feat: add validating webhook for run-levels

[SequeI]

User description

Summary by Sourcery

Enforce a run-level policy for Securesign CRs by adding a validating webhook, configure its TLS infrastructure across Kubernetes and OpenShift overlays, update the manager deployment to serve the webhook, and expand CI and test suites to install and validate the webhook components.

New Features:

• Add a validating webhook to block Securesign installations in the default namespace or reserved OpenShift run-level namespaces
• Register the SecureSignValidator webhook with the controller manager and annotate the CRD for webhook generation

Enhancements:

• Introduce certificate resources, service, and configuration patches for webhook TLS and automate their application in e2e custom install tests
• Update manager deployment manifest to mount webhook TLS secret and expose the webhook port

Build:

• Remove webhook generation from controller-gen in Makefile

CI:

• Install Cert-Manager in the Kind-cluster GitHub Action before running tests
• Update Tekton pipeline triggers to include retest-all-comment events

Tests:

• Add unit tests for SecureSignValidator using a fake client to verify namespace policy enforcement
• Enhance e2e suite to install and validate webhook infrastructure in custom install mode

---

PR Type

Enhancement

---

Description

• Implement validating webhook to enforce namespace policies for Securesign CRs

  • Block creation in default namespace
  • Block creation in reserved OpenShift run-level namespaces (0, 1, 9)

• Register webhook in manager and add kubebuilder marker to Securesign CRD

• Add webhook service and ValidatingWebhookConfiguration resources with kustomize overlays

• Mount webhook TLS certificate in manager deployment and configure cert-manager integration

• Add comprehensive unit tests for webhook validation logic

---

Diagram Walkthrough

flowchart LR
  A["Securesign CR"] -->|ValidateCreate/Update| B["SecureSignValidator"]
  B -->|Check namespace| C["Namespace Policy"]
  C -->|Block default| D["Reject"]
  C -->|Block reserved run-levels| D
  C -->|Allow other| E["Accept"]
  F["Webhook Service"] -->|HTTPS:9443| B
  G["TLS Certificate"] -->|Mount| F

Loading

File Walkthrough

	Relevant files
Configuration changes	15 files securesign_types.go Add kubebuilder webhook marker to Securesign CRD                  +1/-0      kustomization.yaml Create webhook kustomization overlay configuration              +3/-0      service.yaml Define webhook service for HTTPS communication                      +15/-0    webhook.yaml Define ValidatingWebhookConfiguration for Securesign CRs  +25/-0    manager.yaml Mount webhook TLS certificate in manager deployment            +8/-0      kustomization.yaml Enable webhook overlay in default kustomization                    +1/-3      cert_resources.yaml Add cert-manager Issuer and Certificate resources                +21/-0    kubernetes_webhook_patch.yaml Add cert-manager annotation patch for webhook configuration +6/-0      kustomization.yaml Configure Kubernetes environment with cert-manager resources +9/-0      serving_cert_annotation_patch.yaml Add OpenShift serving certificate annotation for webhook service +9/-0      inject_ca_bundle_annotation_patch.yaml Add OpenShift CA bundle injection annotation for webhook  +6/-0      kustomization.yaml Configure OpenShift environment patches for webhook            +10/-0    action.yml Install cert-manager in KinD cluster for webhook testing  +7/-0      rhtas-operator-bundle-pull-request.yaml Add retest-all-comment event type to pipeline selector      +1/-1      Makefile Remove webhook generation flag from manifests target          +2/-2
Enhancement	4 files main.go Register validating webhook in manager initialization        +12/-0    webhooks.go Define SecureSignValidator with reserved run-levels map    +20/-0    securesign_validator.go Implement namespace policy validation logic for Securesign +64/-0    proxy_test.go Add private network ranges to no-proxy configuration          +2/-0
Tests	2 files webhook_test.go Add comprehensive unit tests for webhook validation            +104/-0  suite_test.go Add webhook infrastructure setup and cert-manager integration to e2e tests +167/-5
Dependencies	1 files go.mod Add testify dependency for webhook unit tests                        +1/-0

---

[sourcery-ai]

Reviewer's Guide

This PR introduces a validating admission webhook for Securesign CRs by implementing a SecureSignValidator in Go, registering it with controller-runtime, generating and patching Kubernetes webhook and certificate manifests using kustomize overlays, updating the operator deployment to mount TLS secrets, and enhancing CI/test configurations to support and verify the new webhook functionality.

Entity relationship diagram for webhook and certificate resources

erDiagram
  "ValidatingWebhookConfiguration" ||--o| "Service" : uses
  "Service" ||--o| "Certificate" : secured_by
  "Certificate" ||--o| "Issuer" : issued_by
  "ValidatingWebhookConfiguration" {
    string name
    string[] admissionReviewVersions
    string failurePolicy
    string[] rules
    string sideEffects
  }
  "Service" {
    string name
    string namespace
    string[] ports
    string selector
  }
  "Certificate" {
    string name
    string secretName
    string[] dnsNames
    string issuerRef
  }
  "Issuer" {
    string name
    string kind
  }

Loading

Class diagram for SecureSignValidator and related types

classDiagram
  class SecureSignValidator {
    +client.Client Client
    +ValidateCreate(ctx, obj)
    +ValidateUpdate(ctx, oldObj, newObj)
    +ValidateDelete(ctx, obj)
    -validateNamespacePolicy(ctx, operandCR)
  }
  class Securesign {
    +GetNamespace()
    <<CRD>>
  }
  SecureSignValidator --> Securesign : validates
  SecureSignValidator ..> client.Client : uses

Loading

File-Level Changes

Change	Details	Files
Implement SecureSignValidator for namespace policy enforcement	Define SecureSignValidator struct and reservedRunLevels map Implement validateNamespacePolicy to block 'default' and reserved run-level namespaces Add ValidateCreate, ValidateUpdate, ValidateDelete methods	internal/webhook/securesign_validator.go internal/webhook/webhooks.go
Register validating webhook in the controller manager	Add kubebuilder:webhook marker to Securesign CRD Invoke ctrl.NewWebhookManagedBy in main.go with custom /validate path	api/v1alpha1/securesign_types.go cmd/main.go
Add and configure webhook and TLS manifests via kustomize	Create service.yaml, webhook.yaml, and kustomization under config/webhook Add cert-manager Issuer and Certificate in cert_resources.yaml Define annotation patch overlays for kubernetes and openshift environments	config/webhook/service.yaml config/webhook/webhook.yaml config/webhook/kustomization.yaml config/env/kubernetes/cert_resources.yaml config/env/kubernetes/kubernetes_webhook_patch.yaml config/env/openshift/serving_cert_annotation_patch.yaml config/env/openshift/inject_ca_bundle_annotation_patch.yaml
Mount webhook TLS secret in operator deployment and test harness	Add volume and volumeMount entries for webhook-cert in manager.yaml Update test suite's managerPod: ports, labels, volume mounts, import yamlutil, include webhookInfra Sleep to wait for webhook server readiness	config/manager/manager.yaml test/e2e/custom_install/suite_test.go
Adjust build and CI for webhook and cert-manager	Update Makefile manifests target to drop webhook flags and include overlay Install and wait for cert-manager in GitHub Actions kind-cluster workflow Add unit tests for SecureSignValidator and introduce testify dependency	Makefile .github/actions/kind-cluster/action.yml go.mod internal/webhook/test/webhook_test.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[knrc]

Do we need a webhook for this? It doesn't look as if the webhook is doing anything too complicated, would CEL not be a better choice?

[knrc]

Do we need a webhook for this? It doesn't look as if the webhook is doing anything too complicated, would CEL not be a better choice?

Never mind, it looks as if we are still supporting 1.27 until end of October.

[qodo-merge-pro]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Validation bypass on 404 Description: The validator allows creation when the target namespace is not found, which could bypass run-level checks if a malicious user times creation with namespace creation or relies on eventual consistency; consider failing closed or requeuing until the namespace exists. securesign_validator.go [25-33] Referred Code ns := &corev1.Namespace{} if err := v.Client.Get(ctx, types.NamespacedName{Name: targetNamespace}, ns); err != nil { if apierrors.IsNotFound(err) { return nil, nil } reqLog.Error(err, "Failed to retrieve target namespace object for validation.") return nil, fmt.Errorf("failed to retrieve target namespace %s: %w", targetNamespace, err) }
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: The new validating webhook performs critical admission decisions without emitting structured audit logs capturing who/what/why beyond brief info messages, which may not satisfy comprehensive audit trail requirements. Referred Code func (v *SecureSignValidator) validateNamespacePolicy(ctx context.Context, operandCR *rhtasv1alpha1.Securesign) (admission.Warnings, error) { reqLog := logf.FromContext(ctx) targetNamespace := operandCR.GetNamespace() if targetNamespace == "default" { reqLog.Info("Validation failed: Deployment blocked in 'default' namespace.") return nil, fmt.Errorf("installation into the 'default' namespace is prohibited by RHTAS policy") } ns := &corev1.Namespace{} if err := v.Client.Get(ctx, types.NamespacedName{Name: targetNamespace}, ns); err != nil { if apierrors.IsNotFound(err) { return nil, nil } reqLog.Error(err, "Failed to retrieve target namespace object for validation.") return nil, fmt.Errorf("failed to retrieve target namespace %s: %w", targetNamespace, err) } runLevel, found := ns.Labels["openshift.io/run-level"] if found && reservedRunLevels[runLevel] { ... (clipped 4 lines)
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Generic type error: The validator returns generic type assertion errors (e.g., "expected SecureSign CR but got %T") and does not include request context (namespace/name) or handle absent labels map defensively, which may limit actionable debugging information. Referred Code func (v *SecureSignValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { operandCR, ok := obj.(*rhtasv1alpha1.Securesign) if !ok { return nil, fmt.Errorf("expected SecureSign CR but got %T", obj) } return v.validateNamespacePolicy(ctx, operandCR) } func (v *SecureSignValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) { operandCR, ok := newObj.(*rhtasv1alpha1.Securesign) if !ok { return nil, fmt.Errorf("expected SecureSign CR but got %T", newObj) } return v.validateNamespacePolicy(ctx, operandCR)
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Block creation in non-existent namespaces Modify validateNamespacePolicy to return an error if the target namespace is not found, preventing Securesign resources from being created in non-existent namespaces. internal/webhook/securesign_validator.go [16-43] func (v *SecureSignValidator) validateNamespacePolicy(ctx context.Context, operandCR *rhtasv1alpha1.Securesign) (admission.Warnings, error) { reqLog := logf.FromContext(ctx) targetNamespace := operandCR.GetNamespace() if targetNamespace == "default" { reqLog.Info("Validation failed: Deployment blocked in 'default' namespace.") return nil, fmt.Errorf("installation into the 'default' namespace is prohibited by RHTAS policy") } ns := &corev1.Namespace{} if err := v.Client.Get(ctx, types.NamespacedName{Name: targetNamespace}, ns); err != nil { if apierrors.IsNotFound(err) { - return nil, nil + return nil, fmt.Errorf("target namespace %s does not exist", targetNamespace) } reqLog.Error(err, "Failed to retrieve target namespace object for validation.") return nil, fmt.Errorf("failed to retrieve target namespace %s: %w", targetNamespace, err) } runLevel, found := ns.Labels["openshift.io/run-level"] if found && reservedRunLevels[runLevel] { reqLog.Info("Validation failed: Deployment blocked in reserved namespace.", "namespace", targetNamespace, "run-level", runLevel) return nil, fmt.Errorf("installation into reserved OpenShift namespace '%s' (run-level %s) is prohibited by RHTAS policy", targetNamespace, runLevel) } return nil, nil } Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion addresses a security loophole where a resource could be created in a non-existent namespace, bypassing validation, which is a significant correctness and security improvement.	Medium
Possible issue	Enable webhook validation on update operations Add update to the list of verbs in the //+kubebuilder:webhook marker to ensure the validation webhook is triggered on resource updates, not just creations. api/v1alpha1/securesign_types.go [76] -//+kubebuilder:webhook:path=/validate,mutating=false,failurePolicy=fail,groups=rhtas.redhat.com,resources=securesigns,verbs=create,versions=v1alpha1,name=securesign.rhtas.redhat.com,sideEffects=None,admissionReviewVersions=v1 +//+kubebuilder:webhook:path=/validate,mutating=false,failurePolicy=fail,groups=rhtas.redhat.com,resources=securesigns,verbs=create;update,versions=v1alpha1,name=securesign.rhtas.redhat.com,sideEffects=None,admissionReviewVersions=v1 Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that the webhook should also validate update operations to ensure consistent policy enforcement, as the validator implementation already handles them.	Medium
General	Replace fixed sleep with robust readiness checks Replace the fixed time.Sleep(1 * time.Minute) in the installOperator test function with Eventually blocks to poll for the readiness of the manager pod and webhook service. test/e2e/custom_install/suite_test.go [65-86] func installOperator(ctx context.Context, cli runtimeCli.Client, ns string, opts ...optManagerPod) { for _, o := range rbac(ns) { c := o.DeepCopyObject().(runtimeCli.Object) if e := cli.Get(ctx, runtimeCli.ObjectKeyFromObject(o), c); !apierrors.IsNotFound(e) { Expect(cli.Delete(ctx, o)).To(Succeed()) } Expect(cli.Create(ctx, o)).To(Succeed()) } for _, o := range webhookInfra(ns) { c := o.DeepCopyObject().(runtimeCli.Object) if e := cli.Get(ctx, runtimeCli.ObjectKeyFromObject(o), c); !apierrors.IsNotFound(e) { Expect(cli.Delete(ctx, o)).To(Succeed()) } Expect(cli.Create(ctx, o)).To(Succeed()) } Expect(cli.Create(ctx, managerPod(ns, opts...))).To(Succeed()) - time.Sleep(1 * time.Minute) + // Wait for manager pod to be running + Eventually(func(g Gomega) { + pod := &v1.Pod{} + g.Expect(cli.Get(ctx, runtimeCli.ObjectKey{Name: managerPodName, Namespace: ns}, pod)).To(Succeed()) + g.Expect(pod.Status.Phase).To(Equal(v1.PodRunning)) + }).WithTimeout(2 * time.Minute).WithPolling(1 * time.Second).Should(Succeed()) + // Wait for webhook service endpoint to be available + Eventually(func(g Gomega) { + endpoints := &v1.Endpoints{} + g.Expect(cli.Get(ctx, runtimeCli.ObjectKey{Name: "controller-manager-webhook-service", Namespace: ns}, endpoints)).To(Succeed()) + g.Expect(endpoints.Subsets).ToNot(BeEmpty()) + g.Expect(endpoints.Subsets[0].Addresses).ToNot(BeEmpty()) + }).WithTimeout(1 * time.Minute).WithPolling(1 * time.Second).Should(Succeed()) } Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that using a fixed time.Sleep in tests can lead to flakiness and proposes a more robust solution using Eventually to check for readiness.	Medium
Update

[qodo-merge-pro]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Execute securesign/sigstore-e2e

Failed stage: Run tests [❌]

Failed test name: TestManualTUFRepoTest - TUF manual repo test [It] should verify workdir structure

Failure summary: The action failed because the TUF manual repo test reported a missing expected file in the workdir: - Test "TUF manual repo test [It] should verify workdir structure" failed at e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286 (triggered from line 68) - Failure message: "Expected at least one file with suffix .signing_config.v0.2.json, found 0" - This indicates the TUF manual repository setup did not produce the required .signing_config.v0.2.json file in the working directory, causing the test suite to exit with code 1.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 454: configmap/ingress-nginx-controller created 455: service/ingress-nginx-controller created 456: service/ingress-nginx-controller-admission created 457: deployment.apps/ingress-nginx-controller created 458: job.batch/ingress-nginx-admission-create created 459: job.batch/ingress-nginx-admission-patch created 460: ingressclass.networking.k8s.io/nginx created 461: validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created 462: pod/ingress-nginx-controller-bcdf75cfc-b5bgb condition met 463: ##[group]Run # Download the bundle.yaml 464: �[36;1m# Download the bundle.yaml�[0m 465: �[36;1mcurl -sL https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.84.0/bundle.yaml -o bundle.yaml �[0m 466: �[36;1m�[0m 467: �[36;1m# Check if the download was successful and the file is not empty�[0m 468: �[36;1mif [ ! -s "bundle.yaml" ]; then�[0m 469: �[36;1m echo "Error: Downloaded bundle.yaml is empty or failed to download."�[0m 470: �[36;1m exit 1�[0m ... 820: BUNDLE_IMG: ghcr.io/securesign/secure-sign-operator-bundle:dev-047f5d5eba9656b8ed2bb26325fb163635a1eaa2 821: CATALOG_IMG: ghcr.io/securesign/secure-sign-operator-fbc:dev-047f5d5eba9656b8ed2bb26325fb163635a1eaa2 822: NEW_OLM_CHANNEL: rhtas-operator.v1.4.0 823: OCP_VERSION: v4.19 824: TEST_NAMESPACE: test 825: REGISTRY_AUTH_FILE: /tmp/config.json 826: OPENSHIFT: false 827: ##[endgroup] 828: /home/runner/work/secure-sign-operator/secure-sign-operator/bin/controller-gen-v0.17.0 rbac:roleName=manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases 829: Downloading sigs.k8s.io/kustomize/kustomize/[email protected] 830: go: downloading sigs.k8s.io/kustomize/kustomize/v5 v5.6.0 831: go: downloading github.com/spf13/cobra v1.8.0 832: go: downloading sigs.k8s.io/kustomize/api v0.19.0 833: go: downloading sigs.k8s.io/kustomize/cmd/config v0.19.0 834: go: downloading sigs.k8s.io/kustomize/kyaml v0.19.0 835: go: downloading github.com/go-errors/errors v1.4.2 836: go: downloading github.com/davecgh/go-spew v1.1.1 ... 1009: {"status":"Pull complete","progressDetail":{},"id":"2d35ebdb57d9"} 1010: {"status":"Digest: sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"} 1011: {"status":"Status: Downloaded newer image for mirror.gcr.io/alpine:latest"} 1012: {"status":"The push refers to repository [ttl.sh/6b4a5e39-4256-40d0-a394-14e835b3cf3a]"} 1013: {"status":"Preparing","progressDetail":{},"id":"256f393e029f"} 1014: {"status":"Pushing","progressDetail":{"current":101376,"total":8317404},"progress":"[\u003e ] 101.4kB/8.317MB","id":"256f393e029f"} 1015: {"status":"Pushing","progressDetail":{"current":199680,"total":8317404},"progress":"[=\u003e ] 199.7kB/8.317MB","id":"256f393e029f"} 1016: {"status":"Pushing","progressDetail":{"current":1838080,"total":8317404},"progress":"[===========\u003e ] 1.838MB/8.317MB","id":"256f393e029f"} 1017: {"status":"Pushing","progressDetail":{"current":3542016,"total":8317404},"progress":"[=====================\u003e ] 3.542MB/8.317MB","id":"256f393e029f"} 1018: {"status":"Pushing","progressDetail":{"current":5606400,"total":8317404},"progress":"[=================================\u003e ] 5.606MB/8.317MB","id":"256f393e029f"} 1019: {"status":"Pushing","progressDetail":{"current":7873024,"total":8317404},"progress":"[===============================================\u003e ] 7.873MB/8.317MB","id":"256f393e029f"} 1020: {"status":"Pushing","progressDetail":{"current":8607232,"total":8317404},"progress":"[==================================================\u003e] 8.607MB","id":"256f393e029f"} 1021: {"status":"Pushed","progressDetail":{},"id":"256f393e029f"} 1022: {"status":"5m: digest: sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64 size: 527"} 1023: {"progressDetail":{},"aux":{"Tag":"5m","Digest":"sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64","Size":527}} 1024: t=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 1025: t=l=info app=cosign m=Root status: 1026: t=l=info app=cosign m= { 1027: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 1028: t=l=info app=cosign m= "remote": "http://tuf.local", 1029: t=l=info app=cosign m= "metadata": { 1030: t=l=info app=cosign m= "root.json": { 1031: t=l=info app=cosign m= "version": 1, 1032: t=l=info app=cosign m= "len": 4128, 1033: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1034: t=l=info app=cosign m= "error": "" 1035: t=l=info app=cosign m= }, 1036: t=l=info app=cosign m= "snapshot.json": { 1037: t=l=info app=cosign m= "version": 1, 1038: t=l=info app=cosign m= "len": 994, 1039: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1040: t=l=info app=cosign m= "error": "" 1041: t=l=info app=cosign m= }, 1042: t=l=info app=cosign m= "targets.json": { 1043: t=l=info app=cosign m= "version": 1, 1044: t=l=info app=cosign m= "len": 2416, 1045: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1046: t=l=info app=cosign m= "error": "" 1047: t=l=info app=cosign m= }, 1048: t=l=info app=cosign m= "timestamp.json": { 1049: t=l=info app=cosign m= "version": 1, 1050: t=l=info app=cosign m= "len": 995, 1051: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1052: t=l=info app=cosign m= "error": "" 1053: t=l=info app=cosign m= } 1054: t=l=info app=cosign m= }, 1055: t=l=info app=cosign m= "targets": [ 1056: t=l=info app=cosign m= "fulcio_v1.crt.pem", 1057: t=l=info app=cosign m= "trusted_root.json", 1058: t=l=info app=cosign m= "tsa.certchain.pem", 1059: t=l=info app=cosign m= "ctfe.pub", 1060: t=l=info app=cosign m= "rekor.pub" 1061: t=l=info app=cosign m= ] 1062: t=l=info app=cosign m=} 1063: �[38;5;10m•�[0mt=l=error app=cosign m=Generating ephemeral keys... 1064: t=l=error app=cosign m=Retrieving signed certificate... 1065: t=l=error app=cosign m=Successfully verified SCT... 1066: t=l=error app=cosign m=WARNING: Image reference ttl.sh/6b4a5e39-4256-40d0-a394-14e835b3cf3a:5m uses a tag, not a digest, to identify the image to sign. 1067: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1068: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1069: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1070: t=l=error app=cosign m= images by tag will be removed in a future release. 1071: t=l=error app=cosign 1072: t=l=error app=cosign 1073: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1074: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1075: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1076: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1077: t=l=error app=cosign 1078: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1079: t=l=error app=cosign m=Timestamp fetched with time: 2025-11-05 15:52:13 +0000 UTC 1080: t=l=error app=cosign m=tlog entry created with index: 2 1081: t=l=error app=cosign m=Pushing signature to: ttl.sh/6b4a5e39-4256-40d0-a394-14e835b3cf3a 1082: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign 1083: t=l=error app=cosign m=Verification for ttl.sh/6b4a5e39-4256-40d0-a394-14e835b3cf3a:5m -- 1084: t=l=error app=cosign m=The following checks were performed on each of these signatures: 1085: t=l=error app=cosign m= - The cosign claims were validated 1086: t=l=error app=cosign m= - Existence of the claims in the transparency log was verified offline 1087: t=l=error app=cosign m= - The code-signing certificate was verified using trusted certificate authority certificates 1088: t=l=info app=cosign ... 1141: t=l=info app=ec m=OPA v1.6.0 1142: t=l=info app=ec m=Conftest v0.62.0 1143: t=l=info app=ec m=Cosign v2.4.1 1144: t=l=info app=ec m=Sigstore v1.8.9 1145: t=l=info app=ec m=Rekor v1.3.6 1146: t=l=info app=ec m=Tekton Pipeline v0.66.0 1147: t=l=info app=ec m=Kubernetes Client v0.32.3 1148: {"status":"Pulling from alpine","id":"latest"} 1149: {"status":"Digest: sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"} 1150: {"status":"Status: Image is up to date for mirror.gcr.io/alpine:latest"} 1151: {"status":"The push refers to repository [ttl.sh/55ed0808-88a6-4ecd-b0f4-5541e2252489]"} 1152: {"status":"Preparing","progressDetail":{},"id":"256f393e029f"} 1153: {"status":"Mounted from 6b4a5e39-4256-40d0-a394-14e835b3cf3a","progressDetail":{},"id":"256f393e029f"} 1154: {"status":"5m: digest: sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64 size: 527"} 1155: {"progressDetail":{},"aux":{"Tag":"5m","Digest":"sha256:9d04ae17046f42ec0cd37d0429fff0edd799d7159242938cc5a964dcd38c1b64","Size":527}} 1156: t=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 1157: t=l=info app=cosign m=Root status: 1158: t=l=info app=cosign m= { 1159: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 1160: t=l=info app=cosign m= "remote": "http://tuf.local", 1161: t=l=info app=cosign m= "metadata": { 1162: t=l=info app=cosign m= "root.json": { 1163: t=l=info app=cosign m= "version": 1, 1164: t=l=info app=cosign m= "len": 4128, 1165: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1166: t=l=info app=cosign m= "error": "" 1167: t=l=info app=cosign m= }, 1168: t=l=info app=cosign m= "snapshot.json": { 1169: t=l=info app=cosign m= "version": 1, 1170: t=l=info app=cosign m= "len": 994, 1171: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1172: t=l=info app=cosign m= "error": "" 1173: t=l=info app=cosign m= }, 1174: t=l=info app=cosign m= "targets.json": { 1175: t=l=info app=cosign m= "version": 1, 1176: t=l=info app=cosign m= "len": 2416, 1177: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1178: t=l=info app=cosign m= "error": "" 1179: t=l=info app=cosign m= }, 1180: t=l=info app=cosign m= "timestamp.json": { 1181: t=l=info app=cosign m= "version": 1, 1182: t=l=info app=cosign m= "len": 995, 1183: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1184: t=l=info app=cosign m= "error": "" 1185: t=l=info app=cosign m= } 1186: t=l=info app=cosign m= }, 1187: t=l=info app=cosign m= "targets": [ 1188: t=l=info app=cosign m= "trusted_root.json", 1189: t=l=info app=cosign m= "tsa.certchain.pem", 1190: t=l=info app=cosign m= "ctfe.pub", 1191: t=l=info app=cosign m= "rekor.pub", 1192: t=l=info app=cosign m= "fulcio_v1.crt.pem" 1193: t=l=info app=cosign m= ] 1194: t=l=info app=cosign m=} 1195: �[38;5;10m•�[0mt=l=error app=cosign m=Generating ephemeral keys... 1196: t=l=error app=cosign m=Retrieving signed certificate... 1197: t=l=error app=cosign m=Successfully verified SCT... 1198: t=l=error app=cosign m=WARNING: Image reference ttl.sh/55ed0808-88a6-4ecd-b0f4-5541e2252489:5m uses a tag, not a digest, to identify the image to sign. 1199: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1200: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1201: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1202: t=l=error app=cosign m= images by tag will be removed in a future release. 1203: t=l=error app=cosign 1204: t=l=error app=cosign 1205: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1206: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1207: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1208: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1209: t=l=error app=cosign 1210: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1211: t=l=error app=cosign m=tlog entry created with index: 3 1212: t=l=error app=cosign m=Pushing signature to: ttl.sh/55ed0808-88a6-4ecd-b0f4-5541e2252489 1213: �[38;5;10m•�[0mt=l=info app=cosign m= ... 1245: t=l=info app=rekor-cli m=4 1246: t=l=info app=rekor-cli m=J16Opz5GAqaow9nEplIzj2sRA/YBc3rihM94gHLcwGE= 1247: t=l=info app=rekor-cli 1248: t=l=info app=rekor-cli m=— rekor-server-555d6576c8-6527h gfxSFjBFAiEAi8k7f/ZaFCp5b7KlYs3AYZ1F6qtTejXeOLfuYo5dzY8CIHWa2ihiPU4cP3LpUpG11QHsQBjAXkru1OWZDJRBQLIR 1249: t=l=info app=rekor-cli 1250: t=l=info app=rekor-cli 1251: t=l=info app=rekor-cli m=Inclusion Proof: 1252: t=l=info app=rekor-cli m=SHA256(0x01 | 08e98c94ae69b60bdf9e819e9c9dffd06323a402c7a387c3d971020c72c70995 | a6d4ce3dfda9ed3da107e00f9cff7c4ffadf8052486387096ab8feff9157a2cb) = 1253: t=l=info app=rekor-cli m= e1c0230759e43dbdca75c3a7d63b0a2cc18540bf438ba6a36765fcf8ce026dfe 1254: t=l=info app=rekor-cli 1255: t=l=info app=rekor-cli m=SHA256(0x01 | 7f9402b9dc4bbb2fbcaf56c3bfa63e0c88e7758aba7263d88acbc85fab11cad9 | e1c0230759e43dbdca75c3a7d63b0a2cc18540bf438ba6a36765fcf8ce026dfe) = 1256: t=l=info app=rekor-cli m= 275e8ea73e4602a6a8c3d9c4a652338f6b1103f601737ae284cf788072dcc061 1257: t=l=info app=rekor-cli 1258: t=l=info app=rekor-cli m=Computed Root Hash: 275e8ea73e4602a6a8c3d9c4a652338f6b1103f601737ae284cf788072dcc061 1259: t=l=info app=rekor-cli m=Expected Root Hash: 275e8ea73e4602a6a8c3d9c4a652338f6b1103f601737ae284cf788072dcc061 1260: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign m=WARNING: Image reference ttl.sh/55ed0808-88a6-4ecd-b0f4-5541e2252489:5m uses a tag, not a digest, to identify the image to sign. 1261: t=l=error app=cosign m= This can lead you to sign a different image than the intended one. Please use a 1262: t=l=error app=cosign m= digest (example.com/ubuntu@sha256:abc123...) rather than tag 1263: t=l=error app=cosign m= (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 1264: t=l=error app=cosign m= images by tag will be removed in a future release. 1265: t=l=error app=cosign 1266: t=l=error app=cosign m=Generating ephemeral keys... 1267: t=l=error app=cosign m=Retrieving signed certificate... 1268: t=l=error app=cosign m=Successfully verified SCT... 1269: t=l=error app=cosign m=Using payload from: /tmp/tmp2388000279/predicate.json 1270: t=l=error app=cosign 1271: t=l=error app=cosign m= The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/. 1272: t=l=error app=cosign m= Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record. 1273: t=l=error app=cosign m= This may include the email address associated with the account with which you authenticate your contractual Agreement. 1274: t=l=error app=cosign m= This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/. 1275: t=l=error app=cosign 1276: t=l=error app=cosign m=By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. 1277: t=l=error app=cosign m=tlog entry created with index: 4 1278: �[38;5;10m•�[0mt=l=info app=cosign m=📦 Supply Chain Security Related artifacts for an image: ttl.sh/55ed0808-88a6-4ecd-b0f4-5541e2252489:5m ... 1386: code: builtin.attestation.signature_check 1387: msg: Pass 1388: - metadata: 1389: code: builtin.attestation.syntax_check 1390: msg: Pass 1391: - metadata: 1392: code: builtin.image.signature_check 1393: msg: Pass 1394: ec-version: v0.7.156+redhat 1395: effective-time: "2025-11-05T15:52:38.852751448Z" 1396: key: "" 1397: policy: {} 1398: success: true 1399: �[38;5;10m•�[0m 1400: �[38;5;10m�[1mRan 13 of 13 Specs in 41.034 seconds�[0m 1401: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m13 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1402: --- PASS: TestCosignTest (41.03s) ... 1470: t=l=info app=rekor-cli m= | |_) | | _| | ' / | | | | | |_) | _____ | | | | | | 1471: t=l=info app=rekor-cli m= | _ < | |___ | . \ | |_| | | _ < |_____| | |___ | |___ | | 1472: t=l=info app=rekor-cli m= |_| \_\ |_____| |_|\_\ \___/ |_| \_\ \____| |_____| |___| 1473: t=l=info app=rekor-cli m=rekor-cli: Rekor CLI 1474: t=l=info app=rekor-cli 1475: t=l=info app=rekor-cli m=GitVersion: v0.0.0-20251021131950-daf32a2da885+dirty 1476: t=l=info app=rekor-cli m=GitCommit: daf32a2da885d84226af755191bc2b72b72dc917 1477: t=l=info app=rekor-cli m=GitTreeState: clean 1478: t=l=info app=rekor-cli m=BuildDate: t=l=info app=rekor-cli m=GoVersion: go1.24.6 (Red Hat 1.24.6-1.el9_6) X:strictfipsruntime 1479: t=l=info app=rekor-cli m=Compiler: gc 1480: t=l=info app=rekor-cli m=Platform: linux/amd64 1481: t=l=info app=rekor-cli 1482: �[38;5;10m•�[0m�[38;5;10m•�[0m�[38;5;10m•�[0mt=l=info app=git m=[master (root-commit) 91a59a4] CI commit 2025-11-05 15:52:04.287635509 +0000 UTC m=+2.498030393 1483: t=l=info app=git m= 1 file changed, 1 insertion(+) 1484: t=l=info app=git m= create mode 100644 testFile.txt 1485: �[38;5;10m•�[0m�[38;5;10m•�[0mt=l=error app=cosign m=WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument. 1486: t=l=info app=cosign m=Root status: 1487: t=l=info app=cosign m= { 1488: t=l=info app=cosign m= "local": "/home/runner/.sigstore/root", 1489: t=l=info app=cosign m= "remote": "http://tuf.local", 1490: t=l=info app=cosign m= "metadata": { 1491: t=l=info app=cosign m= "root.json": { 1492: t=l=info app=cosign m= "version": 1, 1493: t=l=info app=cosign m= "len": 4128, 1494: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1495: t=l=info app=cosign m= "error": "" 1496: t=l=info app=cosign m= }, 1497: t=l=info app=cosign m= "snapshot.json": { 1498: t=l=info app=cosign m= "version": 1, 1499: t=l=info app=cosign m= "len": 994, 1500: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1501: t=l=info app=cosign m= "error": "" 1502: t=l=info app=cosign m= }, 1503: t=l=info app=cosign m= "targets.json": { 1504: t=l=info app=cosign m= "version": 1, 1505: t=l=info app=cosign m= "len": 2416, 1506: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1507: t=l=info app=cosign m= "error": "" 1508: t=l=info app=cosign m= }, 1509: t=l=info app=cosign m= "timestamp.json": { 1510: t=l=info app=cosign m= "version": 1, 1511: t=l=info app=cosign m= "len": 995, 1512: t=l=info app=cosign m= "expiration": "04 Nov 26 15:50 UTC", 1513: t=l=info app=cosign m= "error": "" 1514: t=l=info app=cosign m= } ... 1554: t=l=info app=rekor-cli m=rekor-server-555d6576c8-6527h - 2887959862881025654 1555: t=l=info app=rekor-cli m=2 1556: t=l=info app=rekor-cli m=f5QCudxLuy+8r1bDv6Y+DIjndYq6cmPYisvIX6sRytk= 1557: t=l=info app=rekor-cli 1558: t=l=info app=rekor-cli m=— rekor-server-555d6576c8-6527h gfxSFjBFAiAFYpvIEDZnkNE5U/8+8vs4oNeC458WHF9jqZkF5Mk0rgIhAP8LQ6bZcs5V2TsevdfGfB7qcJkmZcfHr3H4BWjJyO+K 1559: t=l=info app=rekor-cli 1560: t=l=info app=rekor-cli 1561: t=l=info app=rekor-cli m=Inclusion Proof: 1562: t=l=info app=rekor-cli m=SHA256(0x01 | 43fd501448248259d5291fda64eea4e3eed6c9e80e05c492b6a7dbe8fb88fe97 | 426b30c0d6d4ddf9d412d1dfcfc8ebb3bf0a907b27d1d47971d3bc0d522da693) = 1563: t=l=info app=rekor-cli m= 7f9402b9dc4bbb2fbcaf56c3bfa63e0c88e7758aba7263d88acbc85fab11cad9 1564: t=l=info app=rekor-cli 1565: t=l=info app=rekor-cli m=Computed Root Hash: 7f9402b9dc4bbb2fbcaf56c3bfa63e0c88e7758aba7263d88acbc85fab11cad9 1566: t=l=info app=rekor-cli m=Expected Root Hash: 7f9402b9dc4bbb2fbcaf56c3bfa63e0c88e7758aba7263d88acbc85fab11cad9 1567: �[38;5;10m•�[0m 1568: �[38;5;10m�[1mRan 9 of 9 Specs in 3.305 seconds�[0m 1569: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m9 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1570: --- PASS: TestGitsignE2E (3.31s) ... 1699: Total Tree Size: 1 1700: Root Hash: 43fd501448248259d5291fda64eea4e3eed6c9e80e05c492b6a7dbe8fb88fe97 1701: TreeID: 2887959862881025654 1702: [78 111 32 112 114 101 118 105 111 117 115 32 108 111 103 32 115 116 97 116 101 32 115 116 111 114 101 100 44 32 117 110 97 98 108 101 32 116 111 32 112 114 111 118 101 32 99 111 110 115 105 115 116 101 110 99 121 10 86 101 114 105 102 105 99 97 116 105 111 110 32 83 117 99 99 101 115 115 102 117 108 33 10 65 99 116 105 118 101 32 84 114 101 101 32 83 105 122 101 58 32 32 32 32 32 32 32 49 10 84 111 116 97 108 32 84 114 101 101 32 83 105 122 101 58 32 32 32 32 32 32 32 32 49 10 82 111 111 116 32 72 97 115 104 58 32 32 32 32 32 32 32 32 32 32 32 32 32 32 52 51 102 100 53 48 49 52 52 56 50 52 56 50 53 57 100 53 50 57 49 102 100 97 54 52 101 101 97 52 101 51 101 101 100 54 99 57 101 56 48 101 48 53 99 52 57 50 98 54 97 55 100 98 101 56 102 98 56 56 102 101 57 55 10 84 114 101 101 73 68 58 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 50 56 56 55 57 53 57 56 54 50 56 56 49 48 50 53 54 53 52 10] 1703: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1704: 28141831b89bfe7643fd501448248259d5291fda64eea4e3eed6c9e80e05c492b6a7dbe8fb88fe97 1705: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 50 56 49 52 49 56 51 49 98 56 57 98 102 101 55 54 52 51 102 100 53 48 49 52 52 56 50 52 56 50 53 57 100 53 50 57 49 102 100 97 54 52 101 101 97 52 101 51 101 101 100 54 99 57 101 56 48 101 48 53 99 52 57 50 98 54 97 55 100 98 101 56 102 98 56 56 102 101 57 55 10] 1706: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1707: 28141831b89bfe7643fd501448248259d5291fda64eea4e3eed6c9e80e05c492b6a7dbe8fb88fe97 1708: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 50 56 49 52 49 56 51 49 98 56 57 98 102 101 55 54 52 51 102 100 53 48 49 52 52 56 50 52 56 50 53 57 100 53 50 57 49 102 100 97 54 52 101 101 97 52 101 51 101 101 100 54 99 57 101 56 48 101 48 53 99 52 57 50 98 54 97 55 100 98 101 56 102 98 56 56 102 101 57 55 10] 1709: �[38;5;10m•�[0mt=l=info app=rekor-cli m=Found matching entries (listed by UUID): 1710: 28141831b89bfe7643fd501448248259d5291fda64eea4e3eed6c9e80e05c492b6a7dbe8fb88fe97 1711: [70 111 117 110 100 32 109 97 116 99 104 105 110 103 32 101 110 116 114 105 101 115 32 40 108 105 115 116 101 100 32 98 121 32 85 85 73 68 41 58 10 50 56 49 52 49 56 51 49 98 56 57 98 102 101 55 54 52 51 102 100 53 48 49 52 52 56 50 52 56 50 53 57 100 53 50 57 49 102 100 97 54 52 101 101 97 52 101 51 101 101 100 54 99 57 101 56 48 101 48 53 99 52 57 50 98 54 97 55 100 98 101 56 102 98 56 56 102 101 57 55 10] 1712: �[38;5;10m•�[0m 1713: �[38;5;10m�[1mRan 9 of 9 Specs in 0.972 seconds�[0m 1714: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m9 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1715: --- PASS: TestRekorCliE2E (0.97s) ... 1726: t=l=info m=SIGSTORE_FULCIO_URL=http://fulcio-server.local 1727: t=l=info m=SIGSTORE_REKOR_URL=http://rekor-server.local 1728: t=l=info m=TUF_URL=http://tuf.local 1729: t=l=info m=TSA_URL=http://tsa-server.local/api/v1/timestamp 1730: t=l=info m=KEYCLOAK_REALM=trusted-artifact-signer 1731: t=l=info m=Getting binary 'updatetree' from CLI serverServer URLhttp://cli-server.local 1732: t=l=info m=Downloading updatetree from http://cli-server.local/clients/linux/updatetree-amd64.gz 1733: t=l=info m=Getting binary 'createtree' from CLI serverServer URLhttp://cli-server.local 1734: t=l=info m=Downloading createtree from http://cli-server.local/clients/linux/createtree-amd64.gz 1735: t=l=info app=createtree m=Usage of /tmp/createtree2139975303/createtree: 1736: -add_dir_header 1737: If true, adds the file directory to the header of the log messages 1738: -admin_server string 1739: Address of the gRPC Trillian Admin Server (host:port) 1740: -alsologtostderr 1741: log to standard error as well as files (no effect when -logtostderr=true) 1742: -config string 1743: Config file containing flags, file contents can be overridden by command line flags 1744: -description string 1745: Description of the new tree 1746: -display_name string 1747: Display name of the new tree 1748: -log_backtrace_at value 1749: when logging hits line file:N, emit a stack trace 1750: -log_dir string 1751: If non-empty, write log files in this directory (no effect when -logtostderr=true) 1752: -log_file string 1753: If non-empty, use this log file (no effect when -logtostderr=true) 1754: -log_file_max_size uint 1755: Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) 1756: -logtostderr 1757: log to standard error instead of files (default true) 1758: -max_root_duration duration ... 1771: Path to the file containing the Trillian server's PEM-encoded public TLS certificate. If unset, unsecured connections will be used 1772: -tree_state string 1773: State of the new tree (default "ACTIVE") 1774: -tree_type string 1775: Type of the new tree (default "LOG") 1776: -v value 1777: number for the log level verbosity 1778: -vmodule value 1779: comma-separated list of pattern=N settings for file-filtered logging 1780: �[38;5;10m•�[0mt=l=info app=updatetree m=Usage of /tmp/updatetree2651040816/updatetree: 1781: -add_dir_header 1782: If true, adds the file directory to the header of the log messages 1783: -admin_server string 1784: Address of the gRPC Trillian Admin Server (host:port) 1785: -alsologtostderr 1786: log to standard error as well as files (no effect when -logtostderr=true) 1787: -log_backtrace_at value 1788: when logging hits line file:N, emit a stack trace 1789: -log_dir string 1790: If non-empty, write log files in this directory (no effect when -logtostderr=true) 1791: -log_file string 1792: If non-empty, use this log file (no effect when -logtostderr=true) 1793: -log_file_max_size uint 1794: Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) 1795: -logtostderr 1796: log to standard error instead of files (default true) 1797: -one_output ... 1808: logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2) 1809: -tls_cert_file string 1810: Path to the file containing the Trillian server's PEM-encoded public TLS certificate. If unset, unsecured connections will be used 1811: -tree_id int 1812: The ID of the tree to be set updated 1813: -tree_state string 1814: If set the tree state will be updated 1815: -tree_type string 1816: If set the tree type will be updated 1817: -v value 1818: number for the log level verbosity 1819: -vmodule value 1820: comma-separated list of pattern=N settings for file-filtered logging 1821: �[38;5;10m•�[0m 1822: �[38;5;10m�[1mRan 2 of 2 Specs in 0.623 seconds�[0m 1823: �[38;5;10m�[1mSUCCESS!�[0m -- �[38;5;10m�[1m2 Passed�[0m | �[38;5;9m�[1m0 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1824: --- PASS: TestTrillianTest (0.62s) ... 1828: Running Suite: Create tuf repo manually - /home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool 1829: ====================================================================================================================== 1830: Random Seed: �[1m1762357924�[0m 1831: Will run �[1m2�[0m of �[1m2�[0m specs 1832: t=l=info m=Getting binary 'tuftool' from CLI serverServer URLhttp://cli-server.local 1833: t=l=info m=Downloading tuftool from http://cli-server.local/clients/linux/tuftool-amd64.gz 1834: t=l=info m=Done. Using '/tmp/tuftool3163773378/tuftool' with version: 1835: t=l=info app=tuftool m=tuftool 0.12.0 1836: t=l=info m=Created temporary directory: /tmp/trustroot_example1748044725 1837: t=l=info app=tuftool m=e602c69bbc5f828d8254dda934cf407fb66de5e2efbe3a0c64da45796d52dea4 1838: t=l=info app=tuftool m=11ef2ace62933e58a93acfb99f0193131bdfa2d7fe28e7e2bea9274a8e78abe6 1839: t=l=info app=tuftool m=6eb1f9dd020d75031ec635005e8200a1d00b9b89a01d424e6ac011a924666584 1840: t=l=info app=tuftool m=05932f692baab18f3d7fb9cd02fe3ab9ce8076c3633ffcbb3267af21e585137d 1841: �[38;5;10m•�[0m 1842: �[38;5;243m------------------------------�[0m 1843: �[38;5;9m• [FAILED] [0.001 seconds]�[0m 1844: �[0mTUF manual repo test �[38;5;9m�[1m[It] should verify workdir structure�[0m 1845: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:68�[0m 1846: �[38;5;9m[FAILED] Expected at least one file with suffix .signing_config.v0.2.json, found 0 1847: Expected 1848: <int>: 0 1849: to be >= 1850: <int>: 1�[0m 1851: �[38;5;9mIn �[1m[It]�[0m�[38;5;9m at: �[1m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286�[0m �[38;5;243m@ 11/05/25 15:52:06.194�[0m 1852: �[38;5;243m------------------------------�[0m 1853: �[38;5;9m�[1mSummarizing 1 Failure:�[0m 1854: �[38;5;9m[FAIL]�[0m �[0mTUF manual repo test �[38;5;9m�[1m[It] should verify workdir structure�[0m 1855: �[38;5;243m/home/runner/work/secure-sign-operator/secure-sign-operator/e2e/test/tuftool/tuftool_manual_tuf_repo_test.go:286�[0m 1856: �[38;5;9m�[1mRan 2 of 2 Specs in 1.540 seconds�[0m 1857: �[38;5;9m�[1mFAIL!�[0m -- �[38;5;10m�[1m1 Passed�[0m | �[38;5;9m�[1m1 Failed�[0m | �[38;5;11m�[1m0 Pending�[0m | �[38;5;14m�[1m0 Skipped�[0m 1858: --- FAIL: TestManualTUFRepoTest (1.54s) 1859: FAIL 1860: FAIL github.com/securesign/sigstore-e2e/test/tuftool 1.558s 1861: FAIL 1862: ##[error]Process completed with exit code 1. 1863: ##[group]Run kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager ... 1929: I1105 15:48:06.968405 1 controller.go:286] "Starting Controller" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" 1930: I1105 15:48:06.968486 1 controller.go:289] "Starting workers" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" worker count=1 1931: I1105 15:48:06.968409 1 controller.go:286] "Starting Controller" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" 1932: I1105 15:48:06.968539 1 controller.go:289] "Starting workers" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" worker count=1 1933: I1105 15:48:06.968412 1 controller.go:286] "Starting Controller" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" 1934: I1105 15:48:06.968575 1 controller.go:289] "Starting workers" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" worker count=1 1935: I1105 15:48:06.968437 1 controller.go:286] "Starting Controller" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" 1936: I1105 15:48:06.968613 1 controller.go:289] "Starting workers" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" worker count=1 1937: I1105 15:48:06.968629 1 controller.go:286] "Starting Controller" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" 1938: I1105 15:48:06.968637 1 controller.go:289] "Starting workers" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" worker count=1 1939: I1105 15:48:06.969524 1 controller.go:286] "Starting Controller" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" 1940: I1105 15:48:06.969542 1 controller.go:286] "Starting Controller" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" 1941: I1105 15:48:06.969544 1 controller.go:289] "Starting workers" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" worker count=1 1942: I1105 15:48:06.969555 1 controller.go:289] "Starting workers" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" worker count=1 1943: I1105 15:48:20.121861 1 warning_handler.go:64] "metadata.finalizers: \"tas.rhtas.redhat.com\": prefer a domain-qualified finalizer name including a path (/) to avoid accidental conflicts with other finalizer writers" controller="securesign" controllerGroup="rhtas.redhat.com" controllerKind="Securesign" Securesign="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="9daf1c19-ee26-4d5f-84b4-d3cfde5d79d4" 1944: I1105 15:48:20.770637 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="6e122ed9-7808-4342-a409-1267f5b55419" error="deployment not ready(tsa-server): not available" 1945: I1105 15:48:20.770756 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="6e122ed9-7808-4342-a409-1267f5b55419" 1946: I1105 15:48:20.778958 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="19762003-adbb-4b2a-8761-38bbc34a8d6d" error="deployment not ready(tsa-server): not available" 1947: I1105 15:48:20.779040 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="19762003-adbb-4b2a-8761-38bbc34a8d6d" 1948: I1105 15:48:20.782786 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="c8edcec7-ebdb-416a-af99-eaf97651962e" error="deployment not ready(fulcio-server): not available" 1949: I1105 15:48:20.782820 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="c8edcec7-ebdb-416a-af99-eaf97651962e" 1950: I1105 15:48:20.795931 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="66d9c7c7-479a-4b69-b15b-00e9240b788b" error="deployment not ready(fulcio-server): not available" 1951: I1105 15:48:20.795973 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="66d9c7c7-479a-4b69-b15b-00e9240b788b" 1952: I1105 15:48:21.342950 1 initialize.go:40] "deployment is not ready" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="50cf0ab4-09b5-4869-97cc-5d4ab654ea31" error="deployment not ready(trillian-db): not available" 1953: I1105 15:48:21.342975 1 initialize.go:45] "Waiting for deployment" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="50cf0ab4-09b5-4869-97cc-5d4ab654ea31" 1954: I1105 15:48:21.354195 1 initialize.go:40] "deployment is not ready" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="91e525ca-eafb-454f-87f4-6e83aae81592" error="deployment not ready(trillian-db): not available" 1955: I1105 15:48:21.354219 1 initialize.go:45] "Waiting for deployment" logger="db initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="91e525ca-eafb-454f-87f4-6e83aae81592" 1956: I1105 15:48:28.418889 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="52ef5d64-be57-4a5d-8172-703a3c55311a" error="deployment not ready(tsa-server): not available" 1957: I1105 15:48:28.419011 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="timestampauthority" controllerGroup="rhtas.redhat.com" controllerKind="TimestampAuthority" TimestampAuthority="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="52ef5d64-be57-4a5d-8172-703a3c55311a" 1958: I1105 15:48:28.418889 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="03e6d966-4551-43bb-ad56-2408c0177f85" error="deployment not ready(fulcio-server): not available" 1959: I1105 15:48:28.419921 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="fulcio" controllerGroup="rhtas.redhat.com" controllerKind="Fulcio" Fulcio="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="03e6d966-4551-43bb-ad56-2408c0177f85" 1960: I1105 15:49:03.889903 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="2d0c5d4d-fd39-4302-921e-e43404d2140c" error="deployment not ready(trillian-logserver): not available" 1961: I1105 15:49:03.889928 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="2d0c5d4d-fd39-4302-921e-e43404d2140c" 1962: I1105 15:49:03.897545 1 initialize.go:38] "deployment is not ready" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4b1e37a2-53a7-43a9-8ecc-19a6275d13a7" error="deployment not ready(trillian-logserver): not available" 1963: I1105 15:49:03.897572 1 initialize.go:43] "Waiting for deployment" logger="server initialize" controller="trillian" controllerGroup="rhtas.redhat.com" controllerKind="Trillian" Trillian="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="4b1e37a2-53a7-43a9-8ecc-19a6275d13a7" 1964: I1105 15:49:45.973264 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="90c33d94-7c62-476e-99ca-486de5c84d08" error="deployment not ready(ctlog): not available" 1965: I1105 15:49:45.973291 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="90c33d94-7c62-476e-99ca-486de5c84d08" 1966: I1105 15:49:45.979094 1 initialize.go:42] "deployment is not ready" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="eeed2fd2-b2ea-49b7-b344-7f1d4ba9207a" error="deployment not ready(ctlog): not available" 1967: I1105 15:49:45.979117 1 initialize.go:47] "Waiting for deployment" logger="initialize" controller="ctlog" controllerGroup="rhtas.redhat.com" controllerKind="CTlog" CTlog="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="eeed2fd2-b2ea-49b7-b344-7f1d4ba9207a" 1968: I1105 15:49:46.741086 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="971ce5a6-0cf6-4b6b-84b6-02acde500308" error="deployment not ready(rekor-server): not available" 1969: I1105 15:49:46.741111 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="971ce5a6-0cf6-4b6b-84b6-02acde500308" 1970: I1105 15:49:46.750994 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="19ce06af-2f44-45f0-9c31-4b750a5f6167" error="deployment not ready(rekor-server): not available" 1971: I1105 15:49:46.751053 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="19ce06af-2f44-45f0-9c31-4b750a5f6167" 1972: I1105 15:50:00.073589 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="a63a98d5-367f-4fd7-8a3a-a7445a0e7ad8" error="deployment not ready(rekor-server): not available" 1973: I1105 15:50:00.073616 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="a63a98d5-367f-4fd7-8a3a-a7445a0e7ad8" 1974: I1105 15:50:06.008108 1 initialize.go:44] "deployment is not ready" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="fbb15fa5-b331-4d8f-9d54-cf3d5675eede" error="deployment not ready(rekor-server): not available" 1975: I1105 15:50:06.008133 1 initialize.go:49] "Waiting for deployment" logger="initialize" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="fbb15fa5-b331-4d8f-9d54-cf3d5675eede" 1976: I1105 15:50:39.069391 1 resolve_pub_key.go:152] "retrying to get rekor public key" logger="resolve public key" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="26f41d5f-46a1-435c-9766-f3aa8992b8bf" 1977: E1105 15:50:39.076840 1 base_action.go:92] "error during action execution" err="ResolvePubKey: unable to resolve public key: Get \"http://rekor-server.test.svc/api/v1/log/publicKey\": dial tcp 10.96.30.190:80: i/o timeout" logger="resolve public key" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="26f41d5f-46a1-435c-9766-f3aa8992b8bf" 1978: E1105 15:50:39.076918 1 controller.go:474] "Reconciler error" err="ResolvePubKey: unable to resolve public key: Get \"http://rekor-server.test.svc/api/v1/log/publicKey\": dial tcp 10.96.30.190:80: i/o timeout" controller="rekor" controllerGroup="rhtas.redhat.com" controllerKind="Rekor" Rekor="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="26f41d5f-46a1-435c-9766-f3aa8992b8bf" 1979: I1105 15:50:45.732612 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="80799bc3-53b5-4ff9-b756-d741592aa153" Succeeded=0 Failures=0 1980: I1105 15:50:50.738686 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1d1fe4d8-3047-490e-9f8e-cf259ba3e867" Succeeded=0 Failures=0 1981: I1105 15:50:55.744323 1 tuf_init_job.go:62] "Tuf tuf-repository-init is present." logger="controller.tuf.tuf-init job" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="34cc3a13-22cc-4e2b-892f-3b04179d1549" Succeeded=1 Failures=0 1982: I1105 15:50:55.860464 1 initialize.go:43] "deployment is not ready" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1af8b3d6-3048-488c-bad6-7511fb4e6457" error="deployment not ready(tuf): not available" 1983: I1105 15:50:55.860500 1 initialize.go:48] "Waiting for deployment" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="1af8b3d6-3048-488c-bad6-7511fb4e6457" 1984: I1105 15:50:55.867567 1 initialize.go:43] "deployment is not ready" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="18046601-dfdc-4e5a-a9eb-d12e03e2ca7b" error="deployment not ready(tuf): not available" 1985: I1105 15:50:55.867598 1 initialize.go:48] "Waiting for deployment" logger="controller.tuf.initialize" controller="tuf" controllerGroup="rhtas.redhat.com" controllerKind="Tuf" Tuf="test/securesign-sample" namespace="test" name="securesign-sample" reconcileID="18046601-dfdc-4e5a-a9eb-d12e03e2ca7b"