@ jobs:
         run: |
           kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
 
-      - name: Add service hosts to /etc/hosts
-        run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
       - name: Install cosign
         run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
 
@@ -487,10 +488,6 @@ jobs:
           podman save ${{ env.IMG }} -o operator-oci.tar
           kind load image-archive operator-oci.tar
 
-      - name: Add service hosts to /etc/hosts
-        run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
-
       - name: Replace images
         run: make dev-images generate && cat config/default/images.env
 
@@ -574,7 +571,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local tsa-server.local cli-server.local ${{ steps.kind.outputs.oidc_host }}" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 ${{ steps.kind.outputs.oidc_host }}" | sudo tee -a /etc/hosts
 
       - name: Replace images
         run: make dev-images generate && cat config/default/images.env
@@ -607,7 +604,7 @@ jobs:
           export TSA_URL=$(kubectl get timestampauthorities -o jsonpath='{.items[0].status.url}' -n ${{ env.TEST_NAMESPACE }})/api/v1/timestamp
 
           export  CLI_STRATEGY=cli_server
-          export CLI_SERVER_URL="http://cli-server.local"
+          export CLI_SERVER_URL="http://cli-server.trusted-artifact-signer.traefik.me"
 
           cd e2e
           source ./tas-env-variables.sh

diff --git a/Makefile b/Makefile
@@ -136,7 +136,7 @@ test: manifests generate fmt vet envtest ## Run tests.
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
 .PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
 test-e2e: generate
-	go test -p 1 ./test/e2e/... -tags=integration -timeout 20m
+	go test ./test/e2e/... -tags=integration -timeout 20m
 
 # Switch images from `registry.redhat.io` images to the dev images
 .PHONY: dev-images

diff --git a/cmd/main.go b/cmd/main.go
@@ -101,7 +101,9 @@ func main() {
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.Int64Var(&appconfig.CreateTreeDeadline, "create-tree-deadline", appconfig.CreateTreeDeadline, "The time allowance (in seconds) for the create tree job to run before failing.")
+	flag.StringVar(&appconfig.IngressHostTemplate, "ingress-host-template", appconfig.IngressHostTemplate, "Sprintf-style format string for generating Ingress hostnames when not specified. Where %[1]s is the service name and %[2]s is the namespace.")
 	utils.BoolFlagOrEnv(&appconfig.Openshift, "openshift", "OPENSHIFT", false, "Enable to ensures the operator applies OpenShift specific configurations.")
+
 	utils.RelatedImageFlag("trillian-log-signer-image", images.TrillianLogSigner, "The image used for trillian log signer.")
 	utils.RelatedImageFlag("trillian-log-server-image", images.TrillianServer, "The image used for trillian log server.")
 	utils.RelatedImageFlag("trillian-db-image", images.TrillianDb, "The image used for trillian's database.")

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.24.4
 toolchain go1.24.6
 
 require (
+	github.com/alexflint/go-filemutex v1.3.0
 	github.com/blang/semver/v4 v4.0.0
 	github.com/go-logr/logr v1.4.3
 	github.com/google/certificate-transparency-go v1.3.2

diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/alexflint/go-filemutex v1.3.0 h1:LgE+nTUWnQCyRKbpoceKZsPQbs84LivvgwUymZXdOcM=
+github.com/alexflint/go-filemutex v1.3.0/go.mod h1:U0+VA/i30mGBlLCrFPGtTe9y6wGQfNAWPBTekHQ+c8A=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -156,6 +158,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
@@ -199,6 +202,7 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
@@ -230,6 +234,7 @@ gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSP
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -3,4 +3,6 @@ package config
 var (
 	CreateTreeDeadline int64 = 1200
 	Openshift          bool
+
+	IngressHostTemplate = "%[1]s.%[2]s.traefik.me"
 )
diff --git a/internal/utils/kubernetes/common.go b/internal/utils/kubernetes/common.go
@@ -86,7 +86,7 @@ func CalculateHostname(ctx context.Context, client client.Client, svcName, ns st
 		}
 		return fmt.Sprintf("%s-%s.%s", svcName, ns, ingress.Spec.Domain), nil
 	}
-	return svcName + ".local", nil
+	return fmt.Sprintf(config.IngressHostTemplate, svcName, ns), nil
 }
 
 func FindByLabelSelector(ctx context.Context, c client.Client, list client.ObjectList, namespace, labelSelector string) error {

diff --git a/test/e2e/benchmark/install_test.go → test/benchmark/install_test.go b/test/e2e/benchmark/install_test.go → test/benchmark/install_test.go
diff --git a/test/e2e/byodb_test.go → test/e2e/byo/database_test.go b/test/e2e/byodb_test.go → test/e2e/byo/database_test.go
@@ -1,6 +1,6 @@
 //go:build integration
 
-package e2e
+package byo
 
 import (
 	"context"

diff --git a/test/e2e/provided_certs_test.go → test/e2e/byo/provided_certs_test.go b/test/e2e/provided_certs_test.go → test/e2e/byo/provided_certs_test.go
@@ -1,6 +1,6 @@
 //go:build integration
 
-package e2e
+package byo
 
 import (
 	"github.com/securesign/operator/test/e2e/support/steps"

diff --git a/test/e2e/byo/suite_test.go b/test/e2e/byo/suite_test.go
@@ -0,0 +1,24 @@
+//go:build integration
+
+package byo
+
+import (
+	"testing"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/format"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+func TestE2e(t *testing.T) {
+	RegisterFailHandler(Fail)
+	log.SetLogger(GinkgoLogr)
+	SetDefaultEventuallyTimeout(time.Duration(3) * time.Minute)
+	EnforceDefaultTimeoutsWhenUsingContexts()
+	RunSpecs(t, "Bring your own")
+
+	// print whole stack in case of failure
+	format.MaxLength = 0
+}
diff --git a/test/e2e/common_install_test.go → test/e2e/deployment/common_test.go b/test/e2e/common_install_test.go → test/e2e/deployment/common_test.go
@@ -1,6 +1,6 @@
 //go:build integration
 
-package e2e
+package deployment
 
 import (
 	"net/http"
@@ -31,7 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
-var _ = Describe("Securesign install with certificate generation", Ordered, func() {
+var _ = Describe("Install with generated certs and keys", Ordered, func() {
 	cli, _ := support.CreateClient()
 
 	var targetImageName string

diff --git a/test/e2e/key_autodiscovery_test.go → .../e2e/deployment/key_autodiscovery_test.go b/test/e2e/key_autodiscovery_test.go → .../e2e/deployment/key_autodiscovery_test.go
@@ -1,6 +1,6 @@
 //go:build integration
 
-package e2e
+package deployment
 
 import (
 	"github.com/securesign/operator/internal/utils/kubernetes"
@@ -21,7 +21,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 )
 
-var _ = Describe("Securesign key autodiscovery test", Ordered, func() {
+var _ = Describe("Install with auto-discovered keys", Ordered, func() {
 	cli, _ := support.CreateClient()
 
 	var targetImageName string

diff --git a/test/e2e/namespaced.go → test/e2e/deployment/namespaced.go b/test/e2e/namespaced.go → test/e2e/deployment/namespaced.go
@@ -1,18 +1,17 @@
 //go:build integration
 
-package e2e
+package deployment
 
 import (
 	"fmt"
-	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/test/e2e/support"
 	testSupportKubernetes "github.com/securesign/operator/test/e2e/support/kubernetes"
 	"github.com/securesign/operator/test/e2e/support/steps"
-	clients "github.com/securesign/operator/test/e2e/support/tas/cli"
+	"github.com/securesign/operator/test/e2e/support/tas"
 	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
 	"github.com/securesign/operator/test/e2e/support/tas/fulcio"
 	"github.com/securesign/operator/test/e2e/support/tas/rekor"
@@ -346,38 +345,7 @@ var _ = Describe("Install components to separate namespaces", Ordered, func() {
 			ts := tsa.Get(ctx, cli, namespaces["tsa"].Name, tsaObject.Name)
 			Expect(ts).ToNot(BeNil())
 
-			Eventually(func() error {
-				return tsa.GetCertificateChain(ctx, cli, "", "", ts.Status.Url)
-			}).Should(Succeed())
-
-			oidcToken, err := support.OidcToken(ctx)
-			Expect(err).ToNot(HaveOccurred())
-			Expect(oidcToken).ToNot(BeEmpty())
-
-			// sleep for a while to be sure everything has settled down
-			time.Sleep(time.Duration(10) * time.Second)
-
-			Expect(clients.Execute("cosign", "initialize", "--mirror="+t.Status.Url, "--root="+t.Status.Url+"/root.json")).To(Succeed())
-
-			Expect(clients.Execute(
-				"cosign", "sign", "-y",
-				"--fulcio-url="+f.Status.Url,
-				"--rekor-url="+r.Status.Url,
-				"--timestamp-server-url="+ts.Status.Url+"/api/v1/timestamp",
-				"--oidc-issuer="+support.OidcIssuerUrl(),
-				"--oidc-client-id="+support.OidcClientID(),
-				"--identity-token="+oidcToken,
-				targetImageName,
-			)).To(Succeed())
-
-			Expect(clients.Execute(
-				"cosign", "verify",
-				"--rekor-url="+r.Status.Url,
-				"--timestamp-certificate-chain=ts_chain.pem",
-				"--certificate-identity-regexp", ".*@redhat",
-				"--certificate-oidc-issuer-regexp", ".*keycloak.*",
-				targetImageName,
-			)).To(Succeed())
+			tas.VerifyByCosignCustom(ctx, cli, f, r, t, ts, targetImageName)
 		})
 	})
 })
diff --git a/test/e2e/deployment/suite_test.go b/test/e2e/deployment/suite_test.go
@@ -0,0 +1,24 @@
+//go:build integration
+
+package deployment
+
+import (
+	"testing"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/format"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+func TestE2e(t *testing.T) {
+	RegisterFailHandler(Fail)
+	log.SetLogger(GinkgoLogr)
+	SetDefaultEventuallyTimeout(time.Duration(3) * time.Minute)
+	EnforceDefaultTimeoutsWhenUsingContexts()
+	RunSpecs(t, "Deployment Suite")
+
+	// print whole stack in case of failure
+	format.MaxLength = 0
+}
diff --git a/test/e2e/tas_e2e_suite_test.go → test/e2e/suite_test.go b/test/e2e/tas_e2e_suite_test.go → test/e2e/suite_test.go
@@ -15,7 +15,7 @@ func TestE2e(t *testing.T) {
 	log.SetLogger(GinkgoLogr)
 	SetDefaultEventuallyTimeout(time.Duration(3) * time.Minute)
 	EnforceDefaultTimeoutsWhenUsingContexts()
-	RunSpecs(t, "Trusted Artifact Signer E2E Suite")
+	RunSpecs(t, "E2E Suite")
 
 	// print whole stack in case of failure
 	format.MaxLength = 0