You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,3 +1,9 @@
1
+
# v2.6.1
2
+
## Features
3
+
- Added [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) as an optional specification on the Deployment resource.
4
+
## Chores
5
+
- Updated the `CONTRIBUTING.md` guide with notes for how external contributors can contribute to this project.
6
+
1
7
# v2.6.0
2
8
## Features
3
9
- Allow `certificateAuthorityLogicalName` to be optional when using an enrollment pattern.
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+20-8Lines changed: 20 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,24 @@
1
1
# Command Cert Manager Issuer Contribution Guide
2
2
3
-
## Requirements
3
+
## How to contribute
4
+
5
+
### External Contributors - Submitting a PR
6
+
7
+
Since external contributors can't create branches directly on our repositories, go ahead and open your PR against `main`. Our team will handle retargeting it to the appropriate release branch as part of our internal review process. You may see your PR retargeted or, in some cases, closed and replaced with an internal PR carrying your commits. In either case, your contribution will be preserved.
8
+
9
+
### Release cadence
10
+
11
+
We have an internal review process for every release we make. This process can sometimes take a few days or weeks depending on resourcing.
- helm (>= 3.x) — required to render chart templates for manifest linting ([installation notes](https://helm.sh/docs/intro/install/))
7
19
- conftest — policy testing tool powered by Open Policy Agent; installed automatically by `make lint-manifests`
8
20
9
-
## Installing dependencies
21
+
###Installing dependencies
10
22
Project dependencies can be installed by running the following:
11
23
12
24
```bash
@@ -19,14 +31,14 @@ The following command can be used to add missing requirements or remove unused m
19
31
go mod tidy
20
32
```
21
33
22
-
## Running unit tests
34
+
###Running unit tests
23
35
The following command can be run to run the project unit tests:
24
36
25
37
```bash
26
38
go test -v ./...
27
39
```
28
40
29
-
## Running linters
41
+
###Running linters
30
42
The project uses golangci-lint to lint the codebase. The following command can be run to run the linters:
31
43
32
44
```bash
@@ -39,7 +51,7 @@ or, alternatively:
39
51
make lint
40
52
```
41
53
42
-
## Updating generated manifests
54
+
###Updating generated manifests
43
55
44
56
This command will update the generated custom resource definitions under `config/crd/bases`:
45
57
@@ -50,7 +62,7 @@ make generate manifests
50
62
> [!IMPORTANT]
51
63
> There is no automated process to automatically update the CRDs under `deploy/charts/command-cert-manager-issuer`. If any changes are made to the CRDs, the generated CRDs under `config/crd/bases` must be copied to `deploy/charts/command-cert-manager-issuer/crds` to ensure the Helm chart is up to date.
52
64
53
-
## Linting Helm manifests
65
+
###Linting Helm manifests
54
66
55
67
The Helm chart under `deploy/charts/command-cert-manager-issuer` is linted with two tools on every PR:
56
68
-**conftest** — runs custom Rego policies located in the [`policy/`](policy/) directory against the rendered manifests
@@ -69,13 +81,13 @@ To inspect the rendered templates without linting:
69
81
make helm-template
70
82
```
71
83
72
-
### Adding or modifying policies
84
+
####Adding or modifying policies
73
85
74
86
Rego policies live in [`policy/`](policy/). Each `.rego` file in that directory is evaluated by conftest against every resource in the rendered chart. Add a new `.rego` file to enforce additional rules. For example, `policy/roles.rego` enforces that all `Role` resources declare an explicit namespace.
75
87
76
88
kube-linter checks can be tuned in [.kube-linter.yaml](.kube-linter.yaml). To exclude a check, add its name under the `exclude` key.
77
89
78
-
## Running end-to-end tests
90
+
###Running end-to-end tests
79
91
A comprehensive end-to-end test suite is available to verify the issuer code works against cert-manager and a Keyfactor Command instance.
80
92
81
93
Instructions on how to run the end-to-end test suite can be found [here](./e2e/README.md).
|`secretConfig.useClusterRoleForSecretAccess`| Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole |`false`|
76
+
|`secretConfig.useClusterRoleForConfigMapAccess`| Specifies if the ServiceAccount should be granted access to the ConfigMap resource using a ClusterRole |`false`|
77
+
|`crd.create`| Specifies if CRDs will be created |`true`|
78
+
|`crd.annotations`| Annotations to add to the CRD |`{}`|
79
+
|`serviceAccount.create`| Specifies if a service account should be created |`true`|
80
+
|`serviceAccount.labels`| Labels to add to the service account |`{}`|
81
+
|`serviceAccount.annotations`| Annotations to add to the service account |`{}`|
82
+
|`serviceAccount.name`| Name of the service account to use |`""` (uses the fullname template if `create` is true) |
80
83
|`serviceAccount.automountServiceAccountToken`| Controls whether Kubernetes automatically mounts the service account token into the pod. When `false` (default), a projected volume is used instead, giving explicit control over token expiration and file permissions. Setting to `true` uses Kubernetes' default token mount, which has no expiration and is less restrictive — only recommended if the projected volume approach causes compatibility issues. |`false`|
81
84
|`serviceAccount.projectedTokenVolume.expirationSeconds`| Lifetime in seconds of the projected service account token. The kubelet will rotate the token before it expires. Only applies when `automountServiceAccountToken` is `false`. |`3607`|
82
-
|`serviceAccount.projectedTokenVolume.defaultMode`| File permission bits for the projected token volume. Only applies when `automountServiceAccountToken` is `false`. |`0444`|
83
-
|`podAnnotations`| Annotations for the pod |`{}`|
84
-
|`podSecurityContext.runAsNonRoot`| Run pod as non-root |`true`|
85
-
|`securityContext`| Security context for the pod |`{}` (with commented out options) |
86
-
|`resources`| CPU/Memory resource requests/limits |`{}` (with commented out options) |
87
-
|`nodeSelector`| Node labels for pod assignment |`{}`|
88
-
|`tolerations`| Tolerations for pod assignment |`[]`|
89
-
|`env`| Environmental variables set for pod |`{}`|
90
-
|`secretConfig.useClusterRoleForSecretAccess`| Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole |`false`|
91
-
|`defaultHealthCheckInterval`| Specifies the default health check interval for issuers |`""` (uses the default in the code which is 10 minutes) |
85
+
|`serviceAccount.projectedTokenVolume.defaultMode`| File permission bits for the projected token volume. Only applies when `automountServiceAccountToken` is `false`. |`0444`|
86
+
|`podLabels`| Labels for the pod |`{}`|
87
+
|`podAnnotations`| Annotations for the pod |`{}`|
88
+
|`podSecurityContext.runAsNonRoot`| Run pod as non-root |`true`|
89
+
|`securityContext`| Security context for the pod |`{}` (with commented out options) |
90
+
|`resources`| CPU/Memory resource requests/limits |`{}` (with commented out options) |
91
+
|`nodeSelector`| Node labels for pod assignment |`{}`|
92
+
|`tolerations`| Tolerations for pod assignment |`[]`|
93
+
|`priorityClassName`| Priority class to set for pod |`""`|
94
+
|`defaultHealthCheckInterval`| Specifies the default health check interval for issuers |`""` (uses the default in the code which is 10 minutes)|
95
+
|`env`| Environmental variables set for pod |`{}`|
0 commit comments