v2.2.0: Support Enrollment Patterns

.github/workflows/helm.yml

@@ -1,20 +1,12 @@
 name: Build and Release Helm Chart
 on:
-  pull_request:
-    branches:
-      - 'release-*'
-    types:
-      # action should run when the pull request is closed
-      # (regardless of whether it was merged or just closed)
-      - closed
-      # Make sure the action runs every time new commits are
-      # pushed to the pull request's branch
-      - synchronize
-
+  push:
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+'     # 1.2.3 (exact match) - release candidates are excluded
+
 jobs:
   helm:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.merged == true
     steps:
       - name: Set IMAGE_NAME
         run: |
@@ -23,20 +15,20 @@ jobs:
       # Checkout code
       # https://github.com/actions/checkout
       - name: Checkout code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@v4.1.0
 
       # Extract metadata (tags, labels) to use in Helm chart
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        uses: docker/metadata-action@v5.0.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Set version from DOCKER_METADATA_OUTPUT_VERSION as environment variable
       - name: Set Version
         run: |
-          echo "VERSION=${DOCKER_METADATA_OUTPUT_VERSION:8}.0" >> $GITHUB_ENV # Eventually will build this into Keyfactor bootstrap
+          echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV # Eventually will build this into Keyfactor bootstrap
 
       # Change version and appVersion in Chart.yaml to the tag in the closed PR
       - name: Update Helm App/Chart Version
@@ -48,7 +40,7 @@ jobs:
       # Setup Helm
       # https://github.com/Azure/setup-helm
       - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        uses: azure/setup-helm@v3.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -61,7 +53,7 @@ jobs:
       # Build and release Helm chart to GitHub Pages
       # https://github.com/helm/chart-releaser-action
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
+        uses: helm/chart-releaser-action@v1.5.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:

.github/workflows/keyfactor-bootstrap-workflow.yml

@@ -14,10 +14,10 @@ jobs:
   build:
     name: Build and Lint
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 8
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4.2.1
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -35,9 +35,9 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@v4
       - name: Set up Go 1.x
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        uses: actions/setup-go@v4.2.1
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -46,7 +46,7 @@ jobs:
         run: go test -v ./...
 
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v3
+    uses: keyfactor/actions/.github/workflows/starter.yml@3.2.0
     needs: test
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}

.gitignore

@@ -19,4 +19,8 @@ bin
 # Helm
 *.tgz
 
-.DS_Store
+.DS_Store
+
+**/.env
+**/.env.*
+!**/.env.example

CHANGELOG.md

@@ -1,23 +1,40 @@
-# v1.0.4
-
+# v2.2.0
 ## Features
-* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
-* feat(release): Container build and release now uses GitHub Actions.
+- Added support for enrolling CSRs with [Enrollment Patterns](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Enrollment-Patterns.htm), a new feature introduced in Keyfactor Command 25.1. [Release notes](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReleaseNotes/Release2511.htm)
+    - Usage of `CertificateTemplate` is still supported, but if using Keyfactor Command 25.1 and above, it is recommended to start using Enrollment Patterns in your issuer specification. You may use `EnrollmentPatternId` or `EnrollmentPatternName` in your specification.
+- When using ambient credentials, some relevant token claims (subject, issuer, object ID, etc.) are logged for easier debugging and setup for security roles and identity providers.
+
+## Chores
+- Updated documentation for using ambient credentials with Azure Kuberentes Services.
+- Removed documentation for using ambient credentials with Google Kubernetes Engine. As of writing, Google is not a supported identity provider in Keyfactor Command.
+- Migrated from using [keyfactor-go-client](https://github.com/Keyfactor/keyfactor-go-client) to [keyfactor-go-client-sdk](https://github.com/keyfactor/keyfactor-go-client-sdk).
 
 ## Fixes
-* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
-* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
-* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
-* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
+- Fix the Helm chart releaser job to not run into issues with overlapping Helm chart versions.
 
-# v1.0.5
+# v2.1.1
 
-## Features
-* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
+## Fixes
+- Update Helm chart deployment template to resolve Docker image metadata issue.
+
+## Chores
+- Update documentation for more clear instructions on deploying workloads to Azure Kubernetes Service and Google Kubernetes Engine, as well as permissions needed on Command Security Roles.
+
+# v2.1.0
 
 ## Fixes
-* fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
-* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
+- Updated library golang.org/x/crypto to version v0.33.0 to address authorization bypass vulnerability (https://github.com/advisories/GHSA-v778-237x-gjrc)
+- Bug fix for Google ambient credentials
+
+# v2.0.2
+
+## Fixes
+- Bug fix in Helm chart release action
+
+# v2.0.1
+
+## Fixes
+- Change Helm release trigger from `v*` to `release-*` to support Keyfactor Bootstrap Workflow
 
 # v2.0.0
 
@@ -33,26 +50,23 @@
 - Refactor unit tests to use fake Command API instead of requiring live Command server.
 - Write e2e integration test.
 
-# v2.0.1
-
-## Fixes
-- Change Helm release trigger from `v*` to `release-*` to support Keyfactor Bootstrap Workflow
+# v1.0.5
 
-# v2.0.2
+## Features
+* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
 
 ## Fixes
-- Bug fix in Helm chart release action
-
-# v2.1.0
+* fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
+* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
 
-## Fixes
-- Updated library golang.org/x/crypto to version v0.33.0 to address authorization bypass vulnerability (https://github.com/advisories/GHSA-v778-237x-gjrc)
-- Bug fix for Google ambient credentials
+# v1.0.4
 
-# v2.1.1
+## Features
+* feat(signer): Signer recognizes `metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>` annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
+* feat(release): Container build and release now uses GitHub Actions.
 
 ## Fixes
-- Update Helm chart deployment template to resolve Docker image metadata issue.
-
-## Chores
-- Update documentation for more clear instructions on deploying workloads to Azure Kubernetes Service and Google Kubernetes Engine, as well as permissions needed on Command Security Roles.
+* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
+* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
+* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
+* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.23.4 AS builder
+FROM golang:1.24 AS builder
 ARG TARGETOS
 ARG TARGETARCH