Merge 2.3.0 to main

Author: doebrowsk

CHANGELOG.md

@@ -1,3 +1,11 @@
+# v2.3.0
+## Features
+- Added support for `OwnerRoleName` and `OwnerRoleId` to Issuer specification, which will specify the owner of the enrolling certificate.
+
+## Chores
+- Update e2e tests to test ClusterIssuer resource
+- Refactor code for better unit testability
+
 # v2.2.0
 ## Features
 - Added support for enrolling CSRs with [Enrollment Patterns](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm), a new feature introduced in Keyfactor Command 25.1. [Release notes](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReleaseNotes/Release2511.htm)

README.md

@@ -231,6 +231,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     export CERTIFICATE_TEMPLATE_SHORT_NAME="<certificateTemplateShortName>"
     export ENROLLMENT_PATTERN_NAME="<enrollmentPatternName>"
     export ENROLLMENT_PATTERN_ID="<enrollmentPatternId>"
+    export OWNER_ROLE_ID="<ownerRoleId>"
+    export OWNER_ROLE_NAME="<ownerRoleName>"
     ```
 
     The `spec` field of both the Issuer and ClusterIssuer resources use the following fields:
@@ -245,6 +247,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     | enrollmentPatternId     | The ID of the [Enrollment Pattern](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm) to use when this Issuer/ClusterIssuer enrolls CSRs. **Supported by Keyfactor Command 25.1 and above**. If `certificateTemplate` and `enrollmentPatternId` are both specified, the enrollment pattern parameter will take precedence. If `enrollmentPatternId` and `enrollmentPatternName` are both specified, `enrollmentPatternId` will take precedence. Enrollment will fail if the specified certificate template is not compatible with the enrollment pattern.                                                                        |
     | enrollmentPatternName     | The Name of the [Enrollment Pattern](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm) to use when this Issuer/ClusterIssuer enrolls CSRs. **Supported by Keyfactor Command 25.1 and above**. If `certificateTemplate` and `enrollmentPatternName` are both specified, the enrollment pattern parameter will take precedence. If `enrollmentPatternId` and `enrollmentPatternName` are both specified, `enrollmentPatternId` will take precedence. Enrollment will fail if the specified certificate template is not compatible with the enrollment pattern. If using `enrollmentPatternName`, your security role must have `/enrollment_pattern/read/` permission.                                                                       |
     | certificateTemplate     | The Short Name of the Certificate Template to use when this Issuer/ClusterIssuer enrolls CSRs. **Deprecated in favor of [Enrollment Patterns](https://software.keyfactor.com/Core-OnPrem/Current/Content/WebAPI/KeyfactorAPI/Enrollment-Patterns.htm) as of Keyfactor Command 25.1**. If `certificateTemplate` and either `enrollmentPatternName` or `enrollmentPatternId` are specified, the enrollment pattern parameter will take precedence. Enrollment will fail if the specified certificate template is not compatible with the enrollment pattern.                                                                      |
+    | ownerRoleId     | The ID of the security role assigned as the certificate owner. The security role must be assigned to the identity context of the issuer. If `ownerRoleId` and `ownerRoleName` are both specified, `ownerRoleId` will take precedence. This field is **required** if the enrollment pattern, certificate template, or system-wide setting requires it. |
+    | ownerRoleName     | The name of the security role assigned as the certificate owner. The security role must be assigned to the identity context of the issuer. If `ownerRoleId` and `ownerRoleName` are both specified, `ownerRoleId` will take precedence. This field is **required** if the enrollment pattern, certificate template, or system-wide setting requires it. |
     | scopes     | (Optional) Required if using ambient credentials with Azure AKS. If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable.   |
      | audience     | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`.  |
 
@@ -274,6 +278,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           enrollmentPatternId: "$ENROLLMENT_PATTERN_ID" # Only supported on Keyfactor Command 25.1 and above.
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME" # Required if using Keyfactor Command 24.4 and below.
           # enrollmentPatternName: "$ENROLLMENT_PATTERN_NAME" # Only supported on Keyfactor Command 25.1 and above.
+          # ownerRoleId: "$OWNER_ROLE_ID" # Uncomment if required
+          # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
@@ -302,6 +308,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           enrollmentPatternId: "$ENROLLMENT_PATTERN_ID" # Only supported on Keyfactor Command 25.1 and above.
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME" # Required if using Keyfactor Command 24.4 and below.
           # enrollmentPatternName: "$ENROLLMENT_PATTERN_NAME" # Only supported on Keyfactor Command 25.1 and above.
+          # ownerRoleId: "$OWNER_ROLE_ID" # Uncomment if required
+          # ownerRoleName: "$OWNER_ROLE_NAME" # Uncomment if required
           # scopes: "openid email https://example.com/.default" # Uncomment if required
           # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
@@ -372,13 +380,15 @@ kubectl get secret command-certificate -o jsonpath='{.data.tls\.crt}' | base64 -
 
 ## Overriding the Issuer/ClusterIssuer `spec` using Kubernetes Annotations on CertificateRequest Resources
 
-Command Issuer allows you to override the `certificateAuthorityHostname`, `certificateAuthorityLogicalName`, `certificateTemplate`, `enrollmentPatternName`, and `enrollmentPatternId` by setting Kubernetes Annotations on CertificateRequest resources. This may be useful if certain enrollment scenarios require a different Certificate Authority or Certificate Template, but you don't want to create a new Issuer/ClusterIssuer.
+Command Issuer allows you to override the `certificateAuthorityHostname`, `certificateAuthorityLogicalName`, `certificateTemplate`, `enrollmentPatternName`,`enrollmentPatternId`, `ownerRoleId`, and `ownerRoleName` by setting Kubernetes Annotations on CertificateRequest resources. This may be useful if certain enrollment scenarios require a different Certificate Authority or Certificate Template, but you don't want to create a new Issuer/ClusterIssuer.
 
 - `command-issuer.keyfactor.com/certificateAuthorityHostname` overrides `certificateAuthorityHostname`
 - `command-issuer.keyfactor.com/certificateAuthorityLogicalName` overrides `certificateAuthorityLogicalName`
 - `command-issuer.keyfactor.com/certificateTemplate` overrides `certificateTemplate`
 - `command-issuer.keyfactor.com/enrollmentPatternName` overrides `enrollmentPatternName`
 - `command-issuer.keyfactor.com/enrollmentPatternId` overrides `enrollmentPatternId`. Needs to be in string format.
+- `command-issuer.keyfactor.com/ownerRoleId` overrides `ownerRoleId`. Needs to be in string format.
+- `command-issuer.keyfactor.com/ownerRoleName` overrides `ownerRoleName`.
 
 > cert-manager copies Annotations set on Certificate resources to the corresponding CertificateRequest.
 
@@ -392,6 +402,8 @@ Command Issuer allows you to override the `certificateAuthorityHostname`, `certi
 > kind: Certificate
 > metadata:
 >   annotations:
+>     command-issuer.keyfactor.com/ownerRoleId: "1234"
+>     command-issuer.keyfactor.com/ownerRoleName: "Certificate Admin"
 >     command-issuer.keyfactor.com/enrollmentPatternId: "1234"
 >     command-issuer.keyfactor.com/enrollmentPatternName: "Kubernetes Enrollment Pattern"
 >     command-issuer.keyfactor.com/certificateTemplate: "Ephemeral2day"

api/v1alpha1/issuer_types.go

@@ -66,6 +66,20 @@ type IssuerSpec struct {
 	// Refer to the Keyfactor Command documentation for more information.
 	CertificateTemplate string `json:"certificateTemplate,omitempty"`
 
+	// OwnerRoleId is the ID of the security role assigned as the certificate owner.
+	// The specified security role must be assigned to the authorized identity context.
+	// If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+	// This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+	// + optional
+	OwnerRoleId int32 `json:"ownerRoleId,omitempty"`
+
+	// OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
+	// The specified security role must be assigned to the authorized identity context.
+	// If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+	// This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+	// + optional
+	OwnerRoleName string `json:"ownerRoleName,omitempty"`
+
 	// CertificateAuthorityLogicalName is the logical name of the certificate authority to use
 	// E.g. "Keyfactor Root CA" or "Intermediate CA"
 	CertificateAuthorityLogicalName string `json:"certificateAuthorityLogicalName,omitempty"`

config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml

@@ -85,6 +85,21 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
+              ownerRoleId:
+                description: |-
+                  OwnerRoleId is the ID of the security role assigned as the certificate owner.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: integer
+                format: int32
+              ownerRoleName:
+                description: |-
+                  OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: string
               certificateTemplate:
                 description: |-
                   CertificateTemplate is the name of the certificate template to use. Deprecated in favor of EnrollmentPattern as of Keyfactor Command 25.1.

config/crd/bases/command-issuer.keyfactor.com_issuers.yaml

@@ -85,6 +85,21 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
+              ownerRoleId:
+                description: |-
+                  OwnerRoleId is the ID of the security role assigned as the certificate owner.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: integer
+                format: int32
+              ownerRoleName:
+                description: |-
+                  OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: string
               certificateTemplate:
                 description: |-
                   CertificateTemplate is the name of the certificate template to use. Deprecated in favor of EnrollmentPattern as of Keyfactor Command 25.1.

deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml

@@ -79,6 +79,21 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
+              ownerRoleId:
+                description: |-
+                  OwnerRoleId is the ID of the security role assigned as the certificate owner.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: integer
+                format: int32
+              ownerRoleName:
+                description: |-
+                  OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: string
               certificateTemplate:
                 description: |-
                   CertificateTemplate is the name of the certificate template to use. Deprecated in favor of EnrollmentPattern as of Keyfactor Command 25.1.

deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml

@@ -79,6 +79,21 @@ spec:
                   Enrollment will fail if the specified template is not compatible with the enrollment pattern.
                   Refer to the Keyfactor Command documentation for more information.
                 type: string
+              ownerRoleId:
+                description: |-
+                  OwnerRoleId is the ID of the security role assigned as the certificate owner.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: integer
+                format: int32
+              ownerRoleName:
+                description: |-
+                  OwnerRoleName is the name of the security role assigned as the certificate owner. This name must match the existing name of the security role.
+                  The specified security role must be assigned to the authorized identity context.
+                  If OwnerRoleId and OwnerRoleName are both specified, OwnerRoleId will take precedence.
+                  This field is required if the enrollment pattern, certificate template, or system-wide settings has been configured as Required.
+                type: string
               certificateTemplate:
                 description: |-
                   CertificateTemplate is the name of the certificate template to use. Deprecated in favor of EnrollmentPattern as of Keyfactor Command 25.1.