feat(issuer): add caConfigMap and caBundleKey to deployment chart

irby · irby · commit 35d1481f2116 · 2026-01-20T14:43:51.000-05:00
Signed-off-by: Matthew H. Irby &lt;matt.irby@keyfactor.com&gt;
diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go
@@ -113,6 +113,12 @@ type IssuerSpec struct {
 	// +optional
 	CaBundleConfigMapName string `json:"caBundleConfigMapName,omitempty"`
 
+	// The key in the Secret or ConfigMap containing the CA certificate bundle.
+	// Applies to both caSecretName and caBundleConfigMapName.
+	// If unspecifed, the last key alphabetically in the Secret or ConfigMap data will be used.
+	// +optional
+	CaBundleKey string `json:"caBundleKey,omitempty"`
+
 	// A list of comma separated scopes used when requesting a Bearer token from an ambient token provider implied
 	// by the environment, rather than by commandSecretName. For example, could be set to
 	// api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
diff --git a/cmd/main.go b/cmd/main.go
@@ -69,6 +69,7 @@ func main() {
 	var clusterResourceNamespace string
 	var disableApprovedCheck bool
 	var secretAccessGrantedAtClusterLevel bool
+	var configMapAccessGrantedAtClusterLevel bool
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -84,6 +85,8 @@ func main() {
 		"Disables waiting for CertificateRequests to have an approved condition before signing.")
 	flag.BoolVar(&secretAccessGrantedAtClusterLevel, "secret-access-granted-at-cluster-level", false,
 		"Set this flag to true if the secret access is granted at cluster level. This will allow the controller to access secrets in any namespace. ")
+	flag.BoolVar(&configMapAccessGrantedAtClusterLevel, "configmap-access-granted-at-cluster-level", false,
+		"Set this flag to true if the config map access is granted at cluster level. This will allow the controller to access config maps in any namespace. ")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -126,16 +129,31 @@ func main() {
 	}
 
 	var cacheOpts cache.Options
-	if secretAccessGrantedAtClusterLevel {
-		setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
-	} else {
-		setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
+
+	// Build the ByObject map if either resource is namespace-scoped
+	if !secretAccessGrantedAtClusterLevel || !configMapAccessGrantedAtClusterLevel {
+		byObject := make(map[client.Object]cache.ByObject)
+
+		if !secretAccessGrantedAtClusterLevel {
+			setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 Secret resources in the %q namespace", clusterResourceNamespace))
+			byObject[&corev1.Secret{}] = cache.ByObject{
+				Namespaces: map[string]cache.Config{clusterResourceNamespace: {}},
+			}
+		} else {
+			setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 Secret resources at cluster level")
+		}
+
+		if !configMapAccessGrantedAtClusterLevel {
+			setupLog.Info(fmt.Sprintf("expecting SA to have Get+List+Watch permissions for corev1 ConfigMap resources in the %q namespace", clusterResourceNamespace))
+			byObject[&corev1.ConfigMap{}] = cache.ByObject{
+				Namespaces: map[string]cache.Config{clusterResourceNamespace: {}},
+			}
+		} else {
+			setupLog.Info("expecting SA to have Get+List+Watch permissions for corev1 ConfigMap resources at cluster level")
+		}
+
 		cacheOpts = cache.Options{
-			ByObject: map[client.Object]cache.ByObject{
-				&corev1.Secret{}: {
-					Namespaces: map[string]cache.Config{clusterResourceNamespace: cache.Config{}},
-				},
-			},
+			ByObject: byObject,
 		}
 	}
 
diff --git a/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
@@ -59,6 +59,12 @@ spec:
                   the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
                   are specified, caBundleConfigMapName will take precedence.
                 type: string
+              caBundleKey:
+                description: |-
+                  The key in the Secret or ConfigMap containing the CA certificate bundle.
+                  Applies to both caSecretName and caBundleConfigMapName.
+                  If unspecifed, the last key alphabetically in the Secret or ConfigMap data will be used.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying
diff --git a/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
@@ -59,6 +59,12 @@ spec:
                   the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
                   are specified, caBundleConfigMapName will take precedence.
                 type: string
+              caBundleKey:
+                description: |-
+                  The key in the Secret or ConfigMap containing the CA certificate bundle.
+                  Applies to both caSecretName and caBundleConfigMapName.
+                  If unspecifed, the last key alphabetically in the Secret or ConfigMap data will be used.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -46,11 +46,25 @@ spec:
                 description: APIPath is the base path of the Command API. KeyfactorAPI
                   by default
                 type: string
+              caBundleConfigMapName:
+                description: |-
+                  The name of the ConfigMap containing the CA bundle to use when verifying
+                  Command's server certificate. If specified, the CA bundle will be added to
+                  the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
+                  are specified, caBundleConfigMapName will take precedence.
+                type: string
+              caBundleKey:
+                description: |-
+                  The key in the Secret or ConfigMap containing the CA certificate bundle.
+                  Applies to both caSecretName and caBundleConfigMapName.
+                  If unspecifed, the last key alphabetically in the Secret or ConfigMap data will be used.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying
                   Command's server certificate. If specified, the CA bundle will be added to
-                  the client trust roots for the Command issuer.
+                  the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
+                  are specified, caBundleConfigMapName will take precedence.
                 type: string
               certificateAuthorityHostname:
                 description: |-
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
@@ -46,11 +46,25 @@ spec:
                 description: APIPath is the base path of the Command API. KeyfactorAPI
                   by default
                 type: string
+              caBundleConfigMapName:
+                description: |-
+                  The name of the ConfigMap containing the CA bundle to use when verifying
+                  Command's server certificate. If specified, the CA bundle will be added to
+                  the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
+                  are specified, caBundleConfigMapName will take precedence.
+                type: string
+              caBundleKey:
+                description: |-
+                  The key in the Secret or ConfigMap containing the CA certificate bundle.
+                  Applies to both caSecretName and caBundleConfigMapName.
+                  If unspecifed, the last key alphabetically in the Secret or ConfigMap data will be used.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying
                   Command's server certificate. If specified, the CA bundle will be added to
-                  the client trust roots for the Command issuer.
+                  the client trust roots for the Command issuer. If both caSecretName and caBundleConfigMapName
+                  are specified, caBundleConfigMapName will take precedence.
                 type: string
               certificateAuthorityHostname:
                 description: |-
diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
@@ -36,6 +36,9 @@ spec:
             {{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
             - --secret-access-granted-at-cluster-level
             {{- end}}
+            {{- if .Values.secretConfig.useClusterRoleForConfigMapAccess}}
+            - --configmap-access-granted-at-cluster-level
+            {{- end}}
           command:
             - /manager
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
diff --git a/deploy/charts/command-cert-manager-issuer/templates/role.yaml b/deploy/charts/command-cert-manager-issuer/templates/role.yaml
@@ -40,3 +40,19 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRole{{ else }}Role{{ end }}
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-configmap-reader-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml b/deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml
@@ -27,3 +27,18 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRoleBinding{{ else }}RoleBinding{{ end }}
+metadata:
+  labels:
+    {{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-configmap-reader-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ if .Values.secretConfig.useClusterRoleForConfigMapAccess }}ClusterRole{{ else }}Role{{ end }}
+  name: {{ include "command-cert-manager-issuer.name" . }}-configmap-reader-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -23,6 +23,15 @@ secretConfig:
   # namespace the chart is deployed in.
   useClusterRoleForSecretAccess: false
 
+  # If true, when using Issuer resources, the configmap resource must be created in the same namespace as the
+  # Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the config map
+  # API at the cluster level.
+  #
+  # If false, both Issuer and ClusterIssuer must reference a config map in the same namespace as the chart/reconciler.
+  # This access is facilitated by granting the ServiceAccount [get, list, watch] for the config map API only for the
+  # namespace the chart is deployed in.
+  useClusterRoleForConfigMapAccess: false
+
 crd:
   # Specifies whether CRDs will be created
   create: true
diff --git a/e2e/run_tests.sh b/e2e/run_tests.sh
@@ -80,6 +80,7 @@ CERTIFICATEREQUEST_CRD_FQTN="certificaterequests.cert-manager.io"
 
 CA_CERTS_PATH="e2e/certs"
 CA_SECRET_NAME="ca-trust-secret"
+CA_CONFIG_MAP_NAME="ca-trust-configmap"
 
 
 CR_CR_NAME="req"
@@ -528,6 +529,33 @@ regenerate_ca_secret() {
     echo "✅ CA secret regenerated successfully"
 }
 
+create_ca_config_map() {
+    echo "🔐 Creating CA config map resource..."
+    
+    check_for_certificates
+    
+    kubectl -n ${MANAGER_NAMESPACE} create configmap $CA_CONFIG_MAP_NAME --from-file=$CA_CERTS_PATH
+    
+    echo "✅ CA config map '$CA_CONFIG_MAP_NAME' created successfully"
+}
+
+delete_ca_config_map() {
+    echo "🗑️ Deleting CA config map..."
+
+    kubectl -n ${MANAGER_NAMESPACE} delete configmap $CA_CONFIG_MAP_NAME || true
+
+    echo "✅ CA config map '$CA_CONFIG_MAP_NAME' deleted successfully"
+}
+
+regenerate_ca_config_map() {
+    echo "🔄 Regenerating CA config map..."
+
+    delete_ca_config_map
+    create_ca_config_map
+
+    echo "✅ CA config map regenerated successfully"
+}
+
 
 # ================= BEGIN: Resource Deployment =====================
 
@@ -812,8 +840,64 @@ check_certificate_request_status
 echo "🧪✅ Test 104 completed successfully."
 echo ""
 
+## ===================  END: Annotation Tests    ============================
+
+## ===================  BEGIN: CA Secret / ConfigMap Tests    ============================
+
+if [[ "$DISABLE_CA_CHECK" == "true" ]]; then
+    echo "⚠️ Skipping CA Secret / ConfigMap Tests as DISABLE_CA_CHECK is set to true"
+else
+    echo "🧪💬 Test 200: Use Secret for CA Bundle"
+    regenerate_issuer
+    delete_issuer_specification_field caSecretName Issuer
+    regenerate_ca_secret
+    add_issuer_specification_field caSecretName "\"$CA_SECRET_NAME\"" Issuer
+    regenerate_certificate_request Issuer
+    approve_certificate_request
+    check_certificate_request_status
+    echo "🧪✅ Test 200 completed successfully."
+    echo ""
+
+    echo "🧪💬 Test 201: Use ConfigMap for CA Bundle"
+    regenerate_issuer
+    delete_issuer_specification_field caSecretName Issuer
+    regenerate_ca_config_map
+    add_issuer_specification_field caBundleConfigMapName "\"$CA_CONFIG_MAP_NAME\"" Issuer
+    regenerate_certificate_request Issuer
+    approve_certificate_request
+    check_certificate_request_status
+    echo "🧪✅ Test 201 completed successfully."
+    echo ""
+
+    echo "🧪💬 Test 202: Use Secret with CA Key"
+    regenerate_issuer
+    delete_issuer_specification_field caSecretName Issuer
+    regenerate_ca_secret
+    add_issuer_specification_field caSecretName "\"$CA_SECRET_NAME\"" Issuer
+    add_issuer_specification_field caBundleKey "\"ca.crt\"" Issuer
+    regenerate_certificate_request Issuer
+    approve_certificate_request
+    check_certificate_request_status
+    echo "🧪✅ Test 202 completed successfully."
+    echo ""
+
+    echo "🧪💬 Test 203: Use ConfigMap with CA Key"
+    regenerate_issuer
+    delete_issuer_specification_field caSecretName Issuer
+    regenerate_ca_config_map
+    add_issuer_specification_field caBundleConfigMapName "\"$CA_CONFIG_MAP_NAME\"" Issuer
+    add_issuer_specification_field caBundleKey "\"ca.crt\"" Issuer
+    regenerate_certificate_request Issuer
+    approve_certificate_request
+    check_certificate_request_status
+    echo "🧪✅ Test 203 completed successfully."
+    echo ""
+fi
+
+
+
 echo "🎉🎉🎉 Tests have completed successfully!"
 
-## ===================  END: Annotation Tests    ============================
+## ===================  END: CA Secret / ConfigMap Tests    ============================
 
 # ================= END: Test Execution ========================
diff --git a/internal/controller/issuer_controller.go b/internal/controller/issuer_controller.go
@@ -42,6 +42,7 @@ var (
 	errGetAuthSecret        = errors.New("failed to get Secret containing Issuer credentials")
 	errGetCaConfigMap       = errors.New("caBundleConfigMapName specified a name, but failed to get ConfigMap containing CA certificate")
 	errGetCaSecret          = errors.New("caSecretName specified a name, but failed to get Secret containing CA certificate")
+	errGetCaBundleKey       = errors.New("failed to get CA bundle key from CA certificate data")
 	errHealthCheckerBuilder = errors.New("failed to build the healthchecker")
 	errHealthCheckerCheck   = errors.New("healthcheck failed")
 )
@@ -248,11 +249,18 @@ func commandConfigFromIssuer(ctx context.Context, c client.Client, issuer comman
 	}
 
 	var caCertBytes []byte
-	// There is no requirement that the CA certificate is stored under a specific
-	// key in the secret, so we can just iterate over the map and effectively select
-	// the last value in the map
-	for _, bytes := range caData {
-		caCertBytes = bytes
+
+	if issuer.GetSpec().CaBundleKey != "" {
+		caCert, ok := caData[issuer.GetSpec().CaBundleKey]
+		if !ok {
+			return nil, fmt.Errorf("%w: caBundleKey '%s' not found in CA bundle data", errGetCaBundleKey, issuer.GetSpec().CaBundleKey)
+		}
+		caCertBytes = caCert
+	} else {
+		// If no caBundleKey is specified, take the last entry in the caData map
+		for _, bytes := range caData {
+			caCertBytes = bytes
+		}
 	}
 
 	return &command.Config{
diff --git a/internal/controller/issuer_controller_test.go b/internal/controller/issuer_controller_test.go
