Merge pull request #14 from Keyfactor/reconciler

EJBCA K8s CSR Signer v2.0.0 - Source

.github/workflows/release.yml

@@ -1,36 +1,68 @@
-name: Release Charts
-
-on: 
-  push:
+name: Build and Release Helm Chart
+on:
+  pull_request:
     branches:
-      - main
+      - 'release-*'
+    types:
+      # action should run when the pull request is closed
+      # (regardless of whether it was merged or just closed)
+      - closed
+      # Make sure the action runs every time new commits are
+      # pushed to the pull request's branch
+      - synchronize
 
 jobs:
-  release:
-    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
-    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
-    permissions:
-      contents: write
+  helm:
     runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
+      - name: Set IMAGE_NAME
+        run: |
+          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Extract metadata (tags, labels) to use in Helm chart
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
         with:
-          fetch-depth: 0
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      - name: Configure Git
+      # Set version from DOCKER_METADATA_OUTPUT_VERSION as environment variable
+      - name: Set Version
         run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "[email protected]"
+          echo "VERSION=${DOCKER_METADATA_OUTPUT_VERSION:8}" >> $GITHUB_ENV
 
+      # Change version and appVersion in Chart.yaml to the tag in the closed PR
+      - name: Update Helm App/Chart Version
+        shell: bash
+        run: |
+          sed -i "s/^version: .*/version: ${{ env.VERSION }}/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"v${{ env.VERSION }}\"/g" deploy/charts/ejbca-k8s-csr-signer/Chart.yaml
+
+      # Setup Helm
+      # https://github.com/Azure/setup-helm
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
-          version: v3.8.1
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Helm requires an ident name to be set for chart-releaser to work
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
 
+      # Build and release Helm chart to GitHub Pages
+      # https://github.com/helm/chart-releaser-action
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.4.0
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:
-          charts_dir: .
+          charts_dir: deploy/charts

.github/workflows/test.yml

@@ -0,0 +1,76 @@
+name: test
+on: [workflow_dispatch, push, pull_request]
+jobs:
+  build:
+    name: Build and Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Setup GoLang build environment
+      # https://github.com/actions/setup-go
+      - name: Set up Go 1.x
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      # Download dependencies
+      - run: go mod download
+
+      # Build Go binary
+      - run: go build -v .
+
+      # Run Go linters
+      # https://github.com/golangci/golangci-lint-action
+      - name: Run linters
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          version: latest
+
+  test:
+    name: Go Test
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Setup GoLang build environment
+      # https://github.com/actions/setup-go
+      - name: Set up Go 1.x
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      # Download dependencies
+      - run: go mod download
+
+      # Place the contents of ${{ secrets.EJBCA_CLIENT_CERT_PATH }} into a file at /tmp/certs/ejbca.pem
+      - run: mkdir -p /tmp/certs && echo "${{ secrets.EJBCA_CLIENT_CERT }}" > /tmp/certs/ejbca.pem
+
+      # Place the contents of ${{ secrets.EJBCA_CA_CERT_PATH }} into a file at /tmp/certs/ejbca-ca.pem
+      - run: mkdir -p /tmp/certs && echo "${{ secrets.EJBCA_CA_CERT }}" > /tmp/certs/ejbca-ca.pem
+
+      # Run Go tests
+      - name: Run go test
+        run: go test -v ./...
+        env:
+          EJBCA_CLIENT_CERT_PATH: /tmp/certs/ejbca.pem
+          EJBCA_CA_CERT_PATH: /tmp/certs/ejbca-ca.pem
+          EJBCA_CA_NAME: ${{ vars.EJBCA_CA_NAME }}
+          EJBCA_HOSTNAME: ${{ secrets.EJBCA_HOSTNAME }}
+          EJBCA_CERTIFICATE_PROFILE_NAME: ${{ vars.EJBCA_CERTIFICATE_PROFILE_NAME }}
+          EJBCA_CSR_SUBJECT: ${{ vars.EJBCA_CSR_SUBJECT }}
+          EJBCA_END_ENTITY_PROFILE_NAME: ${{ vars.EJBCA_END_ENTITY_PROFILE_NAME }}
+          EJBCA_EST_ALIAS: ${{ vars.EJBCA_EST_ALIAS }}
+          EJBCA_EST_PASSWORD: ${{ secrets.EJBCA_EST_PASSWORD }}
+          EJBCA_EST_USERNAME: ${{ secrets.EJBCA_EST_USERNAME }}

.gitignore

@@ -369,5 +369,4 @@ FodyWeavers.xsd
 *.key
 credentials.yaml
 
-Makefile
 vendor

CHANGELOG.md

@@ -0,0 +1,22 @@
+# v2.0.0
+## Features
+
+### Reconciler Controller
+- Refactored K8s `CertificateSigningRequest` controller to use a Reconciler pattern using [controller-runtime](https://pkg.go.dev/sigs.k8s.io/controller-runtime)
+- Changed retrieval of authentication, configuration, and CA root certificate to use the Kubernetes API instead of reading from a file
+- Added support for out-of-cluster deployments using the Kubernetes API
+
+### Runtime Customization
+- Added support for customizing the certificate signing process using annotations
+
+### Documentation
+- Added updated documentation for deploying the EJBCA CSR Signer v2.0
+- Added updated documentation for using the EJBCA CSR Signer v2.0 with Istio
+
+### Testing
+- Added unit tests for the Reconciler controller
+- Added unit tests for the CSR Signer
+
+### Actions
+- Added GitHub Actions for building and testing the EJBCA CSR Signer
+- Added GitHub Actions for releasing the EJBCA CSR Signer

Dockerfile

@@ -1,13 +1,33 @@
-FROM golang:1.18-buster as build
+# Build the manager binary
+FROM golang:1.20 as builder
+ARG TARGETOS
+ARG TARGETARCH
 
-WORKDIR /go/src/app
-ADD . /go/src/app
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
 
-RUN go mod tidy
-RUN go mod vendor
+# Copy the go source
+COPY main.go main.go
+COPY pkg/ pkg/
+COPY internal/ internal/
 
-RUN go build -o /go/bin/app
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
 
-FROM gcr.io/distroless/base-debian10
-COPY --from=build /go/bin/app /
-CMD ["/app"]
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER 65532:65532
+
+ENTRYPOINT ["/manager"]