Skip to content

Signer recognizes annotation prefix for Command metadata and Role/RoleBinding permissions are audited #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 9, 2023
Merged

Signer recognizes annotation prefix for Command metadata and Role/RoleBinding permissions are audited #12

merged 4 commits into from
Oct 9, 2023

Conversation

@m8rmclaren
Copy link
Contributor

@m8rmclaren m8rmclaren commented Oct 6, 2023

The Command Issuer for cert-manager now recognizes K8s annotations with prefix metadata.command-issuer.keyfactor.com/, and adds <metadata-field-name>: <metadata-value> fields corresponding to metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value> annotations in POST requests to Command for CSR enrollment.

Specifically, the Metadata map is updated with matching annotations at the time of signing:

for metaName, value := range s.customMetadata {
    k8sLog.Info(fmt.Sprintf("Adding metadata %q with value %q", metaName, value))
    modelRequest.Metadata[metaName] = value
}

Additionally, the rules configured on the leader-election-role were audited and the following rule was removed:
https://github.com/Keyfactor/command-cert-manager-issuer/blob/4be4d38bba9395663c38ca85689887596834afe5/deploy/charts/command-cert-manager-issuer/templates/role.yaml#L8C1-L19C15

In early Kubernetes deployments before the coordination.k8s.io group existed, configmaps were commonly used for leader election, whereby obtaining a lock on a specific ConfigMap, a controller instance designates itself as the leader. This is no longer necessary, so the configmap rule was removed.

@m8rmclaren m8rmclaren added bug Something isn't working enhancement New feature or request labels Oct 6, 2023
@m8rmclaren m8rmclaren self-assigned this Oct 6, 2023
@m8rmclaren m8rmclaren requested a review from JDKeyfactor October 6, 2023 19:23
@m8rmclaren m8rmclaren mentioned this pull request Oct 9, 2023
Merged
@m8rmclaren m8rmclaren merged commit baf4658 into main Oct 9, 2023
@m8rmclaren m8rmclaren deleted the metadata branch October 9, 2023 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JDKeyfactor JDKeyfactor JDKeyfactor approved these changes

Assignees

@m8rmclaren m8rmclaren

Labels

bug Something isn't working enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@m8rmclaren @JDKeyfactor