Keyfactor · m8rmclaren · Sep 27, 2023 · Sep 22, 2023 · Sep 22, 2023 · Sep 22, 2023
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,43 @@
+name: helm_release
+on:
+  pull_request:
+    branches:
+      - 'v*'
+    types:
+      - closed
+jobs:
+  helm:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+    steps:
+      - name: Extract Version Tag
+        id: extract_version
+        run: /bin/bash -c 'echo ::set-output name=VERSION::$(echo ${GITHUB_REF##*/} | cut -c2-)'
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Change version and appVersion in Chart.yaml to the tag in the closed PR
+      - name: Update Helm App/Chart Version
+        shell: bash
+        run: |
+          sed -i "s/^version: .*/version: ${{ steps.extract_version.outputs.VERSION }}/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"${{ steps.extract_version.outputs.VERSION }}\"/g" deploy/charts/ejbca-cert-manager-issuer/Chart.yaml
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/chart-releaser-action@v1.5.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          pages_branch: gh-pages
+          charts_dir: deploy/charts
+          mark_as_latest: true
+          packages_with_index: true
diff --git a/.gitignore b/.gitignore
@@ -16,6 +16,7 @@ vendor/
 .idea
 bin
 
-# q: How to remove staged directory from git
-# a: git rm -r --cached .
+# Helm
+*.tgz
+
 .DS_Store
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # The version which will be reported by the --version argument of each binary
 # and which will be used as the Docker image tag
-VERSION ?= 1.0.2
+VERSION ?= 1.0.3
 # The Docker repository name, overridden in CI.
 DOCKER_REGISTRY ?= m8rmclarenkf
 DOCKER_IMAGE_NAME ?= command-cert-manager-external-issuer-controller

diff --git a/deploy/charts/command-cert-manager-issuer/.helmignore b/deploy/charts/command-cert-manager-issuer/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/charts/command-cert-manager-issuer/Chart.yaml b/deploy/charts/command-cert-manager-issuer/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+
+name: command-cert-manager-issuer
+description: A helm chart to deploy the cert-manager issuer for the Keyfactor Command platform for Certificate Lifecycle Management
+type: application
+
+home: https://github.com/Keyfactor/command-cert-manager-issuer
+maintainers:
+  - name: Hayden Roszell
+    email: 49427552+m8rmclaren@users.noreply.github.com
+sources: ["https://github.com/Keyfactor/command-cert-manager-issuer"]
+
+version: 0.1.0
+appVersion: "1.0.3"
diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md
@@ -0,0 +1,40 @@
+<a href="https://kubernetes.io">
+    <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" alt="Terraform logo" title="K8s" align="left" height="50" />
+</a>
+
+# Keyfactor Command Issuer for cert-manager
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/command-cert-manager-issuer)](https://goreportcard.com/report/github.com/Keyfactor/command-cert-manager-issuer)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
+![Version: v0.1.0](https://img.shields.io/badge/Version-v0.1.0-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![AppVersion: v1.0.3](https://img.shields.io/badge/AppVersion-v1.0.3-informational?style=flat-square)
+
+A Helm chart for the Keyfactor Command External Issuer for cert-manager.
+
+The Command external issuer for cert-manager allows users to enroll certificates from Keyfactor Command using cert-manager.
+
+## Configuration
+
+The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values.
+
+| Parameter                         | Description                                         | Default                                                      |
+|-----------------------------------|-----------------------------------------------------|--------------------------------------------------------------|
+| `replicaCount`                    | Number of replica command-cert-manager-issuers to run | `1`                                                          |
+| `image.repository`                | Image repository                                    | `m8rmclarenkf/command-cert-manager-external-issuer-controller` |
+| `image.pullPolicy`                | Image pull policy                                   | `IfNotPresent`                                               |
+| `image.tag`                       | Image tag                                           | `v1.3.1`                                                     |
+| `imagePullSecrets`                | Image pull secrets                                  | `[]`                                                         |
+| `nameOverride`                    | Name override                                       | `""`                                                         |
+| `fullnameOverride`                | Full name override                                  | `""`                                                         |
+| `crd.create`                      | Specifies if CRDs will be created                   | `true`                                                       |
+| `crd.annotations`                 | Annotations to add to the CRD                       | `{}`                                                         |
+| `serviceAccount.create`           | Specifies if a service account should be created    | `true`                                                       |
+| `serviceAccount.annotations`      | Annotations to add to the service account           | `{}`                                                         |
+| `serviceAccount.name`             | Name of the service account to use                  | `""` (uses the fullname template if `create` is true)        |
+| `podAnnotations`                  | Annotations for the pod                             | `{}`                                                         |
+| `podSecurityContext.runAsNonRoot` | Run pod as non-root                                 | `true`                                                       |
+| `securityContext`                 | Security context for the pod                        | `{}` (with commented out options)                            |
+| `resources`                       | CPU/Memory resource requests/limits                 | `{}` (with commented out options)                            |
+| `nodeSelector`                    | Node labels for pod assignment                      | `{}`                                                         |
+| `tolerations`                     | Tolerations for pod assignment                      | `[]`                                                         |
diff --git a/deploy/charts/command-cert-manager-issuer/templates/_helpers.tpl b/deploy/charts/command-cert-manager-issuer/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "command-cert-manager-issuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "command-cert-manager-issuer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "command-cert-manager-issuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "command-cert-manager-issuer.labels" -}}
+helm.sh/chart: {{ include "command-cert-manager-issuer.chart" . }}
+{{ include "command-cert-manager-issuer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "command-cert-manager-issuer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "command-cert-manager-issuer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "command-cert-manager-issuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "command-cert-manager-issuer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml
@@ -0,0 +1,87 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificaterequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificaterequests/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - command-issuer.keyfactor.com
+    resources:
+      - clusterissuers
+      - issuers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - command-issuer.keyfactor.com
+    resources:
+      - clusterissuers/status
+      - issuers/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - command-issuer.keyfactor.com
+    resources:
+      - issuers/finalizers
+    verbs:
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-metrics-reader
+rules:
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get
diff --git a/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml b/deploy/charts/command-cert-manager-issuer/templates/clusterrolebinding.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "command-cert-manager-issuer.name" . }}-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "command-cert-manager-issuer.name" . }}-proxy-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}