diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
index f845fda..ffcf0e4 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -16,78 +16,125 @@ spec: singular: clusterissuer scope: Cluster versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterIssuer is the Schema for the clusterissuers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec defines the desired state of Issuer - properties: - caSecretName: - description: The name of the secret containing the CA bundle to use when verifying Command's server certificate. If specified, the CA bundle will be added to the client trust roots for the Command issuer. - type: string - certificateAuthorityHostname: - description: CertificateAuthorityHostname is the hostname associated with the Certificate Authority specified by CertificateAuthorityLogicalName E.g. "ca.example.com" - type: string - certificateAuthorityLogicalName: - description: CertificateAuthorityLogicalName is the logical name of the certificate authority to use E.g. "Keyfactor Root CA" or "Intermediate CA" - type: string - certificateTemplate: - description: CertificateTemplate is the name of the certificate template to use. Refer to the Keyfactor Command documentation for more information. - type: string - commandSecretName: - description: A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth credentials for the Command instance configured in Hostname. 
The secret must be in the same namespace as the referent. If the referent is a ClusterIssuer, the reference instead refers to the resource with the given name in the configured 'cluster resource namespace', which is set as a flag on the controller component (and defaults to the namespace that the controller runs in). - type: string - hostname: - description: Hostname is the hostname of a Keyfactor Command instance. - type: string - type: object - status: - description: IssuerStatus defines the observed state of Issuer - properties: - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} \ No newline at end of file + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterIssuer is the Schema for the clusterissuers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IssuerSpec defines the desired state of Issuer + properties: + apiPath: + default: KeyfactorAPI + description: APIPath is the base path of the Command API. KeyfactorAPI + by default + type: string + caSecretName: + description: |- + The name of the secret containing the CA bundle to use when verifying + Command's server certificate. If specified, the CA bundle will be added to + the client trust roots for the Command issuer. + type: string + certificateAuthorityHostname: + description: |- + CertificateAuthorityHostname is the hostname associated with the Certificate Authority specified by + CertificateAuthorityLogicalName E.g. "ca.example.com" + type: string + certificateAuthorityLogicalName: + description: |- + CertificateAuthorityLogicalName is the logical name of the certificate authority to use + E.g. "Keyfactor Root CA" or "Intermediate CA" + type: string + certificateTemplate: + description: |- + CertificateTemplate is the name of the certificate template to use. + Refer to the Keyfactor Command documentation for more information. + type: string + commandSecretName: + description: |- + A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth + credentials for the Command instance configured in Hostname. The secret must + be in the same namespace as the referent. 
If the + referent is a ClusterIssuer, the reference instead refers to the resource + with the given name in the configured 'cluster resource namespace', which + is set as a flag on the controller component (and defaults to the + namespace that the controller runs in). + type: string + hostname: + description: Hostname is the hostname of a Keyfactor Command instance. + type: string + scopes: + description: |- + A list of comma separated scopes used when requesting a Bearer token from an ambient token provider implied + by the environment, rather than by commandSecretName. For example, could be set to + api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no + effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret. + type: string + type: object + status: + description: IssuerStatus defines the observed state of Issuer + properties: + conditions: + description: |- + List of status conditions to indicate the status of a CertificateRequest. + Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). 
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- end }}
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
index de8de0b..f13ffc9 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
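Review bot: The new `scopes` field is typed `string` while its description calls it "a list of comma separated scopes", and nothing here says how the value is split (whitespace trimming, empty entries) or which key of the "Opaque secret" carries the scopes for the OAuth client-credential path. The identical text is in the issuers.yaml hunk that follows. Both CRDs look like controller-gen output (the `|-` descriptions and the `required`/`enum` blocks are its shape), so the wording presumably belongs on the Go API type's field comment rather than in the chart template; either make the field `type: array` with `items: type: string`, or extend the description with the exact splitting rule and the secret key name once those are confirmed against the parsing code. It is also worth stating in `certificateAuthorityHostname`'s description that the field is optional, since the command.go hunk in this same commit stops requiring it.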
@@ -16,78 +16,125 @@ spec: singular: issuer scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Issuer is the Schema for the issuers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IssuerSpec defines the desired state of Issuer - properties: - caSecretName: - description: The name of the secret containing the CA bundle to use when verifying Command's server certificate. If specified, the CA bundle will be added to the client trust roots for the Command issuer. - type: string - certificateAuthorityHostname: - description: CertificateAuthorityHostname is the hostname associated with the Certificate Authority specified by CertificateAuthorityLogicalName E.g. "ca.example.com" - type: string - certificateAuthorityLogicalName: - description: CertificateAuthorityLogicalName is the logical name of the certificate authority to use E.g. "Keyfactor Root CA" or "Intermediate CA" - type: string - certificateTemplate: - description: CertificateTemplate is the name of the certificate template to use. Refer to the Keyfactor Command documentation for more information. - type: string - commandSecretName: - description: A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth credentials for the Command instance configured in Hostname. 
The secret must be in the same namespace as the referent. If the referent is a ClusterIssuer, the reference instead refers to the resource with the given name in the configured 'cluster resource namespace', which is set as a flag on the controller component (and defaults to the namespace that the controller runs in). - type: string - hostname: - description: Hostname is the hostname of a Keyfactor Command instance. - type: string - type: object - status: - description: IssuerStatus defines the observed state of Issuer - properties: - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} \ No newline at end of file + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Issuer is the Schema for the issuers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IssuerSpec defines the desired state of Issuer + properties: + apiPath: + default: KeyfactorAPI + description: APIPath is the base path of the Command API. KeyfactorAPI + by default + type: string + caSecretName: + description: |- + The name of the secret containing the CA bundle to use when verifying + Command's server certificate. If specified, the CA bundle will be added to + the client trust roots for the Command issuer. + type: string + certificateAuthorityHostname: + description: |- + CertificateAuthorityHostname is the hostname associated with the Certificate Authority specified by + CertificateAuthorityLogicalName E.g. "ca.example.com" + type: string + certificateAuthorityLogicalName: + description: |- + CertificateAuthorityLogicalName is the logical name of the certificate authority to use + E.g. "Keyfactor Root CA" or "Intermediate CA" + type: string + certificateTemplate: + description: |- + CertificateTemplate is the name of the certificate template to use. + Refer to the Keyfactor Command documentation for more information. + type: string + commandSecretName: + description: |- + A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth + credentials for the Command instance configured in Hostname. The secret must + be in the same namespace as the referent. 
If the + referent is a ClusterIssuer, the reference instead refers to the resource + with the given name in the configured 'cluster resource namespace', which + is set as a flag on the controller component (and defaults to the + namespace that the controller runs in). + type: string + hostname: + description: Hostname is the hostname of a Keyfactor Command instance. + type: string + scopes: + description: |- + A list of comma separated scopes used when requesting a Bearer token from an ambient token provider implied + by the environment, rather than by commandSecretName. For example, could be set to + api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no + effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret. + type: string + type: object + status: + description: IssuerStatus defines the observed state of Issuer + properties: + conditions: + description: |- + List of status conditions to indicate the status of a CertificateRequest. + Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). 
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- end }}
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
index 4806cc0..49169d7 100644
--- a/deploy/charts/command-cert-manager-issuer/values.yaml
+++ b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -1,10 +1,10 @@
-# Default values for ejbca-cert-manager-issuer chart.
+# Default values for command-cert-manager-issuer chart.
-# The number of replica ejbca-cert-manager-issuers to run
+# The number of replica command-cert-manager-issuers to run
 replicaCount: 1
 image:
- repository: ""
+ repository: "keyfactor/command-cert-manager-issuer"
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
diff --git a/internal/command/command.go b/internal/command/command.go
index cee0bc4..53a3f13 100644
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -256,9 +256,6 @@ func (s *SignConfig) validate() error {
 if s.CertificateAuthorityLogicalName == "" {
 return errors.New("certificateAuthorityLogicalName is required")
 }
- if s.CertificateAuthorityHostname == "" {
- return errors.New("certificateAuthorityHostname is required")
- }
 return nil
 }
diff --git a/internal/command/command_test.go b/internal/command/command_test.go
index c429e99..27f8e64 100644
--- a/internal/command/command_test.go
+++ b/internal/command/command_test.go
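Review bot: `validate()` now accepts an empty `CertificateAuthorityHostname`, but neither the function nor the regenerated CRD descriptions in this commit record that the field is optional or what the enrollment call does with an empty value (presumably the CA is then resolved by `CertificateAuthorityLogicalName` alone — confirm against the caller). A one-line comment after the logical-name check, `// CertificateAuthorityHostname is intentionally not required here.`, would keep the next reader from reinstating the check, and the same statement belongs on the `SignConfig` field comment so that the controller-gen CRD text picks it up. `validate()` begins before this hunk, so the field comment itself is not visible here.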
@@ -209,11 +209,6 @@ func TestSignConfigValidate(t *testing.T) {
 config: &SignConfig{CertificateTemplate: "myTemplate", CertificateAuthorityLogicalName: "", CertificateAuthorityHostname: "ca.example.com"},
 wantErr: "certificateAuthorityLogicalName is required",
 },
- {
- name: "missing certificateAuthorityHostname",
- config: &SignConfig{CertificateTemplate: "myTemplate", CertificateAuthorityLogicalName: "ca-logical", CertificateAuthorityHostname: ""},
- wantErr: "certificateAuthorityHostname is required",
- },
 {
 name: "all valid fields",
 config: &SignConfig{CertificateTemplate: "myTemplate", CertificateAuthorityLogicalName: "ca-logical", CertificateAuthorityHostname: "ca.example.com"},
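Review bot: Dropping the "missing certificateAuthorityHostname" case leaves the new behaviour untested: no entry in `TestSignConfigValidate` now shows that an empty `CertificateAuthorityHostname` with the other two fields set validates cleanly, so a later reinstated check would go unnoticed. Add a positive entry next to "all valid fields", e.g. `{name: "empty certificateAuthorityHostname is allowed", config: &SignConfig{CertificateTemplate: "myTemplate", CertificateAuthorityLogicalName: "ca-logical", CertificateAuthorityHostname: ""}}`, using whatever `wantErr` value the table uses for the no-error case (the "all valid fields" entry runs past this hunk, so its form is not visible). The test table and the function continue outside the hunk.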