From 2cf282bc1b9841919f8d28899e564b486bcf35d0 Mon Sep 17 00:00:00 2001
From: Hayden Roszell
Date: Thu, 21 Dec 2023 13:10:35 -0700
Subject: [PATCH 1/3] chore: Upgrade packages, implement Helm port value, update changelog
---
 .github/workflows/release.yml | 147 +-----------------
 CHANGELOG.md | 23 ++-
 Dockerfile | 2 +-
 .../command-cert-manager-issuer/README.md | 3 +-
 .../templates/clusterrole.yaml | 2 +-
 .../templates/clusterrolebinding.yaml | 2 +-
 .../templates/deployment.yaml | 8 +-
 .../templates/service.yaml | 2 +-
 .../command-cert-manager-issuer/values.yaml | 23 ++-
 go.mod | 10 +-
 go.sum | 20 +-
 11 files changed, 62 insertions(+), 180 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 65f622a..2bf9bfd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,5 @@
-name: Build and Release
+name: Build and Release Helm Chart
 on:
- push:
- branches:
- - '*'
 pull_request:
 branches:
 - 'v*'
@@ -14,152 +11,10 @@ on:
 # pushed to the pull request's branch
 - synchronize
-env:
- REGISTRY: ghcr.io
-
 jobs:
- build:
- name: Build Containers
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- platform:
- - linux/arm64
- - linux/amd64
- - linux/s390x
- - linux/ppc64le
-
- permissions:
- contents: read
- packages: write
-
- steps:
-
- - name: Set IMAGE_NAME
- run: |
- echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
- # Checkout code
- # https://github.com/actions/checkout
- - name: Checkout code
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
- - name: Extract Docker metadata
- id: meta
- uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- # Set up QEMU
- # https://github.com/docker/setup-qemu-action
- - name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
- # Set up BuildKit Docker container builder to be able to build
- # multi-platform images and export cache
- # https://github.com/docker/setup-buildx-action
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
- # Login to Docker registry
- # https://github.com/docker/login-action
- - name: Log into registry ${{ env.REGISTRY }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- # Build and push Docker image with Buildx
- # https://github.com/docker/build-push-action
- - name: Build and push Docker image
- id: build
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
- with:
- context: .
- platforms: ${{ matrix.platform }}
- labels: ${{ steps.meta.outputs.labels }}
- push: ${{ github.event.pull_request.merged == true }}
- outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true
-
- # Export digest
- - name: Export digest
- if: github.event.pull_request.merged == true
- run: |
- mkdir -p /tmp/digests
- digest="${{ steps.build.outputs.digest }}"
- touch "/tmp/digests/${digest#sha256:}"
-
- # Upload digest
- - name: Upload digest
- if: github.event.pull_request.merged == true
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: digests
- path: /tmp/digests/*
- if-no-files-found: error
- retention-days: 1
-
- merge:
- runs-on: ubuntu-latest
- if: github.event.pull_request.merged == true
- needs:
- - build
- steps:
- - name: Set IMAGE_NAME
- run: |
- echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
- # Download digests
- # https://github.com/actions/download-artifact
- - name: Download digests
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- with:
- name: digests
- path: /tmp/digests
-
- # Set up BuildKit Docker container builder to be able to build
- # multi-platform images and export cache
- # https://github.com/docker/setup-buildx-action
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
- - name: Extract Docker metadata
- id: meta
- uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- # Login to Docker registry
- # https://github.com/docker/login-action
- - name: Log into registry ${{ env.REGISTRY }}
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ 
secrets.GITHUB_TOKEN }}
-
- # Create manifest list and push
- - name: Create manifest list and push
- working-directory: /tmp/digests
- run: |
- docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
- $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
- - name: Inspect image
- run: |
- docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
-
 helm:
 runs-on: ubuntu-latest
 if: github.event.pull_request.merged == true
- needs:
- - merge
 steps:
 - name: Set IMAGE_NAME
 run: |
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7817fc..ada677c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,11 @@
-# v1.0.4
+# v1.0.6
 ## Features
-* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/: ` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
-* feat(release): Container build and release now uses GitHub Actions.
+* feat(helm): Add configuration element in Helm chart default values file to configure container ports on the controller manager container.
 ## Fixes
-* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
-* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
-* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
-* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
+* fix(deps): Update golang.org/x/net to v0.19.0
+* fix(dockerfile): Upgrade builder image to golang:1.20 to address [CVE-2023-38408](https://scout.docker.com/vulnerabilities/id/CVE-2023-38408?utm_source=hub&utm_medium=ExternalLink&_gl=1*hbs4zp*_ga*MTU5MTQ4Mzk3MC4xNjkxNDI2NjAy*_ga_XJWPQMJYHQ*MTcwMzE4NzcyNC4xMDEuMS4xNzAzMTg4OTUxLjM3LjAuMA..)
 # v1.0.5
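Review bot: With the `build` and `merge` jobs removed, this workflow no longer builds or publishes the controller image, yet values.yaml in the same patch now defaults `image.repository` to `keyfactor/command-cert-manager-issuer`, an unqualified Docker Hub reference whose tag falls back to the chart `appVersion`. Nothing in the patch shows where that image is now built, whether its tags are immutable, or whether it is signed, so the digest-based publishing the removed jobs performed (`push-by-digest=true`, manifest list assembled from artifact digests) has no visible replacement. If the build moved elsewhere, say so at the top of this file, e.g. `# Container images are built and published by a separate workflow; this workflow only packages and releases the Helm chart.`, and consider publishing the image digest with each chart release so consumers can pin the image by digest rather than by a mutable tag. The remaining `helm` job continues past the end of this hunk.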
@@ -18,3 +15,15 @@
 ## Fixes
 * fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
 * fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
+
+# v1.0.4
+
+## Features
+* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/: ` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
+* feat(release): Container build and release now uses GitHub Actions.
+
+## Fixes
+* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
+* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
+* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
+* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
diff --git a/Dockerfile b/Dockerfile
index 0598be6..2b3d5df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.20 as builder
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md
index 6f625cb..c9e2642 100644
--- a/deploy/charts/command-cert-manager-issuer/README.md
+++ b/deploy/charts/command-cert-manager-issuer/README.md
@@ -85,5 +85,6 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
 | `tolerations` | Tolerations for pod assignment | `[]` |
-| `secureMetrics.enabled` | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false` |
+| `metrics.secure` | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false` |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` |
+| `containerPorts` | Defines the ports that the controller manager container exposes. If you change this, you will need to configure your Prometheus instance to scrape these metrics. | `[{"containerPort": 8080, "name": "http-metrics", "protocol": "TCP"}]` |
diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml
index 489c4c1..46d0d38 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml
@@ -45,7 +45,7 @@ rules:
 - issuers/finalizers
 verbs:
 - update
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml
index 8a9c2b6..989baa7 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml
@@ -12,7 +12,7 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
index a42935f..a3fe522 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
@@ -26,7 +26,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
- {{- if .Values.secureMetrics.enabled }}
+ {{- if .Values.metrics.secure }}
 - args:
 - --secure-listen-address=0.0.0.0:8443
 - --upstream=http://127.0.0.1:8080/
@@ -53,7 +53,7 @@ spec:
 {{- end }}
 - args:
 - --health-probe-bind-address=:8081
- - --metrics-bind-address=127.0.0.1:8080
+ - --metrics-bind-address={{ .Values.metrics.metricsAddress }}
 - --leader-elect
 {{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
 - --secret-access-granted-at-cluster-level
@@ -75,6 +75,10 @@ spec:
 port: 8081
 initialDelaySeconds: 5
 periodSeconds: 10
+ {{- with .Values.containerPorts }}
+ ports:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 securityContext:
diff --git a/deploy/charts/command-cert-manager-issuer/templates/service.yaml b/deploy/charts/command-cert-manager-issuer/templates/service.yaml
index c07551c..7d2c190 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/service.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/service.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 apiVersion: v1
 kind: Service
 metadata:
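Review bot: The new `--metrics-bind-address={{ .Values.metrics.metricsAddress }}` line in deployment.yaml binds the metrics listener to `:8080` by default (the value this patch sets in values.yaml), i.e. every pod interface, where the removed line bound it to `127.0.0.1:8080`. When `metrics.secure` is true the kube-rbac-proxy sidecar (`--upstream=http://127.0.0.1:8080/` in the hunk above) is meant to be the only route to `/metrics`, but a listener on `:8080` is reachable directly on the pod IP whether or not it appears in the `ports:` list, so the authenticated proxy can be bypassed by anything with network access to the pod. Keep the loopback binding whenever the proxy is enabled, e.g. `- --metrics-bind-address={{ if .Values.metrics.secure }}127.0.0.1:8080{{ else }}{{ .Values.metrics.metricsAddress }}{{ end }}`, or fail the render when `metrics.secure` is set together with a non-loopback `metricsAddress`. Note also that the proxy's `--upstream` port is hard-coded to 8080, so a different `metricsAddress` combined with `secure: true` would silently break scraping rather than error out.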
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
index 4806cc0..b8f6410 100644
--- a/deploy/charts/command-cert-manager-issuer/values.yaml
+++ b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -4,7 +4,7 @@ replicaCount: 1
 image:
- repository: ""
+ repository: "keyfactor/command-cert-manager-issuer"
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
@@ -13,10 +13,23 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
-# Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated
-# use of the /metrics endpoint by Prometheus.
-secureMetrics:
- enabled: false
+metrics:
+ # Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated
+ # use of the /metrics endpoint by Prometheus.
+ secure: false
+ # The address and port to expose the metrics endpoint. This will only be configured as a container
+ # port; you will need to configure your Prometheus instance to scrape this endpoint.
+ # Example: ":8080" (default)
+ metricsAddress: ":8080"
+
+# Define the ports that the controller manager container exposes.
+# If you change this, you will need to configure your Prometheus instance to scrape these metrics.
+# If metrics.secure is true, Prometheus must scrape port 8443 with HTTPS.
+containerPorts:
+ # Values must be in the format expected by the ports field of the Kubernetes v1 core API type ContainerPort.
+ - containerPort: 8080
+ name: http-metrics
+ protocol: TCP
 secretConfig:
 # If true, when using Issuer resources, the credential secret must be created in the same namespace as the
diff --git a/go.mod b/go.mod
index 3d54f23..20a3d48 100644
--- a/go.mod
+++ b/go.mod
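Review bot: The comment on `metricsAddress` ("This will only be configured as a container port") is inaccurate: deployment.yaml in this same patch passes the value straight to `--metrics-bind-address`, so it is the bind address of the controller manager's metrics listener, and the `containerPorts` list below it is a separate, unlinked setting, so the two can silently drift (change one and `ports:` advertises a port nothing listens on, or vice versa). The default `":8080"` also listens on every pod interface, which undoes the loopback-only exposure that made the kube-rbac-proxy behind `metrics.secure` meaningful. Suggest replacing the three comment lines with `# host:port the controller manager binds its /metrics listener to (passed to --metrics-bind-address).`, `# ":8080" listens on all pod interfaces; use "127.0.0.1:8080" with metrics.secure=true so /metrics is reachable only through the kube-rbac-proxy sidecar.` and `# Keep containerPorts below in sync with the port chosen here.`.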
@@ -58,12 +58,12 @@ require (
 go.uber.org/atomic v1.10.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.24.0 // indirect
- golang.org/x/crypto v0.5.0 // indirect
- golang.org/x/net v0.8.0 // indirect
+ golang.org/x/crypto v0.16.0 // indirect
+ golang.org/x/net v0.19.0 // indirect
 golang.org/x/oauth2 v0.6.0 // indirect
- golang.org/x/sys v0.6.0 // indirect
- golang.org/x/term v0.6.0 // indirect
- golang.org/x/text v0.8.0 // indirect
+ golang.org/x/sys v0.15.0 // indirect
+ golang.org/x/term v0.15.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index f77f643..f0ce80a 100644
--- a/go.sum
+++ b/go.sum
@@ -188,8 +188,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -211,8 +211,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
@@ -234,18 +234,18 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
From 61bf0f98938d7118432ac2aa6c78ad4b1dbcff5b Mon Sep 17 00:00:00 2001
From: Hayden Roszell
Date: Thu, 21 Dec 2023 13:34:28 -0700
Subject: [PATCH 2/3] chore(docs): Update docs for instructions on using pre-built container image
---
 CHANGELOG.md | 1 +
 docs/README.md | 18 +++++++++++++
 docs/install.markdown | 60 +++++++++++++------------------------------
 3 files changed, 37 insertions(+), 42 deletions(-)
 create mode 100644 docs/README.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ada677c..e781800 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # v1.0.6
 ## Features
+* feat(helm): Rename `secureMetrics` to `metrics` and add `metrics.secure` and `metrics.metricsAddress` as configuration values. This way, Prometheus can scrape the controller manager metrics without the secure metrics proxy.
 * feat(helm): Add configuration element in Helm chart default values file to configure container ports on the controller manager container.
 ## Fixes
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000..5bd852c
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,18 @@
+
+ Terraform logo
+
+
+# Keyfactor Command Issuer for cert-manager
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/command-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/command-cert-manager-issuer)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
+
+The Command external issuer for cert-manager allows users to enroll certificates with a CA managed by Keyfactor Command using cert-manager. This allows security administrators to manage the lifecycle of certificates for Kubernetes applications.
+
+Cert-manager is a native Kubernetes certificate management controller which allows applications to get their certificates from a variety of CAs (Certification Authorities). It ensures certificates are valid and up to date, it also attempts to renew certificates at a configured time before expiration.
+
+* [Installation](install.markdown)
+* [Usage](config_usage.markdown)
+* [Example Usage](example.markdown)
+* [Customization](annotations.markdown)
+* [Testing the Source](testing.markdown)
diff --git a/docs/install.markdown b/docs/install.markdown
index 9fc4303..ee496fd 100644
--- a/docs/install.markdown
+++ b/docs/install.markdown
@@ -38,38 +38,7 @@ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/
 ###### :pushpin: Running the static cert-manager configuration is not recommended for production use. For more information, see [Installing cert-manager](https://cert-manager.io/docs/installation/).
-### Building the Container Image
-
-The cert-manager external issuer for Keyfactor Command is distributed as source code, and the container must be built manually. The container image can be built using the following command:
-```shell
-make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=keyfactor/command-cert-manager-issuer VERSION=
-```
-
-###### :pushpin: The container image can be built using Docker Buildx by running `make docker-buildx`. This will build the image for all supported platforms.
-
-To push the container image to a container registry, run the following command:
-```shell
-docker login
-make docker-push DOCKER_REGISTRY= DOCKER_IMAGE_NAME=keyfactor/command-cert-manager-issuer VERSION=
-```
-
-### Installation from Manifests
-
-The cert-manager external issuer for Keyfactor Command can be installed using the manifests in the `config/` directory.
-
-1. Install the custom resource definitions (CRDs) for the cert-manager external issuer for Keyfactor Command:
-
- ```shell
- make install
- ```
-
-2. Finally, deploy the controller to the cluster:
-
- ```shell
- make deploy DOCKER_REGISTRY= DOCKER_IMAGE_NAME=keyfactor/command-cert-manager-issuer VERSION=
- ```
-
-### Installation from Helm Chart
+### Installation from Helm Chart [recommended]
 The cert-manager external issuer for Keyfactor Command can also be installed using a Helm chart. The chart is available in the [Command cert-manager Helm repository](https://keyfactor.github.io/command-cert-manager-issuer/).
@@ -86,10 +55,7 @@ The cert-manager external issuer for Keyfactor Command can also be installed usi
 helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
 --namespace command-issuer-system \
 --create-namespace \
- --set image.repository=/keyfactor/command-cert-manager-issuer \
- --set image.tag= \
- --set crd.create=true \
- # --set image.pullPolicy=Never # Only required if using a local image
+ --set crd.create=true
 ```
 1. Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `secretConfig.useClusterRoleForSecretAccess` to configure the chart to use a cluster role for secret access, run the following command:
@@ -98,8 +64,6 @@ The cert-manager external issuer for Keyfactor Command can also be installed usi
 helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
 --namespace command-issuer-system \
 --create-namespace \
- --set image.repository=/keyfactor/command-cert-manager-issuer \
- --set image.tag= \
 --set crd.create=true \
 --set secretConfig.useClusterRoleForSecretAccess=true
 ```
@@ -108,10 +72,6 @@ The cert-manager external issuer for Keyfactor Command can also be installed usi
 ```yaml
 cat < override.yaml
- image:
- repository: /keyfactor/command-cert-manager-issuer
- pullPolicy: Never
- tag: ""
 secretConfig:
 useClusterRoleForSecretAccess: true
 EOF
@@ -125,4 +85,20 @@ The cert-manager external issuer for Keyfactor Command can also be installed usi
 -f override.yaml
 ```
+### Installation from Manifests
+
+The cert-manager external issuer for Keyfactor Command can be installed using the manifests in the `config/` directory.
+
+1. Install the custom resource definitions (CRDs) for the cert-manager external issuer for Keyfactor Command:
+
+ ```shell
+ make install
+ ```
+
+2. Finally, deploy the controller to the cluster:
+
+ ```shell
+ make deploy DOCKER_REGISTRY= DOCKER_IMAGE_NAME=keyfactor/command-cert-manager-issuer VERSION=
+ ```
+
 Next, complete the [Usage](config_usage.markdown) steps to configure the cert-manager external issuer for Keyfactor Command.
From 564c07e8b5bbdbfc37d38f178772c18beddc5a80 Mon Sep 17 00:00:00 2001
From: Hayden Roszell
Date: Thu, 21 Dec 2023 14:00:42 -0700
Subject: [PATCH 3/3] chore(docs): Grammar in install.markdown
---
 docs/install.markdown | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/install.markdown b/docs/install.markdown
index ee496fd..9936945 100644
--- a/docs/install.markdown
+++ b/docs/install.markdown
@@ -40,7 +40,7 @@ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/
 ### Installation from Helm Chart [recommended]
-The cert-manager external issuer for Keyfactor Command can also be installed using a Helm chart. The chart is available in the [Command cert-manager Helm repository](https://keyfactor.github.io/command-cert-manager-issuer/).
+The cert-manager external issuer for Keyfactor Command is installed using a Helm chart. The chart is available in the [Command cert-manager Helm repository](https://keyfactor.github.io/command-cert-manager-issuer/).
 1. Add the Helm repository: