You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* feat: release 2.5.0
2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation
* release: 2.5.1
* feat: release 2.5.0 (#62)
2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation
Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com>
* feat: add client caching to reduce OAuth token requests
Previously, every certificate request reconciliation created a new Command
API client, which meant a new OAuth token was fetched for each request.
For customers with OAuth provider quotas, this caused rate limiting issues.
This change introduces a ClientCache that:
- Caches Command API clients by configuration hash
- Reuses cached clients across reconciliations for the same issuer
- Allows the underlying oauth2 library's token caching to work as intended
- Is thread-safe for concurrent reconciliations
The cache key is a SHA-256 hash of all configuration fields that affect
the client connection (hostname, API path, credentials, scopes, etc.),
ensuring different issuers get different clients while the same issuer
reuses its client.
Fixes: OAuth token re-authentication on every request
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore(scripts): update scripting usability
* feat: update keyfactor-auth-client-go to v1.3.1
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore: remove test short circuit
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Revert "Potential fix for pull request finding"
This reverts commit 19bc19b.
* chore: cleanup
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore: break build & test into its own workflow
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* fix: remove lint from CI
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore(docs): update CHANGELOG
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
---------
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com>
Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add missing namespace specification + address linting issues (#66)
* fix: log errors from Enrollment API call
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* fix: add missing namespaces, add linting to catch issues
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* feat: add linting
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore: address lint issues
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore: update CHANGELOG
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* chore: apply copilot feedback
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* feat: fix typo
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
* feat: copilot suggestions
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
---------
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
---------
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com>
Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+8Lines changed: 8 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,3 +1,11 @@
1
+
# v2.5.2
2
+
## Fixes
3
+
- Fixes an issue where a namespace may not be properly applied if applying the Helm template without a namespace specified / using `kubectl apply -f` directly with the rendered template.
4
+
- Fixes an issue where the error message from a failed Enrollment API call is not logged.
5
+
## Chores
6
+
- Update GitHub Actions workflow to check for policy enforcement on Helm chart rendered manifests in addition to checking for drift in generated CRDs.
7
+
- Fixes various linting issues in the codebase.
8
+
1
9
# v2.5.1
2
10
## Fixes
3
11
- Fixes an issue where OAuth 2.0 client credentials were being regenerated on every API call.
- helm (>= 3.x) — required to render chart templates for manifest linting ([installation notes](https://helm.sh/docs/intro/install/))
7
+
- conftest — policy testing tool powered by Open Policy Agent; installed automatically by `make lint-manifests`
8
+
9
+
## Installing dependencies
10
+
Project dependencies can be installed by running the following:
11
+
12
+
```bash
13
+
go mod download
14
+
```
15
+
16
+
The following command can be used to add missing requirements or remove unused modules:
17
+
18
+
```bash
19
+
go mod tidy
20
+
```
21
+
22
+
## Running unit tests
23
+
The following command can be run to run the project unit tests:
24
+
25
+
```bash
26
+
go test -v ./...
27
+
```
28
+
29
+
## Running linters
30
+
The project uses golangci-lint to lint the codebase. The following command can be run to run the linters:
31
+
32
+
```bash
33
+
golangci-lint run
34
+
```
35
+
36
+
or, alternatively:
37
+
38
+
```bash
39
+
make lint
40
+
```
41
+
42
+
## Updating generated manifests
43
+
44
+
This command will update the generated custom resource definitions under `config/crd/bases`:
45
+
46
+
```bash
47
+
make generate manifests
48
+
```
49
+
50
+
> [!IMPORTANT]
51
+
> There is no automated process to automatically update the CRDs under `deploy/charts/command-cert-manager-issuer`. If any changes are made to the CRDs, the generated CRDs under `config/crd/bases` must be copied to `deploy/charts/command-cert-manager-issuer/crds` to ensure the Helm chart is up to date.
52
+
53
+
## Linting Helm manifests
54
+
55
+
The Helm chart under `deploy/charts/command-cert-manager-issuer` is linted with two tools on every PR:
56
+
-**conftest** — runs custom Rego policies located in the [`policy/`](policy/) directory against the rendered manifests
57
+
58
+
To run both checks locally:
59
+
60
+
```bash
61
+
make lint-manifests
62
+
```
63
+
64
+
`conftest` is downloaded automatically into `bin/` on first use; no manual installation is required.
65
+
66
+
To inspect the rendered templates without linting:
67
+
68
+
```bash
69
+
make helm-template
70
+
```
71
+
72
+
### Adding or modifying policies
73
+
74
+
Rego policies live in [`policy/`](policy/). Each `.rego` file in that directory is evaluated by conftest against every resource in the rendered chart. Add a new `.rego` file to enforce additional rules. For example, `policy/roles.rego` enforces that all `Role` resources declare an explicit namespace.
75
+
76
+
kube-linter checks can be tuned in [.kube-linter.yaml](.kube-linter.yaml). To exclude a check, add its name under the `exclude` key.
77
+
78
+
## Running end-to-end tests
79
+
A comprehensive end-to-end test suite is available to verify the issuer code works against cert-manager and a Keyfactor Command instance.
80
+
81
+
Instructions on how to run the end-to-end test suite can be found [here](./e2e/README.md).
setupLog.Error(errors.New(fmt.Sprintf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval)), "invalid health check interval")
200
+
setupLog.Error(fmt.Errorf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval), "invalid health check interval")
0 commit comments