Merge 52443ce into 779a221

Author: irby

.github/workflows/keyfactor-bootstrap-workflow.yml

@@ -12,7 +12,7 @@ on:
 jobs:
 
   build:
-    name: Build and Lint
+    name: Build and Check CRDs
     runs-on: ubuntu-latest
     timeout-minutes: 8
     steps:
@@ -23,11 +23,17 @@ jobs:
           cache: true
       - run: go mod download
       - run: go build -v ./cmd/main.go
+      - name: Regenerate CRDs
+        run: make generate manifests
+      - name: Check for CRD drift
+        run: |
+          git diff --compact-summary --exit-code || \
+            (echo; echo "Unexpected difference in directories after code generation. Run 'make generate manifests' and commit."; exit 1)
       # - name: Run linters
       #   uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
       #   with:
       #     version: latest
-
+    
   test:
     name: Go Test
     needs: build

CHANGELOG.md

@@ -1,3 +1,7 @@
+# v2.3.3
+## Features
+- Add a `healthcheck` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
+
 # v2.3.1
 ## Fixes
 - Add a manual dispatch of Helm chart release.

README.md

@@ -251,6 +251,7 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     | ownerRoleName     | The name of the security role assigned as the certificate owner. The security role must be assigned to the identity context of the issuer. If `ownerRoleId` and `ownerRoleName` are both specified, `ownerRoleId` will take precedence. This field is **required** if the enrollment pattern, certificate template, or system-wide setting requires it. |
     | scopes     | (Optional) Required if using ambient credentials with Azure AKS. If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable.   |
      | audience     | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`.  |
+     | healthCheckIntervalSeconds | (Optional) Defines the health check interval, in seconds, for a healthy issuer. If ommitted, defaults to 60 seconds. If set to 0, it will disable the health check. If there is a failure when running the health check, it will retry in 10 seconds with an exponential backoff strategy. Value must not be negative. |
 
     > If a different combination of hostname/certificate authority/certificate template is required, a new Issuer or ClusterIssuer resource must be created. Each resource instantiation represents a single configuration.
 
@@ -282,6 +283,7 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
+          # healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
         EOF
 
         kubectl -n default apply -f issuer.yaml
@@ -312,6 +314,7 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
+          # healthCheckIntervalSeconds: 60 # Uncomment if desired. Setting to 0 disables health check.
         EOF
 
         kubectl apply -f clusterissuer.yaml

api/v1alpha1/issuer_types.go

@@ -46,6 +46,11 @@ type IssuerSpec struct {
 	// +kubebuilder:default:=KeyfactorAPI
 	APIPath string `json:"apiPath,omitempty"`
 
+	// The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+	// a health check to determine issuer's connectivity to Command instance.
+	// +kubebuilder:validation:Optional
+	HealthCheck *HealthCheckConfig `json:"healthcheck,omitempty"`
+
 	// EnrollmentPatternId is the ID of the enrollment pattern to use. Supported in Keyfactor Command 25.1 and later.
 	// If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
 	// If EnrollmentPatternId and EnrollmentPatternName are both specified, EnrollmentPatternId will take precedence.
@@ -279,6 +284,15 @@ const (
 	ConditionUnknown ConditionStatus = "Unknown"
 )
 
+type HealthCheckConfig struct {
+	// Determines whether to the health check when the issuer is healthy. Default: true
+	Enabled bool `json:"enabled"`
+
+	// The interval at which to health check the issuer when healthy. Defaults to 1 minute. Must not be less than "30s".
+	// +kubebuilder:validation:Optional
+	Interval *metav1.Duration `json:"interval"`
+}
+
 func init() {
 	SchemeBuilder.Register(&Issuer{}, &IssuerList{})
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -68,58 +68,74 @@ spec:
                   CertificateAuthorityLogicalName is the logical name of the certificate authority to use
                   E.g. "Keyfactor Root CA" or "Intermediate CA"
                 type: string
+              certificateTemplate:
+                description: |-
+                  Deprecated. CertificateTemplate is the name of the certificate template to use. If using Keyfactor Command 25.1 or later, use EnrollmentPatternName or EnrollmentPatternId instead.
+                  If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
+                  Enrollment will fail if the specified template is not compatible with the enrollment pattern.
+                  Refer to the Keyfactor Command documentation for more information.
+                type: string
+              commandSecretName:
+                description: |-
+                  A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth
+                  credentials for the Command instance configured in Hostname. The secret must
+                  be in the same namespace as the referent. If the
+                  referent is a ClusterIssuer, the reference instead refers to the resource
+                  with the given name in the configured 'cluster resource namespace', which
+                  is set as a flag on the controller component (and defaults to the
+                  namespace that the controller runs in).
+                type: string
               enrollmentPatternId:
                 description: |-
                   EnrollmentPatternId is the ID of the enrollment pattern to use. Supported in Keyfactor Command 25.1 and later.
                   If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
-                  If both enrollmentPatternId and enrollmentPatternName are specified, enrollmentPatternId will take precedence.
+                  If EnrollmentPatternId and EnrollmentPatternName are both specified, EnrollmentPatternId will take precedence.
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
-                type: integer
                 format: int32
+                type: integer
               enrollmentPatternName:
                 description: |-
                   EnrollmentPatternName is the name of the enrollment pattern to use. Supported in Keyfactor Command 25.1 and later.
                   If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
-                  If both enrollmentPatternId and enrollmentPatternName are specified, enrollmentPatternId will take precedence.
+                  If EnrollmentPatternId and EnrollmentPatternName are both specified, EnrollmentPatternId will take precedence.
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
+              healthcheck:
+                description: |-
+                  The healthcheck configuration for the issuer. This configures the frequency at which the issuer will perform
+                  a health check to determine issuer's connectivity to Command instance.
+                properties:
+                  enabled:
+                    description: 'Determines whether to the health check when the
+                      issuer is healthy. Default: true'
+                    type: boolean
+                  interval:
+                    description: The interval at which to health check the issuer
+                      when healthy. Defaults to 1 minute. Must not be less than "30s".
+                    type: string
+                required:
+                - enabled
+                type: object
+              hostname:
+                description: Hostname is the hostname of a Keyfactor Command instance.
+                type: string
               ownerRoleId:
                 description: |-
                   OwnerRoleId is the ID of the security role assigned as the certificate owner.
                   The specified security role must be assigned to the authorized identity context.
                   If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
                   This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
-                type: integer
                 format: int32
+                type: integer
               ownerRoleName:
                 description: |-
                   OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
                   The specified security role must be assigned to the authorized identity context.
                   If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
                   This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
                 type: string
-              certificateTemplate:
-                description: |-
-                  CertificateTemplate is the name of the certificate template to use. Deprecated in favor of EnrollmentPattern as of Keyfactor Command 25.1.
-                  If both enrollment pattern and certificate template are specified, enrollment pattern will take precedence.
-                  Enrollment will fail if the specified template is not compatible with the enrollment pattern.
-                  Refer to the Keyfactor Command documentation for more information.
-                type: string
-              commandSecretName:
-                description: |-
-                  A reference to a K8s kubernetes.io/basic-auth Secret containing basic auth
-                  credentials for the Command instance configured in Hostname. The secret must
-                  be in the same namespace as the referent. If the
-                  referent is a ClusterIssuer, the reference instead refers to the resource
-                  with the given name in the configured 'cluster resource namespace', which
-                  is set as a flag on the controller component (and defaults to the
-                  namespace that the controller runs in).
-                type: string
-              hostname:
-                description: Hostname is the hostname of a Keyfactor Command instance.
-                type: string
               scopes:
                 description: |-
                   A list of comma separated scopes used when requesting a Bearer token from an ambient token provider implied