v1.0.6: Upgrade packages, implement metrics.metricsAddress and containerPorts in Helm chart, refactor release process

.github/workflows/release.yml

@@ -1,8 +1,5 @@
-name: Build and Release
+name: Build and Release Helm Chart
 on:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
       - 'v*'
@@ -14,152 +11,10 @@ on:
       # pushed to the pull request's branch
       - synchronize
 
-env:
-  REGISTRY: ghcr.io
-
 jobs:
-  build:
-    name: Build Containers
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - linux/arm64
-          - linux/amd64
-          - linux/s390x
-          - linux/ppc64le
-
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-
-      - name: Set IMAGE_NAME
-        run: |
-          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
-      # Checkout code
-      # https://github.com/actions/checkout
-      - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Set up QEMU
-      # https://github.com/docker/setup-qemu-action
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      # Login to Docker registry
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Build and push Docker image with Buildx
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-        with:
-          context: .
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: ${{ github.event.pull_request.merged == true }}
-          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true
-
-      # Export digest
-      - name: Export digest
-        if: github.event.pull_request.merged == true
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-
-      # Upload digest
-      - name: Upload digest
-        if: github.event.pull_request.merged == true
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: digests
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.merged == true
-    needs:
-      - build
-    steps:
-      - name: Set IMAGE_NAME
-        run: |
-          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
-      # Download digests
-      # https://github.com/actions/download-artifact
-      - name: Download digests
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-        with:
-          name: digests
-          path: /tmp/digests
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Login to Docker registry
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Create manifest list and push
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
-
   helm:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true
-    needs:
-      - merge
     steps:
       - name: Set IMAGE_NAME
         run: |

CHANGELOG.md

@@ -1,14 +1,12 @@
-# v1.0.4
+# v1.0.6
 
 ## Features
-* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
-* feat(release): Container build and release now uses GitHub Actions.
+* feat(helm): Rename `secureMetrics` to `metrics` and add `metrics.secure` and `metrics.metricsAddress` as configuration values. This way, Prometheus can scrape the controller manager metrics without the secure metrics proxy.
+* feat(helm): Add configuration element in Helm chart default values file to configure container ports on the controller manager container.
 
 ## Fixes
-* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
-* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
-* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
-* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
+* fix(deps): Update golang.org/x/net to v0.19.0
+* fix(dockerfile): Upgrade builder image to golang:1.20 to address [CVE-2023-38408](https://scout.docker.com/vulnerabilities/id/CVE-2023-38408?utm_source=hub&utm_medium=ExternalLink&_gl=1*hbs4zp*_ga*MTU5MTQ4Mzk3MC4xNjkxNDI2NjAy*_ga_XJWPQMJYHQ*MTcwMzE4NzcyNC4xMDEuMS4xNzAzMTg4OTUxLjM3LjAuMA..)
 
 # v1.0.5
 
@@ -18,3 +16,15 @@
 ## Fixes
 * fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
 * fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
+
+# v1.0.4
+
+## Features
+* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
+* feat(release): Container build and release now uses GitHub Actions.
+
+## Fixes
+* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
+* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
+* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
+* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.20 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

deploy/charts/command-cert-manager-issuer/README.md

@@ -85,5 +85,6 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `resources`                                  | CPU/Memory resource requests/limits                                                                                                      | `{}` (with commented out options)                     |
 | `nodeSelector`                               | Node labels for pod assignment                                                                                                           | `{}`                                                  |
 | `tolerations`                                | Tolerations for pod assignment                                                                                                           | `[]`                                                  |
-| `secureMetrics.enabled`                      | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false`                                               |
+| `metrics.secure`                      | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false`                                               |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |
+| `containerPorts`                               | Defines the ports that the controller manager container exposes. If you change this, you will need to configure your Prometheus instance to scrape these metrics. | `[{"containerPort": 8080, "name": "http-metrics", "protocol": "TCP"}]` |

deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml

@@ -45,7 +45,7 @@ rules:
       - issuers/finalizers
     verbs:
       - update
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml

@@ -12,7 +12,7 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

deploy/charts/command-cert-manager-issuer/templates/deployment.yaml

@@ -26,7 +26,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        {{- if .Values.secureMetrics.enabled }}
+        {{- if .Values.metrics.secure }}
         - args:
             - --secure-listen-address=0.0.0.0:8443
             - --upstream=http://127.0.0.1:8080/
@@ -53,7 +53,7 @@ spec:
         {{- end }}
         - args:
             - --health-probe-bind-address=:8081
-            - --metrics-bind-address=127.0.0.1:8080
+            - --metrics-bind-address={{ .Values.metrics.metricsAddress }}
             - --leader-elect
             {{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
             - --secret-access-granted-at-cluster-level
@@ -75,6 +75,10 @@ spec:
               port: 8081
             initialDelaySeconds: 5
             periodSeconds: 10
+          {{- with .Values.containerPorts }}
+          ports:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:

deploy/charts/command-cert-manager-issuer/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.secureMetrics.enabled }}
+{{- if .Values.metrics.secure }}
 apiVersion: v1
 kind: Service
 metadata:

deploy/charts/command-cert-manager-issuer/values.yaml

@@ -4,7 +4,7 @@
 replicaCount: 1
 
 image:
-  repository: ""
+  repository: "keyfactor/command-cert-manager-issuer"
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
@@ -13,10 +13,23 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-# Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated
-# use of the /metrics endpoint by Prometheus.
-secureMetrics:
-  enabled: false
+metrics:
+  # Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated
+  # use of the /metrics endpoint by Prometheus.
+  secure: false
+  # The address and port to expose the metrics endpoint. This will only be configured as a container
+  # port; you will need to configure your Prometheus instance to scrape this endpoint.
+  # Example: ":8080" (default)
+  metricsAddress: ":8080"
+
+# Define the ports that the controller manager container exposes.
+# If you change this, you will need to configure your Prometheus instance to scrape these metrics.
+# If metrics.secure is true, Prometheus must scrape port 8443 with HTTPS.
+containerPorts:
+  # Values must be in the format expected by the ports field of the Kubernetes v1 core API type ContainerPort.
+  - containerPort: 8080
+    name: http-metrics
+    protocol: TCP
 
 secretConfig:
   # If true, when using Issuer resources, the credential secret must be created in the same namespace as the

docs/README.md

@@ -0,0 +1,18 @@
+<a href="https://kubernetes.io">
+    <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" alt="Terraform logo" title="K8s" align="left" height="50" />
+</a>
+
+# Keyfactor Command Issuer for cert-manager
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/command-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/command-cert-manager-issuer)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
+
+The Command external issuer for cert-manager allows users to enroll certificates with a CA managed by Keyfactor Command using cert-manager. This allows security administrators to manage the lifecycle of certificates for Kubernetes applications.
+
+Cert-manager is a native Kubernetes certificate management controller which allows applications to get their certificates from a variety of CAs (Certification Authorities). It ensures certificates are valid and up to date, it also attempts to renew certificates at a configured time before expiration.
+
+* [Installation](install.markdown)
+* [Usage](config_usage.markdown)
+* [Example Usage](example.markdown)
+* [Customization](annotations.markdown)
+* [Testing the Source](testing.markdown)