diff --git a/.github/ISSUE_TEMPLATE/BUG-REPORT.yml b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml new file mode 100644 index 0000000..9eb336d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml @@ -0,0 +1,24 @@ +--- +name: Bug report +about: Help us improve by reporting a bug +title: '[BUG]' +labels: '' +assignees: '' + +--- + +**Describe the bug** + +A short description of the bug. + +**To reproduce** + +Steps to reproduce the behavior and/or a minimal code sample. + +**Expected behavior** + +A description of what you expected to happen. + +**Additional information** + +Any additional information that is relevant to the problem. diff --git a/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml b/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml new file mode 100644 index 0000000..9eb336d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml @@ -0,0 +1,24 @@ +--- +name: Bug report +about: Help us improve by reporting a bug +title: '[BUG]' +labels: '' +assignees: '' + +--- + +**Describe the bug** + +A short description of the bug. + +**To reproduce** + +Steps to reproduce the behavior and/or a minimal code sample. + +**Expected behavior** + +A description of what you expected to happen. + +**Additional information** + +Any additional information that is relevant to the problem. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..bd9dfe4 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,2 @@ +--- +blank_issues_enabled: false diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..1e55b4d --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
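Review bot: `.github/ISSUE_TEMPLATE/BUG-REPORT.yml` is written as a legacy Markdown front-matter template (a `---` block followed by `**Describe the bug**` prose), but a `.yml` file under `ISSUE_TEMPLATE/` is parsed by GitHub as an issue form, which needs a `body:` list of form elements; as written the template will most likely be rejected or ignored, and with `blank_issues_enabled: false` in the `config.yml` hunk that could leave users with no way to open an issue at all. Either rename the file to `BUG-REPORT.md` or convert it to the issue-form schema (`name`, `description`, `body:`). The `FEATURE-REQUEST.yml` hunk has the same problem and is additionally a byte-for-byte copy of the bug template (same blob `9eb336d`, same `name: Bug report`), so it would appear as a second "Bug report" entry rather than a feature request.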
@@ -0,0 +1,32 @@ + + + + +#### Description + + +#### Motivation and Context + + +Closes # + +#### Screenshots (if appropriate): + +#### How Has This Been Tested? + + + + +#### Checklist: + + +- [ ] I have updated the documentation accordingly. +- [ ] I have updated the tests accordingly. +- [ ] I have run `make generate` and checked in the results. +- [ ] I have run `make manifests` and checked in the results. + +For new code releases: +- [ ] I have bumped the `appVersion` in the Helm chart. + +For new Helm chart releases: +- [ ] I have bumped the Helm chart version. diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..77d2ac1 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json +--- +version: 2 +updates: + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + labels: + - dependencies + - golang + reviewers: + - djkormo + open-pull-requests-limit: 3 + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + labels: + - dependencies + - github-actions + reviewers: + - djkormo + open-pull-requests-limit: 3 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index 939d652..0000000 --- a/.github/workflows/ci.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: CI - ADCS-Issuer - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the master branch -on: - push: - tags: - - "v*" - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - build: - name: Build, release and upload assets - runs-on: ubuntu-latest - steps: - - name: Set up GO - uses: actions/setup-go@v1 - with: - go-version: 1.22 - - - name: Checkout code - uses: actions/checkout@master - - - name: Get the version from tag - id: get_version - run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/} - - - name: Build - run: | - export GOBIN=$(pwd)/bin - export PATH=$PATH:$GOBIN - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager-$VERSION-linux-amd64 main.go - echo manager-$VERSION - env: - VERSION: ${{ steps.get_version.outputs.VERSION }} - - - name: Create release - id: create_release - uses: actions/create-release@v1.0.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref }} - draft: false - prerelease: false - - - name: Upload linux-amd64 - id: upload_release_asset_linux - uses: actions/upload-release-asset@v1.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./manager-${{ steps.get_version.outputs.VERSION }}-linux-amd64 - asset_name: manager-${{ steps.get_version.outputs.VERSION }}-linux-amd64 - asset_content_type: application/octet-stream diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index f81034a..a57fb0a 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -1,4 +1,4 @@ -name: "Code scanning - action" +name: CodeQL on: push: 
diff --git a/.github/workflows/helm-chart-releaser.yaml b/.github/workflows/helm-release.yaml similarity index 76% rename from .github/workflows/helm-chart-releaser.yaml rename to .github/workflows/helm-release.yaml index 8817426..e924b45 100644 --- a/.github/workflows/helm-chart-releaser.yaml +++ b/.github/workflows/helm-release.yaml @@ -1,13 +1,12 @@ -name: Release helm charts +name: Release (Helm) on: push: - branches: - - main - - master + tags: + - 'helm/v[0-9]+.[0-9]+.[0-9]+' + - 'helm/v[0-9]+.[0-9]+.[0-9]+rc[0-9]+' paths: - - 'charts/**.yaml' - - 'charts/**.yml' + - 'charts/*/Chart.yaml' jobs: release: diff --git a/.github/workflows/helm-chart-lint-test.yaml b/.github/workflows/helm-test.yaml similarity index 88% rename from .github/workflows/helm-chart-lint-test.yaml rename to .github/workflows/helm-test.yaml index a5d5125..0e15209 100644 --- a/.github/workflows/helm-chart-lint-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -1,5 +1,5 @@ -name: Lint and Test Charts -on: +name: Test (Helm) +on: - pull_request - workflow_dispatch 
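Review bot: The new trigger combines `tags:` (`helm/v[0-9]+...`) with a `paths:` filter (`charts/*/Chart.yaml`), and path filters are evaluated against the push's changed files, which for a tag pointing at an already-pushed commit is ill-defined; depending on how GitHub resolves that diff the Helm release may never fire, or may fire regardless of the path, so this is worth verifying with a throw-away tag. If the intent is to release only on `helm/v*` tags, dropping the `paths:` block and letting the tag pattern gate the run is the unambiguous form. The `jobs:` section continues outside the hunk, so I could not check whether the release job also verifies that the pushed tag matches the chart's `version`.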
@@ -40,28 +40,30 @@ jobs: if [[ -n "$changed" ]]; then echo "changed=true" >> $GITHUB_OUTPUT fi - + - name: Run chart-testing (lint) run: ct lint --config ct.yaml --lint-conf lintconf.yaml --chart-yaml-schema chart_schema.yaml --debug - name: Create kind cluster uses: helm/kind-action@v1.10.0 - if: steps.list-changed.outputs.changed == 'true' - run: | - kubectl cluster-info + kubectl cluster-info kubectl get nodes -v=6 helm version helm repo add jetstack https://charts.jetstack.io --force-update helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.14.2 --set installCRDs=true --set enableCertificateOwnerRef=true helm repo add fairwinds-stable https://charts.fairwinds.com/stable --force-update helm upgrade --install polaris fairwinds-stable/polaris --namespace demo --create-namespace --set webhook.enable=false --set dashboard.enable=false + if: steps.list-changed.outputs.changed == 'true' - - name: Use command polatis + - name: Use command polaris run: polaris version + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) run: ct install --config ct.yaml --namespace default + if: steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 6a19f59..0000000 --- a/.github/workflows/main.yml +++ /dev/null 
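Review bot: The `polaris` chart is installed with no `--version` (`helm upgrade --install polaris fairwinds-stable/polaris ...`) while cert-manager is pinned to `v1.14.2`; an unpinned chart from a third-party repository makes the test non-reproducible and lets an upstream chart change land in CI with no review step, so pin it, e.g. `--version <POLARIS_CHART_VERSION>`. The same applies to `helm/kind-action@v1.10.0`, which is a mutable tag rather than a commit SHA. The `Create kind cluster` step now appears to carry `uses:` and the shell lines (`kubectl cluster-info` ...) under one `- name:`; if the rendered file really has both `uses:` and `run:` in the same step GitHub rejects the workflow, so please confirm the `run: |` line survived the move. Placing `if:` after the `run:` block is legal but unusual; putting it before `uses`/`run` reads more clearly.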
@@ -1,43 +0,0 @@ -name: Publish Docker image on Release - -on: - workflow_dispatch: - branches: [ master ] - release: - types: [published] - - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - - name: Get the tag version for building image - id: get_version - #run: echo ::set-env name=VERSION::$(git tag --sort=taggerdate -l [0-9]* | tail -n1) - run: echo ::set-env name=VERSION::$(echo $GITHUB_REF | cut -d / -f 3) - - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' - - - name: Get current date for building image - id: get_date - run: echo "::set-output name=BUILD_TIME::$(date -u '+%Y-%m-%d_%H:%M:%S')" - - - name: Get commit hash for building image - id: get_commit - run: echo "::set-output name=COMMIT::$(git rev-parse --short HEAD)" - - - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@master - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' - PROJECT: github.com/nokia/adcs-issuer - - with: - name: djkormo/adcs-issuer - buildargs: PROJECT,COMMIT,BUILD_TIME,VERSION - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - tags: "latest,${{ env.VERSION }}" diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml deleted file mode 100644 index baa01e7..0000000 --- a/.github/workflows/pipeline.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -name: operator pipeline -on: - workflow_dispatch: - push: - paths: - - 'api/**.go' - - 'config/**.go' - - 'controllers/**.go' - - '**.go' - - 'Dockerfile' - - -jobs: - - buildDocker: - runs-on: ubuntu-latest - env: - APP_NAME: adcs-issuer - - steps: - - uses: actions/checkout@v2 - name: Checkout - with: - - ref: dev - - - name: Docker meta - id: meta - uses: docker/metadata-action@v4 - - with: - # list of Docker images to use as base name for tags - images: | - djkormo/adcs-issuer - # generate Docker tags based on the following events/attributes - tags: | - type=schedule - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - - - name: Login to DockerHub - if: github.event_name != 'pull_request' - - uses: docker/login-action@v2 - - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Build and push - - uses: docker/build-push-action@v3 - - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - - image-ref: djkormo/adcs-issuer:master - - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - - - diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a8654f9..0b24e6d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,48 +1,46 @@ -name: Publish Docker image on Release +name: Release on: workflow_dispatch: - branches: [ main ] - release: - types: [published] + push: + tags: + - 'v[0-9]+.[0-9]+.[0-9]+' + - 'v[0-9]+.[0-9]+.[0-9]+rc[0-9]+' +permissions: + contents: write + packages: write jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master - - - name: Get the tag version for building image - id: get_version - run: echo "VERSION=$(echo $GITHUB_REF | cut -d / -f 3)" >> $GITHUB_OUTPUT - - - - name: Get current date for building image - id: get_date - run: echo "BUILD_TIME=$(date -u '+%Y-%m-%d_%H:%M:%S')" >> $GITHUB_OUTPUT - - - name: Get commit hash for building image - id: get_commit - run: echo "COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - - - name: Print name - id: print_args - run: echo "Hello VERSION. ${{ steps.get_version.outputs.VERSION }} . COMMIT. ${{ steps.get_commit.outputs.COMMIT }} BUILD_TIME. ${{steps.get_date.outputs.BUILD_TIME }}" + - uses: actions/checkout@v4 + with: + # Needed for goreleaser + fetch-depth: 0 + - uses: actions/setup-go@v5 + with: + go-version: '1.22' - - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' - PROJECT: github.com/djkormo/adcs-issuer - COMMIT: ${{ steps.get_commit.outputs.COMMIT }} - VERSION: ${{ steps.get_version.outputs.VERSION }} - BUILD_TIME: ${{steps.get_date.outputs.BUILD_TIME }} + - uses: docker/login-action@v3 with: - name: djkormo/adcs-issuer - buildargs: PROJECT,COMMIT,BUILD_TIME,VERSION username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - tags: "latest,${{ env.VERSION }}" - tag_semver: true + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # goreleaser will: + # 1. compile the binaries + # 2. create & push the docker image using `ko` + # 3. 
create a GitHub release + - uses: goreleaser/goreleaser-action@v6 + with: + version: '~> v2' + args: --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/test.yaml similarity index 59% rename from .github/workflows/golangci-lint.yaml rename to .github/workflows/test.yaml index 05bec50..fddd71a 100644 --- a/.github/workflows/golangci-lint.yaml +++ b/.github/workflows/test.yaml @@ -1,19 +1,6 @@ -name: Golang lint issuer +name: Test on: workflow_dispatch: - push: - paths: - - 'api/**.go' - - 'cmd/**.go' - - 'globals/**.go' - - 'config/**.go' - - 'controllers/**.go' - - 'internal/**.go' - - 'version/**.go' - - '**.go' - - branches: - - main pull_request: permissions: @@ -33,8 +20,13 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@v6 with: - args: --timeout=3m + args: --timeout=3m version: v1.58 skip-cache: true skip-save-cache: true - cache-invalidation-interval: 15 \ No newline at end of file + cache-invalidation-interval: 15 + # TODO: + # - codecov (ideally with PR comment) + # - run `make test` + # - `make generate` & make sure there is no diff + # - vulnerability scanner? \ No newline at end of file diff --git a/.gitignore b/.gitignore index 29d1aa5..f4905e8 100644 --- a/.gitignore +++ b/.gitignore @@ -26,14 +26,20 @@ bin .vscode examples/* +issuers/testdata/ca/ issuers/testdata/pkcs7.pem issuers/testdata/x509.pem minikube_downloads/ *.logs *.tar.gz -adcs-sim *.crt *.key *-all.yaml -*.exe \ No newline at end of file +*.exe +/adcs-issuer +/adcs-sim +/deploy.env + +# Added by goreleaser init: +dist/ \ No newline at end of file diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..86dcff7 --- /dev/null +++ b/.goreleaser.yaml 
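Review bot: Every action in the rewritten job (`actions/checkout@v4`, `actions/setup-go@v5`, `docker/login-action@v3` twice, `goreleaser/goreleaser-action@v6`) is pinned to a mutable major tag, in a workflow that now holds `contents: write`, `packages: write`, `DOCKER_USERNAME`/`DOCKER_PASSWORD` and a write-scoped `GITHUB_TOKEN`; pinning to full commit SHAs (`uses: docker/login-action@<COMMIT_SHA> # v3`) keeps a retagged or compromised action from publishing under the project's name, and the `github-actions` ecosystem in the `dependabot.yml` hunk will keep such pins current. `workflow_dispatch:` is kept without any ref restriction, so a manual run from a branch reaches goreleaser with no tag and will presumably fail or need `--snapshot`; either drop the trigger or add a comment, `# workflow_dispatch is only meaningful when run against a v* tag`. The `# goreleaser will:` comment is a good addition and could also mention that `--clean` wipes `dist/`.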
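Review bot: Removing the `push:` trigger and its `branches: - main` filter in the first `test.yaml` hunk means the lint job now runs only on `pull_request` and manual dispatch, so commits pushed directly to `main` are never linted; unless branch protection enforces PRs, keeping `push: branches: [main]` closes that gap. The workflow is renamed to `Test` but, per the `TODO` in the second hunk, only `golangci-lint` runs today; a comment under `name: Test` such as `# Currently lint only; see TODO at the bottom of this file` would stop readers assuming `make test` runs here.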
@@ -0,0 +1,67 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json +# vim: set ts=2 sw=2 tw=0 fo=cnqoj + +version: 2 + +project_name: adcs-issuer + +git: + ignore_tags: + - helm/* + +builds: + - env: + - CGO_ENABLED=0 + goos: + - linux + goarch: + - amd64 + - arm64 + main: . + binary: adcs-issuer + mod_timestamp: "{{.CommitTimestamp}}" + flags: + - -trimpath + ldflags: + - -s -w + - -X {{.ModulePath}}/version.Release={{.Version}} + - -X {{.ModulePath}}/version.Commit={{.Commit}} + # NOTE: the Makefile uses time of build but that is non-reproducible + - -X {{.ModulePath}}/version.BuildTime={{.CommitTimestamp}} + +# Build a Docker image using `ko` +kos: + - id: adcs-issuer + bare: true + repositories: + - docker.io/djkormo/adcs-issuer + - ghcr.io/djkormo/adcs-issuer + platforms: + - linux/amd64 + - linux/arm64 + tags: + - latest + - "{{.Tag}}" + annotations: + # https://github.com/opencontainers/image-spec/blob/main/annotations.md + org.opencontainers.image.created: "{{.CommitTimestamp}}" + org.opencontainers.image.authors: djkormo + org.opencontainers.image.source: "https://{{.ModulePath}}" + org.opencontainers.image.version: "{{.Tag}}" + org.opencontainers.image.revision: "{{.Commit}}" + +release: + prerelease: auto + draft: false + header: | + ## {{.ProjectName}} {{.Tag}} + +checksum: + name_template: 'checksums.txt' + algorithm: sha256 + +archives: + - name_template: '{{.ProjectName}}_{{.Os}}_{{.Arch}}' + files: + - LICENSE + - README.md diff --git a/LICENSE b/LICENSE index 24798ed..f38fd1d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,8 @@ +# License 1 + BSD 3-Clause License -Copyright (c) 2019, Nokia +Copyright (c) 2022 - present, adcs-issuer contributors All rights reserved. Redistribution and use in source and binary forms, with or without 
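Review bot: The `kos` image tags include a bare `latest` next to `"{{.Tag}}"`, and the `release.yaml` hunk triggers the same pipeline on release-candidate tags (`v[0-9]+.[0-9]+.[0-9]+rc[0-9]+`), so publishing `v1.2.3rc1` would move `latest` on both registries to a pre-release even though `prerelease: auto` marks the GitHub release as such. Guard the tag with goreleaser's prerelease template variable, `- "{{ if not .Prerelease }}latest{{ end }}"`, and confirm the `kos` pipe drops the resulting empty tag. The artifacts are checksummed with `sha256` but nothing here signs them or emits an SBOM; adding `signs:` and `sboms:` entries would let consumers verify the binaries and images against the release rather than trusting the registry. The `# NOTE:` on `BuildTime` is helpful; the same reasoning applies to `mod_timestamp` and could be stated once above `builds:`.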
@@ -28,3 +30,34 @@ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# License 2 + +BSD 3-Clause License + +Copyright (c) 2019, Nokia +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Makefile b/Makefile index d5fa5a1..132dcd3 100644 --- a/Makefile +++ b/Makefile 
@@ -12,7 +12,7 @@ ENVTEST_K8S_VERSION = 1.29.0 COMMIT?=$(shell git rev-parse --short HEAD) BUILD_TIME?=$(shell date -u '+%Y-%m-%d_%H:%M:%S') -PROJECT?=github.com/nokia/adcs-issuer +PROJECT?=github.com/djkormo/adcs-issuer # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -60,7 +60,7 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + $(CONTROLLER_GEN) object paths="./..." .PHONY: fmt fmt: ## Run go fmt against code. @@ -70,8 +70,11 @@ fmt: ## Run go fmt against code. vet: ## Run go vet against code. go vet ./... +issuers/testdata/ca: + @./scripts/generate-certs.sh + .PHONY: test -test: manifests generate fmt vet envtest ## Run tests. +test: manifests generate fmt vet envtest issuers/testdata/ca ## Run tests. KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors. diff --git a/Makefile.old b/Makefile.old deleted file mode 100644 index dd76aab..0000000 --- a/Makefile.old +++ /dev/null 
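Review bot: Dropping `object:headerFile="hack/boilerplate.go.txt"` from the `generate` target means the next `make generate` rewrites the generated DeepCopy files without a license header; alongside the `LICENSE` hunk that now carries two BSD notices, that is a compliance regression rather than a cleanup. If the boilerplate file was removed, add a short header file with the new copyright line and keep `object:headerFile=...`; if the omission is intentional, say so in the commit message.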
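Review bot: `issuers/testdata/ca:` is a directory target with no prerequisites, so `scripts/generate-certs.sh` only runs when the directory is absent; if the script fails partway or is later changed, a partial or stale CA set is silently reused by `test`, and because the directory is gitignored in the `.gitignore` hunk nobody sees the drift. Declaring the script as a prerequisite, `issuers/testdata/ca: scripts/generate-certs.sh`, and having the script build into a temporary directory that is renamed on success would make the rule rebuild correctly. A comment above the rule, `# Generates a throw-away test CA (never commit it); rebuilt when the script changes`, would document the intent.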
@@ -1,133 +0,0 @@ - -# Image URL to use all building/pushing image targets -IMG ?= controller:latest -# Produce CRDs that work back to Kubernetes 1.11 (no version conversion) -CRD_OPTIONS ?= "crd:trivialVersions=true" - -# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell go env GOBIN)) -GOBIN=$(shell go env GOPATH)/bin -else -GOBIN=$(shell go env GOBIN) -endif - -all: manager - -# Run tests -# test: generate fmt vet manifests -# go test ./controllers/... ./issuers/... -coverprofile cover.out - -# Setting SHELL to bash allows bash commands to be executed by recipes. -# This is a requirement for 'setup-envtest.sh' in the test target. -# Options are set to exit when a recipe line exits non-zero or a piped command fails. -SHELL = /usr/bin/env bash -o pipefail -.SHELLFLAGS = -ec - -ENVTEST_ASSETS_DIR=$(shell pwd)/testbin -test: manifests generate fmt vet ## Run tests. - mkdir -p ${ENVTEST_ASSETS_DIR} - test -f ${ENVTEST_ASSETS_DIR}/setup-envtest.sh || curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.8.3/hack/setup-envtest.sh - source ${ENVTEST_ASSETS_DIR}/setup-envtest.sh; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); go test ./... -coverprofile cover.out - - -# e2e tests (requires simulator, see sim target) -teste2e: - go test ./test/... 
-coverprofile cover.out - -# Build manager binary -manager: generate fmt vet - go build -ldflags="-X 'main.version=$(shell git describe --tags)' -X 'main.buildTime=$(shell date)'" -o bin/manager main.go - -# Run against the configured Kubernetes cluster in ~/.kube/config -run: generate fmt vet manifests - go run ./main.go - -# Uninstall CRDs from a cluster -uninstall: - kustomize build config/crd | kubectl delete -f - - -# Install CRDs into a cluster -install: - kustomize build config/crd | kubectl apply -f - - -# Deploy controller in the configured Kubernetes cluster in ~/.kube/config -deploy: - cd config/manager && kustomize edit set image controller=${IMG} - kustomize build config/default | kubectl apply -f - - -# Generate manifests e.g. CRD, RBAC etc. -manifests: controller-gen - $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases - -# Generate template -template: manifests - kustomize build config/crd > template.yaml - echo "---" >> template.yaml - kustomize build config/default >> template.yaml - -# Run go fmt against code -fmt: - go fmt ./... - -# Run go vet against code -vet: - go vet ./... - -# Generate code -generate: controller-gen -# $(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./..." - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases - -# Build the docker image -docker-build: test - docker build . 
-t ${IMG} - -# Push the docker image -docker-push: - docker push ${IMG} - -# find or download controller-gen -# download controller-gen if necessary -controller-gen: -ifeq (, $(shell which controller-gen)) - go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0 -CONTROLLER_GEN=$(GOBIN)/controller-gen -else -CONTROLLER_GEN=$(shell which controller-gen) -endif - - -##@ Build Dependencies - -## Location to install dependencies to -#LOCALBIN ?= $(shell pwd)/bin -#$(LOCALBIN): ## Ensure that the directory exists -# mkdir -p $(LOCALBIN) - -## Tool Binaries -#KUSTOMIZE ?= $(LOCALBIN)/kustomize -#CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen - -## Tool Versions -#KUSTOMIZE_VERSION ?= v3.8.7 -#CONTROLLER_TOOLS_VERSION ?= v0.8.0 - -#KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" -#.PHONY: kustomize -#kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. -#$(KUSTOMIZE): -# curl -s $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN) - -#.PHONY: controller-gen -#controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. -#$(CONTROLLER_GEN): -# GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) - -# Build ADCS simulator -sim: - go build -o bin/adcs-sim test/adcs-sim/main.go - -sim-install: sim - cp bin/adcs-sim /usr/local/bin - mkdir -p /usr/local/adcs-sim - cp -R test/adcs-sim/ca test/adcs-sim/templates /usr/local/adcs-sim diff --git a/Makefile_old b/Makefile_old deleted file mode 100644 index 5ec2dca..0000000 --- a/Makefile_old +++ /dev/null 
@@ -1,311 +0,0 @@ - -dpl ?= deploy.env -include $(dpl) -export $(shell sed 's/=.*//' $(dpl)) -# VERSION defines the project version for the bundle. -# Update this value when you upgrade the version of your project. -# To re-generate a bundle for another specific version without changing the standard setup, you can: -# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2) -# - use environment variables to overwrite this value (e.g export VERSION=0.0.2) -VERSION ?= 0.0.1 - -COMMIT?=$(shell git rev-parse --short HEAD) -BUILD_TIME?=$(shell date -u '+%Y-%m-%d_%H:%M:%S') - -PROJECT?=github.com/nokia/adcs-issuer - -# CHANNELS define the bundle channels used in the bundle. -# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") -# To re-generate a bundle for other specific channels without changing the standard setup, you can: -# - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) -# - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") -ifneq ($(origin CHANNELS), undefined) -BUNDLE_CHANNELS := --channels=$(CHANNELS) -endif - -# DEFAULT_CHANNEL defines the default channel used in the bundle. -# Add a new line here if you would like to change its default config. (E.g DEFAULT_CHANNEL = "stable") -# To re-generate a bundle for any other default channel without changing the default setup, you can: -# - use the DEFAULT_CHANNEL as arg of the bundle target (e.g make bundle DEFAULT_CHANNEL=stable) -# - use environment variables to overwrite this value (e.g export DEFAULT_CHANNEL="stable") -ifneq ($(origin DEFAULT_CHANNEL), undefined) -BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL) -endif -BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL) - -# IMAGE_TAG_BASE defines the docker.io namespace and part of the image name for remote images. 
-# This variable is used to construct full image tags for bundle and catalog images. -# -# For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both -# djkormo.github.io/go-project-operator-bundle:$VERSION and djkormo.github.io/go-project-operator-catalog:$VERSION. -IMAGE_TAG_BASE ?= docker.io/djkormo/adcs-issuer - -# BUNDLE_IMG defines the image:tag used for the bundle. -# You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=/:) -BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION) - -# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command -BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS) - -# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests -# You can enable this value if you would like to use SHA Based Digests -# To enable set flag to true -USE_IMAGE_DIGESTS ?= false -ifeq ($(USE_IMAGE_DIGESTS), true) - BUNDLE_GEN_FLAGS += --use-image-digests -endif - -# Image URL to use all building/pushing image targets -IMG ?= controller:latest -# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.23 - -# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell go env GOBIN)) -GOBIN=$(shell go env GOPATH)/bin -else -GOBIN=$(shell go env GOBIN) -endif - -# Setting SHELL to bash allows bash commands to be executed by recipes. -# This is a requirement for 'setup-envtest.sh' in the test target. -# Options are set to exit when a recipe line exits non-zero or a piped command fails. -SHELL = /usr/bin/env bash -o pipefail -.SHELLFLAGS = -ec - -.PHONY: all -all: build - -##@ General - -# The help target prints out all targets with their descriptions organized -# beneath their categories. The categories are represented by '##@' and the -# target descriptions by '##'. 
The awk commands is responsible for reading the -# entire set of makefiles included in this invocation, looking for lines of the -# file as xyz: ## something, and then pretty-format the target and help. Then, -# if there's a line with ##@ something, that gets pretty-printed as a category. -# More info on the usage of ANSI control characters for terminal formatting: -# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters -# More info on the awk command: -# http://linuxcommand.org/lc3_adv_awk.php - -.PHONY: help -help: ## Display this help. - @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) - -##@ Development - -.PHONY: manifests -manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases - -.PHONY: generate -generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. - $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." - -.PHONY: fmt -fmt: ## Run go fmt against code. - go fmt ./... - -.PHONY: vet -vet: ## Run go vet against code. - go vet ./... - -.PHONY: test -test: manifests generate fmt vet envtest ## Run tests. - KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out - -.PHONY clean: - go clean - -##@ Build - -.PHONY: build -build: clean generate - go fmt vet ## Build manager binary. - go build -o bin/manager main.go - -.PHONY: run -run: manifests generate fmt vet ## Run a controller from your host. 
- go run ./main.go - - -##@ Deployment - -ifndef ignore-not-found - ignore-not-found = false -endif - -.PHONY: install -install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -.PHONY: uninstall -uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - - -.PHONY: deploy -deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} - $(KUSTOMIZE) build config/default | kubectl apply -f - - -.PHONY: undeploy -undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - - -CONTROLLER_GEN = $(shell pwd)/bin/controller-gen -.PHONY: controller-gen -controller-gen: ## Download controller-gen locally if necessary. - $(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0) - -KUSTOMIZE = $(shell pwd)/bin/kustomize -.PHONY: kustomize -kustomize: ## Download kustomize locally if necessary. - $(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v3@v3.8.7) - -ENVTEST = $(shell pwd)/bin/setup-envtest -.PHONY: envtest -envtest: ## Download envtest-setup locally if necessary. - $(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest) - -# go-get-tool will 'go get' any package $2 and install it to $1. 
-PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) -define go-get-tool -@[ -f $(1) ] || { \ -set -e ;\ -TMP_DIR=$$(mktemp -d) ;\ -cd $$TMP_DIR ;\ -go mod init tmp ;\ -echo "Downloading $(2)" ;\ -GOBIN=$(PROJECT_DIR)/bin go get $(2) ;\ -rm -rf $$TMP_DIR ;\ -} -endef - -.PHONY: bundle -bundle: manifests kustomize ## Generate bundle manifests and metadata, then validate generated files. - operator-sdk generate kustomize manifests -q - cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) - $(KUSTOMIZE) build config/manifests | operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) - operator-sdk bundle validate ./bundle - -.PHONY: bundle-build -bundle-build: ## Build the bundle image. - docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . - -.PHONY: bundle-push -bundle-push: ## Push the bundle image. - $(MAKE) docker-push IMG=$(BUNDLE_IMG) - -.PHONY: opm -OPM = ./bin/opm -opm: ## Download opm locally if necessary. -ifeq (,$(wildcard $(OPM))) -ifeq (,$(shell which opm 2>/dev/null)) - @{ \ - set -e ;\ - mkdir -p $(dir $(OPM)) ;\ - OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.19.1/$${OS}-$${ARCH}-opm ;\ - chmod +x $(OPM) ;\ - } -else -OPM = $(shell which opm) -endif -endif - -# A comma-separated list of bundle images (e.g. make catalog-build BUNDLE_IMGS=example.com/operator-bundle:v0.1.0,example.com/operator-bundle:v0.2.0). -# These images MUST exist in a registry and be pull-able. -BUNDLE_IMGS ?= $(BUNDLE_IMG) - -# The image tag given to the resulting catalog image (e.g. make catalog-build CATALOG_IMG=example.com/operator-catalog:v0.2.0). -CATALOG_IMG ?= $(IMAGE_TAG_BASE)-catalog:v$(VERSION) - -# Set CATALOG_BASE_IMG to an existing catalog image tag to add $BUNDLE_IMGS to that image. 
-ifneq ($(origin CATALOG_BASE_IMG), undefined) -FROM_INDEX_OPT := --from-index $(CATALOG_BASE_IMG) -endif - -# Build a catalog image by adding bundle images to an empty catalog using the operator package manager tool, 'opm'. -# This recipe invokes 'opm' in 'semver' bundle add mode. For more information on add modes, see: -# https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator -.PHONY: catalog-build -catalog-build: opm ## Build a catalog image. - $(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) - -# Push the catalog image. -.PHONY: catalog-push -catalog-push: ## Push a catalog image. - $(MAKE) docker-push IMG=$(CATALOG_IMG) - -.PHONY: dry-run -dry-run: manifests - cd config/manager - $(KUSTOMIZE) build config/default > all-manifests.yaml - -.PHONY: helmify -HELMIFY = $(shell pwd)/bin/helmify -helmify: - $(call go-get-tool,$(HELMIFY),github.com/arttor/helmify/cmd/helmify@v0.3.10) -helm: manifests kustomize helmify - $(KUSTOMIZE) build config/default | $(HELMIFY) - -# Build ADCS simulator -sim: - go build -o bin/adcs-sim test/adcs-sim/main.go - -sim-install: sim - cp bin/adcs-sim /usr/local/bin - mkdir -p /usr/local/adcs-sim - cp -R test/adcs-sim/ca test/adcs-sim/templates /usr/local/adcs-sim - - - -.PHONY: operator-build -operator-build: - go clean - go fmt ## Build manager binary. - go vet - CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} go build \ - -ldflags "-s -w -X ${PROJECT}/version.Release=${VERSION} \ - -X ${PROJECT}/version.Commit=${COMMIT} -X ${PROJECT}/version.BuildTime=${BUILD_TIME}" \ - -o ${APP_NAME} - - - -.PHONY: docker-build -docker-build: ## Build docker image with the manager. - DOCKER_BUILDKIT=1 docker build -t $(APP_NAME) . --progress=plain - -.PHONY: docker-push -docker-push: ## Push docker image with the manager. 
- docker push $(APP_NAME) - -# Docker publish -publish: repo-login publish-latest publish-version ## Publish the `{version}` ans `latest` tagged containers to ECR - -publish-latest: tag-latest ## Publish the `latest` taged container to ECR - @echo 'publish latest to $(DOCKER_REPO)' - docker push $(DOCKER_REPO)/$(APP_NAME):latest - -publish-version: tag-version ## Publish the `{version}` taged container to ECR - @echo 'publish $(VERSION) to $(DOCKER_REPO)' - docker push $(DOCKER_REPO)/$(APP_NAME):$(VERSION) - -# Docker tagging -tag: tag-latest tag-version ## Generate container tags for the `{version}` ans `latest` tags - -tag-latest: ## Generate container `{version}` tag - @echo 'create tag latest' - docker tag $(APP_NAME) $(DOCKER_REPO)/$(APP_NAME):latest - -tag-version: ## Generate container `latest` tag - @echo 'create tag $(VERSION)' - docker tag $(APP_NAME) $(DOCKER_REPO)/$(APP_NAME):$(VERSION) - - - -inspect: ## Generate container `latest` tag - @echo 'inspect $(APP_NAME)' - docker history $(APP_NAME) - docker inspect $(APP_NAME) \ No newline at end of file diff --git a/PROJECT b/PROJECT index 4b12b93..d384e86 100644 --- a/PROJECT +++ b/PROJECT @@ -3,7 +3,7 @@ layout: - go.kubebuilder.io/v3 version: "3" domain: certmanager.csf.nokia.com -repo: github.com/nokia/adcs-issuer +repo: github.com/djkormo/adcs-issuer resources: diff --git a/README.md b/README.md index 2a37d3c..a75065d 100644 --- a/README.md +++ b/README.md 
@@ -1,323 +1,23 @@ # ADCS Issuer -ADCS Issuer is a [cert-manager's](https://github.com/jetstack/cert-manager) CertificateRequest controller that uses MS Active Directory Certificate Service to sign certificates -(see [this design document](https://github.com/jetstack/cert-manager/blob/master/design/20190708.certificate-request-crd.md) for details on CertificateRequest CRD). +![Badge1](https://github.com/djkormo/adcs-issuer/actions/workflows/test.yaml/badge.svg) ![Badge2](https://github.com/djkormo/adcs-issuer/actions/workflows/codeql.yaml/badge.svg) ![Badge3](https://github.com/djkormo/adcs-issuer/actions/workflows/release.yaml/badge.svg) ![Badge4](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-test.yaml/badge.svg) ![Badge5](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-release.yaml/badge.svg) -ADCS provides HTTP GUI that can be normally used to request new certificates or see status of existing requests. -This implementation is simply a HTTP client that interacts with the ADCS server sending appropriately prepared HTTP requests and interpretting the server's HTTP responses -(the approach inspired by [this Python ADCS client](https://github.com/magnuswatn/certsrv)). +ADCS Issuer is a [Kubernetes](https://kubernetes.io/) [`cert-manager`](https://cert-manager.io) +[`CertificateRequest`](https://cert-manager.io/docs/concepts/certificaterequest/) controller +that uses [Microsoft Active Directory Certificate Services](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview) +to sign certificate requests. It supports NTLM authentication. +This project is a community maintained fork of the [original implementation by Nokia](https://github.com/nokia/adcs-issuer/). 
-Build statuses: +## Getting started +TODO: a short summary of installing and configuring the issuer +## Documentation -[![Code scanning - action](https://github.com/djkormo/adcs-issuer/actions/workflows/codeql.yaml/badge.svg)](https://github.com/djkormo/adcs-issuer/actions/workflows/codeql.yaml) - - -[![Publish Docker image on Release](https://github.com/djkormo/adcs-issuer/actions/workflows/main.yml/badge.svg)](https://github.com/djkormo/adcs-issuer/actions/workflows/main.yml) - - -[![Release helm charts](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-chart-releaser.yaml/badge.svg)](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-chart-releaser.yaml) - - -[![Golang lint issuer](https://github.com/djkormo/adcs-issuer/actions/workflows/golangci-lint.yaml/badge.svg)](https://github.com/djkormo/adcs-issuer/actions/workflows/golangci-lint.yaml) - - - -## Current documentation for this issuer - -=========================== - -https://djkormo.github.io/adcs-issuer/ - -=========================== - -**All below information will be removed in next few releases** - - - - - -################################# - -## Description - -### Requirements -ADCS Issuer has been tested with cert-manager v1.9.x, v1.12.x and currently supports CertificateRequest CRD API version v1 only. - -## Configuration and usage - -### Issuers -The ADCS service data can be configured in `AdcsIssuer` or `ClusterAdcsIssuer` CRD objects e.g.: -``` -apiVersion: adcs.certmanager.csf.nokia.com/v1 -kind: AdcsIssuer -metadata: - name: test-adcs - namespace: -spec: - caBundle: - credentialsRef: - name: test-adcs-issuer-credentials - statusCheckInterval: 6h - retryInterval: 1h - url: - templateName: -``` - -The `caBundle` parameter is BASE64-encoded CA certificate which is used by the ADCS server itself, which may not be the same certificate that will be used to sign your request. - -The `statusCheckInterval` indicates how often the status of the request should be tested. 
Typically, it can take a few hours or even days before the certificate is issued. - -The `retryInterval` says how long to wait before retrying requests that errored. - -The `credentialsRef.name` is name of a secret that stores user credentials used for NTLM authentication. The secret must be `Opaque` and contain `password` and `username` fields only e.g.: - -``` -apiVersion: v1 -data: - password: cGFzc3dvcmQ= - username: dXNlcm5hbWU= -kind: Secret -metadata: - name: test-adcs-issuer-credentials - namespace: -type: Opaque -``` - -If cluster level issuer configuration is needed then ClusterAdcsUssuer can be defined like this: - -``` -apiVersion: adcs.certmanager.csf.nokia.com/v1 -kind: ClusterAdcsIssuer -metadata: - name: test-adcs -spec: - caBundle: - credentialsRef: - name: test-adcs-issuer-credentials - statusCheckInterval: 6h - retryInterval: 1h - url: - templateName: -``` - -The secret used by the `ClusterAdcsIssuer` to authenticate (`credentialsRef`), must be defined in the namespace where the controller's pod is running, or in the namespace specified by the flag `-clusterResourceNamespace` (default: `kube-system`). - -### Requesting certificates - -To request a certificate with `AdcsIssuer` the standard `certificate.cert-manager.io` object needs to be created. The `issuerRef` must be set to point to `AdcsIssuer` or `ClusterAdcsIssuer` object -from group `adcs.certmanager.csf.nokie.com` e.g.: - -``` -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - annotations: - name: adcs-cert - namespace: -spec: - commonName: example.com - dnsNames: - - service1.example.com - - service2.example.com - issuerRef: - group: adcs.certmanager.csf.nokia.com - kind: AdcsIssuer - name: test-adcs - organization: - - Your organization - secretName: adcs-cert -``` - -Cert-manager is responsible for creating the `Secret` with a key and `CertificateRequest` with proper CSR data. - - -ADCS Issuer creates `AdcsRequest` CRD object that keep actual state of the processing. 
Its name is always the same as the corresponding `CertificateRequest` object (there is strict one-to-one mapping). -The `AdcsRequest` object stores the ID of request assigned by the ADCS server as wall as the current status which can be one of: -* **Pending** - the request has been sent to ADCS and is waiting for acceptance (status will be checked periodically), -* **Ready** - the request has been successfully processed and the certificate is ready and stored in secret defined in the original `Certificate` object, -* **Rejected** - the request was rejected by ADCS and will be re-tried unless the `Certificate` is updated, -* **Errored** - unrecoverable problem occured. - - -``` -apiVersion: adcs.certmanager.csf.nokia.com/v1 -kind: AdcsRequest -metadata: - name: adcs-cert-3831834799 - namespace: c1 - ownerReferences: - - apiVersion: cert-manager.io/v1 - blockOwnerDeletion: true - controller: true - kind: CertificateRequest - name: adcs-cert-3831834799 - uid: f5cf630d-f4cf-11e9-95eb-fa163e038ef8 - uid: f5d22b47-f4cf-11e9-95eb-fa163e038ef8 -spec: - csr: - issuerRef: - group: adcs.certmanager.csf.nokia.com - kind: AdcsIssuer - name: test-adcs -status: - id: "18" - state: ready -``` - -#### Auto-request certificate from ingress -Add the following to an `Ingress` for cert-manager to auto-generate a -`Certificate` using `Ingress` information with ingress-shim - -``` -metadata: - name: test-ingress - annotations: - cert-manager.io/issuer: "adcs-issuer" #use specific name of issuer - cert-manager.io/issuer-kind: "AdcsIssuer" #or AdcsClusterIssuer - cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com" -``` -in addition to -``` -spec: - tls: - - hosts: - - test-host.com - secretName: ingress-secret # secret cert-manager stores certificate in -``` - -## Installation - -This controller is implemented using [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder). Automatically generated Makefile contains targets needed for build and installation. 
-Generated CRD manifests are stored in `config/crd`. RBAC roles and bindings can be found in config/rbac. There's also a Make target to build controller's Docker image and -store it in local docker repo (Docker must be installed). - -More specific install instructions can be found in `README-DEV.md` - - -### Disable Approval Check - -The ADCS Issuer will wait for CertificateRequests to have an [approved condition -set](https://cert-manager.io/docs/concepts/certificaterequest/#approval) before -signing. If using an older version of cert-manager (pre v1.3), you can disable -this check by supplying the command line flag `-enable-approved-check=false` to -the Issuer Deployment. - -## Testing considerations - -### ADCS Simulator -The test/adcs-sim directory contains a simple ADCS simulator that can be used for basic tests -(see `make sim`). - -The simulator can be started on the host and work ad ADCS server that will sign certificates using provided -self-signed certificate and key (`root.pem` and `root.key` files). -If needed the certificate can be replaced with any other available. - -The simulator accepts directives to control its behavior. The directives are set as additional domain names in the certificate request: -* **delay.