From 9c0eb79083eab2a1873f1bc243bba5e994da5fd6 Mon Sep 17 00:00:00 2001
From: Firas Ghanmi
Date: Thu, 6 Nov 2025 15:27:09 +0100
Subject: [PATCH] add ctlog-monitor
---
 .tekton/ctlog-monitor-pull-request.yaml | 59 ++++++++++++++++++++
 .tekton/ctlog-monitor-push.yaml | 55 ++++++++++++++++++
 .tekton/rekor-monitor-pull-request.yaml | 4 +-
 .tekton/rekor-monitor-push.yaml | 4 +-
 Dockerfile.ctlog-monitor.rh | 29 ++++++++++
 Dockerfile.rh => Dockerfile.rekor-monitor.rh | 0
 6 files changed, 147 insertions(+), 4 deletions(-)
 create mode 100644 .tekton/ctlog-monitor-pull-request.yaml
 create mode 100644 .tekton/ctlog-monitor-push.yaml
 create mode 100644 Dockerfile.ctlog-monitor.rh
 rename Dockerfile.rh => Dockerfile.rekor-monitor.rh (100%)
diff --git a/.tekton/ctlog-monitor-pull-request.yaml b/.tekton/ctlog-monitor-pull-request.yaml
new file mode 100644
index 00000000..990131fb
--- /dev/null
+++ b/.tekton/ctlog-monitor-pull-request.yaml
@@ -0,0 +1,59 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/securesign/rekor-monitor?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/cancel-in-progress: "true"
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" &&
+ ( "Dockerfile.ctlog-monitor.rh".pathChanged() || ".tekton/ctlog-monitor-pull-request.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/ct_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rekor-monitor
+ appstudio.openshift.io/component: ctlog-monitor
+ pipelines.appstudio.openshift.io/type: build
+ name: ctlog-monitor-on-pull-request
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image
+ value: quay.io/securesign/ctlog-monitor:on-pr-{{revision}}
+ - name: image-expires-after
+ value: 5d
+ - name: dockerfile
+ value: Dockerfile.ctlog-monitor.rh
+ - name: path-context
+ value: .
+ - name: build-source-image
+ value: "true"
+ - name: hermetic
+ value: "true"
+ - name: prefetch-input
+ value: [{"path": ".", "type": "gomod"}]
+ - name: go_unit_test
+ value: true
+ - name: go_base_image
+ value: registry.redhat.io/ubi9/go-toolset:1.24@sha256:6fd64cd7f38a9b87440f963b6c04953d04de65c35b9672dbd7f1805b0ae20d09
+ pipelineRef:
+ resolver: git
+ params:
+ - name: url
+ value: 'https://github.com/securesign/pipelines.git'
+ - name: revision
+ value: 'main'
+ - name: pathInRepo
+ value: 'pipelines/docker-build-oci-ta.yaml'
+ taskRunTemplate:
+ serviceAccountName: build-pipeline-ctlog-monitor
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/ctlog-monitor-push.yaml b/.tekton/ctlog-monitor-push.yaml
new file mode 100644
index 00000000..ee064f7c
--- /dev/null
+++ b/.tekton/ctlog-monitor-push.yaml
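Review bot: The `go_base_image` param pins `registry.redhat.io/ubi9/go-toolset:1.24@sha256:6fd64…`, while `Dockerfile.ctlog-monitor.rh` in this same patch builds the binary on `go-toolset:9.6@sha256:7b1828…`; if `go_base_image` is what the unit-test task runs on (the referenced `pipelines/docker-build-oci-ta.yaml` is not in the patch, so this is inferred), tests and the shipped binary would use two different toolchains, and the two digests should be aligned. The same applies to `.tekton/ctlog-monitor-push.yaml`. Separately, the push PipelineRun has `taskRunTemplate: {}` where this one sets `serviceAccountName: build-pipeline-ctlog-monitor`; if the push build is meant to run under the component's service account as well, add the same line there. Finally, `pipelineRef` resolves `revision: 'main'` of `securesign/pipelines.git`, so the build definition itself is unpinned; a tag or commit would make builds reproducible, unless the sibling rekor-monitor runs intentionally track `main`.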
@@ -0,0 +1,55 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/securesign/rekor-monitor?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/cancel-in-progress: "false"
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" &&
+ ( "Dockerfile.ctlog-monitor.rh".pathChanged() || ".tekton/ctlog-monitor-push.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/ct_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rekor-monitor
+ appstudio.openshift.io/component: ctlog-monitor
+ pipelines.appstudio.openshift.io/type: build
+ name: ctlog-monitor-on-push
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image
+ value: quay.io/securesign/ctlog-monitor:{{revision}}
+ - name: dockerfile
+ value: Dockerfile.ctlog-monitor.rh
+ - name: path-context
+ value: .
+ - name: build-source-image
+ value: "true"
+ - name: hermetic
+ value: "true"
+ - name: prefetch-input
+ value: [{"path": ".", "type": "gomod"}]
+ - name: go_unit_test
+ value: true
+ - name: go_base_image
+ value: registry.redhat.io/ubi9/go-toolset:1.24@sha256:6fd64cd7f38a9b87440f963b6c04953d04de65c35b9672dbd7f1805b0ae20d09
+ pipelineRef:
+ resolver: git
+ params:
+ - name: url
+ value: 'https://github.com/securesign/pipelines.git'
+ - name: revision
+ value: 'main'
+ - name: pathInRepo
+ value: 'pipelines/docker-build-oci-ta.yaml'
+ taskRunTemplate: {}
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/rekor-monitor-pull-request.yaml b/.tekton/rekor-monitor-pull-request.yaml
index b682c6ed..d98cc553 100644
--- a/.tekton/rekor-monitor-pull-request.yaml
+++ b/.tekton/rekor-monitor-pull-request.yaml
@@ -9,7 +9,7 @@ metadata:
 pipelinesascode.tekton.dev/cancel-in-progress: "true"
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" &&
- ( "Dockerfile.rh".pathChanged() || ".tekton/rekor-monitor-pull-request.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/rekor_monitor/***".pathChanged() || "cmd/ct_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
+ ( "Dockerfile.rekor-monitor.rh".pathChanged() || ".tekton/rekor-monitor-pull-request.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/rekor_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: rekor-monitor
@@ -28,7 +28,7 @@ spec:
 - name: image-expires-after
 value: 5d
 - name: dockerfile
- value: Dockerfile.rh
+ value: Dockerfile.rekor-monitor.rh
 - name: path-context
 value: .
 - name: build-source-image
diff --git a/.tekton/rekor-monitor-push.yaml b/.tekton/rekor-monitor-push.yaml
index 6700f6e0..e43f4973 100644
--- a/.tekton/rekor-monitor-push.yaml
+++ b/.tekton/rekor-monitor-push.yaml
@@ -8,7 +8,7 @@ metadata:
 pipelinesascode.tekton.dev/cancel-in-progress: "false"
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" &&
- ( "Dockerfile.rh".pathChanged() || ".tekton/rekor-monitor-push.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/rekor_monitor/***".pathChanged() || "cmd/ct_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
+ ( "Dockerfile.rekor-monitor.rh".pathChanged() || ".tekton/rekor-monitor-push.yaml".pathChanged()|| "go.mod".pathChanged() || "go.sum".pathChanged() || "cmd/rekor_monitor/***".pathChanged() || "pkg/***".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: rekor-monitor
@@ -25,7 +25,7 @@ spec:
 - name: output-image
 value: quay.io/securesign/rekor-monitor:{{revision}}
 - name: dockerfile
- value: Dockerfile.rh
+ value: Dockerfile.rekor-monitor.rh
 - name: path-context
 value: .
 - name: build-source-image
diff --git a/Dockerfile.ctlog-monitor.rh b/Dockerfile.ctlog-monitor.rh
new file mode 100644
index 00000000..90a60686
--- /dev/null
+++ b/Dockerfile.ctlog-monitor.rh
@@ -0,0 +1,29 @@
+# Build stage
+FROM registry.redhat.io/ubi9/go-toolset:9.6@sha256:7b1828de52c3bac600a71b81996bf748776a456181a45e2b329b39702cf6486f AS builder
+
+WORKDIR /app
+
+COPY . .
+
+RUN go mod vendor
+RUN go build -buildvcs=false -o ctlog_monitor ./cmd/ct_monitor
+
+# Final stage
+FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7
+
+COPY --from=builder /app/ctlog_monitor /ctlog_monitor
+
+LABEL description="ctlog_monitor is a monitoring tool for the certificate transparency log."
+LABEL io.k8s.description="ctlog_monitor is a monitoring tool for the certificate transparency log."
+LABEL io.k8s.display-name="ctlog-monitor container image for Red Hat Trusted Signer"
+LABEL io.openshift.tags="ctlog-monitor trusted-signer"
+LABEL summary="Provides the ctlog_monitor binary for continuously monitoring the transparency log state of a Ctlog server, performing consistency checks."
+LABEL com.redhat.component="ctlog-monitor"
+LABEL name="rhtas/ctlog-monitor-rhel9"
+
+COPY LICENSE /licenses/LICENSE
+
+USER 65532:65532
+
+#ENTRYPOINT
+ENTRYPOINT ["/ctlog_monitor"]
diff --git a/Dockerfile.rh b/Dockerfile.rekor-monitor.rh
similarity index 100%
rename from Dockerfile.rh
rename to Dockerfile.rekor-monitor.rh
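Review bot: The builder stage splits `go mod vendor` and `go build` into two `RUN` layers and builds without `-trimpath`, so the vendor tree is snapshotted on its own and absolute build-host paths are embedded in the shipped binary; a single step `RUN go mod vendor && go build -trimpath -buildvcs=false -o ctlog_monitor ./cmd/ct_monitor` avoids both and keeps the build reproducible. The stray `#ENTRYPOINT` comment immediately above `ENTRYPOINT ["/ctlog_monitor"]` carries no information and should be dropped. The seven single-key `LABEL` instructions read more cleanly as one `LABEL` with `\` continuations and produce one metadata layer instead of seven. The final stage is sound on the points that matter for a shipped image: digest-pinned `ubi-minimal`, numeric `USER 65532:65532`, and an exec-form `ENTRYPOINT`.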