Merge a1f5029 into 995344a

Author: irby

.github/workflows/test.yml

@@ -1,10 +1,16 @@
-name: test
-on: [workflow_dispatch, push, pull_request]
+name: Build Test and Lint
+on: 
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
 jobs:
   build:
-    name: Build and Lint
+    name: Build and Test
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     steps:
       # Checkout code
       # https://github.com/actions/checkout
@@ -25,25 +31,13 @@ jobs:
       # Build Go binary
       - run: go build -v cmd/main.go
 
-      # Run Go linters
-      # https://github.com/golangci/golangci-lint-action
-      - name: Run linters
-        uses: golangci/golangci-lint-action@v7
-        with:
-          version: v2.4.0
+      - run: go test ./...
 
-      - name: Regenerate CRDs
-        run: make generate manifests
-      - name: Check for CRD drift
-        run: |
-          git diff --compact-summary --exit-code || \
-            (echo; echo "Unexpected difference in directories after code generation. Run 'make generate manifests' and commit."; exit 1)
-
-  test:
-    name: Go Test
+  lint:
+    name: Lint
     needs: build
     runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: 10
     steps:
       # Checkout code
       # https://github.com/actions/checkout
@@ -58,9 +52,25 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
 
-      # Run Go tests
-      - name: Run go test
-        run: go test -v ./...
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+      
+      # Run Go linters
+      # https://github.com/golangci/golangci-lint-action
+      - name: Run linters
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: v2.4.0
+
+      - name: Regenerate CRDs
+        run: make generate manifests
+      - name: Check for CRD drift
+        run: |
+          git diff --compact-summary --exit-code -- config/crd deploy/charts || \
+            (echo; echo "Unexpected difference in directories after code generation. Run 'make generate manifests' and commit."; exit 1)
+
+      - name: Lint Helm manifests
+        run: make lint-manifests
 
   ## TODO: These integration tests are breaking in GitHub Actions. Need to investigate further as to why.
   # integration:

.kube-linter.yaml

@@ -0,0 +1,6 @@
+checks:
+  addAllBuiltIn: true
+  # Add project-specific exclusions below as needed, e.g.:
+  # exclude:
+  #   - "unset-cpu-requirements"
+  #   - "unset-memory-requirements"

CHANGELOG.md

@@ -1,3 +1,9 @@
+# v2.2.1
+## Fixes
+- Update Role and RoleBinding resources to have correct namespace when `secretConfig.useClusterRoleForConfigMapAccess` is set to `false` in Helm chart values.
+## Chores:
+- Update GitHub Actions workflow to check for policy enforcement on Helm chart rendered manifests in addition to checking for drift in generated CRDs.
+
 # v2.2.0
 ## Features:
 - Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the caBundleConfigMapName specification.

CONTRIBUTING.md

@@ -7,6 +7,8 @@ For information on how to contribute to EJBCA and related tools, see [EJBCA Cont
 ## Requirements
 - Go (>= 1.25)
 - golangci-lint (>= 2.4.0) ([installation notes](https://github.com/golangci/golangci-lint?tab=readme-ov-file#install-golangci-lint))
+- helm (>= 3.x) — required to render chart templates for manifest linting ([installation notes](https://helm.sh/docs/intro/install/))
+- conftest — policy testing tool powered by Open Policy Agent; installed automatically by `make lint-manifests`
 
 ## Installing dependencies
 Project dependencies can be installed by running the following:
@@ -35,6 +37,43 @@ The project uses golangci-lint to lint the codebase. The following command can b
 golangci-lint run
 ```
 
+## Updating generated manifests
+
+This command will update the generated custom resource definitions under `config/crd/bases`:
+
+```bash
+make generate manifests
+```
+
+> [!IMPORTANT]
+> There is no automated process to automatically update the CRDs under `deploy/charts/ejbca-cert-manager-issuer`. If any changes are made to the CRDs, the generated CRDs under `config/crd/bases` must be copied to `deploy/charts/ejbca-cert-manager-issuer/crds` to ensure the Helm chart is up to date.
+
+## Linting Helm manifests
+
+The Helm chart under `deploy/charts/ejbca-cert-manager-issuer` is linted with two tools on every PR:
+
+- **conftest** — runs custom Rego policies located in the [`policy/`](policy/) directory against the rendered manifests
+
+To run both checks locally:
+
+```bash
+make lint-manifests
+```
+
+`conftest` is downloaded automatically into `bin/` on first use; no manual installation is required.
+
+To inspect the rendered templates without linting:
+
+```bash
+make helm-template
+```
+
+### Adding or modifying policies
+
+Rego policies live in [`policy/`](policy/). Each `.rego` file in that directory is evaluated by conftest against every resource in the rendered chart. Add a new `.rego` file to enforce additional rules. For example, `policy/roles.rego` enforces that all `Role` resources declare an explicit namespace.
+
+kube-linter checks can be tuned in [.kube-linter.yaml](.kube-linter.yaml). To exclude a check, add its name under the `exclude` key.
+
 ## Running end-to-end tests
 A comprehensive end-to-end test suite is available to verify the issuer code works against cert-manager and an EJBCA instance.
 

Makefile

@@ -20,6 +20,10 @@ endif
 # tools. (i.e. podman)
 CONTAINER_TOOL ?= docker
 
+# Helm chart and Conftest policy directory for manifest linting
+HELM_CHART_DIR ?= deploy/charts/ejbca-cert-manager-issuer
+POLICY_DIR ?= policy
+
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
 SHELL = /usr/bin/env bash -o pipefail
@@ -84,6 +88,20 @@ lint: golangci-lint ## Run golangci-lint linter & yamllint
 lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 	$(GOLANGCI_LINT) run --fix
 
+.PHONY: helm-template
+helm-template: ## Render Helm chart templates to stdout (includes CRDs).
+	helm template ejbca-cert-manager-issuer $(HELM_CHART_DIR) --include-crds
+
+.PHONY: lint-manifests
+lint-manifests: conftest ## Run Conftest policy checks against every CI values file in $(HELM_CHART_DIR)/ci/.
+	@failed=0; \
+	for f in $(HELM_CHART_DIR)/ci/*-values.yaml; do \
+		echo "==> $$(basename $$f)"; \
+		helm template ejbca-cert-manager-issuer $(HELM_CHART_DIR) --include-crds -f "$$f" \
+			| $(CONFTEST) test --policy $(POLICY_DIR) - || failed=1; \
+	done; \
+	exit $$failed
+
 ##@ Build
 
 .PHONY: build
@@ -168,12 +186,16 @@ KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION)
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION)
 ENVTEST ?= $(LOCALBIN)/setup-envtest-$(ENVTEST_VERSION)
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
+KUBE_LINTER = $(LOCALBIN)/kube-linter-$(KUBE_LINTER_VERSION)
+CONFTEST = $(LOCALBIN)/conftest-$(CONFTEST_VERSION)
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.3.0
 CONTROLLER_TOOLS_VERSION ?= v0.17.3
 ENVTEST_VERSION ?= latest
 GOLANGCI_LINT_VERSION ?= v2.4.0
+KUBE_LINTER_VERSION ?= v0.6.8
+CONFTEST_VERSION ?= v0.60.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -200,6 +222,16 @@ $(GOLANGCI_LINT): $(LOCALBIN)
 	mv $(LOCALBIN)/golangci-lint $(GOLANGCI_LINT) ;\
 	}
 
+.PHONY: kube-linter
+kube-linter: $(KUBE_LINTER) ## Download kube-linter locally if necessary.
+$(KUBE_LINTER): $(LOCALBIN)
+	$(call go-install-tool,$(KUBE_LINTER),golang.stackrox.io/kube-linter/cmd/kube-linter,$(KUBE_LINTER_VERSION))
+
+.PHONY: conftest
+conftest: $(CONFTEST) ## Download conftest locally if necessary.
+$(CONFTEST): $(LOCALBIN)
+	$(call go-install-tool,$(CONFTEST),github.com/open-policy-agent/conftest,$(CONFTEST_VERSION))
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)
 # $2 - package url which can be installed

deploy/charts/ejbca-cert-manager-issuer/ci/cluster-access-values.yaml

@@ -0,0 +1,7 @@
+# Cluster-wide access configuration — exercises ClusterRole/ClusterRoleBinding
+# paths for secret and configmap access, and enables secure metrics.
+secretConfig:
+  useClusterRoleForSecretAccess: true
+  useClusterRoleForConfigMapAccess: true
+metrics:
+  secure: true

deploy/charts/ejbca-cert-manager-issuer/ci/default-values.yaml

@@ -0,0 +1,7 @@
+# Default configuration — all flags at their chart defaults.
+# Role/RoleBinding namespace-scoped paths are exercised.
+secretConfig:
+  useClusterRoleForSecretAccess: false
+  useClusterRoleForConfigMapAccess: false
+metrics:
+  secure: false

deploy/charts/ejbca-cert-manager-issuer/templates/clusterrole.yaml

@@ -78,20 +78,4 @@ rules:
       - /metrics
     verbs:
       - get
-{{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRole{{ else }}Role{{ end }}
-metadata:
-  labels:
-    {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
-  name: {{ include "ejbca-cert-manager-issuer.name" . }}-configmap-reader-role
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
+{{- end }}

deploy/charts/ejbca-cert-manager-issuer/templates/role.yaml

@@ -24,4 +24,23 @@ rules:
       - events
     verbs:
       - create
-      - patch
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRole{{ else }}Role{{ end }}
+metadata:
+  labels:
+    {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "ejbca-cert-manager-issuer.name" . }}-configmap-reader-role
+  {{- if not .Values.secretConfig.useClusterRoleForConfigMapAccess }}  
+  namespace: {{ .Release.Namespace }}  
+  {{- end }}  
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch

deploy/charts/ejbca-cert-manager-issuer/templates/rolebinding.yaml

@@ -20,6 +20,9 @@ metadata:
   labels:
     {{- include "ejbca-cert-manager-issuer.labels" . | nindent 4 }}
   name: {{ include "ejbca-cert-manager-issuer.name" . }}-configmap-reader-rolebinding
+  {{- if not .Values.secretConfig.useClusterRoleForConfigMapAccess }}  
+  namespace: {{ .Release.Namespace }}  
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRole{{ else }}Role{{ end }}