CHANGELOG.md (10 additions & 0 deletions)
@@ -1,3 +1,13 @@
1
+
# v2.5.0
2
+
## Features
3
+
- Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the `caBundleConfigMapName` specification.
4
+
- Add support for specifying a key on a Secret / ConfigMap resource for the CA trust bundle via the `caBundleKey` specification on an Issuer / ClusterIssuer resource.
5
+
- Add a timeout when fetching ambient Azure credentials to move onto other ambient credential methods.
6
+
7
+
## Chores
8
+
- Add documentation for how to configure command-cert-manager-issuer with ambient credentials on Google Kubernetes Engine (GKE).
9
+
- Add documentation for configuring CA trust bundles via Secret and ConfigMap resources using trust-manager.
10
+
1
11
# v2.4.0
2
12
## Features
3
13
- Add a `healthcheck` specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.
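Review bot: the v2.5.0 Features entry "Add a timeout when fetching ambient Azure credentials to move onto other ambient credential methods" does not say what the timeout is or whether it is configurable; since it changes authentication behaviour (a slow Azure token fetch now falls through to the next method instead of failing), state the duration and where it is set. The `caBundleKey` entry should also mention the fallback when the key is omitted, because that fallback is the part an operator needs to know about. Minor: "Add support to specify a ConfigMap" reads better as "Add support for specifying a ConfigMap", matching the next bullet.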
> For all possible configuration values for the command-cert-manager-issuer Helm chart, please refer to [this list](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
147
161
> For all possible configuration values for the command-cert-manager-issuer Helm chart, please refer to [this list](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
148
162
149
163
> The Helm chart installs the Command Issuer CRDs by default. The CRDs can be installed manually with the `make install` target.
150
164
165
+
> A list of configurable Helm chart parameters can be found [in the Helm chart docs](./deploy/charts/command-cert-manager-issuer/README.md#configuration)
166
+
151
167
# Authentication
152
168
153
169
## Explicit Credentials
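Review bot: the added line "> A list of configurable Helm chart parameters can be found [in the Helm chart docs](./deploy/charts/command-cert-manager-issuer/README.md#configuration)" links the same README anchor as the existing "> For all possible configuration values for the command-cert-manager-issuer Helm chart, please refer to [this list](...)" a few lines above; keep one of the two so the install section does not send readers to the same page twice.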
@@ -166,6 +182,7 @@ These credentials must be configured using a Kubernetes Secret. By default, the
166
182
Command Issuer also supports ambient authentication, where a token is fetched from an Authorization Server using a cloud provider's auth infrastructure and passed to Command directly. The following methods are supported:
167
183
168
184
- [Managed Identity Using Azure Entra ID Workload Identity](./docs/ambient-providers/azure.md) (if running in [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service))
185
+
- [Workload Identity Using Google Kubernetes Engine](./docs/ambient-providers/google.md) (if running in [GKE](https://cloud.google.com/kubernetes-engine))
169
186
170
187
If you are running your Kubernetes workload in a cloud provider not listed above, you can use workload identity federation with [Azure AD](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation).
171
188
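Review bot: with the GKE bullet added, the sentence that follows the list ("If you are running your Kubernetes workload in a cloud provider not listed above, you can use workload identity federation with [Azure AD](...)") still describes only the Azure route; say explicitly that the federation path goes through the Azure method above, or reword so it does not read as if it were the only option now that two providers are listed.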
@@ -212,11 +229,7 @@ This section has moved. Please refer to [this link](./docs/ambient-providers/azu
212
229
213
230
# CA Bundle
214
231
215
-
If the Command API is configured to use a self-signed certificate or with a certificate whose issuer isn't widely trusted, the CA certificate must be provided as a Kubernetes secret.
This section has been moved. Please refer to the new [CA Bundle docs](./docs/ca-bundle/README.md) documentation regarding CA trust with command-cert-manager-issuer.
220
233
221
234
# Creating Issuer and ClusterIssuer resources
222
235
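Review bot: the replacement stub "This section has been moved. Please refer to the new [CA Bundle docs](./docs/ca-bundle/README.md) documentation regarding CA trust" doubles "docs ... documentation" and differs from the wording used for the Azure stub in the hunk header context ("This section has moved. Please refer to [this link]"); use one phrasing for both. The removed sentence was also the only place in the README that stated a CA bundle is required when the Command API certificate is self-signed or not widely trusted; keep one sentence to that effect in the stub so readers do not conclude TLS trust configuration is optional.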
@@ -243,7 +256,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
243
256
| hostname | The hostname of the Command API Server. |
244
257
| apiPath | (optional) The base path of the Command REST API. Defaults to `KeyfactorAPI`. |
245
258
| commandSecretName | (optional) The name of the Kubernetes secret containing basic auth credentials or OAuth 2.0 credentials. Omit if using ambient credentials. |
246
-
| caSecretName | (optional) The name of the Kubernetes secret containing the CA certificate. Required if the Command API uses a self-signed certificate or it was signed by a CA that is not widely trusted. |
259
+
| caSecretName | (optional) The name of the Kubernetes secret containing the CA certificate trust chain. See the [CA Bundle docs](./docs/ca-bundle/README.md) for more information. |
260
+
| caBundleConfigMapName | (optional) The name of the Kubernetes ConfigMap containing the CA certificate trust chain. See the [CA Bundle docs](./docs/ca-bundle/README.md) for more information. |
261
+
| caBundleKey | (optional) The name of the key in the ConfigMap or Secret specified by `caSecretName` or `caBundleConfigMapName` that contains the CA bundle. If omitted, the last key of the ConfigMap / Secret resource will be used. |
247
262
| certificateAuthorityLogicalName | The logical name of the Certificate Authority to use in Command. For example, `Sub-CA` |
248
263
| certificateAuthorityHostname | (optional) The hostname of the Certificate Authority specified by `certificateAuthorityLogicalName`. This field is usually only required if the CA in Command is a DCOM (MSCA-like) CA. |
249
264
| enrollmentPatternId | The ID of the [Enrollment Pattern](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm) to use when this Issuer/ClusterIssuer enrolls CSRs. **Supported by Keyfactor Command 25.1 and above**. If `certificateTemplate` and `enrollmentPatternId` are both specified, the enrollment pattern parameter will take precedence. If `enrollmentPatternId` and `enrollmentPatternName` are both specified, `enrollmentPatternId` will take precedence. Enrollment will fail if the specified certificate template is not compatible with the enrollment pattern. |
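Review bot: the `caBundleKey` row says "If omitted, the last key of the ConfigMap / Secret resource will be used", but `data` on a ConfigMap or Secret is a map with no inherent order, so "last" is undefined unless the controller sorts keys; document the ordering (or require `caBundleKey` whenever the resource has more than one key and fail closed), because silently picking a different entry changes which CA the controller trusts. The table also does not say what happens when both `caSecretName` and `caBundleConfigMapName` are set; state the precedence or that they are mutually exclusive, as the `enrollmentPatternId` row does for its overlapping fields.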
@@ -276,7 +291,9 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
276
291
hostname: "$HOSTNAME"
277
292
apiPath: "/KeyfactorAPI" # Preceding & trailing slashes are handled automatically
278
293
commandSecretName: "command-secret" # references the secret created above. Omit if using ambient credentials.
279
-
caSecretName: "command-ca-secret" # references the secret created above
294
+
# caSecretName: "command-ca-secret" # references a secret containing the CA trust chain (see CA Bundle docs for more info)
295
+
# caBundleConfigMapName: "command-ca-configmap" # references a configmap containing the CA trust chain (see CA Bundle docs for more info)
296
+
# caBundleKey: "ca.crt" # references the key in the secret/configmap containing the CA trust chain (see CA Bundle docs for more info)
280
297
281
298
# certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
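Review bot: with `caSecretName`, `caBundleConfigMapName` and `caBundleKey` all commented out, the sample manifest no longer shows the working case that the removed `caSecretName: "command-ca-secret" # references the secret created above` line did; either leave `caSecretName` active or add a one-line comment above the three that exactly one of `caSecretName` / `caBundleConfigMapName` must be set when the Command API certificate is not publicly trusted. The `caBundleKey` comment could also note the default behaviour when it is omitted, since the README table describes it.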
"Set this flag to true if the config map access is granted at cluster level. This will allow the controller to access config maps in any namespace. ")
91
94
opts:= zap.Options{
92
95
Development: true,
93
96
}
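Review bot: the new flag description string ends with a trailing space before the closing quote ("...in any namespace. "), which shows up in `--help` output; trim it. It would also help to state the default and the RBAC consequence in the description: when the flag is false the service account only needs Get/List/Watch on ConfigMaps in the cluster resource namespace, which is the least-privilege configuration.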
@@ -130,16 +133,31 @@ func main() {
130
133
}
131
134
132
135
varcacheOpts cache.Options
133
-
ifsecretAccessGrantedAtClusterLevel {
134
-
setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
135
-
} else {
136
-
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
136
+
137
+
// Build the ByObject map if either resource is namespace-scoped
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
148
+
}
149
+
150
+
if!configMapAccessGrantedAtClusterLevel {
151
+
setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 ConfigMap resources in the %q namespace", clusterResourceNamespace))
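Review bot: the hunk ends at `if !configMapAccessGrantedAtClusterLevel {` with only the log line visible, so the `cache.Options` `ByObject` entry that restricts the ConfigMap informer to `clusterResourceNamespace` is not in view; confirm the namespace restriction is applied per object type (Secrets and ConfigMaps independently, per the comment "Build the ByObject map if either resource is namespace-scoped") and not only logged, otherwise the message promises a narrower scope than the cache enforces. Also, the removed `if secretAccessGrantedAtClusterLevel { ... } else { ... }` is followed by both the "in the %q namespace" and "at cluster level" Secret messages with no conditional visible between them; make sure exactly one is emitted per resource type.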