Merge pull request #20 from Keyfactor/v1.0.5
V1.0.5
m8rmclaren authored Dec 20, 2023
2 parents 037e9d9 + 2f3bf59 commit 31dd7dd
Showing 24 changed files with 581 additions and 136 deletions.
11 changes: 10 additions & 1 deletion CHANGELOG.md
@@ -8,4 +8,13 @@
* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.

# v1.0.5

## Features
* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.

## Fixes
* fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
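Review bot: the Features and Fixes entries describe the new behaviour but never name the setting that selects it; add the Helm value `secretConfig.useClusterRoleForSecretAccess` (default `false`) and the controller flag `--secret-access-granted-at-cluster-level` to these entries so operators upgrading to v1.0.5 can find the switch and see that the default is the namespace-scoped mode. The adjacent duplicated `fix(role)` lines look like a whitespace-only change to the last line of the previous section; fine, but worth confirming nothing else differs there.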
2 changes: 1 addition & 1 deletion api/v1alpha1/clusterissuer_types.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
2 changes: 1 addition & 1 deletion api/v1alpha1/groupversion_info.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
2 changes: 1 addition & 1 deletion api/v1alpha1/issuer_types.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
74 changes: 45 additions & 29 deletions deploy/charts/command-cert-manager-issuer/README.md
@@ -18,56 +18,72 @@ The Command external issuer for cert-manager allows users to enroll certificates

### Add Helm Repository

```bash
```shell
helm repo add command-issuer https://keyfactor.github.io/command-cert-manager-issuer
helm repo update
```

### Install Chart

```bash
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer
```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--namespace command-issuer-system \
--create-namespace \
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
--set image.tag=<tag> \
--set crd.create=true \
# --set image.pullPolicy=Never # Only required if using a local image
```

Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `replicaCount` value, run the following command:
```bash
Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `secretConfig.useClusterRoleForSecretAccess` to configure the chart to use a cluster role for secret access, run the following command:

```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--set replicaCount=2
--namespace command-issuer-system \
--create-namespace \
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
--set image.tag=<tag> \
--set crd.create=true \
--set secretConfig.useClusterRoleForSecretAccess=true
```

Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `replicaCount` value, modify the `replicaCount` value in the `values.yaml` file:
Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `secretConfig.useClusterRoleForSecretAccess` value to configure the chart to use a cluster role for secret access, modify the `secretConfig.useClusterRoleForSecretAccess` value in the `values.yaml` file by creating an override file:
```yaml
cat <<EOF > override.yaml
replicaCount: 2
secretConfig:
useClusterRoleForSecretAccess: true
EOF
```
Then, use the `-f` flag to specify the `values.yaml` file:
```bash
```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--namespace command-issuer-system \
-f override.yaml
```

## Configuration

The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values.

| Parameter | Description | Default |
|-----------------------------------|-------------------------------------------------------|-------------------------------------------------------|
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag | `""` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Name override | `""` |
| `fullnameOverride` | Full name override | `""` |
| `crd.create` | Specifies if CRDs will be created | `true` |
| `crd.annotations` | Annotations to add to the CRD | `{}` |
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
| `podAnnotations` | Annotations for the pod | `{}` |
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| Parameter | Description | Default |
|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag | `""` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Name override | `""` |
| `fullnameOverride` | Full name override | `""` |
| `crd.create` | Specifies if CRDs will be created | `true` |
| `crd.annotations` | Annotations to add to the CRD | `{}` |
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
| `podAnnotations` | Annotations for the pod | `{}` |
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `secureMetrics.enabled` | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false` |
| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` |
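Review bot: the first install example ends with `--set crd.create=true \` followed by a commented-out line, so the line continuation joins the `#` comment onto the command; that happens to work in bash but breaks as soon as someone deletes the comment line (the trailing backslash then continues onto an empty line), so drop the backslash from the last real argument or move the `image.pullPolicy` comment above the command. Two documentation points: the `override.yaml` snippet is a shell heredoc (`cat <<EOF > override.yaml`) but is fenced as `yaml`, and the table row for `secretConfig.useClusterRoleForSecretAccess` should state what the cluster-scoped mode actually grants (get, list and watch on Secrets in every namespace, per the new secret-reader template) so the least-privilege trade-off is visible where the value is chosen.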
Original file line number Diff line number Diff line change
@@ -5,14 +5,6 @@ metadata:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
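Review bot: removing `secrets` get/list/watch from the manager role is the right least-privilege move, but it only stays safe together with the new `-secret-reader-role` template that re-grants Secret access at namespace or cluster scope; confirm that no remaining rule in this role (the hunk only shows the `cert-manager.io` group after the removal) still grants core-group Secret access, and call out in the changelog that upgraded installs lose cluster-wide Secret read unless `secretConfig.useClusterRoleForSecretAccess=true` is set.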
Original file line number Diff line number Diff line change
@@ -55,6 +55,9 @@ spec:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
{{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
- --secret-access-granted-at-cluster-level
{{- end}}
command:
- /manager
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
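Review bot: style point on `{{- if .Values.secretConfig.useClusterRoleForSecretAccess}}` and `{{- end}}`: add the space before `}}` to match the `{{ if ... }}` form used in the new secret-reader template. Deriving both the controller flag and the RBAC kind from the same value keeps them consistent; a short template comment saying the flag must match the granted RBAC scope would help anyone who later templates the flag separately, since a mismatch makes the controller look for Secrets in namespaces its Role does not cover.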
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
metadata:
labels:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRoleBinding{{ else }}RoleBinding{{ end }}
metadata:
labels:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
subjects:
- kind: ServiceAccount
name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
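Review bot: in cluster mode this rule grants get, list and watch on every Secret in the cluster, but the changelog entry above says retrieval now goes through a direct `client-go` REST client rather than the `controller-runtime` cache, so `list` and `watch` may no longer be needed; consider trimming the verbs to `get` to keep the ClusterRole from allowing cluster-wide Secret enumeration. The same changelog entry mentions ConfigMap retrieval, yet `resources` lists only `secrets`; either add `configmaps` here if the reconciler reads them or document that ConfigMap access is not required.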
10 changes: 10 additions & 0 deletions deploy/charts/command-cert-manager-issuer/values.yaml
@@ -18,6 +18,16 @@ fullnameOverride: ""
secureMetrics:
enabled: false

secretConfig:
# If true, when using Issuer resources, the credential secret must be created in the same namespace as the
# Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret
# API at the cluster level.
#
# If false, both Issuer and ClusterIssuer must reference a secret in the same namespace as the chart/reconciler.
# This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret API only for the
# namespace the chart is deployed in.
useClusterRoleForSecretAccess: false

crd:
# Specifies whether CRDs will be created
create: true
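Review bot: the comment for `useClusterRoleForSecretAccess: true` only describes Issuer resources; state where a ClusterIssuer's secret must live in that mode (the `false` branch covers both kinds, the `true` branch does not), since that is the case operators hit when they flip the value. Also consider saying explicitly that `true` grants the ServiceAccount read access to Secrets in all namespaces, which is the security trade-off the default avoids.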
3 changes: 2 additions & 1 deletion docs/config_usage.markdown
@@ -27,7 +27,7 @@ cat <<EOF >> metadata.json
{
"AllowAPI": true,
"DataType": 1,
"Description": "The namespace that the issuer resource was created in.",
"Description": "The namespace that the issuer resource was created in that .",
"Name": "Issuer-Namespace"
},
{
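Review bot: the new `Description` text reads `... was created in that .`, which looks like an editing accident (a dangling `that` before the period); restore the previous wording or complete the sentence before merging, since this string is imported into Command as the metadata field's documentation via `kfutil import --metadata`.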
@@ -83,6 +83,7 @@ kfutil import --metadata --file metadata.json

### Authentication
Authentication to the Command platform is done using basic authentication. The credentials must be provided as a Kubernetes `kubernetes.io/basic-auth` secret. These credentials should be for a user with "Certificate Enrollment: Enroll CSR" and "API: Read" permissions in Command.
If the Helm chart was deployed with the `--set "secretConfig.useClusterRoleForSecretAccess=true"` flag, the secret must be created in the same namespace as any Issuer resources deployed. Otherwise, the secret must be created in the same namespace as the controller.

Create a `kubernetes.io/basic-auth` secret with the Keyfactor Command username and password:
```shell
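Review bot: "the same namespace as the controller" is ambiguous for readers who also run cert-manager in its own namespace; say the Helm release namespace (`command-issuer-system` in the README examples, `.Release.Namespace` in the new RoleBinding subject), and state where a ClusterIssuer's secret must live when the flag is `true`, since this paragraph only covers Issuer resources for that case.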