You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,3 +1,14 @@
1
+
# v2.5.0
2
+
## Features
3
+
- Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the `caBundleConfigMapName` specification.
4
+
- Add support for specifying a key on a Secret / ConfigMap resource for the CA trust bundle via the `caBundleKey` specification on an Issuer / ClusterIssuer resource.
5
+
- Add a timeout when fetching ambient Azure credentials to move onto other ambient credential methods.
6
+
- Ability to specify environment variables on issuer deployment to set additional configuration options (i.e. HTTP proxy settings, etc.)
7
+
8
+
## Chores
9
+
- Add documentation for how to configure command-cert-manager-issuer with ambient credentials on Google Kubernetes Engine (GKE).
10
+
- Add documentation for configuring CA trust bundles via Secret and ConfigMap resources using trust-manager.
11
+
1
12
# v2.4.0
2
13
## Features
3
14
- Add a `healthcheck` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
Copy file name to clipboardExpand all lines: README.md
+27-9Lines changed: 27 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -144,10 +144,25 @@ Command Issuer is installed using a Helm chart. The chart is available in the [C
144
144
--create-namespace
145
145
```
146
146
147
-
> For all possible configuration values for the command-cert-manager-issuer Helm chart, please refer to [this list](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
147
+
You can also install a specific version of the command-cert-manager-issuer Helm chart:
> For all possible configuration values for the command-cert-manager-issuer Helm chart, please refer to [this list](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
148
161
149
162
> The Helm chart installs the Command Issuer CRDs by default. The CRDs can be installed manually with the `make install` target.
150
163
164
+
> A list of configurable Helm chart parameters can be found [in the Helm chart docs](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
165
+
151
166
# Authentication
152
167
153
168
## Explicit Credentials
@@ -166,6 +181,7 @@ These credentials must be configured using a Kubernetes Secret. By default, the
166
181
Command Issuer also supports ambient authentication, where a token is fetched from an Authorization Server using a cloud provider's auth infrastructure and passed to Command directly. The following methods are supported:
167
182
168
183
- [Managed Identity Using Azure Entra ID Workload Identity](./docs/ambient-providers/azure.md) (if running in [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service))
184
+
- [Workload Identity Using Google Kubernetes Engine](./docs/ambient-providers/google.md) (if running in [GKE](https://cloud.google.com/kubernetes-engine))
169
185
170
186
If you are running your Kubernetes workload in a cloud provider not listed above, you can use workload identity federation with [Azure AD](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation).
171
187
@@ -212,11 +228,7 @@ This section has moved. Please refer to [this link](./docs/ambient-providers/azu
212
228
213
229
# CA Bundle
214
230
215
-
If the Command API is configured to use a self-signed certificate or with a certificate whose issuer isn't widely trusted, the CA certificate must be provided as a Kubernetes secret.
This section has been moved. Please refer to the new [CA Bundle docs](./docs/ca-bundle/README.md) documentation regarding CA trust with command-cert-manager-issuer.
220
232
221
233
# Creating Issuer and ClusterIssuer resources
222
234
@@ -243,7 +255,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
243
255
| hostname | The hostname of the Command API Server. |
244
256
| apiPath | (optional) The base path of the Command REST API. Defaults to `KeyfactorAPI`. |
245
257
| commandSecretName | (optional) The name of the Kubernetes secret containing basic auth credentials or OAuth 2.0 credentials. Omit if using ambient credentials. |
246
-
| caSecretName | (optional) The name of the Kubernetes secret containing the CA certificate. Required if the Command API uses a self-signed certificate or it was signed by a CA that is not widely trusted. |
258
+
| caSecretName | (optional) The name of the Kubernetes secret containing the CA certificate trust chain. See the [CA Bundle docs](./docs/ca-bundle/README.md) for more information. |
259
+
| caBundleConfigMapName | (optional) The name of the Kubernetes ConfigMap containing the CA certificate trust chain. See the [CA Bundle docs](./docs/ca-bundle/README.md) for more information. |
260
+
| caBundleKey | (optional) The name of the key in the ConfigMap or Secret specified by `caSecretName` or `caBundleConfigMapName` that contains the CA bundle. If omitted, the last key of the ConfigMap / Secret resource will be used. |
247
261
| certificateAuthorityLogicalName | The logical name of the Certificate Authority to use in Command. For example, `Sub-CA` |
248
262
| certificateAuthorityHostname | (optional) The hostname of the Certificate Authority specified by `certificateAuthorityLogicalName`. This field is usually only required if the CA in Command is a DCOM (MSCA-like) CA. |
249
263
| enrollmentPatternId | The ID of the [Enrollment Pattern](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm) to use when this Issuer/ClusterIssuer enrolls CSRs. **Supported by Keyfactor Command 25.1 and above**. If `certificateTemplate` and `enrollmentPatternId` are both specified, the enrollment pattern parameter will take precedence. If `enrollmentPatternId` and `enrollmentPatternName` are both specified, `enrollmentPatternId` will take precedence. Enrollment will fail if the specified certificate template is not compatible with the enrollment pattern. |
@@ -276,7 +290,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
276
290
hostname: "$HOSTNAME"
277
291
apiPath: "/KeyfactorAPI" # Preceding & trailing slashes are handled automatically
278
292
commandSecretName: "command-secret" # references the secret created above. Omit if using ambient credentials.
279
-
caSecretName: "command-ca-secret" # references the secret created above
293
+
# caSecretName: "command-ca-secret" # references a secret containing the CA trust chain (see CA Bundle docs for more info)
294
+
# caBundleConfigMapName: "command-ca-configmap" # references a configmap containing the CA trust chain (see CA Bundle docs for more info)
295
+
# caBundleKey: "ca.crt" # references the key in the secret/configmap containing the CA trust chain (see CA Bundle docs for more info)
280
296
281
297
# certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
"Set this flag to true if the config map access is granted at cluster level. This will allow the controller to access config maps in any namespace. ")
91
94
opts:= zap.Options{
92
95
Development: true,
93
96
}
@@ -130,16 +133,31 @@ func main() {
130
133
}
131
134
132
135
varcacheOpts cache.Options
133
-
ifsecretAccessGrantedAtClusterLevel {
134
-
setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
135
-
} else {
136
-
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
136
+
137
+
// Build the ByObject map if either resource is namespace-scoped
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
148
+
}
149
+
150
+
if!configMapAccessGrantedAtClusterLevel {
151
+
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 ConfigMap resources in the %q namespace", clusterResourceNamespace))
Copy file name to clipboardExpand all lines: deploy/charts/command-cert-manager-issuer/README.md
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -83,5 +83,6 @@ The following table lists the configurable parameters of the `command-cert-manag
83
83
|`resources`| CPU/Memory resource requests/limits |`{}` (with commented out options) |
84
84
|`nodeSelector`| Node labels for pod assignment |`{}`|
85
85
|`tolerations`| Tolerations for pod assignment |`[]`|
86
+
|`env`| Environmental variables set for pod |`{}`|
86
87
|`secretConfig.useClusterRoleForSecretAccess`| Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole |`false`|
87
88
|`defaultHealthCheckInterval`| Specifies the default health check interval for issuers |`""` (uses the default in the code which is 60s) |
0 commit comments