Merge pull request #9 from Keyfactor/helm

v1.3.1: Create Helm Chart for EJBCA External Issuer for cert-manager and tidy up permissions

.github/workflows/release.yml

@@ -0,0 +1,43 @@
+name: helm_release
+on:
+  pull_request:
+    branches:
+      - 'v*'
+    types:
+      - closed
+jobs:
+  helm:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+    steps:
+      - name: Extract Version Tag
+        id: extract_version
+        run: /bin/bash -c 'echo ::set-output name=VERSION::$(echo ${GITHUB_REF##*/} | cut -c2-)'
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Change version and appVersion in Chart.yaml to the tag in the closed PR
+      - name: Update Helm App/Chart Version
+        shell: bash
+        run: |
+          sed -i "s/^version: .*/version: ${{ steps.extract_version.outputs.VERSION }}/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"${{ steps.extract_version.outputs.VERSION }}\"/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          pages_branch: gh-pages
+          charts_dir: deploy/charts
+          mark_as_latest: true
+          packages_with_index: true

.gitignore

@@ -16,4 +16,7 @@ vendor/
 .idea
 bin
 
+# Helm
+*.tgz
+
 .DS_Store

CHANGELOG.md

@@ -0,0 +1,9 @@
+# v1.3.1
+
+## Features
+* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
+* feat(ci): Add GitHub Actions workflows to run unit tests and release container images when appropriate
+* feat(helm): Create Helm chart to deploy the controller to a Kubernetes or OpenShift cluster
+
+## Fixes
+* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.

Makefile

@@ -1,9 +1,9 @@
 # The version which will be reported by the --version argument of each binary
 # and which will be used as the Docker image tag
-VERSION ?= v1.2.2
+VERSION ?= latest
 # The Docker repository name, overridden in CI.
-DOCKER_REGISTRY ?= m8rmclarenkf
-DOCKER_IMAGE_NAME ?= ejbca-cert-manager-external-issuer-controller
+DOCKER_REGISTRY ?= ""
+DOCKER_IMAGE_NAME ?= ""
 # Image URL to use all building/pushing image targets
 IMG ?= ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${VERSION}
 
@@ -78,7 +78,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # (i.e. docker build --platform linux/arm64 ). However, you must enable docker buildKit for it.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
+docker-build: ## Build docker image with the manager.
 	docker build -t ${IMG} .
 
 .PHONY: docker-push
@@ -93,7 +93,7 @@ docker-push: ## Push docker image with the manager.
 # To properly provided solutions that supports more than one platform you should use this option.
 PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le
 .PHONY: docker-buildx
-docker-buildx: test ## Build and push docker image for the manager for cross-platform support
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- docker buildx create --name project-v3-builder

api/v1alpha1/issuer_types.go

@@ -35,12 +35,6 @@ type IssuerSpec struct {
 	// namespace that the controller runs in).
 	EjbcaSecretName string `json:"ejbcaSecretName"`
 
-	// A reference to a Secret in the same namespace as the referent. If the
-	// referent is a ClusterIssuer, the reference instead refers to the resource
-	// with the given name in the configured 'cluster resource namespace', which
-	// is set as a flag on the controller component (and defaults to the
-	// namespace that the controller runs in).
-
 	// The name of the secret containing the CA bundle to use when verifying
 	// EJBCA's server certificate. If specified, the CA bundle will be added to
 	// the client trust roots for the EJBCA issuer.

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: ejbca-issuer-dev
-  newTag: latest
+  newName: keyfactor/ejbca-cert-manager-external-issuer-controller
+  newTag: v1.3.1

config/manager/manager.yaml

@@ -71,7 +71,7 @@ spec:
         args:
         - --leader-elect
         image: controller:latest
-        imagePullPolicy: Never # TODO dev field
+        #imagePullPolicy: Never # TODO dev field
         name: manager
         securityContext:
           allowPrivilegeEscalation: false

deploy/charts/ejbca-cert-manager-issuer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/charts/ejbca-cert-manager-issuer/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+
+name: ejbca-cert-manager-issuer
+description: A helm chart to deploy the cert-manager issuer for Keyfactor EJBCA
+type: application
+
+home: https://github.com/Keyfactor/ejbca-cert-manager-issuer
+maintainers:
+  - name: Hayden Roszell
+    email: [email protected]
+sources: ["https://github.com/Keyfactor/ejbca-cert-manager-issuer"]
+
+version: 0.1.0
+appVersion: "v1.3.1"

deploy/charts/ejbca-cert-manager-issuer/README.md

@@ -0,0 +1,94 @@
+<a href="https://kubernetes.io">
+    <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" alt="Terraform logo" title="K8s" align="left" height="50" />
+</a>
+
+# Keyfactor EJBCA Issuer for cert-manager
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-cert-manager-issuer)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
+![Version: v0.1.0](https://img.shields.io/badge/Version-v0.1.0-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) 
+![AppVersion: v1.3.1](https://img.shields.io/badge/AppVersion-v1.3.1-informational?style=flat-square)
+
+A Helm chart for the Keyfactor EJBCA External Issuer for cert-manager.
+
+The EJBCA external issuer for cert-manager allows users to enroll certificates from Keyfactor EJBCA using cert-manager.
+
+## Installation
+
+### Add Helm Repository
+
+```bash
+helm repo add ejbca-issuer https://keyfactor.github.io/ejbca-cert-manager-issuer
+helm repo update
+```
+
+### Install Chart
+
+```shell
+helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
+    --namespace ejbca-issuer-system \
+    --create-namespace \
+    --set image.repository=<your container registry>/keyfactor/ejbca-cert-manager-issuer \
+    --set image.tag=<tag>
+    # --set image.pullPolicy=Never # Only required if using a local image
+```
+
+Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `secretConfig.useClusterRoleForSecretAccess` to configure the chart to use a cluster role for secret access, run the following command:
+
+```shell
+helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
+    --namespace ejbca-issuer-system \
+    --create-namespace \
+    --set image.repository=<your container registry>/keyfactor/ejbca-cert-manager-issuer \
+    --set image.tag=<tag>
+    --set replicaCount=2
+```
+
+Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `secretConfig.useClusterRoleForSecretAccess` value to configure the chart to use a cluster role for secret access, modify the `secretConfig.useClusterRoleForSecretAccess` value in the `values.yaml` file by creating an override file:
+
+```yaml
+cat <<EOF > override.yaml
+image:
+    repository: <your container registry>/keyfactor/ejbca-cert-manager-issuer
+    pullPolicy: Never
+    tag: "latest"
+secretConfig:
+    useClusterRoleForSecretAccess: true
+EOF
+```
+
+Then, use the `-f` flag to specify the `values.yaml` file:
+
+```shell
+helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer \
+    --namespace command-issuer-system \
+    -f override.yaml
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the `ejbca-cert-manager-issuer` chart and their default values.
+
+| Parameter                                    | Description                                                                                         | Default                                                      |
+|----------------------------------------------|-----------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
+| `replicaCount`                               | Number of replica ejbca-cert-manager-issuers to run                                                 | `1`                                                          |
+| `image.repository`                           | Image repository                                                                                    | `m8rmclarenkf/ejbca-cert-manager-external-issuer-controller` |
+| `image.pullPolicy`                           | Image pull policy                                                                                   | `IfNotPresent`                                               |
+| `image.tag`                                  | Image tag                                                                                           | `v1.3.1`                                                     |
+| `imagePullSecrets`                           | Image pull secrets                                                                                  | `[]`                                                         |
+| `nameOverride`                               | Name override                                                                                       | `""`                                                         |
+| `fullnameOverride`                           | Full name override                                                                                  | `""`                                                         |
+| `crd.create`                                 | Specifies if CRDs will be created                                                                   | `true`                                                       |
+| `crd.annotations`                            | Annotations to add to the CRD                                                                       | `{}`                                                         |
+| `serviceAccount.create`                      | Specifies if a service account should be created                                                    | `true`                                                       |
+| `serviceAccount.annotations`                 | Annotations to add to the service account                                                           | `{}`                                                         |
+| `serviceAccount.name`                        | Name of the service account to use                                                                  | `""` (uses the fullname template if `create` is true)        |
+| `podAnnotations`                             | Annotations for the pod                                                                             | `{}`                                                         |
+| `podSecurityContext.runAsNonRoot`            | Run pod as non-root                                                                                 | `true`                                                       |
+| `securityContext`                            | Security context for the pod                                                                        | `{}` (with commented out options)                            |
+| `secureMetrics.enabled`                      | Enable secure metrics via the Kube RBAC Proy                                                        | `false`                                                      |
+| `resources`                                  | CPU/Memory resource requests/limits                                                                 | `{}` (with commented out options)                            |
+| `nodeSelector`                               | Node labels for pod assignment                                                                      | `{}`                                                         |
+| `tolerations`                                | Tolerations for pod assignment                                                                      | `[]`                                                         |
+| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false`                                                      |

deploy/charts/ejbca-cert-manager-issuer/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ejbca-cert-manager-issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ejbca-cert-manager-issuer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ejbca-cert-manager-issuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ejbca-cert-manager-issuer.labels" -}}
+helm.sh/chart: {{ include "ejbca-cert-manager-issuer.chart" . }}
+{{ include "ejbca-cert-manager-issuer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ejbca-cert-manager-issuer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ejbca-cert-manager-issuer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ejbca-cert-manager-issuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ejbca-cert-manager-issuer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}