Merge release-2.0 [2.0.0 ] to main

Keyfactor · Jun 26, 2024 · 916c228 · 916c228
1 parent 3a106f6
commit 916c228
Show file tree

Hide file tree

Showing 52 changed files with 3,204 additions and 2,269 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,3 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 # Ignore build and test binaries.
 bin/
-testbin/
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: 'gomod'
+    # Raise pull requests for version updates
+    # against the `main` branch
+    target-branch: "main"
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+  - package-ecosystem: 'github-actions'
+    # Raise pull requests for version updates
+    # against the `main` branch
+    target-branch: "main"
+    directory: '/'
+    schedule:
+      interval: 'weekly'
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -42,8 +42,8 @@ jobs:
       - name: Update Helm App/Chart Version
         shell: bash
         run: |
-          sed -i "s/^version: .*/version: ${{ env.VERSION }}/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
-          sed -i "s/^appVersion: .*/appVersion: \"v${{ env.VERSION }}\"/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
+          sed -i "s/^version: .*/version: ${{ env.VERSION }}/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"v${{ env.VERSION }}\"/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
 
       # Setup Helm
       # https://github.com/Azure/setup-helm

diff --git a/.github/workflows/keyfactor-workflow.yml b/.github/workflows/keyfactor-workflow.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@ejbca-readme-updates
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
       - run: go mod download
 
       # Build Go binary
-      - run: go build -v .
+      - run: go build -v cmd/main.go
 
       # Run Go linters
       # https://github.com/golangci/golangci-lint-action
@@ -51,14 +51,69 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
-      # Deploy an ephemeral EJBCA and SignServer for CI testing
+      # Run Go tests
+      - name: Run go test
+        run: go test -v ./...
+
+  integration:
+    name: Integration Test with cert-manager
+    needs: test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        certmanagerversion:
+          - '1.15.0'
+          - '1.14.6'
+          - '1.12.11'
+          - '1.13.6'
+
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - run: sudo apt-get install jq curl openssl
+
+      # Setup GoLang build environment
+      # https://github.com/actions/setup-go
+      - name: Set up Go 1.x
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      # Install cmctl
+      - name: Install cmctl
+        run: |
+          OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -fsSL -o cmctl https://github.com/cert-manager/cmctl/releases/latest/download/cmctl_${OS}_${ARCH}
+          chmod +x cmctl
+          sudo mv cmctl /usr/local/bin
+          cmctl --help
+
+      # Create a single-node K8s cluster with Kind
+      # Then, deploy an ephemeral EJBCA and SignServer
       - uses: m8rmclaren/ejbca-signserver-k8s@main
         with:
           deploy-k8s: 'true'
           deploy-nginx-ingress: 'true'
+          deploy-signserver: 'false'
 
-      # Run Go tests
-      - name: Run go test
-        run: go test -v ./...
-        env:
-          EJBCA_CSR_SUBJECT: "CN=ejbca_testacc"
+      # Set up cert-manager
+      - name: Set up cert-manager
+        run: |
+          helm repo add jetstack https://charts.jetstack.io
+          helm repo update
+          helm install \
+            cert-manager jetstack/cert-manager \
+            --namespace cert-manager \
+            --create-namespace \
+            --version "${{ matrix.certmanagerversion }}" \
+            --set installCRDs=true
+
+      # Run integration test
+      - name: Run integration test
+        run: |
+          chmod +x test/integrationtest.sh
+          ./test/integrationtest.sh
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,31 @@
+run:
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  timeout: 12m
+
+  skip-dirs:
+    - testdata$
+    - test/mock
+
+  skip-files:
+    - ".*\\.pb\\.go"
+
+linters:
+  enable:
+    - bodyclose
+    - durationcheck
+    - errorlint
+    - goimports
+    - revive
+    - gosec
+    - misspell
+    - nakedret
+    - unconvert
+    - unparam
+    - whitespace
+    - gocritic
+    - nolintlint
+
+linters-settings:
+  revive:
+    # minimal confidence for issues, default is 0.8
+    confidence: 0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,16 @@
+# v2.0.0
+
+## Chores
+* Refactor EJBCA signer module to remove tight dependency on Issuer/ClusterIssuer types.
+* Migrate Kubebuilder from go/v3 to go/v4:
+    * Upgrade kustomize version to v5.3.0.
+    * Upgrade controller-gen to v0.15.0.
+* Refactor test cases to use fake EJBCA API instead of requiring live EJBCA server.
+* Write e2e integration test.
+
+## Features
+* Add support for OAuth2.0 client credential grant flow for EJBCA API authentication.
+
 # v1.4.0
 
 ## Features

diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,11 @@
 # Build the manager binary
-FROM golang:1.20 as builder
+ARG GOIMAGE=golang:1.22.3
+ARG BASEIMAGE=gcr.io/distroless/static:nonroot
 ARG TARGETOS
 ARG TARGETARCH
 
+FROM ${GOIMAGE} as builder
+
 WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
@@ -12,7 +15,7 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY main.go main.go
+COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/ internal/
 
@@ -21,11 +24,11 @@ COPY internal/ internal/
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM ${BASEIMAGE}
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532