Merge pull request #331 from slauger/develop

slauger · web-flow · commit 60fa24ddbbde · 2026-04-23T21:20:52.000+02:00
Release v0.5.0 (minor)
diff --git a/.github/workflows/_container-build.yaml b/.github/workflows/_container-build.yaml
@@ -168,7 +168,7 @@ jobs:
 
       - name: Install cosign
         if: inputs.sign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@v4.1.1
 
       - name: Create and push manifest
         run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Run semantic-release
         id: semantic
-        uses: cycjimmy/semantic-release-action@v4
+        uses: cycjimmy/semantic-release-action@v6.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/api/v1alpha1/config_types.go b/api/v1alpha1/config_types.go
@@ -361,9 +361,24 @@ type PuppetSpec struct {
 	// +optional
 	Reports string `json:"reports,omitempty"`
 
-	// ExtraConfig is a map of additional puppet.conf entries.
+	// ExtraConfig adds additional puppet.conf entries to specific INI sections.
 	// +optional
-	ExtraConfig map[string]string `json:"extraConfig,omitempty"`
+	ExtraConfig *PuppetExtraConfig `json:"extraConfig,omitempty"`
+}
+
+// PuppetExtraConfig holds additional puppet.conf entries per INI section.
+type PuppetExtraConfig struct {
+	// Main adds entries to the [main] section.
+	// +optional
+	Main map[string]string `json:"main,omitempty"`
+
+	// Server adds entries to the [server] section.
+	// +optional
+	Server map[string]string `json:"server,omitempty"`
+
+	// Agent adds entries to the [agent] section.
+	// +optional
+	Agent map[string]string `json:"agent,omitempty"`
 }
 
 // PuppetDBSpec defines the OpenVox DB connection.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/openvox-operator/crds/openvox.voxpupuli.org_configs.yaml b/charts/openvox-operator/crds/openvox.voxpupuli.org_configs.yaml
@@ -211,9 +211,24 @@ spec:
                       When unset, Puppet's default (0 = no caching) is used.
                     type: string
                   extraConfig:
-                    additionalProperties:
-                      type: string
-                    description: ExtraConfig is a map of additional puppet.conf entries.
+                    description: ExtraConfig adds additional puppet.conf entries to
+                      specific INI sections.
+                    properties:
+                      agent:
+                        additionalProperties:
+                          type: string
+                        description: Agent adds entries to the [agent] section.
+                        type: object
+                      main:
+                        additionalProperties:
+                          type: string
+                        description: Main adds entries to the [main] section.
+                        type: object
+                      server:
+                        additionalProperties:
+                          type: string
+                        description: Server adds entries to the [server] section.
+                        type: object
                     type: object
                   hieraConfig:
                     default: $confdir/hiera.yaml
diff --git a/charts/openvox-stack/tests/config_test.yaml b/charts/openvox-stack/tests/config_test.yaml
@@ -180,20 +180,27 @@ tests:
           path: spec.puppet.storeBackend
           value: puppetdb
 
-  - it: should propagate puppet extraConfig
+  - it: should propagate puppet extraConfig sections
     set:
       config:
         puppet:
           extraConfig:
-            strict_variables: "true"
-            parser: future
+            main:
+              environment: staging
+            server:
+              strict_variables: "true"
+            agent:
+              noop: "true"
     asserts:
       - equal:
-          path: spec.puppet.extraConfig.strict_variables
+          path: spec.puppet.extraConfig.main.environment
+          value: staging
+      - equal:
+          path: spec.puppet.extraConfig.server.strict_variables
           value: "true"
       - equal:
-          path: spec.puppet.extraConfig.parser
-          value: future
+          path: spec.puppet.extraConfig.agent.noop
+          value: "true"
 
   - it: should propagate puppetserver settings
     set:
diff --git a/charts/openvox-stack/values.yaml b/charts/openvox-stack/values.yaml
@@ -22,8 +22,11 @@ config:
     reports: store
     extraConfig: {}
     # extraConfig:
-    #   strict_variables: "true"
-    #   parser: future
+    #   main:
+    #     environment: production
+    #   server:
+    #     strict_variables: "true"
+    #   agent: {}
   code:
     image: ""
     imagePullPolicy: IfNotPresent
diff --git a/config/crd/bases/openvox.voxpupuli.org_configs.yaml b/config/crd/bases/openvox.voxpupuli.org_configs.yaml
@@ -211,9 +211,24 @@ spec:
                       When unset, Puppet's default (0 = no caching) is used.
                     type: string
                   extraConfig:
-                    additionalProperties:
-                      type: string
-                    description: ExtraConfig is a map of additional puppet.conf entries.
+                    description: ExtraConfig adds additional puppet.conf entries to
+                      specific INI sections.
+                    properties:
+                      agent:
+                        additionalProperties:
+                          type: string
+                        description: Agent adds entries to the [agent] section.
+                        type: object
+                      main:
+                        additionalProperties:
+                          type: string
+                        description: Main adds entries to the [main] section.
+                        type: object
+                      server:
+                        additionalProperties:
+                          type: string
+                        description: Server adds entries to the [server] section.
+                        type: object
                     type: object
                   hieraConfig:
                     default: $confdir/hiera.yaml
diff --git a/docs/concepts/architecture.md b/docs/concepts/architecture.md
@@ -138,6 +138,8 @@ Server pods can optionally use `readOnlyRootFilesystem: true` for security harde
 | `logback-xml` | ConfigMap | `.../puppetserver/logback.xml` | Yes | Logging configuration |
 | `metrics-conf` | ConfigMap | `.../conf.d/metrics.conf` | Yes | Metrics endpoint configuration |
 | `puppetserver-data` | emptyDir | `/run/puppetserver` | No | Server runtime data (`server-var-dir`) |
+| `puppet-cache` | emptyDir | `/opt/puppetlabs/puppet/cache` | No | Puppet vardir (facts, state, lib) |
+| `puppet-run` | emptyDir | `/var/run/puppetlabs` | No | Puppet rundir (PID files) |
 | `tmp` | emptyDir | `/tmp` | No | Temporary files |
 | `var-log` | emptyDir | `/var/log/puppetlabs` | No | Server logs |
 
@@ -240,7 +242,7 @@ The operator uses a minimal container image:
 
 **Included:**
 
-- UBI9 + JDK 17
+- UBI9 + JDK 21
 - Tarball installation (puppet-server-release.jar, CLI tools, vendored JRuby gems)
 - OpenVox DB termini
 - OpenShift random-UID pattern (chgrp 0, chmod g=u)
diff --git a/docs/reference/config.md b/docs/reference/config.md
@@ -49,7 +49,28 @@ spec:
 | `storeconfigs` | bool | `true` | Enable storeconfigs |
 | `storeBackend` | string | `puppetdb` | Storeconfigs backend |
 | `reports` | string | `puppetdb` | Report processors |
-| `extraConfig` | map[string]string | - | Additional puppet.conf entries |
+| `extraConfig` | [PuppetExtraConfig](#puppetextraconfig) | - | Additional puppet.conf entries per INI section |
+
+### PuppetExtraConfig
+
+Additional puppet.conf entries grouped by INI section.
+
+| Field | Type | Default | Description |
+|---|---|---|---|
+| `main` | map[string]string | - | Entries for the `[main]` section |
+| `server` | map[string]string | - | Entries for the `[server]` section |
+| `agent` | map[string]string | - | Entries for the `[agent]` section |
+
+Example:
+
+```yaml
+puppet:
+  extraConfig:
+    main:
+      environment: staging
+    server:
+      strict_variables: "true"
+```
 
 ### PuppetDBSpec
 
diff --git a/images/openvox-agent/Containerfile b/images/openvox-agent/Containerfile
@@ -9,7 +9,7 @@
 # renovate: datasource=github-releases depName=OpenVoxProject/openvox
 ARG OPENVOX_AGENT_VERSION=8.26.2
 
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776834047
 
 ARG OPENVOX_AGENT_VERSION
 
diff --git a/images/openvox-db/Containerfile b/images/openvox-db/Containerfile
@@ -14,9 +14,9 @@ ARG OPENVOXDB_VERSION=8.12.1
 ################################################################################
 # Stage: base — JRE + minimal runtime deps
 ################################################################################
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994 AS base
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776834047 AS base
 
-ARG JDK_VERSION=17
+ARG JDK_VERSION=21
 
 RUN dnf install -y --allowerasing --setopt=install_weak_deps=False \
         java-${JDK_VERSION}-openjdk-headless \
diff --git a/images/openvox-e2e-code/Containerfile b/images/openvox-e2e-code/Containerfile
@@ -8,7 +8,7 @@
 #   podman build -t openvox-e2e-code:latest -f images/openvox-e2e-code/Containerfile .
 
 # Stage 1: Install modules with r10k
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994 AS builder
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776834047 AS builder
 
 RUN dnf module enable ruby:3.3 -y \
     && dnf install -y --setopt=install_weak_deps=False ruby ruby-devel rubygem-bundler git gcc make redhat-rpm-config libffi-devel \
diff --git a/images/openvox-mock/Containerfile b/images/openvox-mock/Containerfile
@@ -11,7 +11,7 @@ RUN go mod download
 COPY cmd/mock/ cmd/mock/
 RUN CGO_ENABLED=0 go build -o /openvox-mock ./cmd/mock/
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776645941
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776833838
 
 LABEL org.opencontainers.image.title="OpenVox Mock" \
       org.opencontainers.image.description="Mock ENC/Report/OpenVox DB receiver for E2E tests" \
diff --git a/images/openvox-operator/Containerfile b/images/openvox-operator/Containerfile
@@ -9,7 +9,7 @@ COPY internal/ internal/
 ARG TARGETARCH
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o manager ./cmd/main.go
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776645941
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776833838
 
 LABEL org.opencontainers.image.title="OpenVox Operator" \
       org.opencontainers.image.description="OpenVox Operator for Kubernetes/OpenShift" \
diff --git a/images/openvox-server-reference/Containerfile b/images/openvox-server-reference/Containerfile
@@ -4,7 +4,7 @@
 # Build:
 #   podman build -t openvox-server-reference:latest images/openvox-server-reference/
 
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776834047
 
 RUN rpm -Uvh https://yum.voxpupuli.org/openvox8-release-el-9.noarch.rpm \
     && dnf install -y --setopt=install_weak_deps=False openvox-server \
diff --git a/images/openvox-server/Containerfile b/images/openvox-server/Containerfile
@@ -17,9 +17,9 @@ ARG OPENVOX_VERSION=8.26.2
 ################################################################################
 # Stage: base — JRE + minimal runtime deps (no Ruby)
 ################################################################################
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994 AS base
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776834047 AS base
 
-ARG JDK_VERSION=17
+ARG JDK_VERSION=21
 
 RUN dnf install -y --allowerasing --setopt=install_weak_deps=False \
         java-${JDK_VERSION}-openjdk-headless \
diff --git a/internal/controller/certificate_controller.go b/internal/controller/certificate_controller.go
@@ -164,6 +164,22 @@ func (r *CertificateReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	tlsSecretName := fmt.Sprintf("%s-tls", cert.Name)
 
+	// Handle renewal phase before anything else - a Renewing cert must not
+	// be overridden by the adopt-existing-secret block below.
+	if cert.Status.Phase == openvoxv1alpha1.CertificatePhaseRenewing {
+		return r.reconcileCertRenewal(ctx, cert, ca)
+	}
+
+	// If the certificate is already signed, just schedule renewal checks.
+	// This avoids re-adopting the TLS Secret on every reconcile, which would
+	// reset the phase and prevent entering the Renewing state.
+	if cert.Status.Phase == openvoxv1alpha1.CertificatePhaseSigned {
+		if cert.Status.NotAfter == nil {
+			return ctrl.Result{RequeueAfter: RequeueIntervalShort}, nil
+		}
+		return r.scheduleRenewalCheck(ctx, cert)
+	}
+
 	// Check if TLS Secret already exists (may have been created by CA setup job)
 	if isSecretReady(ctx, r.Client, tlsSecretName, cert.Namespace, "cert.pem") {
 		if err := r.adoptTLSSecret(ctx, cert, tlsSecretName); err != nil {
@@ -192,11 +208,6 @@ func (r *CertificateReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return r.scheduleRenewalCheck(ctx, cert)
 	}
 
-	// Handle renewal phase
-	if cert.Status.Phase == openvoxv1alpha1.CertificatePhaseRenewing {
-		return r.reconcileCertRenewal(ctx, cert, ca)
-	}
-
 	// Sign certificate via CA HTTP API
 	return r.reconcileCertSigning(ctx, cert, ca)
 }
diff --git a/internal/controller/certificate_controller_test.go b/internal/controller/certificate_controller_test.go
@@ -235,6 +235,36 @@ func TestCertReconcile_RenewalTriggered(t *testing.T) {
 	}
 }
 
+func TestCertReconcile_RenewingPhaseNotOverriddenByAdopt(t *testing.T) {
+	// Regression test: a cert already in Renewing phase must not be reset to
+	// Signed by the adopt-existing-secret block on the next reconcile.
+	certPEM, keyPEM := generateTestCertWithExpiry(t, 30*24*time.Hour)
+
+	cert := newCertificate("my-cert", "test-ca", openvoxv1alpha1.CertificatePhaseRenewing)
+	cert.Status.NotAfter = parseCertNotAfter(testCtx(), certPEM)
+	cert.Status.SecretName = "my-cert-tls"
+	ca := newCertificateAuthority("test-ca")
+	tlsSecret := newSecret("my-cert-tls", map[string][]byte{
+		"cert.pem": certPEM,
+		"key.pem":  keyPEM,
+	})
+
+	c := setupTestClient(cert, ca, tlsSecret)
+	r := newCertificateReconciler(c)
+
+	// Reconcile should enter reconcileCertRenewal, not the adopt block.
+	// It will fail (no actual CA server) but must NOT reset the phase to Signed.
+	_, _ = r.Reconcile(testCtx(), testRequest("my-cert"))
+
+	updated := &openvoxv1alpha1.Certificate{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "my-cert", Namespace: testNamespace}, updated); err != nil {
+		t.Fatalf("failed to get Certificate: %v", err)
+	}
+	if updated.Status.Phase != openvoxv1alpha1.CertificatePhaseRenewing {
+		t.Errorf("expected phase %q to be preserved, got %q", openvoxv1alpha1.CertificatePhaseRenewing, updated.Status.Phase)
+	}
+}
+
 func TestCertReconcile_SignedCertNoRequeue_BecomesRequeue(t *testing.T) {
 	// Verify that a signed cert with valid NotAfter now returns RequeueAfter > 0
 	// (the old behavior was ctrl.Result{} with no requeue)
diff --git a/internal/controller/config_controller_test.go b/internal/controller/config_controller_test.go
diff --git a/internal/controller/config_rendering.go b/internal/controller/config_rendering.go
diff --git a/internal/controller/server_deployment.go b/internal/controller/server_deployment.go
diff --git a/tests/e2e/autosign-policy/chainsaw-test.yaml b/tests/e2e/autosign-policy/chainsaw-test.yaml
