Skip to content

Commit b8b9709

Browse files
indrorairbyspbsolubleclaudeCopilot
authored
Merge 2.5.3 to main (#69)
* feat: release 2.5.0 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation * release: 2.5.1 * feat: release 2.5.0 (#62) 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> * feat: add client caching to reduce OAuth token requests Previously, every certificate request reconciliation created a new Command API client, which meant a new OAuth token was fetched for each request. For customers with OAuth provider quotas, this caused rate limiting issues. This change introduces a ClientCache that: - Caches Command API clients by configuration hash - Reuses cached clients across reconciliations for the same issuer - Allows the underlying oauth2 library's token caching to work as intended - Is thread-safe for concurrent reconciliations The cache key is a SHA-256 hash of all configuration fields that affect the client connection (hostname, API path, credentials, scopes, etc.), ensuring different issuers get different clients while the same issuer reuses its client. Fixes: OAuth token re-authentication on every request Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore(scripts): update scripting usability * feat: update keyfactor-auth-client-go to v1.3.1 Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: remove test short circuit Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Revert "Potential fix for pull request finding" This reverts commit 19bc19b. * chore: cleanup Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: break build & test into its own workflow Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: remove lint from CI Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(docs): update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add missing namespace specification + address linting issues (#66) * fix: log errors from Enrollment API call Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: add missing namespaces, add linting to catch issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: add linting Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: address lint issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: apply copilot feedback Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: fix typo Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: copilot suggestions Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * v2.5.3: Patch vulnerable dependencies (#68) * feat: release 2.5.0 (#62) 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> * Merge 2.5.1 to main (#65) * feat: release 2.5.0 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation * release: 2.5.1 * feat: release 2.5.0 (#62) 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> * feat: add client caching to reduce OAuth token requests Previously, every certificate request reconciliation created a new Command API client, which meant a new OAuth token was fetched for each request. For customers with OAuth provider quotas, this caused rate limiting issues. This change introduces a ClientCache that: - Caches Command API clients by configuration hash - Reuses cached clients across reconciliations for the same issuer - Allows the underlying oauth2 library's token caching to work as intended - Is thread-safe for concurrent reconciliations The cache key is a SHA-256 hash of all configuration fields that affect the client connection (hostname, API path, credentials, scopes, etc.), ensuring different issuers get different clients while the same issuer reuses its client. Fixes: OAuth token re-authentication on every request Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore(scripts): update scripting usability * feat: update keyfactor-auth-client-go to v1.3.1 Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: remove test short circuit Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Revert "Potential fix for pull request finding" This reverts commit 19bc19b. * chore: cleanup Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: break build & test into its own workflow Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: remove lint from CI Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(docs): update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Merge 2.5.2 to main (#67) * feat: release 2.5.0 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation * release: 2.5.1 * feat: release 2.5.0 (#62) 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> * feat: add client caching to reduce OAuth token requests Previously, every certificate request reconciliation created a new Command API client, which meant a new OAuth token was fetched for each request. For customers with OAuth provider quotas, this caused rate limiting issues. This change introduces a ClientCache that: - Caches Command API clients by configuration hash - Reuses cached clients across reconciliations for the same issuer - Allows the underlying oauth2 library's token caching to work as intended - Is thread-safe for concurrent reconciliations The cache key is a SHA-256 hash of all configuration fields that affect the client connection (hostname, API path, credentials, scopes, etc.), ensuring different issuers get different clients while the same issuer reuses its client. Fixes: OAuth token re-authentication on every request Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore(scripts): update scripting usability * feat: update keyfactor-auth-client-go to v1.3.1 Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: remove test short circuit Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Revert "Potential fix for pull request finding" This reverts commit 19bc19b. * chore: cleanup Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: break build & test into its own workflow Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: remove lint from CI Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(docs): update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add missing namespace specification + address linting issues (#66) * fix: log errors from Enrollment API call Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: add missing namespaces, add linting to catch issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: add linting Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: address lint issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: apply copilot feedback Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: fix typo Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: copilot suggestions Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * chore(deps): patch vulnerable dependencies Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix(tests): fix test failures caused by merge conflict resolution issue Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(docs): update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(ci): update trigger for dependency review Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(ci): address copilot feedback Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent 9d03316 commit b8b9709

7 files changed

Lines changed: 89 additions & 727 deletions

File tree

.github/workflows/test.yml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,3 +72,16 @@ jobs:
7272
7373
- name: Lint Helm manifests
7474
run: make lint-manifests
75+
76+
dependency-review:
77+
name: Dependency Review
78+
runs-on: ubuntu-latest
79+
if: github.event_name == 'pull_request'
80+
steps:
81+
- name: Checkout code
82+
uses: actions/checkout@v5
83+
84+
- name: Dependency Review
85+
uses: actions/dependency-review-action@v5
86+
with:
87+
fail-on-severity: critical

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,10 @@
1+
# v2.5.3
2+
## Security
3+
- Updated dependencies to address various security vulnerabilities:
4+
- google.golang.org/grpc -> v1.79.3 (CVE-2026-33186)
5+
- github.com/Azure/go-ntlmssp -> v0.1.1 (CVE-2026-32952)
6+
- golang.org/x/crypto -> v0.46.0 (CVE-2025-58181 & CVE-2025-47914)
7+
18
# v2.5.2
29
## Fixes
310
- Fixes an issue where a namespace may not be properly applied if applying the Helm template without a namespace specified / using `kubectl apply -f` directly with the rendered template.

Makefile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,10 @@ lint: golangci-lint ## Run golangci-lint linter & yamllint
8383
lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
8484
$(GOLANGCI_LINT) run --fix
8585

86+
.PHONY: fix
87+
fix:
88+
go fix ./...
89+
8690
.PHONY: helm-template
8791
helm-template: ## Render Helm chart templates to stdout (includes CRDs).
8892
helm template $(HELM_RELEASE_NAME) $(HELM_CHART_DIR) --include-crds

go.mod

Lines changed: 17 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,9 @@ require (
66
github.com/Keyfactor/keyfactor-auth-client-go v1.3.1
77
github.com/Keyfactor/keyfactor-go-client-sdk/v25 v25.0.2
88
github.com/cert-manager/cert-manager v1.16.2
9-
github.com/go-logr/logr v1.4.2
10-
github.com/stretchr/testify v1.10.0
11-
golang.org/x/oauth2 v0.30.0
9+
github.com/go-logr/logr v1.4.3
10+
github.com/stretchr/testify v1.11.1
11+
golang.org/x/oauth2 v0.34.0
1212
k8s.io/api v0.31.1
1313
k8s.io/apimachinery v0.31.1
1414
k8s.io/client-go v0.31.1
@@ -24,23 +24,23 @@ require (
2424
github.com/google/s2a-go v0.1.9 // indirect
2525
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
2626
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
27-
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
27+
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
2828
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
29-
go.opentelemetry.io/otel v1.34.0 // indirect
30-
go.opentelemetry.io/otel/metric v1.34.0 // indirect
31-
go.opentelemetry.io/otel/trace v1.34.0 // indirect
32-
google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
33-
google.golang.org/grpc v1.70.0 // indirect
29+
go.opentelemetry.io/otel v1.39.0 // indirect
30+
go.opentelemetry.io/otel/metric v1.39.0 // indirect
31+
go.opentelemetry.io/otel/trace v1.39.0 // indirect
32+
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
33+
google.golang.org/grpc v1.79.3 // indirect
3434
)
3535

3636
require (
37-
cloud.google.com/go/compute/metadata v0.6.0 // indirect
37+
cloud.google.com/go/compute/metadata v0.9.0 // indirect
3838
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
3939
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
4040
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
4141
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 // indirect
4242
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
43-
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
43+
github.com/Azure/go-ntlmssp v0.1.1 // indirect
4444
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
4545
github.com/beorn7/perks v1.0.1 // indirect
4646
github.com/blang/semver/v4 v4.0.0 // indirect
@@ -86,16 +86,16 @@ require (
8686
github.com/x448/float16 v0.8.4 // indirect
8787
go.uber.org/multierr v1.11.0 // indirect
8888
go.uber.org/zap v1.27.0 // indirect
89-
golang.org/x/crypto v0.39.0 // indirect
89+
golang.org/x/crypto v0.46.0 // indirect
9090
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
91-
golang.org/x/net v0.41.0
92-
golang.org/x/sys v0.33.0 // indirect
93-
golang.org/x/term v0.32.0 // indirect
94-
golang.org/x/text v0.26.0 // indirect
91+
golang.org/x/net v0.48.0
92+
golang.org/x/sys v0.39.0 // indirect
93+
golang.org/x/term v0.38.0 // indirect
94+
golang.org/x/text v0.32.0 // indirect
9595
golang.org/x/time v0.10.0 // indirect
9696
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
9797
google.golang.org/api v0.223.0
98-
google.golang.org/protobuf v1.36.5 // indirect
98+
google.golang.org/protobuf v1.36.10 // indirect
9999
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
100100
gopkg.in/inf.v0 v0.9.1 // indirect
101101
gopkg.in/yaml.v2 v2.4.0 // indirect

0 commit comments

Comments
 (0)