├── charts └── adcs-issuer │ ├── .gitignore │ ├── Chart.yaml │ ├── templates │ ├── serviceaccount-rbac.yaml │ ├── simulator-service.yaml │ ├── webhook-service.yaml │ ├── simulator-secret.yaml │ ├── metrics-service.yaml │ ├── metrics-servicemonitor.yaml │ ├── proxy-rbac.yaml │ ├── simulator-certificate-secret.yaml │ ├── simulator-example-certificate.yaml │ ├── cert-manager-controller-approve-dcs-certmanager-csf-nokia-com-rbac.yaml │ ├── leader-election-rbac.yaml │ ├── validating-webhook-configuration.yaml │ ├── mutating-webhook-configuration.yaml │ ├── _helpers.tpl │ ├── manager-rbac.yaml │ ├── simulator-deployment.yaml │ ├── simulator-clusterissuer.yaml │ ├── adcsissuer-crd.yaml │ └── clusteradcsissuer-crd.yaml │ ├── .helmignore │ └── README.md.gotmpl ├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── BUG-REPORT.yml │ └── FEATURE-REQUEST.yml ├── dependabot.yml ├── workflows │ ├── helm-release.yaml │ ├── test.yaml │ ├── trivy-scan.yaml │ ├── release.yaml │ ├── trivy.yml │ ├── codeql.yaml │ └── helm-test.yaml └── PULL_REQUEST_TEMPLATE.md ├── config ├── certmanager │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── certificate.yaml ├── webhook │ ├── kustomization.yaml │ ├── service.yaml │ ├── kustomizeconfig.yaml │ └── manifests.yaml ├── samples │ ├── issuer.yaml │ ├── adcs_v1_adcsrequest.yaml │ ├── adcs_v1_adcs-issuer-credentials.yaml │ ├── certificate.yaml │ ├── adcs_v1_clusteradcsissuer.yaml │ └── adcs_v1_adcsissuer.yaml ├── samples-dev │ ├── secret.yaml │ ├── certificate.yaml │ └── adccsissuer.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── rbac │ ├── role_binding.yaml │ ├── auth_proxy_role.yaml │ ├── auth_proxy_role_binding.yaml │ ├── leader_election_role_binding.yaml │ ├── auth_proxy_service.yaml │ ├── cert_manager_controller_approver_clusterrole.yaml │ ├── cert_manager_controller_approver_clusterrolebinding.yaml │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ └── role.yaml ├── crd │ ├── patches │ │ ├── 
cainjection_in_adcsissuers.yaml │ │ ├── cainjection_in_adcsrequests.yaml │ │ ├── cainjection_in_clusteradcsissuers.yaml │ │ ├── webhook_in_adcsissuers.yaml │ │ ├── webhook_in_adcsrequests.yaml │ │ └── webhook_in_clusteradcsissuers.yaml │ ├── kustomizeconfig.yaml │ ├── kustomization.yaml │ └── bases │ │ ├── adcs.certmanager.csf.nokia.com_adcsissuers.yaml │ │ ├── adcs.certmanager.csf.nokia.com_clusteradcsissuers.yaml │ │ └── adcs.certmanager.csf.nokia.com_adcsrequests.yaml └── default │ ├── manager_prometheus_metrics_patch.yaml │ ├── manager_webhook_patch.yaml │ ├── webhookcainjection_patch.yaml │ ├── manager_auth_proxy_patch.yaml │ └── kustomization.yaml ├── api └── v1 │ ├── types.go │ ├── groupversion_info.go │ ├── adcsissuer_types.go │ ├── clusteradcsissuer_types.go │ ├── adcsrequest_types.go │ └── .adcsissuer_webhook.go ├── docs ├── README.md └── install-examples │ ├── secrets │ └── adcs-credentials.yaml │ ├── adcs-simulator │ ├── cert-manager-namespace │ │ ├── secret-adcs-sim.yaml │ │ ├── certificate-adcs-sim.yaml │ │ ├── adcs-simulator-cert-manager-namespace.yaml │ │ └── clusteradcsissuer-adcs-sim.yaml │ └── adcs-issuer-namespace │ │ ├── secret-adcs-sim.yaml │ │ ├── certificate-adcs-sim.yaml │ │ ├── csi-driver-app-pod.yaml │ │ ├── adcs-simulator-adcs-issuer-namespace.yaml │ │ └── clusteradcsissuer-adcs-sim.yaml │ ├── certificates │ ├── adcs-certificate.yaml │ └── cluster-adcs-certificate.yaml │ ├── gateways │ ├── README.md │ └── cluster-adcs-gateway.yaml │ ├── csi-driver │ └── pod.yaml │ ├── values-adcs-issuer-namespace.yaml │ ├── values-cert-manager-namespace.yaml │ ├── issuers │ ├── cluster-adcs-issuer.yaml │ └── adcs-issuer.yaml │ ├── routes │ └── adcs-route-tls.yaml │ ├── ingresses │ └── cluster-adcs-ingress-tls.yaml │ └── README.md ├── manifests ├── Namespace │ └── cert-manager.yaml ├── Service │ ├── adcs-issuer-webhook-service.yaml │ └── adcs-issuer-controller-manager-metrics-service.yaml ├── ClusterRoleBinding │ ├── adcs-issuer-proxy-rolebinding.yaml │ 
├── adcs-issuer-manager-rolebinding.yaml │ └── adcs-issuer-cert-manager-controller-approve_adcs-certmanager-csf-nokia-com.yaml ├── ClusterRole │ ├── adcs-issuer-proxy-role.yaml │ ├── adcs-issuer-cert-manager-controller-approve_adcs-certmanager-csf-nokia-com.yaml │ └── adcs-issuer-manager-role.yaml ├── RoleBinding │ └── adcs-issuer-leader-election-rolebinding.yaml ├── Certificate │ └── adcs-issuer-serving-cert.yaml ├── Role │ └── adcs-issuer-leader-election-role.yaml ├── MutatingWebhookConfiguration │ └── adcs-issuer-mutating-webhook-configuration.yaml ├── ValidatingWebhookConfiguration │ └── adcs-issuer-validating-webhook-configuration.yaml ├── Deployment │ └── adcs-issuer-controller-manager.yaml └── CustomResourceDefinition │ ├── adcsissuers.adcs.certmanager.csf.nokia.com.yaml │ ├── clusteradcsissuers.adcs.certmanager.csf.nokia.com.yaml │ └── adcsrequests.adcs.certmanager.csf.nokia.com.yaml ├── healthcheck └── healthcheck.go ├── scripts ├── cert-manager-install.bash ├── gomodk8s.sh ├── generate-certs.sh ├── common_utils.sh └── operator-sdk-install.sh ├── ct.yaml ├── version └── version.go ├── .devcontainer ├── devcontainer.json └── test-on-create.sh ├── issuers ├── testdata │ ├── incorrectPKCS7Cert.pem │ ├── cfss_outputx509.pem │ └── cfss_rawPKCS7.p7b └── issuer_test.go ├── .gitignore ├── chart_schema.yaml ├── PROJECT ├── lintconf.yaml ├── Dockerfile ├── README.md ├── controllers ├── adcsissuer_controller.go ├── clusteradcsissuer_controller.go └── .suite_test.go ├── adcs └── certsrv.go ├── .goreleaser.yaml ├── LICENSE └── go.mod /charts/adcs-issuer/.gitignore: -------------------------------------------------------------------------------- 1 | *.tgz 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | blank_issues_enabled: false 3 | 
-------------------------------------------------------------------------------- /config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | configurations: 5 | - kustomizeconfig.yaml 6 | -------------------------------------------------------------------------------- /api/v1/types.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | type LocalObjectReference struct { 4 | // Name of the referent. 5 | Name string `json:"name"` 6 | } 7 | -------------------------------------------------------------------------------- /config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # `adcs-issuer` Documentation 2 | 3 | A documentation rewrite is in progress. In the meantime, please see the [old documentation](./OLD.md). 
4 | -------------------------------------------------------------------------------- /manifests/Namespace/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: cert-manager 7 | -------------------------------------------------------------------------------- /config/samples/issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Issuer 3 | metadata: 4 | name: selfsigned-issuer 5 | namespace: cert-manager 6 | spec: 7 | selfSigned: {} -------------------------------------------------------------------------------- /config/samples/adcs_v1_adcsrequest.yaml: -------------------------------------------------------------------------------- 1 | #apiVersion: adcs.certmanager.csf.nokia.com/v1 2 | #kind: AdcsRequest 3 | #metadata: 4 | # name: adcsrequest-sample 5 | # namespace: cert-manager 6 | #spec: 7 | -------------------------------------------------------------------------------- /config/samples-dev/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: test-adcs-issuer-credentials 5 | namespace: cert-manager 6 | type: Opaque 7 | data: 8 | password: cGFzc3dvcmQ= 9 | username: dXNlcm5hbWU= -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - manager.yaml 6 | images: 7 | - name: controller 8 | newName: controller 9 | newTag: latest 10 | -------------------------------------------------------------------------------- /config/samples/adcs_v1_adcs-issuer-credentials.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: adcs-issuer-secret 5 | namespace: cert-manager 6 | type: Opaque 7 | stringData: 8 | password: cGFzc3dvcmQ= 9 | username: dXNlcm5hbWU= 10 | -------------------------------------------------------------------------------- /config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: webhook-service 6 | namespace: system 7 | spec: 8 | ports: 9 | - port: 443 10 | targetPort: 9443 11 | selector: 12 | control-plane: controller-manager 13 | -------------------------------------------------------------------------------- /healthcheck/healthcheck.go: -------------------------------------------------------------------------------- 1 | package healthcheck 2 | 3 | import ( 4 | "net/http" 5 | 6 | "sigs.k8s.io/controller-runtime/pkg/log" 7 | ) 8 | 9 | func HealthCheck(r *http.Request) error { 10 | log.Log.WithName("healthcheck").V(1).Info("Healthcheck passed") 11 | return nil 12 | } 13 | -------------------------------------------------------------------------------- /docs/install-examples/secrets/adcs-credentials.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: adcs-issuer-credentials 5 | namespace: adcs-issuer # namespace of adcs operator 6 | type: Opaque 7 | data: 8 | password: UGE1NXcucmQ= # Password 9 | username: YWRjcy11c2Vy # username -------------------------------------------------------------------------------- /scripts/cert-manager-install.bash: -------------------------------------------------------------------------------- 1 | helm repo add jetstack https://charts.jetstack.io 2 | 3 | helm repo update 4 | 5 | helm install \ 6 | cert-manager jetstack/cert-manager \ 7 | --namespace cert-manager \ 8 | --create-namespace \ 9 
| --version v1.9.1 \ 10 | --set installCRDs=true -------------------------------------------------------------------------------- /manifests/Service/adcs-issuer-webhook-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: adcs-issuer-webhook-service 5 | namespace: cert-manager 6 | spec: 7 | ports: 8 | - port: 443 9 | targetPort: 9443 10 | selector: 11 | control-plane: controller-manager 12 | -------------------------------------------------------------------------------- /ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing#configuration 2 | remote: origin 3 | target-branch: master 4 | chart-dirs: 5 | - charts/adcs-issuer 6 | chart-repos: 7 | - adcs-issuer-issuer=https://djkormo.github.io/adcs-issuer/ 8 | - cert-manager=https://charts.jetstack.io 9 | helm-extra-args: --timeout 200s 10 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/cert-manager-namespace/secret-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: adcs-issuer-credentials 5 | namespace: cert-manager # namespace of cert-manager and the adcs operator 6 | type: Opaque 7 | data: 8 | password: cGFzc3dvcmQ= # password 9 | username: dXNlcm5hbWU= # username 10 | 11 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: 
cert-manager 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: cert-manager 13 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/adcs-issuer-namespace/secret-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: adcs-issuer-credentials 5 | namespace: adcs-issuer # namespace of cert-manager and the adcs operator 6 | type: Opaque 7 | data: 8 | password: cGFzc3dvcmQ= # password 9 | username: dXNlcm5hbWU= # username 10 | 11 | -------------------------------------------------------------------------------- /version/version.go: -------------------------------------------------------------------------------- 1 | package version 2 | 3 | var ( 4 | // BuildTime is a time label of the moment when the binary was built 5 | BuildTime = "unset" 6 | // Commit is a last commit hash at the moment when the binary was built 7 | Commit = "unset" 8 | // Release is a 
semantic version of current build 9 | Release = "unset" 10 | Version = "adcs-operator" 11 | ) 12 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: cert-manager 13 | -------------------------------------------------------------------------------- /charts/adcs-issuer/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: adcs-issuer 3 | description: ADCS Issuer plugin for cert-manager. 4 | type: application 5 | version: 2.1.5 6 | appVersion: "2.1.5" 7 | home: https://github.com/djkormo/adcs-issuer 8 | sources: 9 | - https://github.com/djkormo/adcs-issuer 10 | - https://djkormo.github.io/adcs-issuer/ 11 | kubeVersion: ">=1.16.0-0" 12 | 13 | -------------------------------------------------------------------------------- /manifests/ClusterRoleBinding/adcs-issuer-proxy-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: adcs-issuer-proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: adcs-issuer-proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: cert-manager 13 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/serviceaccount-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.controllerManager.rbac.enabled }} 
2 | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Values.controllerManager.rbac.serviceAccountName | default (include "chart.fullname" .) }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "chart.labels" . | nindent 4 }} 10 | 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /manifests/ClusterRoleBinding/adcs-issuer-manager-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: adcs-issuer-manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: adcs-issuer-manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: cert-manager 13 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_adcsissuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: adcsissuers.adcs.certmanager.csf.nokia.com 9 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_adcsrequests.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: adcsrequests.adcs.certmanager.csf.nokia.com 9 | -------------------------------------------------------------------------------- /manifests/ClusterRole/adcs-issuer-proxy-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: adcs-issuer-proxy-role 5 | rules: 6 | - apiGroups: 7 | - authentication.k8s.io 8 | resources: 9 | - tokenreviews 10 | verbs: 11 | - create 12 | - apiGroups: 13 | - authorization.k8s.io 14 | resources: 15 | - subjectaccessreviews 16 | verbs: 17 | - create 18 | -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "postStartCommand": "bash .devcontainer/test-on-create.sh", 3 | "customizations": { 4 | "vscode": { 5 | "extensions": ["redhat.vscode-yaml", 6 | "ms-kubernetes-tools.vscode-kubernetes-tools", 7 | "golang.Go", 8 | "mhutchie.git-graph", 9 | "766b.go-outliner", "m4ns0ur.base64" 10 | ] 11 | 12 | } 13 | } 14 | } -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_clusteradcsissuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 8 | name: clusteradcsissuers.adcs.certmanager.csf.nokia.com 9 | -------------------------------------------------------------------------------- /config/samples-dev/certificate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: adcs-certificate 5 | spec: 6 | commonName: test.example.com 7 | dnsNames: 8 | - test1-alternate.example.com 9 | - test2-alternate.example.com 10 | issuerRef: 11 | group: adcs.certmanager.csf.nokia.com 12 | kind: AdcsIssuer 13 | name: test-adcs-issuer 14 | 15 | secretName: adcsIssuer-certificate -------------------------------------------------------------------------------- /manifests/RoleBinding/adcs-issuer-leader-election-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: adcs-issuer-leader-election-rolebinding 5 | namespace: cert-manager 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: adcs-issuer-leader-election-role 10 | subjects: 11 | - kind: ServiceAccount 12 | name: default 13 | namespace: cert-manager 14 | -------------------------------------------------------------------------------- /docs/install-examples/certificates/adcs-certificate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: adcs-certificate 5 | namespace: adcs-issuer 6 | spec: 7 | commonName: example.com 8 | dnsNames: 9 | - service1.example.com 10 | - service2.example.com 11 | issuerRef: 12 | group: adcs.certmanager.csf.nokia.com 13 | kind: AdcsIssuer 14 | name: adcs-issuer 15 | secretName: 
adcs-cert 16 | -------------------------------------------------------------------------------- /issuers/testdata/incorrectPKCS7Cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICHQYJKoZIhvcNAQcCoIICDjCCAgoCAQExADALBgkqhkiG9w0BBwGgggHwMIIB 3 | 7DCCAZKgAwIBAgIIE/Qz49ebG7kwCgYIKoZIzj0EAwIwTDELMAkGA1UEBhMCVVMx 4 | EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAO 5 | BgNVBAoTB2FjbWUuY28wHhcNMTcwNTIzMTk1MTQ0WhcNMTcwODIzMDE1NjQ0WjBM 6 | /pzE3LDA6GpIts6TVyzgftLLEfU2BzQsjp0CIQDo+sn8t7XC6JN4KKRr2ABlZI+J 7 | ifgG+2KCy9ln2LxGJaEAMQA= 8 | -----END CERTIFICATE----- 9 | -------------------------------------------------------------------------------- /charts/adcs-issuer/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: cert-manager.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: cert-manager.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: cert-manager.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: cert-manager.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "8443" 6 | prometheus.io/scheme: https 7 | prometheus.io/scrape: "true" 8 | labels: 9 | control-plane: controller-manager 10 | name: controller-manager-metrics-service 11 | namespace: cert-manager 12 | spec: 13 | ports: 14 | - name: https 15 | port: 8443 16 | targetPort: https 17 | selector: 18 | control-plane: controller-manager 19 | -------------------------------------------------------------------------------- /manifests/Certificate/adcs-issuer-serving-cert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: adcs-issuer-serving-cert 5 | namespace: cert-manager 6 | spec: 7 | commonName: adcs-issuer-webhook-service.cert-manager.svc 8 | dnsNames: 9 | - 
adcs-issuer-webhook-service.cert-manager.svc.cluster.local 10 | issuerRef: 11 | kind: AdcsIssuer 12 | name: adcsissuer-sample 13 | group: adcs.certmanager.csf.nokia.com 14 | secretName: webhook-server-cert 15 | -------------------------------------------------------------------------------- /docs/install-examples/certificates/cluster-adcs-certificate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | name: cluster-adcs-certificate 5 | namespace: adcs-issuer 6 | spec: 7 | commonName: example-cluster.com 8 | dnsNames: 9 | - service1-cluster.example.com 10 | - service2-cluster.example.com 11 | issuerRef: 12 | group: adcs.certmanager.csf.nokia.com 13 | kind: ClusterAdcsIssuer 14 | name: adcs-cluster-issuer 15 | secretName: adcs-cluster-cert 16 | -------------------------------------------------------------------------------- /manifests/ClusterRole/adcs-issuer-cert-manager-controller-approve_adcs-certmanager-csf-nokia-com.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: adcs-issuer-cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 5 | rules: 6 | - apiGroups: 7 | - cert-manager.io 8 | resourceNames: 9 | - adcsissuers.adcs.certmanager.csf.nokia.com/* 10 | - clusteradcsissuers.adcs.certmanager.csf.nokia.com/* 11 | resources: 12 | - signers 13 | verbs: 14 | - approve 15 | -------------------------------------------------------------------------------- /config/rbac/cert_manager_controller_approver_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | # permissions to approve all adcs.certmanager.csf.nokia.com requests 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 6 | 
rules: 7 | - apiGroups: 8 | - cert-manager.io 9 | resources: 10 | - signers 11 | verbs: 12 | - approve 13 | resourceNames: 14 | - adcsissuers.adcs.certmanager.csf.nokia.com/* 15 | - clusteradcsissuers.adcs.certmanager.csf.nokia.com/* 16 | -------------------------------------------------------------------------------- /manifests/ClusterRoleBinding/adcs-issuer-cert-manager-controller-approve_adcs-certmanager-csf-nokia-com.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: adcs-issuer-cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: adcs-issuer-cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 9 | subjects: 10 | - kind: ServiceAccount 11 | name: cert-manager 12 | namespace: cert-manager 13 | -------------------------------------------------------------------------------- /manifests/Service/adcs-issuer-controller-manager-metrics-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "8443" 6 | prometheus.io/scheme: https 7 | prometheus.io/scrape: "true" 8 | labels: 9 | control-plane: controller-manager 10 | name: adcs-issuer-controller-manager-metrics-service 11 | namespace: cert-manager 12 | spec: 13 | ports: 14 | - name: https 15 | port: 8443 16 | targetPort: https 17 | selector: 18 | control-plane: controller-manager 19 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: 
CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.simulator.enabled }} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ .Values.simulator.serviceName | default "adcs-sim-service" }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "chart.labels" . | nindent 4 }} 10 | spec: 11 | ports: 12 | - port: {{ .Values.simulator.servicePort | default 8443 }} 13 | targetPort: {{ .Values.simulator.containerPort | default 8443 }} 14 | selector: 15 | control-plane: adcs-sim 16 | 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/webhook-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.controllerManager.enabledWebHooks }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "chart.fullname" . }}-webhook-service 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "chart.labels" . | nindent 4 }} 9 | spec: 10 | type: {{ .Values.webhookService.type }} 11 | selector: 12 | {{- include "chart.selectorLabels" . 
| nindent 4 }} 13 | control-plane: controller-manager 14 | ports: 15 | {{- .Values.webhookService.ports | toYaml | nindent 4 }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /config/default/manager_prometheus_metrics_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch enables Prometheus scraping for the manager pod. 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: cert-manager 7 | spec: 8 | template: 9 | metadata: 10 | annotations: 11 | prometheus.io/scrape: 'true' 12 | spec: 13 | containers: 14 | # Expose the prometheus metrics on default port 15 | - name: manager 16 | ports: 17 | - containerPort: 8080 18 | name: metrics 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /config/rbac/cert_manager_controller_approver_clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | # bind the cert-manager internal approver to approve 2 | # adcs.certmanager.csf.nokia.com CertificateRequests 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: ClusterRole 10 | name: cert-manager-controller-approve:adcs-certmanager-csf-nokia-com 11 | subjects: 12 | - kind: ServiceAccount 13 | name: cert-manager 14 | namespace: cert-manager 15 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.simulator.enabled }} 2 | 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ .Values.simulator.secretName | default "adcs-sim-secret" }} 7 | namespace: {{ .Release.Namespace 
}} 8 | labels: 9 | {{- include "chart.labels" . | nindent 4 }} 10 | type: Opaque 11 | data: 12 | username: {{ .Values.simulator.username | default (randAlphaNum 8) | b64enc }} # Random 8-character username 13 | password: {{ .Values.simulator.password | default (randAlphaNum 16) | b64enc }} # Random 16-character password 14 | 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json 2 | --- 3 | version: 2 4 | updates: 5 | - package-ecosystem: gomod 6 | directory: / 7 | schedule: 8 | interval: weekly 9 | labels: 10 | - dependencies 11 | - golang 12 | reviewers: 13 | - djkormo 14 | open-pull-requests-limit: 3 15 | 16 | - package-ecosystem: github-actions 17 | directory: / 18 | schedule: 19 | interval: weekly 20 | labels: 21 | - dependencies 22 | - github-actions 23 | reviewers: 24 | - djkormo 25 | open-pull-requests-limit: 3 26 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/adcs-issuer-namespace/certificate-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | 5 | name: adcs-sim-cert 6 | namespace: adcs-issuer 7 | spec: 8 | commonName: example.com 9 | dnsNames: 10 | - adcs1.example.com 11 | - adcs2.example.com 12 | 13 | issuerRef: 14 | group: adcs.certmanager.csf.nokia.com 15 | kind: ClusterAdcsIssuer 16 | name: adcs-cluster-issuer-adcs-sim 17 | 18 | duration: 2160h # 90d 19 | renewBefore: 360h # 15d 20 | subject: 21 | organizations: 22 | - Your organization 23 | 24 | secretName: adcs-sim-secret 25 | -------------------------------------------------------------------------------- 
/docs/install-examples/adcs-simulator/cert-manager-namespace/certificate-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | 5 | name: adcs-sim-cert 6 | namespace: cert-manager 7 | spec: 8 | commonName: example.com 9 | dnsNames: 10 | - adcs1.example.com 11 | - adcs2.example.com 12 | 13 | issuerRef: 14 | group: adcs.certmanager.csf.nokia.com 15 | kind: ClusterAdcsIssuer 16 | name: adcs-cluster-issuer-adcs-sim 17 | 18 | duration: 2160h # 90d 19 | renewBefore: 360h # 15d 20 | subject: 21 | organizations: 22 | - Your organization 23 | 24 | secretName: adcs-sim-secret 25 | -------------------------------------------------------------------------------- /config/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: cert-manager 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 9443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /scripts/gomodk8s.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Thanks to https://github.com/abursavich for this script. 3 | 4 | set -euo pipefail 5 | 6 | VERSION=${1#"v"} 7 | if [ -z "$VERSION" ]; then 8 | echo "Must specify version!" 
9 | exit 1 10 | fi 11 | MODS=($( 12 | curl -sS https://raw.githubusercontent.com/kubernetes/kubernetes/v${VERSION}/go.mod | 13 | sed -n 's|.*k8s.io/\(.*\) => ./staging/src/k8s.io/.*|k8s.io/\1|p' 14 | )) 15 | for MOD in "${MODS[@]}"; do 16 | V=$( 17 | go mod download -json "${MOD}@kubernetes-${VERSION}" | 18 | sed -n 's|.*"Version": "\(.*\)".*|\1|p' 19 | ) 20 | go mod edit "-replace=${MOD}=${MOD}@${V}" 21 | done 22 | go get "k8s.io/kubernetes@v${VERSION}" -------------------------------------------------------------------------------- /config/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch adds an annotation to the admission webhook configurations; 2 | # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. 3 | apiVersion: admissionregistration.k8s.io/v1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 16 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | # Comment out the following 3 lines if you want to disable 7 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 8 | # which protects your /metrics endpoint. 
9 | - auth_proxy_service.yaml 10 | - auth_proxy_role.yaml 11 | - auth_proxy_role_binding.yaml 12 | # Comment out the following 2 lines if you don't want the internal cert-manager 13 | # approver to approve all adcs.certmanager.csf.nokia.com CertificateRequests by 14 | # default. 15 | - cert_manager_controller_approver_clusterrole.yaml 16 | - cert_manager_controller_approver_clusterrolebinding.yaml 17 | -------------------------------------------------------------------------------- /config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # Assumes cert-manager is running and a ClusterIssuer named 'selfsigned' is present. 2 | 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: serving-cert # this name should match the one that appears in kustomizeconfig.yaml 7 | namespace: cert-manager 8 | spec: 9 | # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize 10 | commonName: $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc 11 | dnsNames: 12 | - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local 13 | issuerRef: 14 | kind: ClusterIssuer 15 | name: selfsigned 16 | secretName: webhook-server-cert # this secret name will not be prefixed, since it is not managed by kustomize 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_adcsissuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables the conversion webhook for the CRD. 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: adcsissuers.adcs.certmanager.csf.nokia.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_adcsrequests.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: adcsrequests.adcs.certmanager.csf.nokia.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/metrics-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metricsService.enabled }} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- $metricsServiceName := printf "%s-controller-metrics" (include "chart.fullname" . 
| trunc 44) }} 6 | name: {{ default $metricsServiceName $.Values.metricsService.nameOverride }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | control-plane: controller-manager 10 | {{- include "chart.labels" . | nindent 4 }} 11 | spec: 12 | type: {{ .Values.metricsService.type | default "ClusterIP" }} 13 | selector: 14 | control-plane: controller-manager 15 | {{- include "chart.selectorLabels" . | nindent 4 }} 16 | ports: 17 | {{- .Values.metricsService.ports | toYaml | nindent 4 }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | - apiGroups: 34 | - coordination.k8s.io 35 | resources: 36 | - leases 37 | verbs: 38 | - get 39 | - update 40 | - create -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_clusteradcsissuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 
3 | apiVersion: apiextensions.k8s.io/v1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: clusteradcsissuers.adcs.certmanager.csf.nokia.com 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /api/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | // Package v1 contains API Schema definitions for the adcs v1 API group 2 | // +kubebuilder:object:generate=true 3 | // +groupName=adcs.certmanager.csf.nokia.com 4 | package v1 5 | 6 | import ( 7 | "k8s.io/apimachinery/pkg/runtime/schema" 8 | "sigs.k8s.io/controller-runtime/pkg/scheme" 9 | ) 10 | 11 | var ( 12 | // GroupVersion is group version used to register these objects 13 | GroupVersion = schema.GroupVersion{Group: "adcs.certmanager.csf.nokia.com", Version: "v1"} 14 | 15 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 16 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 17 | 18 | // AddToScheme adds the types in this group-version to the given scheme. 
19 | AddToScheme = SchemeBuilder.AddToScheme 20 | ) 21 | -------------------------------------------------------------------------------- /manifests/Role/adcs-issuer-leader-election-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | name: adcs-issuer-leader-election-role 5 | namespace: cert-manager 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - events 31 | verbs: 32 | - create 33 | - apiGroups: 34 | - coordination.k8s.io 35 | resources: 36 | - leases 37 | verbs: 38 | - get 39 | - update 40 | - create 41 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/metrics-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.metricsService.serviceMonitor.enabled }} 2 | --- 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | name: {{ include "chart.fullname" . }} 7 | labels: 8 | control-plane: controller-manager 9 | {{- include "chart.labels" . | nindent 4 }} 10 | spec: 11 | endpoints: 12 | {{- range $.Values.metricsService.ports }} 13 | - path: /metrics 14 | port: {{ .port | squote }} 15 | scheme: {{ $.Values.metricsService.serviceMonitor.scheme }} 16 | {{- end }} 17 | namespaceSelector: 18 | matchNames: 19 | - {{ .Release.Namespace }} 20 | selector: 21 | matchLabels: 22 | control-plane: controller-manager 23 | {{- include "chart.labels" . 
| nindent 6 }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /issuers/testdata/cfss_outputx509.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIB7DCCAZKgAwIBAgIIE/Qz49ebG7kwCgYIKoZIzj0EAwIwTDELMAkGA1UEBhMC 3 | VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x 4 | EDAOBgNVBAoTB2FjbWUuY28wHhcNMTcwNTIzMTk1MTQ0WhcNMTcwODIzMDE1NjQ0 5 | WjBMMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN 6 | U2FuIEZyYW5jaXNjbzEQMA4GA1UEChMHYWNtZS5jbzBZMBMGByqGSM49AgEGCCqG 7 | SM49AwEHA0IABEW8F+k/avvdBm/KRsuDnTZ3p+VuVdsqDF+aD9nIYeOhx5sj574y 8 | hEIZOpgbEsi3BvqY63y2jYyPFodf25+CA9GjXjBcMA4GA1UdDwEB/wQEAwIFoDAd 9 | BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV 10 | HQ4EFgQUzDpu+HN89EC1M8aNl7f0Ln5JnnIwCgYIKoZIzj0EAwIDSAAwRQIgC4/r 11 | urbw/pzE3LDA6GpIts6TVyzgftLLEfU2BzQsjp0CIQDo+sn8t7XC6JN4KKRr2ABl 12 | ZI+JifgG+2KCy9ln2LxGJQ== 13 | -----END CERTIFICATE----- 14 | -------------------------------------------------------------------------------- /issuers/testdata/cfss_rawPKCS7.p7b: -------------------------------------------------------------------------------- 1 | -----BEGIN PKCS7----- 2 | MIICHQYJKoZIhvcNAQcCoIICDjCCAgoCAQExADALBgkqhkiG9w0BBwGgggHwMIIB 3 | 7DCCAZKgAwIBAgIIE/Qz49ebG7kwCgYIKoZIzj0EAwIwTDELMAkGA1UEBhMCVVMx 4 | EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEDAO 5 | BgNVBAoTB2FjbWUuY28wHhcNMTcwNTIzMTk1MTQ0WhcNMTcwODIzMDE1NjQ0WjBM 6 | MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2Fu 7 | IEZyYW5jaXNjbzEQMA4GA1UEChMHYWNtZS5jbzBZMBMGByqGSM49AgEGCCqGSM49 8 | AwEHA0IABEW8F+k/avvdBm/KRsuDnTZ3p+VuVdsqDF+aD9nIYeOhx5sj574yhEIZ 9 | OpgbEsi3BvqY63y2jYyPFodf25+CA9GjXjBcMA4GA1UdDwEB/wQEAwIFoDAdBgNV 10 | HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E 11 | FgQUzDpu+HN89EC1M8aNl7f0Ln5JnnIwCgYIKoZIzj0EAwIDSAAwRQIgC4/rurbw 12 | 
/pzE3LDA6GpIts6TVyzgftLLEfU2BzQsjp0CIQDo+sn8t7XC6JN4KKRr2ABlZI+J 13 | ifgG+2KCy9ln2LxGJaEAMQA= 14 | -----END PKCS7----- 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | bin 9 | # Test binary, build with `go test -c` 10 | *.test 11 | 12 | # Output of the go coverage tool, specifically when used with LiteIDE 13 | *.out 14 | 15 | # Kubernetes Generated files - skip generated files, except for vendored files 16 | 17 | !vendor/**/zz_generated.* 18 | 19 | # editor and IDE paraphernalia 20 | .idea 21 | *.iml 22 | *.swp 23 | *.swo 24 | *~ 25 | .vs 26 | .vscode 27 | 28 | examples/* 29 | issuers/testdata/ca/ 30 | issuers/testdata/pkcs7.pem 31 | issuers/testdata/x509.pem 32 | 33 | minikube_downloads/ 34 | *.logs 35 | *.tar.gz 36 | *.crt 37 | *.key 38 | *-all.yaml 39 | *.exe 40 | /adcs-issuer 41 | /adcs-sim 42 | /deploy.env 43 | 44 | # Added by goreleaser init: 45 | dist/ 46 | 47 | kubeconfig -------------------------------------------------------------------------------- /.github/workflows/helm-release.yaml: -------------------------------------------------------------------------------- 1 | name: Release (Helm) 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | # tags: 7 | # - 'helm/v[0-9]+.[0-9]+.[0-9]+' 8 | # - 'helm/v[0-9]+.[0-9]+.[0-9]+rc[0-9]+' 9 | paths: 10 | - 'charts/*/Chart.yaml' 11 | 12 | jobs: 13 | release: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v2 18 | with: 19 | fetch-depth: 0 20 | 21 | - name: Configure Git 22 | run: | 23 | git config user.name "$GITHUB_ACTOR" 24 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 25 | - name: Run chart-releaser 26 | uses: helm/chart-releaser-action@v1.6.0 27 | env: 28 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 29 | with: 30 | charts_dir: 
charts 31 | skip_existing: false 32 | -------------------------------------------------------------------------------- /config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/samples/certificate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: Certificate 3 | metadata: 4 | annotations: 5 | name: adcs-cert 6 | namespace: cert-manager 7 | spec: 8 | commonName: example.com 9 | dnsNames: 10 | - service1.example.com 11 | - service2.example.com 12 | issuerRef: 13 | group: adcs.certmanager.csf.nokia.com 14 | kind: ClusterAdcsIssuer 15 | name: adcsclusterissuer-sample 16 | secretName: webhook-server-cert 17 | # subject: 18 | # organizations: 19 | # - example.com 20 | # - anybody.com 21 | --- 22 | apiVersion: cert-manager.io/v1 23 | kind: Certificate 24 | metadata: 25 | annotations: 26 | name: generic-cert 27 | namespace: cert-manager 28 | spec: 29 | commonName: example.com 30 | 
dnsNames: 31 | - service1.example.com 32 | - service2.example.com 33 | issuerRef: 34 | kind: Issuer 35 | name: selfsigned-issuer 36 | secretName: webhook-server-cert -------------------------------------------------------------------------------- /.github/workflows/test.yaml: -------------------------------------------------------------------------------- 1 | name: Test 2 | on: 3 | workflow_dispatch: 4 | pull_request: 5 | 6 | permissions: 7 | contents: read 8 | # Optional: allow read access to pull request. Use with `only-new-issues` option. 9 | pull-requests: read 10 | 11 | jobs: 12 | golangci: 13 | name: lint 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@v4 17 | - uses: actions/setup-go@v5 18 | with: 19 | go-version: '1.24' 20 | - name: golangci-lint 21 | uses: golangci/golangci-lint-action@v8 22 | with: 23 | args: --timeout=3m 24 | version: v2.7.2 25 | skip-cache: true 26 | skip-save-cache: true 27 | cache-invalidation-interval: 15 28 | # TODO: 29 | # - codecov (ideally with PR comment) 30 | # - run `make test` 31 | # - `make generate` & make sure there is no diff 32 | 33 | # - vulnerability scanner? 34 | 35 | -------------------------------------------------------------------------------- /charts/adcs-issuer/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "chart.header" . }} 2 | 3 | {{ template "chart.deprecationWarning" . }} 4 | 5 | ## Chart Overview 6 | 7 | {{ template "chart.description" . }} 8 | 9 | ### Chart Details 10 | 11 | - **Chart Name:** {{ template "chart.name" . }} 12 | - **Version:** {{ template "chart.versionBadge" . }} 13 | - **App Version:** {{ template "chart.appVersionBadge" . }} 14 | - **Chart Type:** {{ template "chart.typeBadge" . }} 15 | 16 | {{ template "chart.homepageLine" . }} 17 | 18 | 19 | {{ template "chart.maintainersSection" . }} 20 | 21 | 22 | {{ template "chart.sourcesSection" . }} 23 | 24 | 25 | {{ template "chart.requirementsSection" . 
}} 26 | 27 | 28 | {{ template "chart.valuesSection" . }} 29 | 30 | ### Configuration 31 | 32 | To install the chart with the release name `{{ template "chart.name" . }}` (replace NAMESPACE with the target namespace): 33 | 34 | ```bash 35 | helm install {{ template "chart.name" . }} {{ template "chart.name" . }} --namespace NAMESPACE --create-namespace 36 | ``` 37 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch injects a sidecar container that acts as an HTTP proxy for the controller manager; 2 | # it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: cert-manager 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 14 | args: 15 | - "--secure-listen-address=0.0.0.0:8443" 16 | - "--upstream=http://127.0.0.1:8080/" 17 | - "--logtostderr=true" 18 | - "--v=10" 19 | ports: 20 | - containerPort: 8443 21 | name: https 22 | - name: manager 23 | args: 24 | - "--metrics-addr=127.0.0.1:8080" 25 | - "--healthcheck-addr=:8081" 26 | - "--enable-leader-election" 27 | - "--cluster-resource-namespace=cert-manager" 28 | -------------------------------------------------------------------------------- /.github/workflows/trivy-scan.yaml: -------------------------------------------------------------------------------- 1 | name: Scan With Trivy and Upload Results to GitHub Security Tab 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - master 8 | - v* 9 | pull_request: 10 | 11 | jobs: 12 | scan-vulnerabilities: 13 | name: Scan for Vulnerabilities With Trivy 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout code 17 | uses: actions/checkout@v4 18 | 19 | - name: Run Trivy vulnerability scanner in fs mode 20 | uses: 
aquasecurity/trivy-action@0.29.0 21 | with: 22 | scan-type: "fs" 23 | scan-ref: "." 24 | format: "sarif" 25 | output: "trivy-results.sarif" 26 | exit-code: "1" 27 | ignore-unfixed: true 28 | severity: "CRITICAL,HIGH" 29 | 30 | - name: Upload Trivy Scan Results to GitHub Security Tab 31 | if: failure() 32 | uses: github/codeql-action/upload-sarif@v3 33 | with: 34 | sarif_file: "trivy-results.sarif" 35 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: cert-manager 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: cert-manager 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | control-plane: controller-manager 24 | spec: 25 | containers: 26 | - command: 27 | - /manager 28 | args: 29 | - --enable-leader-election 30 | image: djkormo/adcs-issuer:dev 31 | name: manager 32 | resources: 33 | limits: 34 | cpu: 100m 35 | memory: 500Mi 36 | requests: 37 | cpu: 100m 38 | memory: 100Mi 39 | terminationGracePeriodSeconds: 10 40 | -------------------------------------------------------------------------------- /docs/install-examples/gateways/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml" 5 | 6 | 7 | helm repo add jetstack https://charts.jetstack.io --force-update 8 | 9 | 10 | 11 | helm search repo cert-manager/cert-manager 12 | 13 | helm search repo cert-manager/cert-manager --versions 14 | 15 | 16 | 17 | helm upgrade --install \ 18 | cert-manager 
jetstack/cert-manager \ 19 | --namespace cert-manager \ 20 | --create-namespace \ 21 | --version v1.15.4 \ 22 | --set config.enableGatewayAPI=true \ 23 | --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \ 24 | --set config.kind="ControllerConfiguration" \ 25 | --set enableCertificateOwnerRef=true 26 | 27 | 28 | kubectl delete -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml" 29 | 30 | 31 | Based on https://cert-manager.io/docs/usage/gateway/ 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /docs/install-examples/gateways/cluster-adcs-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: Gateway 3 | metadata: 4 | name: adcs-cluster-gateway 5 | namespace: adcs-issuer 6 | annotations: 7 | 8 | cert-manager.io/issuer: "adcs-cluster-issuer" #use specific name of issuer 9 | cert-manager.io/issuer-kind: "ClusterAdcsIssuer" #or AdcsIssuer 10 | cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com" 11 | 12 | #(optional) this annotation allows you to configure spec.commonName for the Certificate to be generated. 13 | cert-manager.io/common-name: "example.gateway.com" # common name should be added. 
(REQUIRED) ADCS will raise 412 error without it 14 | 15 | spec: 16 | gatewayClassName: nginx 17 | listeners: 18 | - name: http 19 | hostname: example.gateway.com 20 | port: 443 21 | protocol: HTTPS 22 | allowedRoutes: 23 | namespaces: 24 | from: All 25 | tls: 26 | mode: Terminate 27 | certificateRefs: 28 | - name: example-gateway-com-tls 29 | 30 | -------------------------------------------------------------------------------- /docs/install-examples/csi-driver/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: my-csi-app 5 | namespace: adcs-issuer 6 | labels: 7 | app: my-csi-app 8 | spec: 9 | containers: 10 | - name: my-frontend 11 | image: busybox 12 | volumeMounts: 13 | - mountPath: "/tls" 14 | name: tls 15 | command: [ "sleep", "1000000" ] 16 | volumes: 17 | - name: tls 18 | csi: 19 | driver: csi.cert-manager.io 20 | readOnly: true 21 | volumeAttributes: 22 | csi.cert-manager.io/issuer-name: adcs-cluster-issuer #use specific name of issuer 23 | csi.cert-manager.io/issuer-kind: ClusterAdcsIssuer # type of issuer 24 | csi.cert-manager.io/issuer-group: adcs.certmanager.csf.nokia.com # issuer group 25 | csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local 26 | csi.cert-manager.io/uri-sans: "spiffe://cluster.local/ns/${POD_NAMESPACE}/pod/${POD_NAME}/${POD_UID}" 27 | csi.cert-manager.io/common-name: "${SERVICE_ACCOUNT_NAME}.${POD_NAMESPACE}" -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/BUG-REPORT.yml: -------------------------------------------------------------------------------- 1 | name: Bug report 2 | description: Help us improve by reporting a bug 3 | title: "[BUG]" 4 | labels: 5 | - bug 6 | assignees: 7 | body: 8 | - type: textarea 9 | id: describe-bug 10 | attributes: 11 | label: Describe the bug 12 | description: A short description of the bug. 
13 | validations: 14 | required: true 15 | - type: textarea 16 | id: reproduce 17 | attributes: 18 | label: To reproduce 19 | description: Steps to reproduce the behavior and/or a minimal code sample. 20 | placeholder: | 21 | 1. Go to '...' 22 | 2. Click on '....' 23 | 3. Scroll down to '....' 24 | 4. See error 25 | validations: 26 | required: true 27 | - type: textarea 28 | id: expected 29 | attributes: 30 | label: Expected behavior 31 | description: A description of what you expected to happen. 32 | validations: 33 | required: true 34 | - type: textarea 35 | id: additional 36 | attributes: 37 | label: Additional information 38 | description: Any additional information that is relevant to the problem. 39 | validations: 40 | required: false 41 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/proxy-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.controllerManager.rbac.enabled }} 2 | 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ include "chart.fullname" . }}-proxy-role 7 | labels: 8 | {{- include "chart.labels" . | nindent 4 }} 9 | rules: 10 | - apiGroups: 11 | - authentication.k8s.io 12 | resources: 13 | - tokenreviews 14 | verbs: 15 | - create 16 | - apiGroups: 17 | - authorization.k8s.io 18 | resources: 19 | - subjectaccessreviews 20 | verbs: 21 | - create 22 | 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: ClusterRoleBinding 26 | metadata: 27 | name: {{ include "chart.fullname" . }}-proxy-rolebinding 28 | labels: 29 | {{- include "chart.labels" . | nindent 4 }} 30 | roleRef: 31 | apiGroup: rbac.authorization.k8s.io 32 | kind: ClusterRole 33 | name: {{ include "chart.fullname" . }}-proxy-role 34 | subjects: 35 | - kind: ServiceAccount 36 | name: {{ .Values.controllerManager.rbac.serviceAccountName | default (include "chart.fullname" .) 
}} 37 | namespace: {{ .Release.Namespace }} 38 | 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /chart_schema.yaml: -------------------------------------------------------------------------------- 1 | name: str() 2 | home: str(required=False) 3 | version: str() 4 | apiVersion: str() 5 | appVersion: any(str(), num(), required=False) 6 | description: str(required=False) 7 | keywords: list(str(), required=False) 8 | sources: list(str(), required=False) 9 | maintainers: list(include('maintainer'), required=False) 10 | dependencies: list(include('dependency'), required=False) 11 | icon: str(required=False) 12 | engine: str(required=False) 13 | condition: str(required=False) 14 | tags: str(required=False) 15 | deprecated: bool(required=False) 16 | kubeVersion: str(required=False) 17 | annotations: map(str(), str(), required=False) 18 | type: str(required=False) 19 | --- 20 | maintainer: 21 | name: str() 22 | email: str(required=False) 23 | url: str(required=False) 24 | --- 25 | dependency: 26 | name: str() 27 | version: str() 28 | repository: str(required=False) 29 | condition: str(required=False) 30 | tags: list(str(), required=False) 31 | enabled: bool(required=False) 32 | import-values: any(list(str()), list(include('import-value')), required=False) 33 | alias: str(required=False) 34 | --- 35 | import-value: 36 | child: str() 37 | parent: str() 38 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | projectName: adcs-issuer 2 | layout: 3 | - go.kubebuilder.io/v3 4 | version: "3" 5 | domain: certmanager.csf.nokia.com 6 | repo: github.com/djkormo/adcs-issuer 7 | 8 | resources: 9 | 10 | - api: 11 | crdVersion: v1 12 | namespaced: true 13 | controller: true 14 | domain: certmanager.csf.nokia.com 15 | group: adcs 16 | kind: AdcsRequest 17 | path: example/api/v1 18 | version: v1 19 | webhooks: 20 
| defaulting: true 21 | validation: true 22 | webhookVersion: v1 23 | 24 | - api: 25 | crdVersion: v1 26 | namespaced: true 27 | controller: true 28 | domain: certmanager.csf.nokia.com 29 | group: adcs 30 | kind: AdcsIssuer 31 | path: example/api/v1 32 | version: v1 33 | webhooks: 34 | defaulting: true 35 | validation: true 36 | webhookVersion: v1 37 | 38 | - api: 39 | crdVersion: v1 40 | namespaced: true 41 | controller: true 42 | domain: certmanager.csf.nokia.com 43 | group: adcs 44 | kind: ClusterAdcsIssuer 45 | path: example/api/v1 46 | version: v1 47 | webhooks: 48 | defaulting: true 49 | validation: true 50 | webhookVersion: v1 51 | 52 | 53 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml: -------------------------------------------------------------------------------- 1 | name: Feature request 2 | description: Suggest an idea for this project 3 | title: "[FEATURE]" 4 | labels: 5 | - enhancement 6 | assignees: 7 | body: 8 | - type: textarea 9 | id: problem 10 | attributes: 11 | label: Is your feature request related to a problem? Please describe. 12 | description: A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 13 | validations: 14 | required: false 15 | - type: textarea 16 | id: solution 17 | attributes: 18 | label: Describe the solution you'd like 19 | description: A clear and concise description of what you want to happen. 20 | validations: 21 | required: true 22 | - type: textarea 23 | id: alternatives 24 | attributes: 25 | label: Describe alternatives you've considered 26 | description: A clear and concise description of any alternative solutions or features you've considered. 27 | validations: 28 | required: false 29 | - type: textarea 30 | id: additional 31 | attributes: 32 | label: Additional context 33 | description: Add any other context or screenshots about the feature request here. 
# (tail of .github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml)
    validations:
      required: false
-------------------------------------------------------------------------------- /lintconf.yaml: --------------------------------------------------------------------------------
---
rules:
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 0
    min-spaces-inside-empty: -1
    max-spaces-inside-empty: -1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
    min-spaces-inside-empty: -1
    max-spaces-inside-empty: -1
  colons:
    max-spaces-before: 0
    max-spaces-after: 1
  commas:
    max-spaces-before: 0
    min-spaces-after: 1
    max-spaces-after: 1
  comments:
    require-starting-space: false # was true
    min-spaces-from-content: 1 # was 2
  document-end: disable
  document-start: disable # No --- to start a file
  empty-lines:
    max: 5 # was 2
    max-start: 0
    max-end: 0
  hyphens:
    max-spaces-after: 1
  indentation:
    spaces: consistent
    indent-sequences: whatever # - list indentation will handle both indentation and without
    check-multi-line-strings: false
  # Duplicate keys silently override each other in most YAML parsers; keep this
  # enabled so a second `securityContext:` or `rules:` block cannot mask the first.
  key-duplicates: enable
  line-length: disable # Lines can be any length
  new-line-at-end-of-file: disable
  new-lines:
    type: unix
  trailing-spaces: false # was true
  truthy:
    level: warning
-------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/adcs-issuer-namespace/csi-driver-app-pod.yaml: --------------------------------------------------------------------------------
# Demo pod that obtains a certificate from the ADCS simulator through
# cert-manager's CSI driver. It is an install example, not a hardened workload.
apiVersion: v1
kind: Pod
metadata:
  name: csi-driver-app-pod
  namespace: adcs-issuer
  labels:
    app: my-csi-app
spec:
  containers:
    - name: my-frontend
      # NOTE(review): "busybox" with no tag resolves to :latest, so the image
      # is mutable and not reproducible/scannable; pin a tag or digest before
      # reusing this outside a demo.
      image: busybox
      volumeMounts:
      - mountPath: "/tls"
        name: tls
      command: [ "sleep", "1000000" ]

      # NOTE(review): no securityContext (runAsNonRoot, allowPrivilegeEscalation,
      # capabilities.drop, readOnlyRootFilesystem) — acceptable for a demo, add
      # one before copying this pod spec into a real deployment.
      resources:
        limits:
          cpu: 100m
          memory: 500Mi
        requests:
          cpu: 100m
          memory: 100Mi

  volumes:
    - name: tls
      csi:
        driver: csi.cert-manager.io
        # The mounted key/cert pair is read-only for the container; the private
        # key is delivered only into this pod's volume, never into a Secret.
        readOnly: true
        volumeAttributes:
          csi.cert-manager.io/issuer-name: adcs-sim-adcsclusterissuer
          csi.cert-manager.io/issuer-kind: ClusterAdcsIssuer
          csi.cert-manager.io/issuer-group: adcs.certmanager.csf.nokia.com
          # ${POD_*} / ${SERVICE_ACCOUNT_NAME} are substituted by the CSI driver
          # from the requesting pod, so the identity in the cert is bound to
          # the pod that mounts it.
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
          csi.cert-manager.io/uri-sans: "spiffe://cluster.local/ns/${POD_NAMESPACE}/pod/${POD_NAME}/${POD_UID}"
          csi.cert-manager.io/common-name: "${SERVICE_ACCOUNT_NAME}.${POD_NAMESPACE}"
-------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-certificate-secret.yaml: --------------------------------------------------------------------------------
{{- if .Values.simulator.enabled }}
# Self-signed issuer used only to give the ADCS *simulator* a serving cert.
# It is test tooling: nothing that trusts this issuer should be reachable from
# production workloads.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ .Values.simulator.issuerName | default "adcs-sim-selfissuer" }}
  namespace: {{ .Release.Namespace }}
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.simulator.secretCertificateName | default "adcs-sim-certificate-secret" }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "chart.labels" . 
| nindent 4 }} 17 | spec: 18 | secretName: {{ .Values.simulator.secretCertificateName | default "adcs-sim-certificate-secret" }} 19 | issuerRef: 20 | name: {{ .Values.simulator.issuerName | default "adcs-sim-selfissuer" }} 21 | kind: {{ .Values.simulator.issuerKind | default "Issuer" }} 22 | group: {{ .Values.simulator.issuerGroup | default "cert-manager.io" }} 23 | dnsNames: 24 | - {{ .Values.simulator.serviceName }}.{{ .Release.Namespace }}.svc.cluster.local 25 | duration: {{ .Values.simulator.certificateDuration | default "2160h" }} # 90 days by default 26 | renewBefore: {{ .Values.simulator.certificateRenewBefore | default "360h" }} # 15 days before expiry by default 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-example-certificate.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.simulator.exampleCertificate.enabled }} 2 | 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: {{ .Values.simulator.exampleCertificate.name | default "adcs-sim-certificate" }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "chart.labels" . 
| nindent 4 }} 10 | spec: 11 | commonName: {{ .Values.simulator.exampleCertificate.commonName | default "example.com" }} 12 | dnsNames: 13 | - {{ .Values.simulator.exampleCertificate.dnsName1 | default "adcs1.example.com" }} 14 | - {{ .Values.simulator.exampleCertificate.dnsName2 | default "adcs2.example.com" }} 15 | issuerRef: 16 | group: adcs.certmanager.csf.nokia.com 17 | kind: ClusterAdcsIssuer 18 | name: {{ .Values.simulator.clusterIssuerName | default "adcs-sim-adcsclusterissuer" }} 19 | duration: {{ .Values.simulator.exampleCertificate.duration | default "2160h" }} # 90d 20 | renewBefore: {{ .Values.simulator.exampleCertificate.renewBefore | default "360h" }} # 15d 21 | subject: 22 | organizations: 23 | - {{ .Values.simulator.exampleCertificate.organization | default "Your Organization" }} 24 | secretName: {{ .Values.simulator.secretName | default "adcs-sim-secret" }} 25 | 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/adcs.certmanager.csf.nokia.com_adcsrequests.yaml 6 | - bases/adcs.certmanager.csf.nokia.com_adcsissuers.yaml 7 | - bases/adcs.certmanager.csf.nokia.com_clusteradcsissuers.yaml 8 | # +kubebuilder:scaffold:crdkustomizeresource 9 | 10 | patchesStrategicMerge: 11 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 
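# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_adcsrequests.yaml
#- patches/webhook_in_adcsissuers.yaml
#- patches/webhook_in_clusteradcsissuers.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch

# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_adcsrequests.yaml
#- patches/cainjection_in_adcsissuers.yaml
#- patches/cainjection_in_clusteradcsissuers.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch

# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
-------------------------------------------------------------------------------- /.github/workflows/release.yaml: --------------------------------------------------------------------------------
name: Release

on:
  workflow_dispatch:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+rc[0-9]+'
      - '[0-9]+.[0-9]+.[0-9]+'
      - '[0-9]+.[0-9]+.[0-9]+rc[0-9]+'

# Workflow-wide write scopes: contents (GitHub release + assets) and packages
# (ghcr.io push). Anyone who can push a matching tag, or trigger
# workflow_dispatch, can publish a release with these — protect tag creation.
permissions:
  contents: write
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are pinned to major tags, not commit
      # SHAs, so a moved tag changes what runs with write access to releases
      # and packages. trivy.yml already pins trivy-action to a full SHA; the
      # same treatment is worth applying here.
      - uses: actions/checkout@v4
        with:
          # Needed for goreleaser
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          # NOTE(review): the Dockerfile builds with golang:1.24 while this
          # release build uses 1.22; confirm which toolchain go.mod requires so
          # the two build paths agree (and the binary is built with one toolchain).
          go-version: '1.22'

      # Docker Hub login uses long-lived repository secrets; DOCKER_TOKEN should
      # be a scoped access token for this repository, never the account password.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # goreleaser will:
      # 1. compile the binaries
      # 2. create & push the docker image using `ko`
      # 3. create a GitHub release
      - uses: goreleaser/goreleaser-action@v6
        with:
          version: '~> v2'
          args: --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-------------------------------------------------------------------------------- /manifests/MutatingWebhookConfiguration/adcs-issuer-mutating-webhook-configuration.yaml: --------------------------------------------------------------------------------
# Admission webhooks for the issuer CRDs.
#
# NOTE(review): there is no caBundle and no cert-manager.io/inject-ca-from
# annotation in this manifest, and manifests/Deployment runs the manager with
# ENABLE_WEBHOOKS=false. With failurePolicy: Fail, applying this while the
# webhook server is not serving (or its CA is not injected) rejects every
# matching CREATE/UPDATE. Apply it only together with the webhook server and
# CA injection, or set failurePolicy: Ignore for a staged rollout.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: adcs-issuer-mutating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: adcs-issuer-webhook-service
        namespace: cert-manager
        path: /mutate-adcs-certmanager-csf-nokia-com-v1-adcsissuer
    failurePolicy: Fail
    name: adcsissuer-mutation.adcs.certmanager.csf.nokia.com
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          # Webhook rules match the CRD's *plural* resource name
          # (adcsissuers.adcs.certmanager.csf.nokia.com). The singular
          # "adcsissuer" used before matched nothing, so this webhook was
          # silently never invoked.
          - adcsissuers
    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: adcs-issuer-webhook-service
        namespace: cert-manager
        # The path only has to match what the manager's webhook server
        # registers (kubebuilder marker in the Go webhook); it is not tied to
        # the API group in the rule below.
        path: /mutate-batch-certmanager-csf-nokia-com-v1-clusteradcsissuer
    failurePolicy: Fail
    name: mclusteradcsissuer.kb.io
    rules:
      - apiGroups:
          # ClusterAdcsIssuer is served under adcs.certmanager.csf.nokia.com
          # (PROJECT: group "adcs", domain "certmanager.csf.nokia.com"; CRD file
          # adcs.certmanager.csf.nokia.com_clusteradcsissuers.yaml). The
          # previous "batch.certmanager.csf.nokia.com" group exists nowhere in
          # this repo, so the rule never matched and ClusterAdcsIssuer objects
          # bypassed mutation entirely.
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusteradcsissuers
    sideEffects: None
-------------------------------------------------------------------------------- /manifests/ValidatingWebhookConfiguration/adcs-issuer-validating-webhook-configuration.yaml: --------------------------------------------------------------------------------
# Validation webhooks for the issuer CRDs. Same deployment caveat as the
# mutating configuration: no caBundle / inject-ca-from here and
# failurePolicy: Fail, so only apply alongside a running webhook server with
# an injected CA.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: adcs-issuer-validating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: adcs-issuer-webhook-service
        namespace: cert-manager
        path: /validate-adcs-certmanager-csf-nokia-com-v1-adcsissuer
    failurePolicy: Fail
    name: adcsissuer-validation.adcs.certmanager.csf.nokia.com
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          # Plural resource name, as registered by the CRD; the singular form
          # previously here never matched, leaving AdcsIssuer unvalidated.
          - adcsissuers
    sideEffects: None
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: adcs-issuer-webhook-service
        namespace: cert-manager
        path: /validate-batch-certmanager-csf-nokia-com-v1-clusteradcsissuer
    failurePolicy: Fail
    name: vclusteradcsissuer.kb.io
    rules:
      - apiGroups:
          # Must be the CRD's real group (see PROJECT); "batch.…" matched
          # nothing, so ClusterAdcsIssuer objects were never validated.
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusteradcsissuers
    sideEffects: None
-------------------------------------------------------------------------------- /Dockerfile: --------------------------------------------------------------------------------
# Build the manager binary
# NOTE(review): builder and runtime images are referenced by tag only. Pinning
# both to a digest (FROM image@sha256:…) makes the build reproducible and lets
# trivy.yml scan exactly what will ship.
FROM golang:1.24 as builder


ARG VERSION
ARG COMMIT
ARG BUILD_TIME
ARG PROJECT

WORKDIR /workspace


# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum


# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download


# Copy the go source
COPY main.go main.go
COPY api/ api/
COPY controllers/ controllers/
COPY issuers/ issuers/
COPY adcs/ adcs/
COPY healthcheck/ healthcheck/
COPY version/ version/
# Build
#RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go

# CGO_ENABLED=0 yields a fully static binary, which is what the
# distroless/static runtime image below requires (no libc present there).
RUN CGO_ENABLED=0 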
GOOS=linux GOARCH=amd64 GO111MODULE=on go build \
    -ldflags "-s -w -X ${PROJECT}/version.Release=${VERSION} \
    -X ${PROJECT}/version.Commit=${COMMIT} -X ${PROJECT}/version.BuildTime=${BUILD_TIME}" \
    -o manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
# NOTE(review): consider pinning this base by digest as well; the :nonroot tag
# is mutable.
FROM gcr.io/distroless/static:nonroot
WORKDIR /

COPY --from=builder /workspace/manager .
# distroless "nonroot" user (non-zero UID); the Helm values below additionally
# set runAsUser: 1000, which overrides this at pod level but stays non-root.
USER nonroot:nonroot

ENTRYPOINT ["/manager"]

-------------------------------------------------------------------------------- /docs/install-examples/values-adcs-issuer-namespace.yaml: --------------------------------------------------------------------------------
# Example values for installing the issuer into its own "adcs-issuer" namespace.
crd:
  install: true

controllerManager:
  manager:
    image:
      repository: djkormo/adcs-issuer
      # Version tag (not a digest): pinning a digest here makes rollouts
      # immutable and verifiable against the release workflow's output.
      tag: 2.0.8
    resources:
      limits:
        cpu: 100m
        memory: 500Mi
      requests:
        cpu: 100m
        memory: 100Mi

  rbac:
    enabled: true
    serviceAccountName: adcs-issuer # service account for rbac
    # Both values below identify cert-manager's own ServiceAccount; the chart
    # binds it (together with serviceAccountName above) to the ClusterRole that
    # may "approve" CertificateRequests for the ADCS signers.
    certManagerNamespace: cert-manager # cert manager namespace
    certManagerServiceAccountName: cert-manager # cert manager serviceaccount


  replicas: 1

  environment:
    KUBERNETES_CLUSTER_DOMAIN: cluster.local
    # Admission webhooks are OFF in this example (see also enabledWebHooks
    # below): AdcsIssuer/ClusterAdcsIssuer objects are not validated at
    # admission time. Enable both switches together — creating the webhook
    # configuration without the server running rejects all matching requests.
    ENABLE_WEBHOOKS: "false"
    ENABLE_DEBUG: "false"
  arguments:
    enable-leader-election: "true"
    # Namespace from which ClusterAdcsIssuer credential Secrets are read;
    # anyone who can write Secrets there can supply the ADCS credentials, so
    # restrict write access to this namespace accordingly.
    cluster-resource-namespace: "adcs-issuer" # namespace for cluster scoped resources, common secret
    # NOTE(review): level 5 is very verbose debug logging; lower it for
    # production so request details do not end up in the log pipeline.
    zap-log-level: 5
    disable-approved-check: "false"

  # NOTE(review): only runAsUser is set. runAsNonRoot: true,
  # allowPrivilegeEscalation: false, capabilities.drop: [ALL],
  # readOnlyRootFilesystem: true and seccompProfile: RuntimeDefault are the
  # usual additions — check how the chart renders this map (pod vs container
  # securityContext) before adding container-only fields.
  securityContext:
    runAsUser: 1000

  enabledWebHooks: false
  enabledCaCerts: false
  caCertsSecretName: ca-certificates
metricsService:
  enabled: true
  ports:
    - name: https
      port: 8443
      targetPort: https
  type: ClusterIP

webhookService:
  ports:
    - port: 443
      targetPort: 9443
  type: ClusterIP


-------------------------------------------------------------------------------- /docs/install-examples/values-cert-manager-namespace.yaml: --------------------------------------------------------------------------------
# Example values for installing the issuer into the cert-manager namespace.
# In this variant the issuer reuses cert-manager's ServiceAccount
# (serviceAccountName: cert-manager), so cert-manager's pods inherit every
# ClusterRole the chart grants to the issuer and vice versa — prefer a
# dedicated ServiceAccount (as in values-adcs-issuer-namespace.yaml) for
# least privilege.
crd:
  install: true

controllerManager:
  manager:
    image:
      repository: djkormo/adcs-issuer
      tag: 2.0.8
    resources:
      limits:
        cpu: 100m
        memory: 500Mi
      requests:
        cpu: 100m
        memory: 100Mi

  rbac:
    enabled: true
    serviceAccountName: cert-manager # service account for rbac
    certManagerNamespace: cert-manager # cert manager namespace
    certManagerServiceAccountName: cert-manager # cert manager serviceaccount


  replicas: 1

  environment:
    KUBERNETES_CLUSTER_DOMAIN: cluster.local
    # Admission webhooks OFF here as well; see values-adcs-issuer-namespace.yaml.
    ENABLE_WEBHOOKS: "false"
    ENABLE_DEBUG: "false"
  arguments:
    enable-leader-election: "true"
    # Credential Secrets for ClusterAdcsIssuer are read from cert-manager's
    # namespace in this layout.
    cluster-resource-namespace: "cert-manager" # namespace for cluster scoped resources, common secret
    # NOTE(review): debug-level verbosity; lower for production.
    zap-log-level: 5
    disable-approved-check: "false"

  # NOTE(review): same hardening remarks as the other values file
  # (runAsNonRoot, allowPrivilegeEscalation: false, drop ALL, read-only root fs).
  securityContext:
    runAsUser: 1000

  enabledWebHooks: false
  enabledCaCerts: false
  caCertsSecretName: ca-certificates
metricsService:
  enabled: true
  ports:
    - name: https
      port: 8443
      targetPort: https
  type: ClusterIP

webhookService:
  ports:
    - port: 443
      targetPort: 9443
  type: ClusterIP


-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# ADCS Issuer

![Badge1](https://github.com/djkormo/adcs-issuer/actions/workflows/test.yaml/badge.svg) ![Badge2](https://github.com/djkormo/adcs-issuer/actions/workflows/codeql.yaml/badge.svg) ![Badge3](https://github.com/djkormo/adcs-issuer/actions/workflows/release.yaml/badge.svg) 
![Badge4](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-test.yaml/badge.svg) ![Badge5](https://github.com/djkormo/adcs-issuer/actions/workflows/helm-release.yaml/badge.svg)

ADCS Issuer is a [Kubernetes](https://kubernetes.io/) [`cert-manager`](https://cert-manager.io)
[`CertificateRequest`](https://cert-manager.io/docs/concepts/certificaterequest/) controller
that uses [Microsoft Active Directory Certificate Services](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview)
to sign certificate requests.

Authentication to the ADCS web enrollment endpoint uses NTLM. The account credentials are read from a Kubernetes `Secret` referenced by the issuer's `credentialsRef` (for a `ClusterAdcsIssuer`, from the namespace given by `--cluster-resource-namespace`), so access to that Secret and its namespace should be restricted to the issuer and its operators.

This project is a community maintained fork of the [original implementation by Nokia](https://github.com/nokia/adcs-issuer/).

## Getting started

TODO: a short summary of installing and configuring the issuer

## Documentation

Detailed documentation can be found in the [docs folder](./docs/README.md) or on [GitHub Pages](https://djkormo.github.io/adcs-issuer).

## License

This project is licensed under the BSD-3-Clause license - see the [LICENSE](https://github.com/nokia/adcs-issuer/blob/master/LICENSE).
-------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: --------------------------------------------------------------------------------




#### Description


#### Motivation and Context


Closes #

#### Screenshots (if appropriate):

#### How Has This Been Tested?




#### Checklist:


- [ ] I have updated the documentation accordingly.
- [ ] I have updated the tests accordingly.
- [ ] I have run `make generate` and checked in the results.
- [ ] I have run `make manifests` and checked in the results.

For new code releases:
- [ ] I have bumped the `appVersion` in the Helm chart.

For new Helm chart releases:
- [ ] I have bumped the Helm chart version.
-------------------------------------------------------------------------------- /charts/adcs-issuer/templates/cert-manager-controller-approve-dcs-certmanager-csf-nokia-com-rbac.yaml: --------------------------------------------------------------------------------
{{- if .Values.controllerManager.rbac.enabled }}

# cert-manager's "signer approval" RBAC: a CertificateRequest that references
# an (Cluster)AdcsIssuer is only approved by a subject allowed to `approve`
# the signer resource named <plural>.<group>/<namespace>.<name>.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "chart.fullname" . }}-cert-manager-controller-approve-adcs-certmanager-csf-nokia-com
  labels:
    {{- include "chart.labels" . | nindent 4 }}
rules:
- apiGroups:
  - cert-manager.io
  resourceNames:
  # The "/*" suffix covers every AdcsIssuer in every namespace and every
  # ClusterAdcsIssuer. That is the usual grant for cert-manager's built-in
  # auto-approver; if approval should be limited to specific issuers, list
  # "<plural>.<group>/<namespace>.<name>" entries here instead.
  - adcsissuers.adcs.certmanager.csf.nokia.com/*
  - clusteradcsissuers.adcs.certmanager.csf.nokia.com/*
  resources:
  - signers
  verbs:
  - approve

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "chart.fullname" . }}-cert-manager-controller-approve-adcs-certmanager-csf-nokia-com
  labels:
    {{- include "chart.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "chart.fullname" . }}-cert-manager-controller-approve-adcs-certmanager-csf-nokia-com
subjects:
# Two subjects: the issuer's own ServiceAccount and cert-manager's. Whether the
# issuer itself ever approves (rather than only honouring approved requests,
# cf. --disable-approved-check) is not visible from this template — verify
# before keeping the first binding.
- kind: ServiceAccount
  name: {{ .Values.controllerManager.rbac.serviceAccountName | default (include "chart.fullname" .) }}
  namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
  name: {{ .Values.controllerManager.rbac.certManagerServiceAccountName }}
  namespace: {{ .Values.controllerManager.rbac.certManagerNamespace }}

{{- end }}
-------------------------------------------------------------------------------- /manifests/Deployment/adcs-issuer-controller-manager.yaml: --------------------------------------------------------------------------------
# Plain-manifest (non-Helm) deployment of the controller manager.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: adcs-issuer-controller-manager
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      # NOTE(review): no serviceAccountName, so the pod runs under the
      # namespace's "default" ServiceAccount — confirm the ClusterRoleBindings
      # shipped in manifests/ actually target that account, and that no
      # securityContext is intended (none is set at pod or container level).
      containers:
      - args:
        - --enable-leader-election=true
        # Namespace the ClusterAdcsIssuer credential Secrets are read from.
        - --cluster-resource-namespace=cert-manager
        # Debug verbosity (see values files); lower for production.
        - --zap-log-level=5
        - --disable-approved-check=false
        command:
        - /manager
        # NOTE(review): ":dev" is a mutable tag; pin a release tag or digest
        # for anything beyond a development cluster.
        image: djkormo/adcs-issuer:dev
        env:
        # Webhook server disabled here; the webhook configurations in
        # manifests/ must not be applied while this is "false" (their
        # failurePolicy is Fail).
        - name: ENABLE_WEBHOOKS
          value: "false"
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 500Mi
          requests:
            cpu: 100m
            memory: 100Mi
        # volumeMounts:
        # - mountPath: /tmp/k8s-webhook-server/serving-certs
        #   name: cert
        #   readOnly: true
      terminationGracePeriodSeconds: 10
      # volumes:
      # - name: cert
      #   secret:
      #     defaultMode: 420
      #     secretName: webhook-server-cert
-------------------------------------------------------------------------------- /controllers/adcsissuer_controller.go: --------------------------------------------------------------------------------
package controllers

import (
	"context"

	"github.com/go-logr/logr"
	ctrl "sigs.k8s.io/controller-runtime"
// (continuation of the import block)
	"sigs.k8s.io/controller-runtime/pkg/client"

	adcsv1 "github.com/djkormo/adcs-issuer/api/v1"
)

// AdcsIssuerReconciler reconciles a AdcsIssuer object.
// It only observes that the object exists; nothing in the spec is read,
// validated or acted upon here.
type AdcsIssuerReconciler struct {
	client.Client
	Log logr.Logger
}

// NOTE(review): these markers feed the generated ClusterRole. The reconciler
// below only Gets the object, so create/update/patch/delete on adcsissuers are
// broader than this file needs — verify nothing else in the manager relies on
// them before trimming.
// +kubebuilder:rbac:groups=adcs.certmanager.csf.nokia.com,resources=adcsissuers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=adcs.certmanager.csf.nokia.com,resources=adcsissuers/status,verbs=get;update;patch

// Reconcile fetches the AdcsIssuer named by req and logs that it was seen.
// It returns an empty Result and a nil error on success or on NotFound; any
// other client error is returned to the manager for retry.
func (r *AdcsIssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("adcsissuer", req.NamespacedName)

	// your logic here

	// Fetch the AdcsIssuer resource being reconciled
	issuer := new(adcsv1.AdcsIssuer)
	if err := r.Get(ctx, req.NamespacedName, issuer); err != nil {
		// We don't log error here as this is probably the 'NotFound'
		// case for deleted object. The AdcsRequest will be automatically deleted for cascading delete.
		//
		// The Manager will log other errors.
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}
	// No field of `issuer` is used: url, caBundle and credentialsRef are not
	// checked here, so any validation must happen elsewhere (e.g. the admission
	// webhook when it is enabled).
	log.Info("Registered issuer")

	return ctrl.Result{}, nil
}

// SetupWithManager registers this reconciler for AdcsIssuer objects.
func (r *AdcsIssuerReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&adcsv1.AdcsIssuer{}).
		Complete(r)
}
-------------------------------------------------------------------------------- /charts/adcs-issuer/templates/leader-election-rbac.yaml: --------------------------------------------------------------------------------
{{- if .Values.controllerManager.rbac.enabled }}

# Namespaced Role for controller-runtime leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "chart.fullname" . }}-leader-election-role
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "chart.labels" . | nindent 4 }}
rules:
# NOTE(review): full CRUD on ConfigMaps (including delete) in the release
# namespace is only needed for the legacy configmaps/configmapsleases lock.
# Lease-based election needs only the coordination.k8s.io rule below; check
# the manager's leader-election resource lock before trimming this.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - update
  - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "chart.fullname" . }}-leader-election-rolebinding
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "chart.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "chart.fullname" . }}-leader-election-role
subjects:
- kind: ServiceAccount
  name: {{ .Values.controllerManager.rbac.serviceAccountName | default (include "chart.fullname" .) 
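# (tail of the leader-election RoleBinding subject)
  }}
  namespace: {{ .Release.Namespace }}

{{- end }}
-------------------------------------------------------------------------------- /scripts/generate-certs.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Generates a throw-away test CA under issuers/testdata for the unit tests.
# The key produced here is test data only; it must never be reused as a real
# CA or checked into a release artifact.

set -e
# Fail on unset variables as well: every path below is built from variables.
set -u
set -o pipefail

# Keep the generated private key and certificates owner-readable only, so a
# shared or multi-user dev box does not expose ca.key world-readable.
umask 077

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
OUTPUT_DIR="${SCRIPT_DIR}/../issuers/testdata"

if [ -f "${OUTPUT_DIR}/pkcs7.pem" ] && [ -f "${OUTPUT_DIR}/x509.pem" ]; then
  printf 'Certificates already exist, skipping generation...\n'
  exit 0
fi

# Trace commands from here on; no secrets appear on the command line (the key
# is written to a file, not passed as an argument).
set -x

mkdir -pv "${OUTPUT_DIR}/ca"

# Create the CA key (2048-bit RSA; the default_bits in ca.cnf below is not
# used because the key is supplied explicitly with -key)
openssl genrsa -out "${OUTPUT_DIR}/ca/ca.key" 2048
# Create a configuration file for the Root CA

# Create CA config
cat > "${OUTPUT_DIR}/ca/ca.cnf" << EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[dn]
C = US
ST = YourState
L = YourCity
O = YourOrganization
OU = YourOrganizationalUnit
CN = adcs-issuer Test CA

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
EOF

# Generate the CA cert (self-signed, 10 years — fine for fixtures, not for use)
openssl req -x509 -new -nodes \
  -key "${OUTPUT_DIR}/ca/ca.key" \
  -sha256 \
  -days 3650 \
  -out "${OUTPUT_DIR}/ca/ca.pem" \
  -config "${OUTPUT_DIR}/ca/ca.cnf"

# This is probably wrong, but it seems the test
# just compares equality of the parsed pkcs7.pem to the raw x509.pem...
# TODO: review — pkcs7.pem is a plain X.509 PEM here, not a PKCS#7 bundle.
cp -v "${OUTPUT_DIR}/ca/ca.pem" "${OUTPUT_DIR}/pkcs7.pem"
cp -v "${OUTPUT_DIR}/ca/ca.pem" "${OUTPUT_DIR}/x509.pem"
-------------------------------------------------------------------------------- /controllers/clusteradcsissuer_controller.go: --------------------------------------------------------------------------------
package controllers

import (
	"context"

	"github.com/go-logr/logr"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"

	adcsv1 "github.com/djkormo/adcs-issuer/api/v1"
)

// ClusterAdcsIssuerReconciler reconciles a ClusterAdcsIssuer object.
// Like AdcsIssuerReconciler it only confirms the object exists; the spec is
// neither validated nor used here.
type ClusterAdcsIssuerReconciler struct {
	client.Client
	Log logr.Logger
}

// NOTE(review): verbs beyond get/list/watch are not exercised by this file;
// see the remark on AdcsIssuerReconciler before trimming the generated role.
// +kubebuilder:rbac:groups=adcs.certmanager.csf.nokia.com,resources=clusteradcsissuers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=adcs.certmanager.csf.nokia.com,resources=clusteradcsissuers/status,verbs=get;update;patch

// Reconcile fetches the cluster-scoped ClusterAdcsIssuer named by req
// (req.NamespacedName.Namespace is empty for cluster-scoped objects) and logs
// that it was seen. NotFound is swallowed; other client errors are returned.
func (r *ClusterAdcsIssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	log := r.Log.WithValues("clusteradcsissuer", req.NamespacedName)

	// your logic here

	// Fetch the ClusterAdcsIssuer resource being reconciled
	issuer := new(adcsv1.ClusterAdcsIssuer)
	if err := r.Get(ctx, req.NamespacedName, issuer); err != nil {
		// We don't log error here as this is probably the 'NotFound'
		// case for deleted object. The AdcsRequest will be automatically deleted for cascading delete.
		//
		// The Manager will log other errors.
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}
	log.Info("Registered cluster issuer")

	return ctrl.Result{}, nil
}

// SetupWithManager registers this reconciler for ClusterAdcsIssuer objects.
func (r *ClusterAdcsIssuerReconciler) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&adcsv1.ClusterAdcsIssuer{}).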
44 | Complete(r) 45 | } 46 | -------------------------------------------------------------------------------- /.github/workflows/trivy.yml: -------------------------------------------------------------------------------- 1 | # This workflow uses actions that are not certified by GitHub. 2 | # They are provided by a third-party and are governed by 3 | # separate terms of service, privacy policy, and support 4 | # documentation. 5 | 6 | name: trivy 7 | 8 | on: 9 | workflow_dispatch: 10 | push: 11 | branches: [ "master" ] 12 | pull_request: 13 | # The branches below must be a subset of the branches above 14 | branches: [ "master" ] 15 | schedule: 16 | - cron: '23 7 * * 6' 17 | 18 | permissions: 19 | contents: read 20 | 21 | jobs: 22 | build: 23 | permissions: 24 | contents: read # for actions/checkout to fetch code 25 | security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 26 | actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 27 | name: Build 28 | runs-on: ubuntu-latest 29 | steps: 30 | - name: Checkout code 31 | uses: actions/checkout@v4 32 | 33 | - name: Build an image from Dockerfile 34 | run: | 35 | docker build -t docker.io/my-organization/my-app:${{ github.sha }} . 
36 | 37 | - name: Run Trivy vulnerability scanner 38 | uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe 39 | with: 40 | image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' 41 | format: 'template' 42 | template: '@/contrib/sarif.tpl' 43 | output: 'trivy-results.sarif' 44 | severity: 'CRITICAL,HIGH' 45 | 46 | - name: Upload Trivy scan results to GitHub Security tab 47 | uses: github/codeql-action/upload-sarif@v3 48 | with: 49 | sarif_file: 'trivy-results.sarif' 50 | -------------------------------------------------------------------------------- /config/samples-dev/adccsissuer.yaml: -------------------------------------------------------------------------------- 1 | kind: AdcsIssuer 2 | apiVersion: adcs.certmanager.csf.nokia.com/v1 3 | metadata: 4 | name: test-adcs-issuer 5 | namespace: cert-manager 6 | spec: 7 | caBundle: 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 8 | credentialsRef: 9 | name: test-adcs-issuer-credentials 10 | statusCheckInterval: 2m 11 | retryInterval: 2m 12 | url: https://localhost:8443 -------------------------------------------------------------------------------- /adcs/certsrv.go: -------------------------------------------------------------------------------- 1 | package adcs 2 | 3 | type AdcsResponseStatus int 4 | 5 | const ( 6 | Unknown AdcsResponseStatus = 0 7 | Pending AdcsResponseStatus = 1 8 | Ready AdcsResponseStatus = 2 9 | Errored AdcsResponseStatus = 3 10 | Rejected AdcsResponseStatus = 4 11 | ) 12 | 13 | type AdcsCertsrv interface { 14 | // Request new certificate. 15 | // Returns (cert status, certificate or description, id, error) 16 | // If cert status is 'Unknown' the state of the certificate info couldn't be obtained from certsrv. Check for error. 17 | // If cert status is 'Ready' the cert is returned immediately in 'certificate'. 
18 | // If cert status is 'Pending' the cert can be obtained later with getExistingCertificate using the 'id' (see 'description' for more details) 19 | // If cert status is 'Error' see 'description' for details. 20 | RequestCertificate(csr string, template string) (AdcsResponseStatus, string, string, error) 21 | 22 | // Get previously requested certicate from Certserv 23 | // Returns (cert status, certificate or description, id, error) 24 | // If cert status is 'Unknown' the state of the certificate info couldn't be obtained from certsrv. Check for error. 25 | // If cert status is 'Ready' the cert is returned in 'certificate'. 26 | // If cert status is 'Pending' the cert can be obtained later with getExistingCertificate using the 'id' (see 'description' for more details) 27 | // If cert status is 'Error' see 'description' for details. 28 | GetExistingCertificate(id string) (AdcsResponseStatus, string, string, error) 29 | 30 | // Get the certsrv' CA cert 31 | // Returns ( certificate, error) 32 | GetCaCertificate() (string, error) 33 | 34 | // Get the certsrv' CA chain 35 | // Returns (certificate, error) 36 | GetCaCertificateChain() (string, error) 37 | } 38 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/validating-webhook-configuration.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.controllerManager.enabledWebHooks }} 2 | apiVersion: admissionregistration.k8s.io/v1 3 | kind: ValidatingWebhookConfiguration 4 | metadata: 5 | name: {{ include "chart.fullname" . }}-validating-webhook-configuration 6 | annotations: 7 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}- 8 | labels: 9 | {{- include "chart.labels" . 
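| nindent 4 }}
webhooks:
  # Validating admission for AdcsIssuer. The API server matches a rule on the
  # exact apiGroup and on the plural resource name as registered by the CRD
  # (adcs.certmanager.csf.nokia.com / adcsissuers). A rule that matches nothing
  # silently disables validation, whatever failurePolicy says.
  - name: adcsissuer-validation.adcs.certmanager.csf.nokia.com
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ include "chart.fullname" . }}-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /validate-adcs-certmanager-csf-nokia-com-v1-adcsissuer
    failurePolicy: Fail
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - adcsissuers
    sideEffects: None
  # Validating admission for ClusterAdcsIssuer. ClusterAdcsIssuer is served
  # under adcs.certmanager.csf.nokia.com (see the samples and RBAC), not
  # batch.certmanager.csf.nokia.com; with the wrong group the API server never
  # invoked this webhook. The handler path is kept as the server registers it;
  # if the controller's webhook marker also says group=batch, fix that side too.
  - name: vclusteradcsissuer.kb.io
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ include "chart.fullname" . }}-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /validate-batch-certmanager-csf-nokia-com-v1-clusteradcsissuer
    failurePolicy: Fail
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusteradcsissuers
    sideEffects: None
{{- end }}
--------------------------------------------------------------------------------
/charts/adcs-issuer/templates/mutating-webhook-configuration.yaml:
--------------------------------------------------------------------------------
{{- if .Values.controllerManager.enabledWebHooks }}

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "chart.fullname" . }}-mutating-webhook-configuration
  # NOTE(review): the Certificate name below ends in "-"; confirm it matches the
  # Certificate this chart creates, otherwise cainjector never fills caBundle and,
  # with failurePolicy: Fail, the API server would reject every matching request.
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}-
  labels:
    {{- include "chart.labels" . | nindent 4 }}
webhooks:
  - name: adcsissuer-mutation.adcs.certmanager.csf.nokia.com
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ include "chart.fullname" .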
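}}-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /mutate-adcs-certmanager-csf-nokia-com-v1-adcsissuer
    failurePolicy: Fail
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        # Must be the plural resource name: the API server matches webhook rules
        # on the resource as registered by the CRD (adcsissuers). With the
        # singular "adcsissuer" the rule matched nothing and the mutation never
        # ran. config/webhook/manifests.yaml (generated) carries the same
        # singular, so the kubebuilder webhook marker needs the same fix.
        resources:
          - adcsissuers
    sideEffects: None

  # ClusterAdcsIssuer is served under adcs.certmanager.csf.nokia.com (see the
  # samples, RBAC and CRD file names), not batch.certmanager.csf.nokia.com; with
  # the wrong group the API server never called this webhook. The handler path
  # is kept as the server registers it; if the controller's webhook marker also
  # says group=batch, fix it there as well.
  - name: mclusteradcsissuer.kb.io
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: {{ include "chart.fullname" . }}-webhook-service
        namespace: {{ .Release.Namespace }}
        path: /mutate-batch-certmanager-csf-nokia-com-v1-clusteradcsissuer
    failurePolicy: Fail
    rules:
      - apiGroups:
          - adcs.certmanager.csf.nokia.com
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusteradcsissuers
    sideEffects: None

{{- end }}
--------------------------------------------------------------------------------
/config/samples/adcs_v1_clusteradcsissuer.yaml:
--------------------------------------------------------------------------------
apiVersion: adcs.certmanager.csf.nokia.com/v1
kind: ClusterAdcsIssuer
metadata:
  name: adcsclusterissuer-sample
  namespace: cert-manager
spec:
  caBundle: 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
  credentialsRef:
    name: test-adcs-issuer-credentials
  statusCheckInterval: 3m
  retryInterval: 3m
  url: https://localhost:8443
--------------------------------------------------------------------------------
/.goreleaser.yaml:
--------------------------------------------------------------------------------
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
# vim: set ts=2 sw=2 tw=0 fo=cnqoj

version: 2

project_name: adcs-issuer

git:
  ignore_tags:
    - helm/*

builds:
  - env:
      - CGO_ENABLED=0
    goos:
      - linux
    goarch:
      - amd64
      - arm64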
main: . 21 | binary: adcs-issuer 22 | mod_timestamp: "{{.CommitTimestamp}}" 23 | flags: 24 | - -trimpath 25 | ldflags: 26 | - -s -w 27 | - -X {{.ModulePath}}/version.Release={{.Version}} 28 | - -X {{.ModulePath}}/version.Commit={{.Commit}} 29 | # NOTE: the Makefile uses time of build but that is non-reproducible 30 | - -X {{.ModulePath}}/version.BuildTime={{.CommitTimestamp}} 31 | 32 | # Build a Docker image using `ko` 33 | kos: 34 | - id: adcs-issuer 35 | bare: true 36 | repositories: 37 | - docker.io/djkormo/adcs-issuer 38 | - ghcr.io/djkormo/adcs-issuer 39 | platforms: 40 | - linux/amd64 41 | - linux/arm64 42 | tags: 43 | - latest 44 | - "{{.Tag}}" 45 | annotations: 46 | # https://github.com/opencontainers/image-spec/blob/main/annotations.md 47 | org.opencontainers.image.created: "{{.CommitTimestamp}}" 48 | org.opencontainers.image.authors: djkormo 49 | org.opencontainers.image.source: "https://{{.ModulePath}}" 50 | org.opencontainers.image.version: "{{.Tag}}" 51 | org.opencontainers.image.revision: "{{.Commit}}" 52 | 53 | release: 54 | prerelease: auto 55 | draft: false 56 | header: | 57 | ## {{.ProjectName}} {{.Tag}} 58 | 59 | checksum: 60 | name_template: 'checksums.txt' 61 | algorithm: sha256 62 | 63 | archives: 64 | - name_template: '{{.ProjectName}}_{{.Os}}_{{.Arch}}' 65 | files: 66 | - LICENSE 67 | - README.md 68 | -------------------------------------------------------------------------------- /config/samples/adcs_v1_adcsissuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: adcs.certmanager.csf.nokia.com/v1 3 | kind: AdcsIssuer 4 | metadata: 5 | name: adcsissuer-sample 6 | namespace: cert-manager 7 | spec: 8 | caBundle: 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 9 | credentialsRef: 10 | name: adcs-issuer-secret 11 | statusCheckInterval: 2m 12 | retryInterval: 2m 13 | url: adcs-certice-url 14 | templateName: BasicSSLWebServer 
-------------------------------------------------------------------------------- /scripts/common_utils.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright (c) 2020, 2020 Red Hat, IBM Corporation and others. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | ############################### utilities ################################# 19 | 20 | function check_running() { 21 | 22 | check_pod=$1 23 | prometheus_ns="monitoring" 24 | kubectl_cmd="kubectl -n ${prometheus_ns}" 25 | 26 | echo "Info: Waiting for ${check_pod} to come up..." 27 | err_wait=0 28 | while true; 29 | do 30 | sleep 2 31 | ${kubectl_cmd} get pods | grep ${check_pod} 32 | pod_stat=$(${kubectl_cmd} get pods | grep ${check_pod} | awk '{ print $3 }') 33 | case "${pod_stat}" in 34 | "Running") 35 | echo "Info: ${check_pod} deploy succeeded: ${pod_stat}" 36 | err=0 37 | break; 38 | ;; 39 | "Error") 40 | # On Error, wait for 10 seconds before exiting. 41 | err_wait=$(( err_wait + 1 )) 42 | if [ ${err_wait} -gt 5 ]; then 43 | echo "Error: ${check_pod} deploy failed: ${pod_stat}" 44 | err=-1 45 | break; 46 | fi 47 | ;; 48 | *) 49 | sleep 2 50 | ;; 51 | esac 52 | done 53 | 54 | ${kubectl_cmd} get pods | grep ${check_pod} 55 | echo 56 | } 57 | 58 | # Check error code from last command, exit on error 59 | check_err() { 60 | err=$? 
61 | if [ ${err} -ne 0 ]; then 62 | echo "$*" 63 | exit -1 64 | fi 65 | } 66 | -------------------------------------------------------------------------------- /config/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: manager-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - events 11 | verbs: 12 | - create 13 | - patch 14 | - apiGroups: 15 | - "" 16 | resources: 17 | - secrets 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - adcs.certmanager.csf.nokia.com 24 | resources: 25 | - adcsissuers 26 | verbs: 27 | - create 28 | - delete 29 | - get 30 | - list 31 | - patch 32 | - update 33 | - watch 34 | - apiGroups: 35 | - adcs.certmanager.csf.nokia.com 36 | resources: 37 | - adcsissuers/status 38 | verbs: 39 | - get 40 | - patch 41 | - update 42 | - apiGroups: 43 | - adcs.certmanager.csf.nokia.com 44 | resources: 45 | - adcsrequests 46 | verbs: 47 | - create 48 | - delete 49 | - get 50 | - list 51 | - patch 52 | - update 53 | - watch 54 | - apiGroups: 55 | - adcs.certmanager.csf.nokia.com 56 | resources: 57 | - adcsrequests/status 58 | verbs: 59 | - get 60 | - patch 61 | - update 62 | - apiGroups: 63 | - adcs.certmanager.csf.nokia.com 64 | resources: 65 | - clusteradcsissuers 66 | verbs: 67 | - create 68 | - delete 69 | - get 70 | - list 71 | - patch 72 | - update 73 | - watch 74 | - apiGroups: 75 | - adcs.certmanager.csf.nokia.com 76 | resources: 77 | - clusteradcsissuers/status 78 | verbs: 79 | - get 80 | - patch 81 | - update 82 | - apiGroups: 83 | - cert-manager.io 84 | resources: 85 | - certificaterequests 86 | verbs: 87 | - get 88 | - list 89 | - patch 90 | - update 91 | - watch 92 | - apiGroups: 93 | - cert-manager.io 94 | resources: 95 | - certificaterequests/finalizers 96 | - certificaterequests/status 97 | - certificates/finalizers 98 | verbs: 99 | - get 100 | - patch 101 | - 
update 102 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart, allowing for an override. 3 | */}} 4 | {{- define "chart.name" -}} 5 | {{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a fully qualified app name. Truncate at 63 characters as required by the DNS naming spec. 10 | */}} 11 | {{- define "chart.fullname" -}} 12 | {{- if .Values.fullnameOverride }} 13 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 14 | {{- else }} 15 | {{- $name := include "chart.name" . }} 16 | {{- if contains $name .Release.Name }} 17 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 18 | {{- else }} 19 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 20 | {{- end }} 21 | {{- end }} 22 | {{- end }} 23 | 24 | {{/* 25 | Create chart name and version for labeling purposes. 26 | */}} 27 | {{- define "chart.chart" -}} 28 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 29 | {{- end }} 30 | 31 | {{/* 32 | Common labels used across Kubernetes objects. 33 | */}} 34 | {{- define "chart.labels" -}} 35 | helm.sh/chart: {{ include "chart.chart" . }} 36 | {{ include "chart.selectorLabels" . }} 37 | {{- with .Chart.AppVersion }} 38 | app.kubernetes.io/version: {{ quote . }} 39 | {{- end }} 40 | app.kubernetes.io/managed-by: {{ .Release.Service }} 41 | {{- end }} 42 | 43 | {{/* 44 | Selector labels to help identify related Kubernetes resources. 45 | */}} 46 | {{- define "chart.selectorLabels" -}} 47 | app.kubernetes.io/name: {{ include "chart.name" . }} 48 | app.kubernetes.io/instance: {{ .Release.Name }} 49 | {{- end }} 50 | 51 | {{/* 52 | Create the service account name, with the option to override or use a default. 
53 | */}} 54 | {{- define "chart.serviceAccountName" -}} 55 | {{- if .Values.serviceAccount.create }} 56 | {{- .Values.serviceAccount.name | default (include "chart.fullname" .) }} 57 | {{- else }} 58 | {{- default "default" .Values.serviceAccount.name }} 59 | {{- end }} 60 | {{- end }} 61 | -------------------------------------------------------------------------------- /docs/install-examples/issuers/cluster-adcs-issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: adcs.certmanager.csf.nokia.com/v1 2 | kind: ClusterAdcsIssuer 3 | metadata: 4 | name: adcs-cluster-issuer 5 | spec: 6 | caBundle: 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 7 | # ca certificate 8 | credentialsRef: 9 | name: adcs-issuer-credentials # secret with username and password 10 | statusCheckInterval: 5m 11 | retryInterval: 5m 12 | url: http://adcs-local/certsrv # external host 13 | templateName: SslWebServer1month # external template 14 | 15 | 16 | -------------------------------------------------------------------------------- /docs/install-examples/issuers/adcs-issuer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: adcs.certmanager.csf.nokia.com/v1 2 | kind: AdcsIssuer 3 | metadata: 4 | name: adcs-issuer 5 | namespace: adcs-issuer 6 | spec: 7 | caBundle: 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 8 | # ca certificate 9 | credentialsRef: 10 | name: adcs-issuer-credentials # secret with username and password 11 | statusCheckInterval: 5m 12 | retryInterval: 5m 13 | url: http://adcs-local/certsrv # external host 14 | templateName: SslWebServer1month # external template 15 | 16 | -------------------------------------------------------------------------------- /manifests/ClusterRole/adcs-issuer-manager-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | 
metadata: 4 | creationTimestamp: null 5 | name: adcs-issuer-manager-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - events 11 | verbs: 12 | - create 13 | - patch 14 | - apiGroups: 15 | - "" 16 | resources: 17 | - secrets 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | - apiGroups: 23 | - adcs.certmanager.csf.nokia.com 24 | resources: 25 | - adcsissuers 26 | verbs: 27 | - create 28 | - delete 29 | - get 30 | - list 31 | - patch 32 | - update 33 | - watch 34 | - apiGroups: 35 | - adcs.certmanager.csf.nokia.com 36 | resources: 37 | - adcsissuers/status 38 | verbs: 39 | - get 40 | - patch 41 | - update 42 | - apiGroups: 43 | - adcs.certmanager.csf.nokia.com 44 | resources: 45 | - adcsrequests 46 | verbs: 47 | - create 48 | - delete 49 | - get 50 | - list 51 | - patch 52 | - update 53 | - watch 54 | - apiGroups: 55 | - adcs.certmanager.csf.nokia.com 56 | resources: 57 | - adcsrequests/status 58 | verbs: 59 | - get 60 | - patch 61 | - update 62 | - apiGroups: 63 | - adcs.certmanager.csf.nokia.com 64 | resources: 65 | - clusteradcsissuers 66 | verbs: 67 | - create 68 | - delete 69 | - get 70 | - list 71 | - patch 72 | - update 73 | - watch 74 | - apiGroups: 75 | - adcs.certmanager.csf.nokia.com 76 | resources: 77 | - clusteradcsissuers/status 78 | verbs: 79 | - get 80 | - patch 81 | - update 82 | - apiGroups: 83 | - cert-manager.io 84 | resources: 85 | - certificaterequests 86 | verbs: 87 | - get 88 | - list 89 | - patch 90 | - update 91 | - watch 92 | - apiGroups: 93 | - cert-manager.io 94 | resources: 95 | - certificaterequests/finalizers 96 | - certificaterequests/status 97 | - certificates/finalizers 98 | verbs: 99 | - get 100 | - patch 101 | - update 102 | -------------------------------------------------------------------------------- /.github/workflows/codeql.yaml: -------------------------------------------------------------------------------- 1 | name: CodeQL 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: [master, main, dev] 7 | 
paths: 8 | - '**.go' 9 | - 'controllers/**.go' 10 | - 'api/**.go' 11 | - 'config/**.go' 12 | pull_request: 13 | # The branches below must be a subset of the branches above 14 | branches: [master,main, dev] 15 | schedule: 16 | - cron: '0 15 * * 2' 17 | 18 | 19 | jobs: 20 | CodeQL: 21 | 22 | strategy: 23 | fail-fast: false 24 | 25 | # CodeQL runs on ubuntu-latest and windows-latest 26 | runs-on: ubuntu-latest 27 | permissions: 28 | actions: read 29 | contents: read 30 | security-events: write 31 | 32 | steps: 33 | - name: Checkout repository 34 | uses: actions/checkout@v3 35 | with: 36 | # We must fetch at least the immediate parents so that if this is 37 | # a pull request then we can checkout the head. 38 | fetch-depth: 2 39 | 40 | # If this run was triggered by a pull request event, then checkout 41 | # the head of the pull request instead of the merge commit. 42 | #- run: git checkout HEAD^2 43 | # if: ${{ github.event_name == 'pull_request' }} 44 | 45 | # Initializes the CodeQL tools for scanning. 46 | - name: Initialize CodeQL 47 | uses: github/codeql-action/init@v3 48 | with: 49 | languages: go 50 | 51 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 52 | # If this step fails, then you should remove it and run the build manually (see below) 53 | - name: Autobuild 54 | uses: github/codeql-action/autobuild@v3 55 | 56 | # ℹ️ Command-line programs to run using the OS shell. 
57 | # 📚 https://git.io/JvXDl 58 | 59 | # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 60 | # and modify them (or add more) to build your code if your project 61 | # uses a compiled language 62 | 63 | #- run: | 64 | # make bootstrap 65 | # make release 66 | 67 | - name: Perform CodeQL Analysis 68 | uses: github/codeql-action/analyze@v3 69 | -------------------------------------------------------------------------------- /docs/install-examples/routes/adcs-route-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: route.openshift.io/v1 2 | kind: Route 3 | metadata: 4 | name: adcs-route 5 | namespace: adcs-issuer 6 | annotations: 7 | cert-manager.io/issuer: "adcs-cluster-issuer" #use specific name of issuer 8 | cert-manager.io/issuer-kind: "ClusterAdcsIssuer" #or AdcsIssuer 9 | cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com" 10 | #cert-manager.io/duration: 1h # Optional, defaults to 90 days 11 | #cert-manager.io/renew-before: 30m # Optional, defaults to 1/3 of total certificate duration. 12 | cert-manager.io/common-name: "template-route1.apps-crc.testing" # Optional, no default. 
13 | cert-manager.io/alt-names: "template2-route1.apps-crc.testing" # Optional, no default 14 | cert-manager.io/ip-sans: "10.20.30.40,192.168.192.168" # Optional, no default 15 | cert-manager.io/private-key-algorithm: "RSA" # Optional, defaults to RSA 16 | cert-manager.io/private-key-size: "2048" # Optional, defaults to 265 for ECDSA and 2048 for RSA 17 | cert-manager.io/email-sans: "me@example.com,you@example.com" # Optional, no default 18 | cert-manager.io/subject-organizations: "Company 1,Company 2" # Optional, no default 19 | spec: 20 | host: template-route1.apps-crc.testing # will be added to the Subject Alternative Names of the CertificateRequest 21 | port: 22 | targetPort: 5678 23 | to: 24 | kind: Service 25 | name: hello1-openshift 26 | --- 27 | --- 28 | apiVersion: v1 29 | kind: Service 30 | metadata: 31 | name: hello1-openshift 32 | namespace: cview-issuer 33 | spec: 34 | ports: 35 | - port: 5678 36 | targetPort: 5678 37 | selector: 38 | app: hello1-openshift 39 | 40 | --- 41 | apiVersion: apps/v1 42 | kind: Deployment 43 | metadata: 44 | name: hello1-openshift 45 | namespace: cview-issuer 46 | spec: 47 | selector: 48 | matchLabels: 49 | app: hello1-openshift 50 | replicas: 1 51 | template: 52 | metadata: 53 | labels: 54 | app: hello1-openshift 55 | spec: 56 | containers: 57 | - name: echo 58 | image: hashicorp/http-echo 59 | args: 60 | - "-text=hello1-openshift" 61 | ports: 62 | - containerPort: 5678 -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/manager-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.controllerManager.rbac.enabled }} 2 | 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: {{ include "chart.fullname" . }}-manager-role 7 | labels: 8 | {{- include "chart.labels" . 
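| nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # NOTE(review): this is a ClusterRole, so the controller can read every Secret
  # in the cluster, not only the credentialsRef Secrets of its issuers. If those
  # Secrets live in a known namespace, a namespaced Role (optionally with
  # resourceNames) is the least-privilege shape; confirm whether ClusterAdcsIssuer
  # credential lookups really need cluster scope before keeping this.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - adcs.certmanager.csf.nokia.com
    resources:
      - adcsissuers
      - adcsrequests
      - clusteradcsissuers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # Status subresources only need get/patch/update, which is what the
  # controller declares in config/rbac/role.yaml. Listing them in the same rule
  # as the parent resource granted create/delete/list/watch on them for no reason.
  - apiGroups:
      - adcs.certmanager.csf.nokia.com
    resources:
      - adcsissuers/status
      - adcsrequests/status
      - clusteradcsissuers/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - cert-manager.io
    resources:
      - certificaterequests
    verbs:
      - get
      - list
      - patch
      - update
      - watch
  # Same split as above: finalizers/status mirror config/rbac/role.yaml.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificaterequests/finalizers
      - certificaterequests/status
      - certificates/finalizers
    verbs:
      - get
      - patch
      - update

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "chart.fullname" . }}-manager-rolebinding
  labels:
    {{- include "chart.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "chart.fullname" . }}-manager-role
subjects:
  - kind: ServiceAccount
    name: {{ .Values.controllerManager.rbac.serviceAccountName | default (include "chart.fullname" .)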
}} 92 | namespace: {{ .Release.Namespace }} 93 | 94 | {{- end }} 95 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/adcs-issuer-namespace/adcs-simulator-adcs-issuer-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: adcs-sim-deployment 5 | namespace: adcs-issuer 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | control-plane: adcs-sim 11 | template: 12 | metadata: 13 | labels: 14 | control-plane: adcs-sim 15 | spec: 16 | containers: 17 | - args: 18 | - --dns=adcs-sim-service.adcs-issuer.svc,adcs2.example.com 19 | - --ips=10.10.10.1,10.10.10.2 20 | - --port=8443 21 | command: 22 | - /usr/local/adcs-sim/manager 23 | image: djkormo/adcs-sim:0.0.5 24 | imagePullPolicy: Always 25 | env: 26 | - name: ENABLE_DEBUG 27 | value: "false" 28 | name: manager 29 | volumeMounts: 30 | 31 | # emptydirs for storing csr and cert files 32 | - name: csr 33 | mountPath: "/usr/local/adcs-sim/ca" 34 | 35 | # ca cert 36 | - name: config-pem 37 | mountPath: "/usr/local/adcs-sim/ca/root.pem" 38 | subPath: root.pem 39 | readOnly: true 40 | 41 | # ca key 42 | - name: config-key 43 | mountPath: "/usr/local/adcs-sim/ca/root.key" 44 | subPath: root.key 45 | readOnly: true 46 | 47 | ports: 48 | - containerPort: 8443 # the same as --port=8443 in arguments 49 | name: adcs-sim 50 | protocol: TCP 51 | resources: 52 | limits: 53 | cpu: 100m 54 | memory: 500Mi 55 | requests: 56 | cpu: 100m 57 | memory: 100Mi 58 | 59 | terminationGracePeriodSeconds: 10 60 | 61 | volumes: 62 | 63 | - name: csr 64 | emptyDir: 65 | sizeLimit: 50Mi 66 | 67 | - name: config-pem 68 | configMap: 69 | name: adcs-sim-configmap # configmap for storing ca cert 70 | 71 | - name: config-key 72 | configMap: 73 | name: adcs-sim-configmap # configmap for storing ca key 74 | --- 75 | apiVersion: v1 76 | kind: Service 77 | metadata: 78 | 
name: adcs-sim-service 79 | namespace: adcs-issuer 80 | spec: 81 | ports: 82 | - port: 8443 83 | targetPort: 8443 84 | selector: 85 | control-plane: adcs-sim 86 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/cert-manager-namespace/adcs-simulator-cert-manager-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: adcs-sim-deployment 5 | namespace: cert-manager 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | control-plane: adcs-sim 11 | template: 12 | metadata: 13 | labels: 14 | control-plane: adcs-sim 15 | spec: 16 | containers: 17 | - args: 18 | - --dns=adcs-sim-service.cert-manager.svc,adcs2.example.com 19 | - --ips=10.10.10.1,10.10.10.2 20 | - --port=8443 21 | command: 22 | - /usr/local/adcs-sim/manager 23 | image: djkormo/adcs-sim:0.0.5 24 | imagePullPolicy: Always 25 | env: 26 | - name: ENABLE_DEBUG 27 | value: "false" 28 | name: manager 29 | volumeMounts: 30 | 31 | # emptydirs for storing csr and cert files 32 | - name: csr 33 | mountPath: "/usr/local/adcs-sim/ca" 34 | 35 | # ca cert 36 | - name: config-pem 37 | mountPath: "/usr/local/adcs-sim/ca/root.pem" 38 | subPath: root.pem 39 | readOnly: true 40 | 41 | # ca key 42 | - name: config-key 43 | mountPath: "/usr/local/adcs-sim/ca/root.key" 44 | subPath: root.key 45 | readOnly: true 46 | 47 | ports: 48 | - containerPort: 8443 # the same as --port=8443 in arguments 49 | name: adcs-sim 50 | protocol: TCP 51 | resources: 52 | limits: 53 | cpu: 100m 54 | memory: 500Mi 55 | requests: 56 | cpu: 100m 57 | memory: 100Mi 58 | 59 | terminationGracePeriodSeconds: 10 60 | 61 | volumes: 62 | 63 | - name: csr 64 | emptyDir: 65 | sizeLimit: 50Mi 66 | 67 | - name: config-pem 68 | configMap: 69 | name: adcs-sim-configmap # configmap for storing ca cert 70 | 71 | - name: config-key 72 | configMap: 73 | name: adcs-sim-configmap # 
configmap for storing the CA private key — a ConfigMap is not secret storage (anyone with configmap read in the namespace gets the key); tolerable only for this throwaway simulator, otherwise keep root.key in a Secret and mount that instead
adcsissuer-validation.adcs.certmanager.csf.nokia.com 62 | rules: 63 | - apiGroups: 64 | - adcs.certmanager.csf.nokia.com 65 | apiVersions: 66 | - v1 67 | operations: 68 | - CREATE 69 | - UPDATE 70 | resources: 71 | - adcsissuer 72 | sideEffects: None 73 | - admissionReviewVersions: 74 | - v1 75 | clientConfig: 76 | service: 77 | name: webhook-service 78 | namespace: system 79 | path: /validate-batch-certmanager-csf-nokia-com-v1-clusteradcsissuer 80 | failurePolicy: Fail 81 | name: vclusteradcsissuer.kb.io 82 | rules: 83 | - apiGroups: 84 | - batch.certmanager.csf.nokia.com 85 | apiVersions: 86 | - v1 87 | operations: 88 | - CREATE 89 | - UPDATE 90 | resources: 91 | - clusteradcsissuers 92 | sideEffects: None 93 | -------------------------------------------------------------------------------- /.github/workflows/helm-test.yaml: -------------------------------------------------------------------------------- 1 | name: Test (Helm) 2 | on: 3 | - pull_request 4 | - workflow_dispatch 5 | 6 | jobs: 7 | lint-test: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: Checkout 11 | uses: actions/checkout@v4.2.1 12 | with: 13 | fetch-depth: 0 14 | 15 | 16 | - name: Set up Helm 17 | uses: azure/setup-helm@v4.2.0 18 | with: 19 | version: v3.13.0 20 | - name: Setup polaris 21 | uses: fairwindsops/polaris/.github/actions/setup-polaris@master 22 | 23 | with: 24 | version: 5.0.0 25 | 26 | # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and 27 | # yamllint (https://github.com/adrienverge/yamllint) which require Python 28 | - name: Set up Python 29 | uses: actions/setup-python@v5.2.0 30 | with: 31 | python-version: 3.x 32 | 33 | - name: Set up chart-testing 34 | uses: helm/chart-testing-action@v2.6.1 35 | 36 | - name: Run chart-testing (list-changed) 37 | id: list-changed 38 | run: | 39 | changed=$(ct list-changed --config ct.yaml) 40 | if [[ -n "$changed" ]]; then 41 | echo "changed=true" >> $GITHUB_OUTPUT 42 | fi 43 | 44 | - name: Run 
chart-testing (lint) 45 | run: ct lint --config ct.yaml --lint-conf lintconf.yaml --chart-yaml-schema chart_schema.yaml --debug 46 | 47 | - name: Create kind cluster 48 | uses: helm/kind-action@v1.10.0 49 | if: steps.list-changed.outputs.changed == 'true' 50 | 51 | - run: | 52 | kubectl cluster-info 53 | kubectl get nodes -v=6 54 | helm version 55 | helm repo add jetstack https://charts.jetstack.io --force-update 56 | helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.14.2 --set installCRDs=true --set enableCertificateOwnerRef=true 57 | helm repo add fairwinds-stable https://charts.fairwinds.com/stable --force-update 58 | helm upgrade --install polaris fairwinds-stable/polaris --namespace demo --create-namespace --set webhook.enable=false --set dashboard.enable=false 59 | if: steps.list-changed.outputs.changed == 'true' 60 | 61 | 62 | - name: Use command polaris 63 | run: polaris version 64 | if: steps.list-changed.outputs.changed == 'true' 65 | 66 | 67 | - name: Run chart-testing (install) 68 | run: ct install --config ct.yaml --namespace default 69 | if: steps.list-changed.outputs.changed == 'true' 70 | -------------------------------------------------------------------------------- /api/v1/adcsissuer_types.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | import ( 4 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 5 | ) 6 | 7 | // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! 8 | // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. 
9 | 10 | // AdcsIssuerSpec defines the desired state of AdcsIssuer 11 | type AdcsIssuerSpec struct { 12 | // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster 13 | // Important: Run "make" to regenerate code after modifying this file 14 | 15 | // URL is the base URL for the ADCS instance 16 | URL string `json:"url"` 17 | 18 | // CredentialsRef is a reference to a Secret containing the username and 19 | // password for the ADCS server. 20 | // The secret must contain two keys, 'username' and 'password'. 21 | CredentialsRef LocalObjectReference `json:"credentialsRef"` 22 | 23 | // CABundle is a PEM encoded TLS certifiate to use to verify connections to 24 | // the ADCS server. 25 | // +optional 26 | CABundle []byte `json:"caBundle,omitempty"` 27 | 28 | // How often to check for request status in the server (in time.ParseDuration() format) 29 | // Default 6 hours. 30 | // +optional 31 | StatusCheckInterval string `json:"statusCheckInterval,omitempty"` 32 | 33 | // How often to retry in case of communication errors (in time.ParseDuration() format) 34 | // Default 1 hour. 35 | // +optional 36 | RetryInterval string `json:"retryInterval,omitempty"` 37 | 38 | // Which ADCS Template should this issuer use 39 | // Defaults to the what is specified in main.go or as an cli option. 
40 | // +optional 41 | TemplateName string `json:"templateName,omitempty"` 42 | } 43 | 44 | // AdcsIssuerStatus defines the observed state of AdcsIssuer 45 | type AdcsIssuerStatus struct { 46 | // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster 47 | // Important: Run "make" to regenerate code after modifying this file 48 | } 49 | 50 | // +kubebuilder:object:root=true 51 | // +kubebuilder:resource:path=adcsissuers,scope=Namespaced 52 | // +kubebuilder:subresource:status 53 | 54 | // AdcsIssuer is the Schema for the adcsissuers API 55 | type AdcsIssuer struct { 56 | metav1.TypeMeta `json:",inline"` 57 | metav1.ObjectMeta `json:"metadata,omitempty"` 58 | 59 | Spec AdcsIssuerSpec `json:"spec,omitempty"` 60 | Status AdcsIssuerStatus `json:"status,omitempty"` 61 | } 62 | 63 | // +kubebuilder:object:root=true 64 | 65 | // AdcsIssuerList contains a list of AdcsIssuer 66 | type AdcsIssuerList struct { 67 | metav1.TypeMeta `json:",inline"` 68 | metav1.ListMeta `json:"metadata,omitempty"` 69 | Items []AdcsIssuer `json:"items"` 70 | } 71 | 72 | func init() { 73 | SchemeBuilder.Register(&AdcsIssuer{}, &AdcsIssuerList{}) 74 | } 75 | -------------------------------------------------------------------------------- /controllers/.suite_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
14 | */ 15 | 16 | package controllers 17 | 18 | import ( 19 | "path/filepath" 20 | "testing" 21 | 22 | . "github.com/onsi/ginkgo" 23 | . "github.com/onsi/gomega" 24 | 25 | adcsv1 "github.com/djkormo/adcs-issuer/api/v1" 26 | "k8s.io/client-go/kubernetes/scheme" 27 | "k8s.io/client-go/rest" 28 | "sigs.k8s.io/controller-runtime/pkg/client" 29 | "sigs.k8s.io/controller-runtime/pkg/envtest" 30 | //"sigs.k8s.io/controller-runtime/pkg/envtest/printer" 31 | logf "sigs.k8s.io/controller-runtime/pkg/log" 32 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 33 | // +kubebuilder:scaffold:imports 34 | ) 35 | 36 | // These tests use Ginkgo (BDD-style Go testing framework). Refer to 37 | // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 38 | 39 | var cfg *rest.Config 40 | var k8sClient client.Client 41 | var testEnv *envtest.Environment 42 | 43 | func TestAPIs(t *testing.T) { 44 | RegisterFailHandler(Fail) 45 | 46 | RunSpecsWithDefaultAndCustomReporters(t, 47 | "Controller Suite", 48 | []Reporter{printer.NewlineReporter{}}) 49 | } 50 | 51 | var _ = BeforeSuite(func(done Done) { 52 | logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter))) 53 | 54 | By("bootstrapping test environment") 55 | testEnv = &envtest.Environment{ 56 | CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, 57 | } 58 | 59 | var err error 60 | cfg, err = testEnv.Start() 61 | Expect(err).ToNot(HaveOccurred()) 62 | Expect(cfg).ToNot(BeNil()) 63 | 64 | err = adcsv1.AddToScheme(scheme.Scheme) 65 | Expect(err).NotTo(HaveOccurred()) 66 | 67 | err = adcsv1.AddToScheme(scheme.Scheme) 68 | Expect(err).NotTo(HaveOccurred()) 69 | 70 | err = adcsv1.AddToScheme(scheme.Scheme) 71 | Expect(err).NotTo(HaveOccurred()) 72 | 73 | // +kubebuilder:scaffold:scheme 74 | 75 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 76 | Expect(err).ToNot(HaveOccurred()) 77 | Expect(k8sClient).ToNot(BeNil()) 78 | 79 | close(done) 80 | }, 60) 81 | 82 | var _ = AfterSuite(func() { 83 | By("tearing 
down the test environment") 84 | err := testEnv.Stop() 85 | Expect(err).ToNot(HaveOccurred()) 86 | }) 87 | -------------------------------------------------------------------------------- /api/v1/clusteradcsissuer_types.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | import ( 4 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 5 | ) 6 | 7 | // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! 8 | // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. 9 | 10 | // ClusterAdcsIssuerSpec defines the desired state of ClusterAdcsIssuer 11 | type ClusterAdcsIssuerSpec struct { 12 | // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster 13 | // Important: Run "make" to regenerate code after modifying this file 14 | 15 | // URL is the base URL for the ADCS instance 16 | URL string `json:"url"` 17 | 18 | // CredentialsRef is a reference to a Secret containing the username and 19 | // password for the ADCS server. 20 | // The secret must contain two keys, 'username' and 'password'. 21 | CredentialsRef LocalObjectReference `json:"credentialsRef"` 22 | 23 | // CABundle is a PEM encoded TLS certifiate to use to verify connections to 24 | // the ADCS server. 25 | // +optional 26 | CABundle []byte `json:"caBundle,omitempty"` 27 | 28 | // How often to check for request status in the server (in time.ParseDuration() format) 29 | // Default 6 hours. 30 | // +optional 31 | StatusCheckInterval string `json:"statusCheckInterval,omitempty"` 32 | 33 | // How often to retry in case of communication errors (in time.ParseDuration() format) 34 | // Default 1 hour. 35 | // +optional 36 | RetryInterval string `json:"retryInterval,omitempty"` 37 | 38 | // Which ADCS Template should this issuer use 39 | // Defaults to the what is specified in main.go or as an cli option. 
40 | // +optional 41 | TemplateName string `json:"templateName,omitempty"` 42 | } 43 | 44 | // ClusterAdcsIssuerStatus defines the observed state of ClusterAdcsIssuer 45 | type ClusterAdcsIssuerStatus struct { 46 | // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster 47 | // Important: Run "make" to regenerate code after modifying this file 48 | } 49 | 50 | // +kubebuilder:object:root=true 51 | // +kubebuilder:resource:path=clusteradcsissuers,scope=Cluster 52 | // +kubebuilder:subresource:status 53 | 54 | // ClusterAdcsIssuer is the Schema for the clusteradcsissuers API 55 | type ClusterAdcsIssuer struct { 56 | metav1.TypeMeta `json:",inline"` 57 | metav1.ObjectMeta `json:"metadata,omitempty"` 58 | 59 | Spec ClusterAdcsIssuerSpec `json:"spec,omitempty"` 60 | Status ClusterAdcsIssuerStatus `json:"status,omitempty"` 61 | } 62 | 63 | // +kubebuilder:object:root=true 64 | 65 | // ClusterAdcsIssuerList contains a list of ClusterAdcsIssuer 66 | type ClusterAdcsIssuerList struct { 67 | metav1.TypeMeta `json:",inline"` 68 | metav1.ListMeta `json:"metadata,omitempty"` 69 | Items []ClusterAdcsIssuer `json:"items"` 70 | } 71 | 72 | func init() { 73 | SchemeBuilder.Register(&ClusterAdcsIssuer{}, &ClusterAdcsIssuerList{}) 74 | } 75 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: cert-manager 3 | 4 | # Value of this field is prepended to the 5 | # names of all resources, e.g. a deployment named 6 | # "wordpress" becomes "alices-wordpress". 7 | # Note that it should also match with the prefix (text before '-') of the namespace 8 | # field above. 9 | namePrefix: adcs-issuer- 10 | 11 | # Labels to add to all resources and selectors. 
12 | #commonLabels: 13 | # someName: someValue 14 | 15 | resources: 16 | #bases: 17 | - ../crd 18 | - ../rbac 19 | - ../manager 20 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml 21 | - ../webhook 22 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. 23 | - ../certmanager 24 | 25 | patchesStrategicMerge: 26 | # Protect the /metrics endpoint by putting it behind auth. 27 | # Only one of manager_auth_proxy_patch.yaml and 28 | # manager_prometheus_metrics_patch.yaml should be enabled. 29 | # - manager_auth_proxy_patch.yaml 30 | # If you want your controller-manager to expose the /metrics 31 | # endpoint w/o any authn/z, uncomment the following line and 32 | # comment manager_auth_proxy_patch.yaml. 33 | # Only one of manager_auth_proxy_patch.yaml and 34 | # manager_prometheus_metrics_patch.yaml should be enabled. 35 | #- manager_prometheus_metrics_patch.yaml 36 | 37 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml 38 | - manager_webhook_patch.yaml 39 | 40 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 41 | # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 42 | # 'CERTMANAGER' needs to be enabled to use ca injection 43 | #- webhookcainjection_patch.yaml 44 | 45 | # the following config is for teaching kustomize how to do var substitution 46 | vars: 47 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
48 | #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR 49 | # objref: 50 | # kind: Certificate 51 | # group: cert-manager.io 52 | # version: v1 53 | # name: serving-cert # this name should match the one in certificate.yaml 54 | # fieldref: 55 | # fieldpath: metadata.namespace 56 | #- name: CERTIFICATE_NAME 57 | # objref: 58 | # kind: Certificate 59 | # group: cert-manager.io 60 | # version: v1 61 | # name: serving-cert # this name should match the one in certificate.yaml 62 | #- name: SERVICE_NAMESPACE # namespace of the service 63 | # objref: 64 | # kind: Service 65 | # version: v1 66 | # name: webhook-service 67 | # fieldref: 68 | # fieldpath: metadata.namespace 69 | #- name: SERVICE_NAME 70 | # objref: 71 | # kind: Service 72 | # version: v1 73 | # name: webhook-service 74 | -------------------------------------------------------------------------------- /docs/install-examples/ingresses/cluster-adcs-ingress-tls.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # https://cert-manager.io/docs/usage/ingress/ annotations 3 | apiVersion: networking.k8s.io/v1 4 | kind: Ingress 5 | metadata: 6 | name: test-ingress 7 | namespace: adcs-issuer 8 | annotations: 9 | 10 | cert-manager.io/issuer: "adcs-cluster-issuer" #use specific name of issuer 11 | cert-manager.io/issuer-kind: "ClusterAdcsIssuer" #or AdcsIssuer 12 | cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com" 13 | 14 | #(optional) this annotation allows you to configure spec.commonName for the Certificate to be generated. 15 | cert-manager.io/common-name: "echo1.example.com" # common name should be added 16 | 17 | # (optional) this annotation allows you to configure spec.emailAddresses field for the Certificate to be generated. Supports comma-separated values e.g. 
"me@example.com,you@example.com" 18 | cert-manager.io/email-sans: "me@example.com,you@example.com" 19 | 20 | #(optional) this annotation allows you to configure spec.subject.organizations field for the Certificate to be generated. Supports comma-separated values e.g. "Company 1,Company 2" 21 | cert-manager.io/subject-organizations: "Company 1,Company 2" 22 | 23 | #(optional) this annotation allows you to configure spec.subject.organizationalUnits field for the Certificate to be generated. Supports comma-separated values e.g. "IT Services,Cloud Services" 24 | cert-manager.io/subject-organizationalunits: "IT Services, IT Solutions" 25 | 26 | #(optional) this annotation allows you to configure spec.subject.countries field for the Certificate to be generated. Supports comma-separated values e.g. "Country 1,Country 2" 27 | cert-manager.io/subject-countries: "PL,AU" # NOTE only two characters long 28 | 29 | #(optional) this annotation allows you to configure spec.subject.provinces field for the Certificate to be generated. Supports comma-separated values e.g. "Province 1,Province 2" 30 | cert-manager.io/subject-provinces: "Province 1, Province2" 31 | 32 | # (optional) this annotation allows you to configure spec.subject.localities field for the Certificate to be generated. Supports comma-separated values e.g. 
"City 1,City 2" 33 | cert-manager.io/subject-localities: "City 1, City 2" 34 | 35 | 36 | 37 | cert-manager.io/revision-history-limit: "5" 38 | cert-manager.io/renew-before: 40m 39 | 40 | spec: 41 | tls: 42 | - hosts: 43 | - echo1.example.com 44 | - echo2.example.com 45 | secretName: echo-tls-for-ingress 46 | rules: 47 | - host: echo1.example.com 48 | http: 49 | paths: 50 | - pathType: Prefix 51 | path: "/" 52 | backend: 53 | service: 54 | name: echo1 55 | port: 56 | number: 80 57 | - host: echo2.example.com 58 | http: 59 | paths: 60 | - pathType: Prefix 61 | path: "/" 62 | backend: 63 | service: 64 | name: echo2 65 | port: 66 | number: 80 67 | -------------------------------------------------------------------------------- /issuers/issuer_test.go: -------------------------------------------------------------------------------- 1 | package issuers 2 | 3 | import ( 4 | "fmt" 5 | "github.com/stretchr/testify/assert" 6 | "os" 7 | "testing" 8 | 9 | ctrl "sigs.k8s.io/controller-runtime" 10 | ) 11 | 12 | var ( 13 | log = ctrl.Log.WithName("issuer_test") 14 | ) 15 | 16 | // TODO: provide proper PKCS7 certificates for testing. 17 | // TODO: create makefile to populate testdata (openssl) 18 | // 2 tests will fail! 19 | // testdata/pkcs7.pem and testdata/x509.pem aren't provided, for the tests to be able to run, please provide own certs of these format. 
20 | 21 | func TestParsingCaCertShouldReturnX509(t *testing.T) { 22 | // arrange 23 | pkcs7Pem, err := os.ReadFile("testdata/pkcs7.pem") 24 | assert.NoError(t, err) 25 | 26 | validX509Certificate, err := os.ReadFile("testdata/x509.pem") 27 | assert.NoError(t, err) 28 | // act 29 | 30 | parsedCaCert, err := parseCaCert(pkcs7Pem, log) 31 | 32 | // assert 33 | assert.NoError(t, err) 34 | assert.Equal(t, validX509Certificate, parsedCaCert) 35 | } 36 | 37 | func TestIncorrectFormatPkcs(t *testing.T) { 38 | //arrange 39 | incorrectPKCS7Cert, err := os.ReadFile("testdata/incorrectPKCS7Cert.pem") 40 | assert.NoError(t, err) 41 | 42 | // act 43 | 44 | ca, err := parseCaCert(incorrectPKCS7Cert, log) 45 | 46 | // assert 47 | assert.EqualError(t, err, "parsing PKCS7: ber2der: BER tag length is more than available data") 48 | assert.Nil(t, ca, "expecting ca to be empty") 49 | } 50 | 51 | func TestEmptyPkcs(t *testing.T) { 52 | // arrange 53 | emptyPKCS7 := []byte(``) 54 | 55 | // act 56 | 57 | ca, err := parseCaCert(emptyPKCS7, log) 58 | 59 | // assert 60 | assert.EqualError(t, err, "error decoding the pem block") 61 | assert.Nil(t, ca, "expecting ca to be empty") 62 | } 63 | 64 | func TestIncorrectCertFormat(t *testing.T) { 65 | // arrange 66 | incorrectCertFormat := []byte(`This is not correct!`) 67 | 68 | // act 69 | 70 | ca, err := parseCaCert(incorrectCertFormat, log) 71 | 72 | // assert 73 | assert.Error(t, err) 74 | assert.EqualError(t, err, "error decoding the pem block") 75 | assert.Nil(t, ca, "expecting ca to be empty ") 76 | } 77 | 78 | func TestParseCaCertCorrectPKCS7(t *testing.T) { 79 | // arrange 80 | // raw format pkcs7.p7b from cfss testdata (https://github.com/cloudflare/cfssl/tree/master/helpers/testdata) 81 | rawPkcs7, err := os.ReadFile("testdata/cfss_rawPKCS7.p7b") 82 | assert.NoError(t, err) 83 | cfssOutputX509, err := os.ReadFile("testdata/cfss_outputx509.pem") 84 | assert.NoError(t, err) 85 | 86 | // act 87 | 88 | ca, err := parseCaCert(rawPkcs7, log) 
89 | 90 | // assert 91 | assert.NoError(t, err) 92 | assert.Equal(t, cfssOutputX509, ca) 93 | } 94 | 95 | func TestCorrectX509Cert(t *testing.T) { 96 | // arrange 97 | // raw format pkcs7.p7b from cfss testdata (https://github.com/cloudflare/cfssl/tree/master/helpers/testdata) 98 | x509, err := os.ReadFile("testdata/x509.pem") 99 | 100 | if err != nil { 101 | fmt.Println("TestCorrectX509Cert") 102 | } 103 | // act 104 | 105 | parsedCaCert, err := parseCaCert(x509, log) 106 | 107 | // assert 108 | assert.NoError(t, err) 109 | assert.Equal(t, x509, parsedCaCert) 110 | } 111 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.simulator.enabled }} 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ .Values.simulator.deploymentName | default "adcs-sim-deployment" }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: 9 | {{- include "chart.labels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.simulator.replicas | default 1 }} 12 | strategy: 13 | type: Recreate 14 | selector: 15 | matchLabels: 16 | control-plane: adcs-sim 17 | template: 18 | metadata: 19 | labels: 20 | control-plane: adcs-sim 21 | {{- include "chart.selectorLabels" . 
| nindent 8 }} 22 | spec: 23 | topologySpreadConstraints: 24 | - maxSkew: 1 25 | topologyKey: "topology.kubernetes.io/zone" 26 | whenUnsatisfiable: ScheduleAnyway 27 | securityContext: 28 | {{- toYaml .Values.simulator.podSecurityContext | nindent 8 }} 29 | containers: 30 | - name: manager 31 | image: {{ .Values.simulator.image.repository }}:{{ .Values.simulator.image.tag }} 32 | imagePullPolicy: Always 33 | command: 34 | - /usr/local/adcs-sim/manager 35 | {{- if .Values.simulator.arguments }} 36 | args: 37 | {{- range $key, $value := .Values.simulator.arguments }} 38 | - --{{ $key }}{{ if $value }}={{ $value }}{{ end }} 39 | {{- end }} 40 | {{- end }} 41 | env: 42 | - name: ENABLE_DEBUG 43 | value: {{ .Values.simulator.environment.ENABLE_DEBUG | quote }} 44 | ports: 45 | - containerPort: {{ .Values.simulator.containerPort | default 8443 }} 46 | name: adcs-sim 47 | protocol: TCP 48 | volumeMounts: 49 | - name: csr 50 | mountPath: "/usr/local/adcs-sim/ca" 51 | - name: certs 52 | mountPath: "/usr/local/adcs-sim/ca" 53 | readOnly: true 54 | subPath: root.pem 55 | resources: 56 | {{- toYaml .Values.simulator.resources | nindent 12 }} 57 | securityContext: 58 | {{- toYaml .Values.simulator.containerSecurityContext | nindent 12 }} 59 | {{- with .Values.simulator.readinessProbe }} 60 | readinessProbe: 61 | {{- toYaml . | nindent 12 }} 62 | {{- end }} 63 | {{- with .Values.simulator.livenessProbe }} 64 | livenessProbe: 65 | {{- toYaml . | nindent 12 }} 66 | {{- end }} 67 | terminationGracePeriodSeconds: 10 68 | volumes: 69 | - name: csr 70 | emptyDir: 71 | sizeLimit: 50Mi 72 | - name: certs 73 | secret: 74 | secretName: {{ .Values.simulator.certificateSecretName | default "adcs-sim-ca-secret" }} 75 | items: 76 | - key: tls.crt 77 | path: root.pem 78 | - key: tls.key 79 | path: root.key 80 | {{- with .Values.simulator.nodeSelector }} 81 | nodeSelector: 82 | {{- toYaml . 
| nindent 8 }} 83 | {{- end }} 84 | 85 | {{- end }} 86 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/adcs-issuer-namespace/clusteradcsissuer-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: adcs.certmanager.csf.nokia.com/v1 2 | kind: ClusterAdcsIssuer 3 | metadata: 4 | name: adcs-cluster-issuer-adcs-sim 5 | spec: 6 | caBundle: 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 7 | credentialsRef: 8 | name: adcs-issuer-credentials # secret with username and password 9 | statusCheckInterval: 1m 10 | retryInterval: 1m 11 | url: https://adcs-sim-service.adcs-issuer.svc:8443 # external host 12 | templateName: BasicSSLWebServer # external template 13 | 14 | -------------------------------------------------------------------------------- /docs/install-examples/adcs-simulator/cert-manager-namespace/clusteradcsissuer-adcs-sim.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: adcs.certmanager.csf.nokia.com/v1 2 | kind: ClusterAdcsIssuer 3 | metadata: 4 | name: adcs-cluster-issuer-adcs-sim 5 | spec: 6 | caBundle: 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 7 | credentialsRef: 8 | name: adcs-issuer-credentials # secret with username and password 9 | statusCheckInterval: 1m 10 | retryInterval: 1m 11 | url: https://adcs-sim-service.cert-manager.svc:8443 # external host 12 | templateName: BasicSSLWebServer # external template 13 | 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | # License 1 2 | 3 | BSD 3-Clause License 4 | 5 | Copyright (c) 2022 - present, adcs-issuer contributors 6 | All rights reserved. 
7 | 8 | Redistribution and use in source and binary forms, with or without 9 | modification, are permitted provided that the following conditions are met: 10 | 11 | 1. Redistributions of source code must retain the above copyright notice, this 12 | list of conditions and the following disclaimer. 13 | 14 | 2. Redistributions in binary form must reproduce the above copyright notice, 15 | this list of conditions and the following disclaimer in the documentation 16 | and/or other materials provided with the distribution. 17 | 18 | 3. Neither the name of the copyright holder nor the names of its 19 | contributors may be used to endorse or promote products derived from 20 | this software without specific prior written permission. 21 | 22 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 23 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 25 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 26 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 28 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 29 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 30 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 31 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | 33 | # License 2 34 | 35 | BSD 3-Clause License 36 | 37 | Copyright (c) 2019, Nokia 38 | All rights reserved. 39 | 40 | Redistribution and use in source and binary forms, with or without 41 | modification, are permitted provided that the following conditions are met: 42 | 43 | 1. Redistributions of source code must retain the above copyright notice, this 44 | list of conditions and the following disclaimer. 45 | 46 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 47 | this list of conditions and the following disclaimer in the documentation 48 | and/or other materials provided with the distribution. 49 | 50 | 3. Neither the name of the copyright holder nor the names of its 51 | contributors may be used to endorse or promote products derived from 52 | this software without specific prior written permission. 53 | 54 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 55 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 56 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 57 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 58 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 59 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 60 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 61 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 62 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 63 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 64 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/simulator-clusterissuer.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.simulator.enabled }} 2 | apiVersion: adcs.certmanager.csf.nokia.com/v1 3 | kind: ClusterAdcsIssuer 4 | metadata: 5 | name: {{ .Values.simulator.clusterIssuerName | default "adcs-sim-adcsclusterissuer" }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "chart.labels" . 
| nindent 4 }} 9 | spec: 10 | caBundle: | 11 | {{- .Values.simulator.caBundle | default "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" | nindent 4 }} 12 | credentialsRef: 13 | name: {{ .Values.simulator.secretName | default "adcs-sim-secret" }} # secret with username and password 14 | statusCheckInterval: 1m 15 | retryInterval: 1m 16 | url: https://{{ .Values.simulator.serviceName }}.{{ .Release.Namespace }}.svc:{{ .Values.simulator.servicePort }} # external host 17 | templateName: BasicSSLWebServer # external template 18 | 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /config/crd/bases/adcs.certmanager.csf.nokia.com_adcsissuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | controller-gen.kubebuilder.io/version: v0.14.0 7 | name: adcsissuers.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: AdcsIssuer 12 | listKind: AdcsIssuerList 13 | plural: adcsissuers 14 | singular: adcsissuer 15 | scope: Namespaced 16 | versions: 17 | - name: v1 18 | schema: 19 | openAPIV3Schema: 20 | description: AdcsIssuer is the Schema for the adcsissuers API 21 | properties: 22 | apiVersion: 23 | description: |- 24 | APIVersion defines the versioned schema of this representation of an object. 25 | Servers should convert recognized schemas to the latest internal value, and 26 | may reject unrecognized values. 27 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 28 | type: string 29 | kind: 30 | description: |- 31 | Kind is a string value representing the REST resource this object represents. 32 | Servers may infer this from the endpoint the client submits requests to. 33 | Cannot be updated. 34 | In CamelCase. 
35 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 36 | type: string 37 | metadata: 38 | type: object 39 | spec: 40 | description: AdcsIssuerSpec defines the desired state of AdcsIssuer 41 | properties: 42 | caBundle: 43 | description: |- 44 | CABundle is a PEM encoded TLS certifiate to use to verify connections to 45 | the ADCS server. 46 | format: byte 47 | type: string 48 | credentialsRef: 49 | description: |- 50 | CredentialsRef is a reference to a Secret containing the username and 51 | password for the ADCS server. 52 | The secret must contain two keys, 'username' and 'password'. 53 | properties: 54 | name: 55 | description: Name of the referent. 56 | type: string 57 | required: 58 | - name 59 | type: object 60 | retryInterval: 61 | description: |- 62 | How often to retry in case of communication errors (in time.ParseDuration() format) 63 | Default 1 hour. 64 | type: string 65 | statusCheckInterval: 66 | description: |- 67 | How often to check for request status in the server (in time.ParseDuration() format) 68 | Default 6 hours. 69 | type: string 70 | templateName: 71 | description: |- 72 | Which ADCS Template should this issuer use 73 | Defaults to the what is specified in main.go or as an cli option. 
74 | type: string 75 | url: 76 | description: URL is the base URL for the ADCS instance 77 | type: string 78 | required: 79 | - credentialsRef 80 | - url 81 | type: object 82 | status: 83 | description: AdcsIssuerStatus defines the observed state of AdcsIssuer 84 | type: object 85 | type: object 86 | served: true 87 | storage: true 88 | subresources: 89 | status: {} 90 | -------------------------------------------------------------------------------- /manifests/CustomResourceDefinition/adcsissuers.adcs.certmanager.csf.nokia.com.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: adcsissuers.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: AdcsIssuer 12 | listKind: AdcsIssuerList 13 | plural: adcsissuers 14 | singular: adcsissuer 15 | scope: Namespaced 16 | versions: 17 | - name: v1 18 | schema: 19 | openAPIV3Schema: 20 | description: AdcsIssuer is the Schema for the adcsissuers API 21 | properties: 22 | apiVersion: 23 | description: 'APIVersion defines the versioned schema of this representation 24 | of an object. Servers should convert recognized schemas to the latest 25 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 26 | type: string 27 | kind: 28 | description: 'Kind is a string value representing the REST resource this 29 | object represents. Servers may infer this from the endpoint the client 30 | submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 31 | type: string 32 | metadata: 33 | type: object 34 | spec: 35 | description: AdcsIssuerSpec defines the desired state of AdcsIssuer 36 | properties: 37 | caBundle: 38 | description: CABundle is a PEM encoded TLS certifiate to use to verify 39 | connections to the ADCS server. 40 | format: byte 41 | type: string 42 | credentialsRef: 43 | description: CredentialsRef is a reference to a Secret containing 44 | the username and password for the ADCS server. The secret must contain 45 | two keys, 'username' and 'password'. 46 | properties: 47 | name: 48 | description: Name of the referent. 49 | type: string 50 | required: 51 | - name 52 | type: object 53 | retryInterval: 54 | description: How often to retry in case of communication errors (in 55 | time.ParseDuration() format) Default 1 hour. 56 | type: string 57 | statusCheckInterval: 58 | description: How often to check for request status in the server (in 59 | time.ParseDuration() format) Default 6 hours. 60 | type: string 61 | templateName: 62 | description: Which ADCS Template should this issuer use Defaults to 63 | the what is specified in main.go or as an cli option. 
64 | type: string 65 | url: 66 | description: URL is the base URL for the ADCS instance 67 | type: string 68 | required: 69 | - credentialsRef 70 | - url 71 | type: object 72 | status: 73 | description: AdcsIssuerStatus defines the observed state of AdcsIssuer 74 | type: object 75 | type: object 76 | served: true 77 | storage: true 78 | subresources: 79 | status: {} 80 | status: 81 | acceptedNames: 82 | kind: "" 83 | plural: "" 84 | conditions: [] 85 | storedVersions: [] 86 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/djkormo/adcs-issuer 2 | 3 | go 1.24.0 4 | 5 | toolchain go1.24.11 6 | 7 | require ( 8 | github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 9 | github.com/cert-manager/cert-manager v1.16.2 10 | github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa 11 | github.com/go-logr/logr v1.4.2 12 | github.com/stretchr/testify v1.9.0 13 | github.com/sykesm/zap-logfmt v0.0.4 14 | go.uber.org/zap v1.27.0 15 | k8s.io/api v0.31.1 16 | k8s.io/apimachinery v0.31.1 17 | k8s.io/client-go v0.31.1 18 | k8s.io/klog v1.0.0 19 | k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 20 | sigs.k8s.io/controller-runtime v0.19.0 21 | 22 | ) 23 | 24 | require ( 25 | github.com/beorn7/perks v1.0.1 // indirect 26 | github.com/blang/semver/v4 v4.0.0 // indirect 27 | github.com/cespare/xxhash/v2 v2.3.0 // indirect 28 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 29 | github.com/emicklei/go-restful/v3 v3.12.1 // indirect 30 | github.com/evanphx/json-patch/v5 v5.9.0 // indirect 31 | github.com/fsnotify/fsnotify v1.7.0 // indirect 32 | github.com/fxamacker/cbor/v2 v2.7.0 // indirect 33 | github.com/go-logr/zapr v1.3.0 // indirect 34 | github.com/go-openapi/jsonpointer v0.21.0 // indirect 35 | github.com/go-openapi/jsonreference v0.21.0 // indirect 36 | github.com/go-openapi/swag v0.23.0 // 
indirect 37 | github.com/gogo/protobuf v1.3.2 // indirect 38 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 39 | github.com/golang/protobuf v1.5.4 // indirect 40 | github.com/google/gnostic-models v0.6.8 // indirect 41 | github.com/google/go-cmp v0.6.0 // indirect 42 | github.com/google/gofuzz v1.2.0 // indirect 43 | github.com/google/uuid v1.6.0 // indirect 44 | github.com/imdario/mergo v0.3.16 // indirect 45 | github.com/inconshreveable/mousetrap v1.1.0 // indirect 46 | github.com/josharian/intern v1.0.0 // indirect 47 | github.com/json-iterator/go v1.1.12 // indirect 48 | github.com/klauspost/compress v1.17.9 // indirect 49 | github.com/mailru/easyjson v0.7.7 // indirect 50 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 51 | github.com/modern-go/reflect2 v1.0.2 // indirect 52 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 53 | github.com/pkg/errors v0.9.1 // indirect 54 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 55 | github.com/prometheus/client_golang v1.20.4 // indirect 56 | github.com/prometheus/client_model v0.6.1 // indirect 57 | github.com/prometheus/common v0.55.0 // indirect 58 | github.com/prometheus/procfs v0.15.1 // indirect 59 | github.com/spf13/cobra v1.8.1 // indirect 60 | github.com/spf13/pflag v1.0.5 // indirect 61 | github.com/x448/float16 v0.8.4 // indirect 62 | go.uber.org/multierr v1.11.0 // indirect 63 | golang.org/x/crypto v0.46.0 // indirect 64 | golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect 65 | golang.org/x/net v0.47.0 // indirect 66 | golang.org/x/oauth2 v0.34.0 // indirect 67 | golang.org/x/sys v0.39.0 // indirect 68 | golang.org/x/term v0.38.0 // indirect 69 | golang.org/x/text v0.32.0 // indirect 70 | golang.org/x/time v0.6.0 // indirect 71 | gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect 72 | google.golang.org/protobuf v1.34.2 // indirect 73 | gopkg.in/inf.v0 v0.9.1 // indirect 74 | 
gopkg.in/yaml.v2 v2.4.0 // indirect 75 | gopkg.in/yaml.v3 v3.0.1 // indirect 76 | k8s.io/apiextensions-apiserver v0.31.1 // indirect 77 | k8s.io/component-base v0.31.1 // indirect 78 | k8s.io/klog/v2 v2.130.1 // indirect 79 | k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 // indirect 80 | sigs.k8s.io/gateway-api v1.1.0 // indirect 81 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 82 | sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect 83 | sigs.k8s.io/yaml v1.4.0 // indirect 84 | ) 85 | -------------------------------------------------------------------------------- /scripts/operator-sdk-install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -u 4 | 5 | set -e 6 | 7 | KUBERNETES_VERSION=v1.26.1 8 | GO_VERSION=1.21.7 9 | OPERATOR_SDK_VERSION=v1.19.x 10 | CERT_MANAGER_VERSION=v1.12.6 11 | 12 | sudo apt-get update 13 | sudo apt-get install snap dos2unix 14 | 15 | 16 | # uninstall existing golang 17 | 18 | sudo rm -rvf /usr/local/go/ 19 | 20 | # install go GO_VERSION 21 | 22 | 23 | VERSION=${GO_VERSION} # go version 24 | ARCH="amd64" # go architecture 25 | curl -O -L "https://golang.org/dl/go${VERSION}.linux-${ARCH}.tar.gz" 26 | ls -l 27 | 28 | #Extract the tarball using the tar command: 29 | 30 | sudo tar -xf "go${VERSION}.linux-${ARCH}.tar.gz" 31 | ls -l 32 | cd go/ 33 | ls -l 34 | cd .. 
35 | 36 | 37 | #Set up the permissions using the chown command/chmod command: 38 | sudo chown -R root:root ./go 39 | 40 | sudo rm -f -R /usr/local/go 41 | 42 | sudo mv -v go /usr/local 43 | 44 | rm -f go*.tar.gz 45 | 46 | cd ~ 47 | 48 | 49 | # Kustomize 50 | 51 | curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash 52 | 53 | chmod a+x kustomize 54 | sudo mv kustomize /usr/local/bin/kustomize 55 | 56 | 57 | 58 | # Kubebuilder 59 | 60 | cd ~ 61 | 62 | curl -L -o kubebuilder https://go.kubebuilder.io/dl/latest/$(go env GOOS)/$(go env GOARCH) 63 | sudo chmod +x kubebuilder && sudo mv kubebuilder /usr/local/bin/kubebuilder 64 | 65 | # Operator SDK 66 | 67 | git clone https://github.com/operator-framework/operator-sdk 68 | cd operator-sdk 69 | git checkout ${OPERATOR_SDK_VERSION} 70 | make install 71 | 72 | cd ~ 73 | 74 | rm -fr operator-sdk 75 | 76 | # Kubernetes staff 77 | 78 | alias k='kubectl' 79 | alias kubectx='kubectl config use-context ' 80 | alias kubens='kubectl config set-context --current --namespace ' 81 | 82 | 83 | # krew plugins 84 | 85 | ( 86 | set -x; cd "$(mktemp -d)" && 87 | OS="$(uname | tr '[:upper:]' '[:lower:]')" && 88 | ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" && 89 | KREW="krew-${OS}_${ARCH}" && 90 | curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" && 91 | tar zxvf "${KREW}.tar.gz" && 92 | ./"${KREW}" install krew 93 | ) 94 | 95 | #Add the $HOME/.krew/bin directory to your PATH environment variable. 
To do this, update your .bashrc or .zshrc file and append the following line: 96 | 97 | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" 98 | 99 | 100 | kubectl krew install split-yaml 101 | kubectl krew install neat 102 | kubectl krew install prune-unused 103 | 104 | kubectl krew list 105 | 106 | echo "Component Versions" 107 | kustomize version 108 | kubebuilder version 109 | operator-sdk version 110 | helm version 111 | 112 | minikube start -p aged --kubernetes-version=${KUBERNETES_VERSION} 113 | 114 | kubectl get nodes -o wide 115 | 116 | # install cert-manager 117 | 118 | helm repo add jetstack https://charts.jetstack.io --force-update 119 | 120 | helm repo update 121 | 122 | helm search repo cert-manager 123 | helm search repo cert-manager --versions | grep v1. 124 | 125 | helm install \ 126 | cert-manager jetstack/cert-manager \ 127 | --namespace cert-manager \ 128 | --create-namespace \ 129 | --version $CERT_MANAGER_VERSION \ 130 | --set installCRDs=true 131 | 132 | 133 | code --install-extension redhat.vscode-yaml --force 134 | code --install-extension ms-kubernetes-tools.vscode-kubernetes-tools --force 135 | 136 | code --install-extension golang.Go --force 137 | code --install-extension 766b.go-outliner --force 138 | 139 | code --install-extension mhutchie.git-graph --force 140 | 141 | echo "done" -------------------------------------------------------------------------------- /config/crd/bases/adcs.certmanager.csf.nokia.com_clusteradcsissuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | controller-gen.kubebuilder.io/version: v0.14.0 7 | name: clusteradcsissuers.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: ClusterAdcsIssuer 12 | listKind: ClusterAdcsIssuerList 13 | plural: clusteradcsissuers 14 | singular: clusteradcsissuer 15 | scope: 
Cluster 16 | versions: 17 | - name: v1 18 | schema: 19 | openAPIV3Schema: 20 | description: ClusterAdcsIssuer is the Schema for the clusteradcsissuers API 21 | properties: 22 | apiVersion: 23 | description: |- 24 | APIVersion defines the versioned schema of this representation of an object. 25 | Servers should convert recognized schemas to the latest internal value, and 26 | may reject unrecognized values. 27 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 28 | type: string 29 | kind: 30 | description: |- 31 | Kind is a string value representing the REST resource this object represents. 32 | Servers may infer this from the endpoint the client submits requests to. 33 | Cannot be updated. 34 | In CamelCase. 35 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 36 | type: string 37 | metadata: 38 | type: object 39 | spec: 40 | description: ClusterAdcsIssuerSpec defines the desired state of ClusterAdcsIssuer 41 | properties: 42 | caBundle: 43 | description: |- 44 | CABundle is a PEM encoded TLS certifiate to use to verify connections to 45 | the ADCS server. 46 | format: byte 47 | type: string 48 | credentialsRef: 49 | description: |- 50 | CredentialsRef is a reference to a Secret containing the username and 51 | password for the ADCS server. 52 | The secret must contain two keys, 'username' and 'password'. 53 | properties: 54 | name: 55 | description: Name of the referent. 56 | type: string 57 | required: 58 | - name 59 | type: object 60 | retryInterval: 61 | description: |- 62 | How often to retry in case of communication errors (in time.ParseDuration() format) 63 | Default 1 hour. 64 | type: string 65 | statusCheckInterval: 66 | description: |- 67 | How often to check for request status in the server (in time.ParseDuration() format) 68 | Default 6 hours. 
69 | type: string 70 | templateName: 71 | description: |- 72 | Which ADCS Template should this issuer use 73 | Defaults to the what is specified in main.go or as an cli option. 74 | type: string 75 | url: 76 | description: URL is the base URL for the ADCS instance 77 | type: string 78 | required: 79 | - credentialsRef 80 | - url 81 | type: object 82 | status: 83 | description: ClusterAdcsIssuerStatus defines the observed state of ClusterAdcsIssuer 84 | type: object 85 | type: object 86 | served: true 87 | storage: true 88 | subresources: 89 | status: {} 90 | -------------------------------------------------------------------------------- /docs/install-examples/README.md: -------------------------------------------------------------------------------- 1 | ## install cert-manager 2 | ``` 3 | helm repo add jetstack https://charts.jetstack.io --force-update 4 | ``` 5 | ``` 6 | helm repo update 7 | ``` 8 | ``` 9 | helm search repo cert-manager 10 | helm search repo cert-manager --versions | grep v1. 
11 | ``` 12 | ``` 13 | helm install \ 14 | cert-manager jetstack/cert-manager \ 15 | --namespace cert-manager \ 16 | --create-namespace \ 17 | --version v1.12.6 \ 18 | --set installCRDs=true 19 | ``` 20 | 21 | helm search repo cert-manager-csi-driver 22 | helm search repo cert-manager-csi-driver --versions 23 | 24 | helm install \ 25 | cert-manager-csi-driver jetstack/cert-manager-csi-driver \ 26 | --namespace cert-manager \ 27 | --version v0.7.1 28 | 29 | 30 | 31 | ## Install adcs-issuer 32 | 33 | ### add helm repo 34 | 35 | ``` 36 | helm repo add djkormo-adcs-issuer https://djkormo.github.io/adcs-issuer/ 37 | ``` 38 | 39 | ### update 40 | 41 | ``` 42 | helm repo update djkormo-adcs-issuer 43 | ``` 44 | 45 | ### check all versions 46 | ``` 47 | helm search repo adcs-issuer --versions 48 | ``` 49 | 50 | 51 | ### install in cert-manager namespace 52 | 53 | ```console 54 | helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.8 \ 55 | --namespace cert-manager --values values-cert-manager-namespace.yaml --create-namespace 56 | ``` 57 | 58 | 59 | ``` 60 | kubectl -n cert-manager get deploy 61 | kubectl -n cert-manager logs deploy/adcs-issuer-controller-manager 62 | ``` 63 | 64 | 65 | ### install adcs issuer in adcs-issuer namespace 66 | 67 | ```console 68 | helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.8 \ 69 | --namespace adcs-issuer --values values-adcs-issuer-namespace.yaml --create-namespace 70 | ``` 71 | 72 | #### Checks 73 | ``` 74 | kubectl -n adcs-issuer get deploy 75 | kubectl -n adcs-issuer logs deploy/adcs-issuer-controller-manager 76 | ``` 77 | 78 | ## install adcs-simulator 79 | 80 | ### install adcs-simulator in adcs-issuer namespace 81 | 82 | ``` 83 | kubectl apply -R -f adcs-simulator/adcs-issuer-namespace/ -n adcs-issuer 84 | 85 | ``` 86 | 87 | 88 | 89 | #### Checks 90 | ``` 91 | kubectl -n adcs-issuer logs deploy/adcs-sim-deployment 92 | kubectl -n adcs-issuer get clusteradcsissuer,adcsrequest 93 | kubectl -n 
adcs-issuer get secrets --field-selector type=kubernetes.io/tls 94 | kubectl -n adcs-issuer get certificate -ojsonpath="{range .items[*]}{.metadata.name} not before: {.status.notBefore} not after: {.status.notAfter}{'\n'}{end}" 95 | ``` 96 | 97 |
 98 | 
 99 | NAME                                        READY   SECRET            AGE
100 | certificate.cert-manager.io/adcs-sim-cert   True    adcs-sim-secret   25s
101 | 
102 | NAME                                                                            AGE
103 | clusteradcsissuer.adcs.certmanager.csf.nokia.com/adcs-cluster-issuer-adcs-sim   22m
104 | 
105 | NAME              TYPE                DATA   AGE
106 | adcs-sim-secret   kubernetes.io/tls   2      20m
107 | 
108 | adcs-sim-cert not before: 2024-02-07T21:05:58Z not after: 2025-02-06T21:05:58Z
109 | 
110 | 
111 | 112 | 113 | #### Installed helm charts 114 | 115 | ```console 116 | helm list -A 117 | ``` 118 |
119 | NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
120 | adcs-issuer     adcs-issuer     1               2024-02-07 21:57:18.0829885 +0100 CET   deployed        adcs-issuer-2.0.8               2.0.8
121 | cert-manager    cert-manager    1               2024-02-07 22:16:03.1434831 +0100 CET   deployed        cert-manager-v1.12.6            v1.12.6
122 | 
123 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/adcsissuer-crd.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.crd.install }} 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: adcsissuers.adcs.certmanager.csf.nokia.com 6 | annotations: 7 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}- 8 | controller-gen.kubebuilder.io/version: v0.7.0 9 | labels: 10 | {{- include "chart.labels" . | nindent 4 }} 11 | spec: 12 | group: adcs.certmanager.csf.nokia.com 13 | names: 14 | kind: AdcsIssuer 15 | listKind: AdcsIssuerList 16 | plural: adcsissuers 17 | singular: adcsissuer 18 | scope: Namespaced 19 | versions: 20 | - name: v1 21 | schema: 22 | openAPIV3Schema: 23 | description: AdcsIssuer is the Schema for the adcsissuers API 24 | properties: 25 | apiVersion: 26 | description: 'APIVersion defines the versioned schema of this representation 27 | of an object. Servers should convert recognized schemas to the latest 28 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this 32 | object represents. Servers may infer this from the endpoint the client 33 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 34 | type: string 35 | metadata: 36 | type: object 37 | spec: 38 | description: AdcsIssuerSpec defines the desired state of AdcsIssuer 39 | properties: 40 | caBundle: 41 | description: CABundle is a PEM encoded TLS certifiate to use to verify 42 | connections to the ADCS server. 
43 | format: byte 44 | type: string 45 | credentialsRef: 46 | description: CredentialsRef is a reference to a Secret containing the 47 | username and password for the ADCS server. The secret must contain 48 | two keys, 'username' and 'password'. 49 | properties: 50 | name: 51 | description: Name of the referent. 52 | type: string 53 | required: 54 | - name 55 | type: object 56 | retryInterval: 57 | description: How often to retry in case of communication errors (in 58 | time.ParseDuration() format) Default 1 hour. 59 | type: string 60 | statusCheckInterval: 61 | description: How often to check for request status in the server (in 62 | time.ParseDuration() format) Default 6 hours. 63 | type: string 64 | templateName: 65 | description: Which ADCS Template should this issuer use Defaults to 66 | the what is specified in main.go or as an cli option. 67 | type: string 68 | url: 69 | description: URL is the base URL for the ADCS instance 70 | type: string 71 | required: 72 | - credentialsRef 73 | - url 74 | type: object 75 | status: 76 | description: AdcsIssuerStatus defines the observed state of AdcsIssuer 77 | type: object 78 | type: object 79 | served: true 80 | storage: true 81 | subresources: 82 | status: {} 83 | status: 84 | acceptedNames: 85 | kind: "" 86 | plural: "" 87 | conditions: [] 88 | storedVersions: [] 89 | 90 | {{- end }} -------------------------------------------------------------------------------- /manifests/CustomResourceDefinition/clusteradcsissuers.adcs.certmanager.csf.nokia.com.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: clusteradcsissuers.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: ClusterAdcsIssuer 12 | listKind: ClusterAdcsIssuerList 13 | plural: 
clusteradcsissuers 14 | singular: clusteradcsissuer 15 | scope: Cluster 16 | versions: 17 | - name: v1 18 | schema: 19 | openAPIV3Schema: 20 | description: ClusterAdcsIssuer is the Schema for the clusteradcsissuers API 21 | properties: 22 | apiVersion: 23 | description: 'APIVersion defines the versioned schema of this representation 24 | of an object. Servers should convert recognized schemas to the latest 25 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 26 | type: string 27 | kind: 28 | description: 'Kind is a string value representing the REST resource this 29 | object represents. Servers may infer this from the endpoint the client 30 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 31 | type: string 32 | metadata: 33 | type: object 34 | spec: 35 | description: ClusterAdcsIssuerSpec defines the desired state of ClusterAdcsIssuer 36 | properties: 37 | caBundle: 38 | description: CABundle is a PEM encoded TLS certifiate to use to verify 39 | connections to the ADCS server. 40 | format: byte 41 | type: string 42 | credentialsRef: 43 | description: CredentialsRef is a reference to a Secret containing 44 | the username and password for the ADCS server. The secret must contain 45 | two keys, 'username' and 'password'. 46 | properties: 47 | name: 48 | description: Name of the referent. 49 | type: string 50 | required: 51 | - name 52 | type: object 53 | retryInterval: 54 | description: How often to retry in case of communication errors (in 55 | time.ParseDuration() format) Default 1 hour. 56 | type: string 57 | statusCheckInterval: 58 | description: How often to check for request status in the server (in 59 | time.ParseDuration() format) Default 6 hours. 
60 | type: string 61 | templateName: 62 | description: Which ADCS Template should this issuer use Defaults to 63 | the what is specified in main.go or as an cli option. 64 | type: string 65 | url: 66 | description: URL is the base URL for the ADCS instance 67 | type: string 68 | required: 69 | - credentialsRef 70 | - url 71 | type: object 72 | status: 73 | description: ClusterAdcsIssuerStatus defines the observed state of ClusterAdcsIssuer 74 | type: object 75 | type: object 76 | served: true 77 | storage: true 78 | subresources: 79 | status: {} 80 | status: 81 | acceptedNames: 82 | kind: "" 83 | plural: "" 84 | conditions: [] 85 | storedVersions: [] 86 | -------------------------------------------------------------------------------- /charts/adcs-issuer/templates/clusteradcsissuer-crd.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.crd.install }} 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: clusteradcsissuers.adcs.certmanager.csf.nokia.com 6 | annotations: 7 | cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "chart.fullname" . }}- 8 | controller-gen.kubebuilder.io/version: v0.7.0 9 | labels: 10 | {{- include "chart.labels" . | nindent 4 }} 11 | spec: 12 | group: adcs.certmanager.csf.nokia.com 13 | names: 14 | kind: ClusterAdcsIssuer 15 | listKind: ClusterAdcsIssuerList 16 | plural: clusteradcsissuers 17 | singular: clusteradcsissuer 18 | scope: Cluster 19 | versions: 20 | - name: v1 21 | schema: 22 | openAPIV3Schema: 23 | description: ClusterAdcsIssuer is the Schema for the clusteradcsissuers API 24 | properties: 25 | apiVersion: 26 | description: 'APIVersion defines the versioned schema of this representation 27 | of an object. Servers should convert recognized schemas to the latest 28 | internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 29 | type: string 30 | kind: 31 | description: 'Kind is a string value representing the REST resource this 32 | object represents. Servers may infer this from the endpoint the client 33 | submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 34 | type: string 35 | metadata: 36 | type: object 37 | spec: 38 | description: ClusterAdcsIssuerSpec defines the desired state of ClusterAdcsIssuer 39 | properties: 40 | caBundle: 41 | description: CABundle is a PEM encoded TLS certifiate to use to verify 42 | connections to the ADCS server. 43 | format: byte 44 | type: string 45 | credentialsRef: 46 | description: CredentialsRef is a reference to a Secret containing the 47 | username and password for the ADCS server. The secret must contain 48 | two keys, 'username' and 'password'. 49 | properties: 50 | name: 51 | description: Name of the referent. 52 | type: string 53 | required: 54 | - name 55 | type: object 56 | retryInterval: 57 | description: How often to retry in case of communication errors (in 58 | time.ParseDuration() format) Default 1 hour. 59 | type: string 60 | statusCheckInterval: 61 | description: How often to check for request status in the server (in 62 | time.ParseDuration() format) Default 6 hours. 63 | type: string 64 | templateName: 65 | description: Which ADCS Template should this issuer use Defaults to 66 | the what is specified in main.go or as an cli option. 
67 | type: string 68 | url: 69 | description: URL is the base URL for the ADCS instance 70 | type: string 71 | required: 72 | - credentialsRef 73 | - url 74 | type: object 75 | status: 76 | description: ClusterAdcsIssuerStatus defines the observed state of ClusterAdcsIssuer 77 | type: object 78 | type: object 79 | served: true 80 | storage: true 81 | subresources: 82 | status: {} 83 | status: 84 | acceptedNames: 85 | kind: "" 86 | plural: "" 87 | conditions: [] 88 | storedVersions: [] 89 | 90 | {{- end }} -------------------------------------------------------------------------------- /api/v1/adcsrequest_types.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | import ( 4 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 5 | 6 | cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" 7 | ) 8 | 9 | // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! 10 | // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. 11 | 12 | // AdcsRequestSpec defines the desired state of AdcsRequest 13 | type AdcsRequestSpec struct { 14 | // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster 15 | // Important: Run "make" to regenerate code after modifying this file 16 | 17 | // Certificate signing request bytes in PEM encoding. 18 | // This will be used when finalizing the request. 19 | // This field must be set on the request. 20 | CSRPEM []byte `json:"csr"` 21 | 22 | // IssuerRef references a properly configured AdcsIssuer which should 23 | // be used to serve this AdcsRequest. 24 | // If the Issuer does not exist, processing will be retried. 25 | // If the Issuer is not an 'ADCS' Issuer, an error will be returned and the 26 | // ADCSRequest will be marked as failed. 
27 | IssuerRef cmmeta.ObjectReference `json:"issuerRef"` 28 | } 29 | 30 | // AdcsRequestStatus defines the observed state of AdcsRequest 31 | type AdcsRequestStatus struct { 32 | // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster 33 | // Important: Run "make" to regenerate code after modifying this file 34 | 35 | // ID of the Request assigned by the ADCS. 36 | // This will initially be empty when the resource is first created. 37 | // The ADCSRequest controller will populate this field when the Request is accepted by ADCS. 38 | // This field will be immutable after it is initially set. 39 | // +optional 40 | Id string `json:"id,omitempty"` 41 | 42 | // State contains the current state of this ADCSRequest resource. 43 | // States 'ready' and 'rejected' are 'final' 44 | // +optional 45 | State State `json:"state,omitempty"` 46 | 47 | // Reason optionally provides more information about a why the AdcsRequest is in 48 | // the current state. 49 | // +optional 50 | Reason string `json:"reason,omitempty"` 51 | } 52 | 53 | // State represents the state of an ADCSRequest. 54 | // Clients utilising this type must also gracefully handle unknown 55 | // values, as the contents of this enumeration may be added to over time. 56 | // +kubebuilder:validation:Enum=pending;ready;errored;rejected 57 | type State string 58 | 59 | const ( 60 | // It is used to represent an unrecognised value. 61 | Unknown State = "" 62 | 63 | // If a request is marked 'Pending', is's waiting for acceptance on the ADCS. 64 | // This is a transient state. 65 | Pending State = "pending" 66 | 67 | // If a request is 'ready', the certificate has been issued by the ADCS server. 68 | // This is a final state. 69 | Ready State = "ready" 70 | 71 | // Errored signifies that the ADCS request has errored for some reason. 72 | // This is a catch-all state, and is used for marking internal cert-manager 73 | // errors such as validation failures. 74 | // This is a final state. 
75 | Errored State = "errored" 76 | 77 | // The 'rejected' state is used when ADCS denied signing the request. 78 | Rejected State = "rejected" 79 | ) 80 | 81 | // +kubebuilder:object:root=true 82 | // +kubebuilder:subresource:status 83 | // +kubebuilder:resource:path=adcsrequests,scope=Namespaced 84 | // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state" 85 | 86 | // AdcsRequest is the Schema for the adcsrequests API 87 | type AdcsRequest struct { 88 | metav1.TypeMeta `json:",inline"` 89 | metav1.ObjectMeta `json:"metadata,omitempty"` 90 | 91 | Spec AdcsRequestSpec `json:"spec,omitempty"` 92 | Status AdcsRequestStatus `json:"status,omitempty"` 93 | } 94 | 95 | // +kubebuilder:object:root=true 96 | 97 | // AdcsRequestList contains a list of AdcsRequest 98 | type AdcsRequestList struct { 99 | metav1.TypeMeta `json:",inline"` 100 | metav1.ListMeta `json:"metadata,omitempty"` 101 | Items []AdcsRequest `json:"items"` 102 | } 103 | 104 | func init() { 105 | SchemeBuilder.Register(&AdcsRequest{}, &AdcsRequestList{}) 106 | } 107 | -------------------------------------------------------------------------------- /.devcontainer/test-on-create.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | 4 | set -u 5 | set -e 6 | set -x 7 | 8 | KUBERNETES_VERSION=v1.26.1 9 | GO_VERSION=1.21.7 10 | OPERATOR_SDK_VERSION=v1.19.x 11 | CERT_MANAGER_VERSION=v1.12.6 12 | 13 | sudo apt-get update 14 | sudo apt-get install snap dos2unix 15 | 16 | 17 | # uninstall existing golang 18 | 19 | sudo rm -rvf /usr/local/go/ 20 | 21 | # install go GO_VERSION 22 | 23 | 24 | VERSION=${GO_VERSION} # go version 25 | ARCH="amd64" # go architecture 26 | curl -O -L "https://golang.org/dl/go${VERSION}.linux-${ARCH}.tar.gz" 27 | ls -l 28 | 29 | #Extract the tarball using the tar command: 30 | 31 | sudo tar -xf "go${VERSION}.linux-${ARCH}.tar.gz" 32 | ls -l 33 | cd go/ 34 | ls -l 35 | cd .. 
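# Set up the permissions using the chown command/chmod command:
sudo chown -R root:root ./go

sudo rm -f -R /usr/local/go

sudo mv -v go /usr/local

rm -f go*.tar.gz

cd ~


# Kustomize
#
# NOTE(review): this runs an unpinned installer taken from the kustomize
# master branch with the current user's privileges; prefer pinning a release.
# The script is saved to a file before it is executed, so a failed download
# (curl -f exits non-zero on HTTP errors) stops the bootstrap under set -e
# instead of feeding an empty body or an error page to bash.
KUSTOMIZE_INSTALLER="$(mktemp)"
curl -fsSL -o "${KUSTOMIZE_INSTALLER}" "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
bash "${KUSTOMIZE_INSTALLER}"
rm -f "${KUSTOMIZE_INSTALLER}"

chmod a+x kustomize
sudo mv kustomize /usr/local/bin/kustomize


# Kubebuilder

cd ~

# NOTE(review): "latest" is unpinned, so the toolchain may differ between
# container builds. -f aborts on an HTTP error instead of installing the
# error page as the binary.
curl -fL -o kubebuilder "https://go.kubebuilder.io/dl/latest/$(go env GOOS)/$(go env GOARCH)"
sudo chmod +x kubebuilder && sudo mv kubebuilder /usr/local/bin/kubebuilder

# Operator SDK
#
# NOTE(review): OPERATOR_SDK_VERSION is "v1.19.x", which does not look like a
# release tag; if no such ref exists the checkout fails and set -e stops the
# bootstrap here. Confirm the intended version.

git clone https://github.com/operator-framework/operator-sdk
cd operator-sdk
git checkout "${OPERATOR_SDK_VERSION}"
make install

cd ~

rm -fr operator-sdk

# Kubernetes stuff
#
# The kubectl aliases are appended to ~/.bashrc at the end of this script.
# Defining them here as well had no effect: aliases are not expanded in a
# non-interactive shell, so the in-script alias lines were dropped.

# krew plugins

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

# Put $HOME/.krew/bin on PATH for the krew commands below. This export only
# affects the current process; interactive shells get the same line through
# ~/.bashrc, appended at the end of this script.
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"


kubectl krew install split-yaml
kubectl krew install neat
kubectl krew install prune-unused

kubectl krew list

echo "Component Versions"
kustomize version
kubebuilder version
operator-sdk version
helm version

minikube start -p aged --kubernetes-version="${KUBERNETES_VERSION}"

kubectl get nodes -o wide

# install cert-manager

helm repo add jetstack https://charts.jetstack.io --force-update

helm repo update

helm search repo cert-manager
helm search repo cert-manager --versions | grep v1.

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version "${CERT_MANAGER_VERSION}" \
  --set installCRDs=true


### add adcs issuer chart repo

helm repo add djkormo-adcs-issuer https://djkormo.github.io/adcs-issuer/ --force-update

### check all versions

helm search repo adcs-issuer --versions


#code --install-extension redhat.vscode-yaml --force
#code --install-extension ms-kubernetes-tools.vscode-kubernetes-tools --force

#code --install-extension golang.Go --force
#code --install-extension 766b.go-outliner --force

#code --install-extension mhutchie.git-graph --force


# Shell conveniences for interactive sessions.
echo "alias k='kubectl' " >> ~/.bashrc
echo "alias kubectx='kubectl config use-context ' " >> ~/.bashrc
echo "alias kubens='kubectl config set-context --current --namespace ' " >> ~/.bashrc
echo "alias kge='kubectl get events --sort-by=.metadata.creationTimestamp' " >> ~/.bashrc
echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc

echo "done"

--------------------------------------------------------------------------------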
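/api/v1/.adcsissuer_webhook.go: --------------------------------------------------------------------------------
package v1

// NOTE(review): the go tool ignores source files whose names begin with "."
// or "_", and this file is named ".adcsissuer_webhook.go". While it keeps
// that name nothing below is compiled into the manager, so neither the
// defaulting nor the validation is enforced at admission time; drop the
// leading dot once the file builds.

import (
	"regexp"
	"time"

	apierrors "k8s.io/apimachinery/pkg/api/errors"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/schema"

	//validationutils "k8s.io/apimachinery/pkg/util/validation"
	"k8s.io/apimachinery/pkg/util/validation/field"

	ctrl "sigs.k8s.io/controller-runtime"
	logf "sigs.k8s.io/controller-runtime/pkg/log"
	"sigs.k8s.io/controller-runtime/pkg/webhook"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

	"github.com/cert-manager/cert-manager/pkg/util/pki"
)

// log is the logger shared by the AdcsIssuer webhook handlers.
var log = logf.Log.WithName("adcsissuer-resource")

// adcsIssuerGroupKind identifies the resource in the Invalid error returned
// by validateAdcsIssuer; it matches the groups= value of the webhook markers.
var adcsIssuerGroupKind = schema.GroupKind{Group: "adcs.certmanager.csf.nokia.com", Kind: "AdcsIssuer"}

// urlPattern accepts a complete http:// or https:// URL with a dotted host
// and an optional path/query part. It is anchored at both ends so that a
// value which merely contains such a URL somewhere inside it (leading or
// trailing junk) is rejected, and it is compiled once instead of on every
// admission request.
var urlPattern = regexp.MustCompile(`^(http|https)://([\w\-_]+(?:(?:\.[\w\-_]+)+))([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?$`)

// SetupWebhookWithManager registers the defaulting and validating webhooks
// for AdcsIssuer with the manager's webhook server.
func (r *AdcsIssuer) SetupWebhookWithManager(mgr ctrl.Manager) error {
	return ctrl.NewWebhookManagedBy(mgr).
		For(r).
		Complete()
}

// NOTE(review): resources=adcsissuer in both webhook markers is the singular
// form; admission rules are matched against the plural resource name, so
// confirm that the generated webhook configurations actually select
// AdcsIssuer objects.

// +kubebuilder:webhook:path=/mutate-adcs-certmanager-csf-nokia-com-v1-adcsissuer,mutating=true,failurePolicy=fail,groups=adcs.certmanager.csf.nokia.com,resources=adcsissuer,verbs=create;update,versions=v1,name=adcsissuer-mutation.adcs.certmanager.csf.nokia.com,sideEffects=None,admissionReviewVersions=v1

var _ webhook.Defaulter = &AdcsIssuer{}

// Default implements webhook.Defaulter so a webhook will be registered for
// the type. It fills in the two interval fields when they are empty; the
// values it writes are the ones validateAdcsIssuer later parses.
func (r *AdcsIssuer) Default() {
	log.Info("default", "name", r.Name)

	if r.Spec.StatusCheckInterval == "" {
		r.Spec.StatusCheckInterval = "6h"
	}
	if r.Spec.RetryInterval == "" {
		r.Spec.RetryInterval = "1h"
	}
}

// +kubebuilder:webhook:verbs=create;update,path=/validate-adcs-certmanager-csf-nokia-com-v1-adcsissuer,mutating=false,failurePolicy=fail,groups=adcs.certmanager.csf.nokia.com,resources=adcsissuer,versions=v1,name=adcsissuer-validation.adcs.certmanager.csf.nokia.com,sideEffects=None,admissionReviewVersions=v1

var _ webhook.Validator = &AdcsIssuer{}

// ValidateCreate implements webhook.Validator so a webhook will be registered
// for the type. Every create is checked with validateAdcsIssuer.
func (r *AdcsIssuer) ValidateCreate() (warnings admission.Warnings, err error) {
	log.Info("validate create", "name", r.Name)

	return r.validateAdcsIssuer()
}

// ValidateUpdate implements webhook.Validator so a webhook will be registered
// for the type. The previous object is not consulted; the new spec is
// re-checked in full with validateAdcsIssuer.
func (r *AdcsIssuer) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error) {
	log.Info("validate update", "name", r.Name)

	return r.validateAdcsIssuer()
}

// ValidateDelete implements webhook.Validator so a webhook will be registered
// for the type. Deletion is always allowed.
func (r *AdcsIssuer) ValidateDelete() (warnings admission.Warnings, err error) {
	log.Info("validate delete", "name", r.Name)

	return nil, nil
}

// validateAdcsIssuer checks the fields of the issuer spec and reports every
// problem found as one aggregated Invalid error.
//
// It returns (nil, nil) when the spec is acceptable. Otherwise warnings is
// nil and err is the *apierrors.StatusError built by apierrors.NewInvalid,
// listing all offending fields, which the API server turns into a rejected
// admission request.
func (r *AdcsIssuer) validateAdcsIssuer() (warnings admission.Warnings, err error) {
	var allErrs field.ErrorList
	specPath := field.NewPath("spec")

	// retryInterval and statusCheckInterval must parse as Go durations.
	if _, parseErr := time.ParseDuration(r.Spec.RetryInterval); parseErr != nil {
		allErrs = append(allErrs, field.Invalid(specPath.Child("retryInterval"), r.Spec.RetryInterval, parseErr.Error()))
	}
	if _, parseErr := time.ParseDuration(r.Spec.StatusCheckInterval); parseErr != nil {
		allErrs = append(allErrs, field.Invalid(specPath.Child("statusCheckInterval"), r.Spec.StatusCheckInterval, parseErr.Error()))
	}

	// url must be a complete http:// or https:// URL (see urlPattern).
	if !urlPattern.MatchString(r.Spec.URL) {
		allErrs = append(allErrs, field.Invalid(specPath.Child("url"), r.Spec.URL, "Invalid URL format. Must be valid 'http://' or 'https://' URL."))
	}

	// caBundle must decode as a PEM-encoded X.509 certificate.
	// NOTE(review): an empty caBundle fails this check as well, so the field
	// is effectively mandatory here; confirm that matches the CRD schema.
	if _, decodeErr := pki.DecodeX509CertificateBytes(r.Spec.CABundle); decodeErr != nil {
		allErrs = append(allErrs, field.Invalid(specPath.Child("caBundle"), r.Spec.CABundle, decodeErr.Error()))
	}

	// TODO: Validate credentials secret name?

	if len(allErrs) == 0 {
		return nil, nil
	}
	// The aggregated error belongs in the error position. Returning it as the
	// first value would put it in the warnings slot and leave err nil, so the
	// API server would admit the object; it also does not type-check, since
	// admission.Warnings is a []string.
	return nil, apierrors.NewInvalid(adcsIssuerGroupKind, r.Name, allErrs)
}

-------------------------------------------------------------------------------- /config/crd/bases/adcs.certmanager.csf.nokia.com_adcsrequests.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | controller-gen.kubebuilder.io/version: v0.14.0 7 | name: adcsrequests.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: AdcsRequest 12 | listKind: AdcsRequestList 13 | plural: adcsrequests 14 | singular: adcsrequest 15 | scope: Namespaced 16 | versions: 17 | - additionalPrinterColumns: 18 | - jsonPath: .status.state 19 | name: State 20 | type: string 21 | name: v1 22 | schema: 23 | openAPIV3Schema: 24 | description: AdcsRequest is the Schema for the adcsrequests API 25 | properties: 26 | apiVersion: 27 | description: |- 28 | APIVersion defines the versioned schema of this representation of an object. 29 | Servers should convert recognized schemas to the latest internal value, and 30 | may reject unrecognized values. 31 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources 32 | type: string 33 | kind: 34 | description: |- 35 | Kind is a string value representing the REST resource this object represents. 36 | Servers may infer this from the endpoint the client submits requests to.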
37 | Cannot be updated. 38 | In CamelCase. 39 | More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds 40 | type: string 41 | metadata: 42 | type: object 43 | spec: 44 | description: AdcsRequestSpec defines the desired state of AdcsRequest 45 | properties: 46 | csr: 47 | description: |- 48 | Certificate signing request bytes in PEM encoding. 49 | This will be used when finalizing the request. 50 | This field must be set on the request. 51 | format: byte 52 | type: string 53 | issuerRef: 54 | description: |- 55 | IssuerRef references a properly configured AdcsIssuer which should 56 | be used to serve this AdcsRequest. 57 | If the Issuer does not exist, processing will be retried. 58 | If the Issuer is not an 'ADCS' Issuer, an error will be returned and the 59 | ADCSRequest will be marked as failed. 60 | properties: 61 | group: 62 | description: Group of the resource being referred to. 63 | type: string 64 | kind: 65 | description: Kind of the resource being referred to. 66 | type: string 67 | name: 68 | description: Name of the resource being referred to. 69 | type: string 70 | required: 71 | - name 72 | type: object 73 | required: 74 | - csr 75 | - issuerRef 76 | type: object 77 | status: 78 | description: AdcsRequestStatus defines the observed state of AdcsRequest 79 | properties: 80 | id: 81 | description: |- 82 | ID of the Request assigned by the ADCS. 83 | This will initially be empty when the resource is first created. 84 | The ADCSRequest controller will populate this field when the Request is accepted by ADCS. 85 | This field will be immutable after it is initially set. 86 | type: string 87 | reason: 88 | description: |- 89 | Reason optionally provides more information about a why the AdcsRequest is in 90 | the current state. 91 | type: string 92 | state: 93 | description: |- 94 | State contains the current state of this ADCSRequest resource. 
95 | States 'ready' and 'rejected' are 'final' 96 | enum: 97 | - pending 98 | - ready 99 | - errored 100 | - rejected 101 | type: string 102 | type: object 103 | type: object 104 | served: true 105 | storage: true 106 | subresources: 107 | status: {} 108 | -------------------------------------------------------------------------------- /manifests/CustomResourceDefinition/adcsrequests.adcs.certmanager.csf.nokia.com.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: adcsrequests.adcs.certmanager.csf.nokia.com 8 | spec: 9 | group: adcs.certmanager.csf.nokia.com 10 | names: 11 | kind: AdcsRequest 12 | listKind: AdcsRequestList 13 | plural: adcsrequests 14 | singular: adcsrequest 15 | scope: Namespaced 16 | versions: 17 | - additionalPrinterColumns: 18 | - jsonPath: .status.state 19 | name: State 20 | type: string 21 | name: v1 22 | schema: 23 | openAPIV3Schema: 24 | description: AdcsRequest is the Schema for the adcsrequests API 25 | properties: 26 | apiVersion: 27 | description: 'APIVersion defines the versioned schema of this representation 28 | of an object. Servers should convert recognized schemas to the latest 29 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 30 | type: string 31 | kind: 32 | description: 'Kind is a string value representing the REST resource this 33 | object represents. Servers may infer this from the endpoint the client 34 | submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 35 | type: string 36 | metadata: 37 | type: object 38 | spec: 39 | description: AdcsRequestSpec defines the desired state of AdcsRequest 40 | properties: 41 | csr: 42 | description: Certificate signing request bytes in PEM encoding. This 43 | will be used when finalizing the request. This field must be set 44 | on the request. 45 | format: byte 46 | type: string 47 | issuerRef: 48 | description: IssuerRef references a properly configured AdcsIssuer 49 | which should be used to serve this AdcsRequest. If the Issuer does 50 | not exist, processing will be retried. If the Issuer is not an 'ADCS' 51 | Issuer, an error will be returned and the ADCSRequest will be marked 52 | as failed. 53 | properties: 54 | group: 55 | description: Group of the resource being referred to. 56 | type: string 57 | kind: 58 | description: Kind of the resource being referred to. 59 | type: string 60 | name: 61 | description: Name of the resource being referred to. 62 | type: string 63 | required: 64 | - name 65 | type: object 66 | required: 67 | - csr 68 | - issuerRef 69 | type: object 70 | status: 71 | description: AdcsRequestStatus defines the observed state of AdcsRequest 72 | properties: 73 | id: 74 | description: ID of the Request assigned by the ADCS. This will initially 75 | be empty when the resource is first created. The ADCSRequest controller 76 | will populate this field when the Request is accepted by ADCS. This 77 | field will be immutable after it is initially set. 78 | type: string 79 | reason: 80 | description: Reason optionally provides more information about a why 81 | the AdcsRequest is in the current state. 82 | type: string 83 | state: 84 | description: State contains the current state of this ADCSRequest 85 | resource. 
States 'ready' and 'rejected' are 'final' 86 | enum: 87 | - pending 88 | - ready 89 | - errored 90 | - rejected 91 | type: string 92 | type: object 93 | type: object 94 | served: true 95 | storage: true 96 | subresources: 97 | status: {} 98 | status: 99 | acceptedNames: 100 | kind: "" 101 | plural: "" 102 | conditions: [] 103 | storedVersions: [] 104 | --------------------------------------------------------------------------------