diff --git a/CHANGELOG.md b/CHANGELOG.md index 382671b..fdde3c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# v2.6.1 +## Features +- Added [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) as an optional specification on the Deployment resource. +## Chores +- Updated the `CONTRIBUTING.md` guide with notes for how external contributors can contribute to this project. + # v2.6.0 ## Features - Allow `certificateAuthorityLogicalName` to be optional when using an enrollment pattern. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2669087..1c95169 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,12 +1,24 @@ # Command Cert Manager Issuer Contribution Guide -## Requirements -- Go (>= 1.24) +## How to contribute + +### External Contributors - Submitting a PR + +Since external contributors can't create branches directly on our repositories, go ahead and open your PR against `main`. Our team will handle retargeting it to the appropriate release branch as part of our internal review process. You may see your PR retargeted or, in some cases, closed and replaced with an internal PR carrying your commits. In either case, your contribution will be preserved. + +### Release cadence + +We have an internal review process for every release we make. This process can sometimes take a few days or weeks depending on resourcing. + +## Development + +### Requirements +- Go (>= 1.26.2) - golangci-lint (>= 2.4.0) ([installation notes](https://github.com/golangci/golangci-lint?tab=readme-ov-file#install-golangci-lint)) - helm (>= 3.x) — required to render chart templates for manifest linting ([installation notes](https://helm.sh/docs/intro/install/)) - conftest — policy testing tool powered by Open Policy Agent; installed automatically by `make lint-manifests` -## Installing dependencies +### Installing dependencies Project dependencies can be installed by running the following: ```bash @@ -19,14 +31,14 @@ The following command can be used to add missing requirements or remove unused m go mod tidy ``` -## Running unit tests +### Running unit tests The following command can be run to run the project unit tests: ```bash go test -v ./... ``` -## Running linters +### Running linters The project uses golangci-lint to lint the codebase. The following command can be run to run the linters: ```bash @@ -39,7 +51,7 @@ or, alternatively: make lint ``` -## Updating generated manifests +### Updating generated manifests This command will update the generated custom resource definitions under `config/crd/bases`: @@ -50,7 +62,7 @@ make generate manifests > [!IMPORTANT] > There is no automated process to automatically update the CRDs under `deploy/charts/command-cert-manager-issuer`. If any changes are made to the CRDs, the generated CRDs under `config/crd/bases` must be copied to `deploy/charts/command-cert-manager-issuer/crds` to ensure the Helm chart is up to date. -## Linting Helm manifests +### Linting Helm manifests The Helm chart under `deploy/charts/command-cert-manager-issuer` is linted with two tools on every PR: - **conftest** — runs custom Rego policies located in the [`policy/`](policy/) directory against the rendered manifests @@ -69,13 +81,13 @@ To inspect the rendered templates without linting: make helm-template ``` -### Adding or modifying policies +#### Adding or modifying policies Rego policies live in [`policy/`](policy/). Each `.rego` file in that directory is evaluated by conftest against every resource in the rendered chart. Add a new `.rego` file to enforce additional rules. For example, `policy/roles.rego` enforces that all `Role` resources declare an explicit namespace. kube-linter checks can be tuned in [.kube-linter.yaml](.kube-linter.yaml). To exclude a check, add its name under the `exclude` key. -## Running end-to-end tests +### Running end-to-end tests A comprehensive end-to-end test suite is available to verify the issuer code works against cert-manager and a Keyfactor Command instance. Instructions on how to run the end-to-end test suite can be found [here](./e2e/README.md). \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md index 3c83a88..7bfffd5 100644 --- a/deploy/charts/command-cert-manager-issuer/README.md +++ b/deploy/charts/command-cert-manager-issuer/README.md @@ -63,29 +63,33 @@ helm install command-cert-manager-issuer command-issuer/command-cert-manager-iss The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| -| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` | -| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.tag` | Image tag | `""` | -| `imagePullSecrets` | Image pull secrets | `[]` | -| `nameOverride` | Name override | `""` | -| `fullnameOverride` | Full name override | `""` | -| `crd.create` | Specifies if CRDs will be created | `true` | -| `crd.annotations` | Annotations to add to the CRD | `{}` | -| `serviceAccount.create` | Specifies if a service account should be created | `true` | -| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | -| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) | +| Parameter | Description | Default | +|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------| +| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` | +| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.tag` | Image tag | `""` | +| `imagePullSecrets` | Image pull secrets | `[]` | +| `nameOverride` | Name override | `""` | +| `fullnameOverride` | Full name override | `""` | +| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` | +| `secretConfig.useClusterRoleForConfigMapAccess` | Specifies if the ServiceAccount should be granted access to the ConfigMap resource using a ClusterRole | `false` | +| `crd.create` | Specifies if CRDs will be created | `true` | +| `crd.annotations` | Annotations to add to the CRD | `{}` | +| `serviceAccount.create` | Specifies if a service account should be created | `true` | +| `serviceAccount.labels` | Labels to add to the service account | `{}` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) | | `serviceAccount.automountServiceAccountToken` | Controls whether Kubernetes automatically mounts the service account token into the pod. When `false` (default), a projected volume is used instead, giving explicit control over token expiration and file permissions. Setting to `true` uses Kubernetes' default token mount, which has no expiration and is less restrictive — only recommended if the projected volume approach causes compatibility issues. | `false` | | `serviceAccount.projectedTokenVolume.expirationSeconds` | Lifetime in seconds of the projected service account token. The kubelet will rotate the token before it expires. Only applies when `automountServiceAccountToken` is `false`. | `3607` | -| `serviceAccount.projectedTokenVolume.defaultMode` | File permission bits for the projected token volume. Only applies when `automountServiceAccountToken` is `false`. | `0444` | -| `podAnnotations` | Annotations for the pod | `{}` | -| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` | -| `securityContext` | Security context for the pod | `{}` (with commented out options) | -| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `env` | Environmental variables set for pod | `{}` | -| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` | -| `defaultHealthCheckInterval` | Specifies the default health check interval for issuers | `""` (uses the default in the code which is 10 minutes) | +| `serviceAccount.projectedTokenVolume.defaultMode` | File permission bits for the projected token volume. Only applies when `automountServiceAccountToken` is `false`. | `0444` | +| `podLabels` | Labels for the pod | `{}` | +| `podAnnotations` | Annotations for the pod | `{}` | +| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` | +| `securityContext` | Security context for the pod | `{}` (with commented out options) | +| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `priorityClassName` | Priority class to set for pod | `""` | +| `defaultHealthCheckInterval` | Specifies the default health check interval for issuers | `""` (uses the default in the code which is 10 minutes)| +| `env` | Environmental variables set for pod | `{}` | \ No newline at end of file diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml index 2f5de7d..4d95538 100644 --- a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml +++ b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml @@ -121,4 +121,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} terminationGracePeriodSeconds: 10 diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml index e715b4c..cb9716f 100644 --- a/deploy/charts/command-cert-manager-issuer/values.yaml +++ b/deploy/charts/command-cert-manager-issuer/values.yaml @@ -89,6 +89,8 @@ nodeSelector: {} tolerations: [] +priorityClassName: "" + defaultHealthCheckInterval: "" env: {}