Merge pull request #17 from Keyfactor/ci-53985

ab#53985

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,46 @@
+
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Bug**
+
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected Behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Screenshots and Logs**
+
+If applicable, add screenshots and logs to help explain your problem.
+
+**Product Deployment** 
+
+Please complete the following information:
+ - Deployment format: [e.g. software, container]
+ - Version [e.g. 8.0.0]
+
+**Desktop**
+
+Please complete the following information:
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Additional Context**
+
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,7 @@
+blank_issues_enabled: true
+
+# Update url below as needed. 
+contact_links:
+  - name: GitHub Discussions
+    url: https://github.com/Keyfactor/ejbca-ce/discussions
+    about: Join in-depth discussions or ask questions

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem or specific use case? Please describe.**
+A clear and concise description of the problem or use case. 
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Product deployment**
+Please complete the following information:
+ - Deployment format: [e.g. software, container]
+ - Version [e.g. 8.0.0]
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -0,0 +1,17 @@
+
+## Describe your changes
+
+<!--- Please describe your changes in detail. Include the motivation for the changes, e.g. what problem it solves or if it fixes a bug. -->
+
+## How has this been tested?
+
+<!--- If relevant, please describe any tests you ran to verify your changes. -->
+
+## Checklist before requesting a review
+<!--- To check or uncheck a box, switch between "[x]" and "[ ]" below. -->
+
+- [ ] I have performed a self-review of my code
+- [ ] I have kept the patch limited to only change the parts related to the patch
+- [ ] This change requires a documentation update
+
+See also [Contributing Guidelines](../../CONTRIBUTING.md).

.github/workflows/release.yml → .github/workflows/helm.yml

@@ -2,7 +2,7 @@ name: Build and Release Helm Chart
 on:
   pull_request:
     branches:
-      - 'v*'
+      - 'release-*'
     types:
       # action should run when the pull request is closed
       # (regardless of whether it was merged or just closed)
@@ -36,14 +36,14 @@ jobs:
       # Set version from DOCKER_METADATA_OUTPUT_VERSION as environment variable
       - name: Set Version
         run: |
-          echo "VERSION=${DOCKER_METADATA_OUTPUT_VERSION:1}" >> $GITHUB_ENV
+          echo "VERSION=${DOCKER_METADATA_OUTPUT_VERSION:8}.0" >> $GITHUB_ENV # Eventually will build this into Keyfactor bootstrap
 
       # Change version and appVersion in Chart.yaml to the tag in the closed PR
       - name: Update Helm App/Chart Version
         shell: bash
         run: |
-          sed -i "s/^version: .*/version: ${{ env.VERSION }}/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
-          sed -i "s/^appVersion: .*/appVersion: \"${{ env.DOCKER_METADATA_OUTPUT_VERSION }}\"/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+          sed -i "s/^version: .*/version: ${{ env.VERSION }}/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"v${{ env.VERSION }}\"/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
 
       # Setup Helm
       # https://github.com/Azure/setup-helm
@@ -65,4 +65,4 @@ jobs:
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:
-          charts_dir: deploy/charts
+          charts_dir: deploy/charts

.github/workflows/keyfactor-workflow.yml

@@ -0,0 +1,21 @@
+name: Keyfactor Release Workflow
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, closed, synchronize, edited, reopened]
+  push:
+  create:
+    branches:
+      - 'release-*.*'
+
+jobs:
+  call-starter-workflow:
+    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    secrets:
+      token: ${{ secrets.V2BUILDTOKEN}}
+      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      docker-user: ${{ secrets.DOCKER_USER }}
+      docker-token:  ${{ secrets.DOCKER_PWD }}

.github/workflows/test.yml

@@ -30,4 +30,35 @@ jobs:
       - name: Run linters
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
-          version: latest
+          version: latest
+
+  test:
+    name: Go Test
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Setup GoLang build environment
+      # https://github.com/actions/setup-go
+      - name: Set up Go 1.x
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      # Deploy an ephemeral EJBCA and SignServer for CI testing
+      - uses: m8rmclaren/ejbca-signserver-k8s@main
+        with:
+          deploy-k8s: 'true'
+          deploy-nginx-ingress: 'true'
+
+      # Run Go tests
+      - name: Run go test
+        run: go test -v ./...
+        env:
+          EJBCA_CSR_SUBJECT: "CN=ejbca_testacc"

CHANGELOG.md

@@ -1,3 +1,11 @@
+# v1.4.0
+
+## Features
+* feat(ci): feat(ci): Deploy ephemeral EJBCA/SignServer server as part of CI/CD test workflow. This enables the controller to be tested against a real CA.
+* feat(ci): Reconcile Keyfactor actions and old workflows to match the new Keyfactor GitHub Actions workflows.
+* feat(helm): Add namespace to resource definitions for helm template generation.
+* feat(signer): Use in-tree cert-manager certificate reconstruction methods when compiling `status`
+
 # v1.3.2
 
 ## Features
@@ -16,4 +24,4 @@
 * feat(helm): Create Helm chart to deploy the controller to a Kubernetes or OpenShift cluster
 
 ## Fixes
-* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
+* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.

CONTRIBUTING.md

@@ -0,0 +1,3 @@
+# Contributing Guidelines
+
+For information on how to contribute to EJBCA and related tools, see [EJBCA Contributing Guidelines](https://github.com/Keyfactor/ejbca-ce/blob/main/CONTRIBUTING.md). 

README.md

@@ -1,5 +1,34 @@
-<a href="https://kubernetes.io">
-    <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" alt="Terraform logo" title="K8s" align="left" height="50" />
+
+# ejbca-cert-manager-issuer
+
+cert-manager external issuer for EJBCA
+
+#### Integration status: Pilot - Ready for use in test environments. Not for use in production.
+
+## About the Keyfactor API Client
+
+This API client allows for programmatic management of Keyfactor resources.
+
+## Support for ejbca-cert-manager-issuer
+
+ejbca-cert-manager-issuer is open source and supported on best effort level for this tool/library/client.  This means customers can report Bugs, Feature Requests, Documentation amendment or questions as well as requests for customer information required for setup that needs Keyfactor access to obtain. Such requests do not follow normal SLA commitments for response or resolution. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com/
+
+###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
+
+---
+
+
+---
+
+
+
+<!--EJBCA Community logo -->
+<a href="https://ejbca.org">
+    <img src=".github/images/community-ejbca.png?raw=true)" alt="EJBCA logo" title="EJBCA" height="70" />
+</a>
+<!--EJBCA Enterprise logo -->
+<a href="https://www.keyfactor.com/products/ejbca-enterprise/">
+    <img src=".github/images/keyfactor-ejbca-enterprise.png?raw=true)" alt="EJBCA logo" title="EJBCA" height="70" />
 </a>
 
 # Keyfactor EJBCA Issuer for cert-manager
@@ -9,26 +38,36 @@
 
 The EJBCA external issuer for cert-manager allows users to enroll certificates from Keyfactor EJBCA using cert-manager.
 
-Cert-manager is a native Kubernetes certificate management controller which allows applications to get their certificates from a variety of CAs (Certification Authorities). It ensures certificates are valid and up to date, it also attempts to renew certificates at a configured time before expiration.
+Cert-manager is a native Kubernetes certificate management controller that allows applications to get their certificates from a variety of CAs (Certification Authorities). It ensures certificates are valid and up to date, it also attempts to renew certificates at a configured time before expiration.
 
-## Community supported
-We welcome contributions.
+## Get started
 
-The cert-manager external issuer for Keyfactor EJBCA is open source and community supported, meaning that there is **no SLA** applicable for these tools.
+* To install the tool, see [Installation](docs/install.md).
+* To configure and use the tool, see: 
+  * [Usage](docs/config_usage.md)
+  * [Customization](docs/annotations.md)
+  * [End Entity Name Selection](docs/endentitynamecustomization.md)
+* To test the tool, see [Testing the Source](docs/testing.md).
 
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, see the [contribution guidelines](https://github.com/Keyfactor/ejbca-k8s-csr-signer/blob/main/CONTRIBUTING.md) and use the **[Pull requests](../../pulls)** tab.
+### System Requirements
 
-## EJBCA API Usage
-The EJBCA Issuer for cert-manager requires the following API endpoints:
-* `/ejbca-rest-api/v1/certificate/pkcs10enroll`
-* `/ejbca/ejbca-rest-api/v1/certificate/status`
+For more information, see [Prerequisites](https://github.com/KarolinHem/ejbca-cert-manager-issuer/blob/main/docs/install.md#prerequisites). 
 
-## Docs
+## Community Support
+In the [Keyfactor Community](https://www.keyfactor.com/community/), we welcome contributions. 
+
+The Community software is open-source and community-supported, meaning that **no SLA** is applicable.
+
+* To report a problem or suggest a new feature, go to [Issues](../../issues).
+* If you want to contribute actual bug fixes or proposed enhancements, see the [Contributing Guidelines](CONTRIBUTING.md) and go to [Pull requests](../../pulls).
+
+## Commercial Support
+
+Commercial support is available for [EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/).
+
+## License
+For license information, see **[LICENSE](LICENSE)**. 
+
+## Related Projects
+See all [Keyfactor EJBCA GitHub projects](https://github.com/orgs/Keyfactor/repositories?q=ejbca). 
 
-* [Installation](docs/install.md)
-* Usage
-  * [Usage](docs/config_usage.md)
-  * [Customization](docs/annotations.md)
-  * [End Entity Name Selection](docs/endentitynamecustomization.md)
-* [Testing the Source](docs/testing.md)
-* [License](LICENSE)

SECURITY.md

@@ -0,0 +1,3 @@
+# Security Policy
+
+To read our Security Policy, see [EJBCA Security Policy](https://github.com/Keyfactor/ejbca-ce/blob/main/SECURITY.md). 

deploy/charts/ejbca-cert-manager-issuer/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "ejbca-cert-manager-issuer.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
 spec:

deploy/charts/ejbca-cert-manager-issuer/templates/role.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-leader-election-role
+  namespace: {{ .Release.Namespace }}
 rules:
   - apiGroups:
       - coordination.k8s.io

deploy/charts/ejbca-cert-manager-issuer/templates/rolebinding.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-leader-election-rolebinding
+  namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

deploy/charts/ejbca-cert-manager-issuer/templates/secretrole.yaml

@@ -4,6 +4,9 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-secret-reader-role
+{{- if not .Values.secretConfig.useClusterRoleForSecretAccess }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
 rules:
   - apiGroups:
       - ""
@@ -20,6 +23,9 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-secret-reader-rolebinding
+{{- if not .Values.secretConfig.useClusterRoleForSecretAccess }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}

deploy/charts/ejbca-cert-manager-issuer/templates/service.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-metrics-service
+  namespace: {{ .Release.Namespace }}
 spec:
   ports:
     - name: https

deploy/charts/ejbca-cert-manager-issuer/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "ejbca-cert-manager-issuer.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

docs/install.md

@@ -7,7 +7,8 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-cert-manager-issuer)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
 
-### Requirements
+### Prerequisites
+Before starting, ensure that the following requirements are met
 * [Git](https://git-scm.com/)
 * [Make](https://www.gnu.org/software/make/)
 * [Docker](https://docs.docker.com/engine/install/) >= v20.10.0
@@ -17,8 +18,12 @@
 * [Keyfactor EJBCA](https://www.keyfactor.com/products/ejbca-enterprise/) >= v7.7
 * [cert-manager](https://cert-manager.io/docs/installation/) >= v1.11.0
 * [cmctl](https://cert-manager.io/docs/reference/cmctl/)
+* Keyfactor EJBCA is properly configured according to the [product docs](https://software.keyfactor.com/Content/MasterTopics/Home.htm). 
+* EJBCA REST API with the following API endpoints:
+    * `/ejbca-rest-api/v1/certificate/pkcs10enroll`
+    * `/ejbca/ejbca-rest-api/v1/certificate/status`
 
-Before starting, ensure that all of the above requirements are met, and that Keyfactor EJBCA is properly configured according to the [product docs](https://software.keyfactor.com/Content/MasterTopics/Home.htm). Additionally, verify that at least one Kubernetes node is running by running the following command:
+Additionally, verify that at least one Kubernetes node is running by running the following command:
 
 ```shell
 kubectl get nodes