Add Results configuration in tekton config

This will add the Results configuration to the tekton config and will be
installed by default through tekton config

Signed-off-by: Shiv Verma <[email protected]>

Author: pratap0007

pkg/apis/operator/v1alpha1/tektonconfig_defaults.go

@@ -32,6 +32,7 @@ func (tc *TektonConfig) SetDefaults(ctx context.Context) {
 	tc.Spec.Pipeline.setDefaults()
 	tc.Spec.Trigger.setDefaults()
 	tc.Spec.Chain.setDefaults()
+	tc.Spec.Result.setDefaults()
 
 	if IsOpenShiftPlatform() {
 		if tc.Spec.Platforms.OpenShift.PipelinesAsCode == nil {

pkg/apis/operator/v1alpha1/tektonconfig_types.go

@@ -105,6 +105,9 @@ type TektonConfigSpec struct {
 	// Chain holds the customizable option for chains component
 	// +optional
 	Chain Chain `json:"chain,omitempty"`
+	// Result holds the customize option for results component
+	// +optional
+	Result Result `json:"result,omitempty"`
 	// Dashboard holds the customizable options for dashboards component
 	// +optional
 	Dashboard Dashboard `json:"dashboard,omitempty"`

pkg/apis/operator/v1alpha1/tektonconfig_validation.go

@@ -120,6 +120,7 @@ func (tc *TektonConfig) Validate(ctx context.Context) (errs *apis.FieldError) {
 	errs = errs.Also(tc.Spec.Dashboard.Options.validate("spec.dashboard.options"))
 	errs = errs.Also(tc.Spec.Chain.Options.validate("spec.chain.options"))
 	errs = errs.Also(tc.Spec.Trigger.Options.validate("spec.trigger.options"))
+	errs = errs.Also(tc.Spec.Result.Options.validate("spec.result.options"))
 
 	return errs.Also(tc.Spec.Trigger.TriggersProperties.validate("spec.trigger"))
 }

pkg/apis/operator/v1alpha1/tektonresult_defaults.go

@@ -26,3 +26,8 @@ func (tp *TektonResult) SetDefaults(ctx context.Context) {
 		tp.Spec.TLSHostnameOverride = ""
 	}
 }
+
+// Sets default values of Result
+func (c *Result) setDefaults() {
+	// TODO: Set the other default values for Result
+}

pkg/apis/operator/v1alpha1/tektonresult_types.go

@@ -61,6 +61,15 @@ type LokiStackProperties struct {
 	LokiStackNamespace string `json:"loki_stack_namespace,omitempty"`
 }
 
+// Result defines the field to customize Result component
+type Result struct {
+	// enable or disable Result Component
+	Disabled         bool `json:"disabled"`
+	TektonResultSpec `json:",inline"`
+	// Options holds additions fields and these fields will be updated on the manifests
+	Options AdditionalOptions `json:"options"`
+}
+
 // ResultsAPIProperties defines the fields which are configurable for
 // Results API server config
 type ResultsAPIProperties struct {

pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go

@@ -37,3 +37,18 @@ func (i *InstallerSetClient) ListCustomSet(ctx context.Context, labelSelector st
 	}
 	return is, nil
 }
+
+// ListPreSet return the lists of Pre sets with the provided labelSelector
+func (i *InstallerSetClient) ListPreSet(ctx context.Context, labelSelector string) (*v1alpha1.TektonInstallerSetList, error) {
+	logger := logging.FromContext(ctx)
+	logger.Debugf("%v: checking installer sets with labels: %v", i.resourceKind, labelSelector)
+
+	is, err := i.clientSet.List(ctx, v1.ListOptions{LabelSelector: labelSelector})
+	if err != nil {
+		return nil, err
+	}
+	if len(is.Items) == 0 {
+		logger.Debugf("%v: no installer sets found with labels: %v", i.resourceKind, labelSelector)
+	}
+	return is, nil
+}

pkg/reconciler/kubernetes/tektoninstallerset/client/list.go

@@ -18,8 +18,17 @@ package tektonresult
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
+	"time"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -40,8 +49,11 @@ import (
 )
 
 const (
-	DbSecretName  = "tekton-results-postgres"
-	TlsSecretName = "tekton-results-tls"
+	DbSecretName          = "tekton-results-postgres"
+	TlsSecretName         = "tekton-results-tls"
+	CertificateBlockType  = "CERTIFICATE"
+	PostgresUser          = "result"
+	ECPrivateKeyBlockType = "EC PRIVATE KEY"
 )
 
 // Reconciler implements controller.Reconciler for TektonResult resources.
@@ -145,12 +157,24 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 		return errors.New(errMsg)
 	}
 
-	// check if the secrets are created
-	// TODO: Create secret automatically if they don't exist
-	// TODO: And remove this check in future release.
-	if err := r.validateSecretsAreCreated(ctx, tr); err != nil {
-		return err
+	// If the external database is disabled, create a default database and a TLS secret.
+	// Otherwise, verify if the default database secret is already created, and ensure the TLS secret is also created.
+	if !tr.Spec.IsExternalDB {
+		if err := r.createDBSecret(ctx, tr); err != nil {
+			return err
+		}
+		if err := r.createTLSSecret(ctx, tr); err != nil {
+			return err
+		}
+	} else {
+		if err := r.validateSecretsAreCreated(ctx, tr, DbSecretName); err != nil {
+			return err
+		}
+		if err := r.createTLSSecret(ctx, tr); err != nil {
+			return err
+		}
 	}
+
 	tr.Status.MarkDependenciesInstalled()
 
 	if err := r.extension.PreReconcile(ctx, tr); err != nil {
@@ -314,17 +338,186 @@ func (r *Reconciler) updateTektonResultsStatus(ctx context.Context, tr *v1alpha1
 }
 
 // TektonResults expects secrets to be created before installing
-func (r *Reconciler) validateSecretsAreCreated(ctx context.Context, tr *v1alpha1.TektonResult) error {
+func (r *Reconciler) validateSecretsAreCreated(ctx context.Context, tr *v1alpha1.TektonResult, secretName string) error {
 	logger := logging.FromContext(ctx)
-	_, err := r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Get(ctx, DbSecretName, metav1.GetOptions{})
+	_, err := r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Get(ctx, secretName, metav1.GetOptions{})
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			logger.Error(err)
-			tr.Status.MarkDependencyMissing(fmt.Sprintf("%s secret is missing", DbSecretName))
+			tr.Status.MarkDependencyMissing(fmt.Sprintf("%s secret is missing", secretName))
 			return err
 		}
 		logger.Error(err)
 		return err
 	}
 	return nil
 }
+
+// Generate the DB secret
+func (r *Reconciler) generateDBSecret(name string, namespace string, tr *v1alpha1.TektonResult) (*corev1.Secret, error) {
+	s := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            name,
+			Namespace:       namespace,
+			OwnerReferences: []metav1.OwnerReference{getOwnerRef(tr)},
+		},
+		Type:       corev1.SecretTypeOpaque,
+		StringData: map[string]string{},
+	}
+	password, err := generateRandomBaseString(20)
+	if err != nil {
+		return nil, err
+	}
+	s.StringData["POSTGRES_PASSWORD"] = password
+	s.StringData["POSTGRES_USER"] = PostgresUser
+	return s, nil
+}
+
+// Create Result default database secret
+func (r *Reconciler) createDBSecret(ctx context.Context, tr *v1alpha1.TektonResult) error {
+	logger := logging.FromContext(ctx)
+
+	// Get the DB secret, if not found then create the DB secret
+	_, err := r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Get(ctx, DbSecretName, metav1.GetOptions{})
+	if err == nil {
+		return nil
+	}
+	if !apierrors.IsNotFound(err) {
+		logger.Errorf("failed to find default TektonResult database secret %s in namespace %s: %v", DbSecretName, tr.Spec.TargetNamespace, err)
+		return err
+	}
+	newDBSecret, err := r.generateDBSecret(DbSecretName, tr.Spec.TargetNamespace, tr)
+	if err != nil {
+		logger.Errorf("failed to generate default TektonResult database secret %s: %s", DbSecretName, err)
+		return err
+	}
+	_, err = r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Create(ctx, newDBSecret, metav1.CreateOptions{})
+	if err != nil {
+		logger.Errorf("failed to create default TektonResult database secret %s in namespace %s: %v", DbSecretName, tr.Spec.TargetNamespace, err)
+		tr.Status.MarkDependencyMissing(fmt.Sprintf("Default db %s creation is failing", DbSecretName))
+		return err
+	}
+	return nil
+}
+
+// Create default TLS certificates for the database
+func (r *Reconciler) createTLSSecret(ctx context.Context, tr *v1alpha1.TektonResult) error {
+	logger := logging.FromContext(ctx)
+
+	_, err := r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Get(ctx, TlsSecretName, metav1.GetOptions{})
+	if err == nil {
+		return nil
+	}
+	if !apierrors.IsNotFound(err) {
+		logger.Errorf("failed to find default TektonResult TLS secret %s in namespace %s: %v", TlsSecretName, tr.Spec.TargetNamespace, err)
+		return err
+	}
+	certPEM, keyPEM, err := generateTLSCertificate(tr.Spec.TargetNamespace)
+	if err != nil {
+		logger.Errorf("failed to generate default TektonResult TLS certificate: %v", err)
+		return err
+	}
+	// Create Kubernetes TLS secret
+	err = r.createKubernetesTLSSecret(ctx, tr.Spec.TargetNamespace, TlsSecretName, certPEM, keyPEM, tr)
+	if err != nil {
+		logger.Errorf("failed to create TLS secret %s in namespace %s: %v", TlsSecretName, tr.Spec.TargetNamespace, err)
+
+	}
+	return nil
+}
+
+// Get an owner reference of Tekton Result
+func getOwnerRef(tr *v1alpha1.TektonResult) metav1.OwnerReference {
+	return *metav1.NewControllerRef(tr, tr.GroupVersionKind())
+}
+
+func generateRandomBaseString(size int) (string, error) {
+	bytes := make([]byte, size)
+
+	// Generate random bytes
+	_, err := rand.Read(bytes)
+	if err != nil {
+		return "", err
+	}
+	// Encode the random bytes into a Base64 string
+	base64String := base64.StdEncoding.EncodeToString(bytes)
+
+	return base64String, nil
+}
+
+// generateTLSCertificate generates a self-signed TLS certificate and private key.
+func generateTLSCertificate(targetNS string) (certPEM, keyPEM []byte, err error) {
+
+	// Define subject and DNS names
+	dnsName := fmt.Sprintf("tekton-results-api-service.%s.svc.cluster.local", targetNS)
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(365 * 24 * time.Hour)
+
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Issuer:       pkix.Name{},
+		Subject: pkix.Name{
+			CommonName: dnsName,
+		},
+		DNSNames:              []string{dnsName},
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM = pem.EncodeToMemory(&pem.Block{Type: CertificateBlockType, Bytes: certDER})
+
+	privBytes, err := x509.MarshalECPrivateKey(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyPEM = pem.EncodeToMemory(&pem.Block{Type: ECPrivateKeyBlockType, Bytes: privBytes})
+
+	return certPEM, keyPEM, nil
+}
+
+// createKubernetesSecret creates a Kubernetes TLS secret with the given cert and key.
+func (r *Reconciler) createKubernetesTLSSecret(ctx context.Context, namespace, secretName string, certPEM, keyPEM []byte, tr *v1alpha1.TektonResult) error {
+
+	// Define the secret
+	logger := logging.FromContext(ctx)
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: namespace,
+		},
+		Type: corev1.SecretTypeTLS,
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       certPEM,
+			corev1.TLSPrivateKeyKey: keyPEM,
+		},
+	}
+
+	_, err := r.kubeClientSet.CoreV1().Secrets(tr.Spec.TargetNamespace).Create(ctx, secret, metav1.CreateOptions{})
+	if err != nil {
+		logger.Errorf("failed to create TLS secret %s in namespace %s: %v", secretName, namespace, err)
+		tr.Status.MarkDependencyMissing(fmt.Sprintf("Default TLS Secret %s creation is failing", secretName))
+		return err
+	}
+
+	logger.Infof("Secret '%s' created successfully in namespace '%s'\n", secretName, namespace)
+	return nil
+}

pkg/reconciler/kubernetes/tektonresult/tektonresult.go

@@ -72,7 +72,7 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 		logger.Fatalf("Failed to fetch logs RBAC manifest: %v", err)
 	}
 
-	ext := openshiftExtension{
+	ext := &openshiftExtension{
 		installerSetClient: client.NewInstallerSetClient(operatorclient.Get(ctx).OperatorV1alpha1().TektonInstallerSets(),
 			version, "results-ext", v1alpha1.KindTektonResult, nil),
 		internalDBManifest: internalDBManifest,
@@ -87,6 +87,7 @@ type openshiftExtension struct {
 	routeManifest      *mf.Manifest
 	internalDBManifest *mf.Manifest
 	logsRBACManifest   *mf.Manifest
+	removePreset       bool
 }
 
 func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
@@ -102,14 +103,20 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 	}
 }
 
-func (oe openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
+func (oe *openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
 	result := tc.(*v1alpha1.TektonResult)
-
 	mf := mf.Manifest{}
+
 	if !result.Spec.IsExternalDB {
 		mf = *oe.internalDBManifest
+		oe.removePreset = true
+	}
+	if result.Spec.IsExternalDB && oe.removePreset {
+		if err := oe.installerSetClient.CleanupPreSet(ctx); err != nil {
+			return err
+		}
+		oe.removePreset = false
 	}
-
 	if (result.Spec.LokiStackName != "" && result.Spec.LokiStackNamespace != "") ||
 		strings.EqualFold(result.Spec.LogsType, "LOKI") {
 		mf = mf.Append(*oe.logsRBACManifest)