Keyfactor · irby · Feb 26, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/.gitignore b/.gitignore
@@ -19,4 +19,7 @@ bin
 # Helm
 *.tgz
 
-.DS_Store
+# VS Code configuration
+.vscode/
+
+.DS_Store
diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go
@@ -81,6 +81,14 @@ type IssuerSpec struct {
 	// effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
 	// +optional
 	Scopes string `json:"scopes,omitempty"`
+
+	// The audience value used when requesting a Bearer token from an ambient token provider implied
+	// by the environment, rather than by commandSecretName. For example, could be set to
+	// https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+	// the URL of your Command environment.Has no effect on OAuth 2.0 Client Credential configuration - please specify
+	// the audience for this method in an Opaque secret.
+	// +optional
+	Audience string `json:"audience,omitempty"`
 }
 
 func (i *Issuer) GetStatus() *IssuerStatus {

diff --git a/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
@@ -85,6 +85,13 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

diff --git a/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
@@ -85,6 +85,13 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: command-issuer
-  newTag: latest
+  newName: keyfactor/command-cert-manager-issuer
+  newTag: 2.1.0-rc.0
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -71,7 +71,7 @@ spec:
         args:
         - --leader-elect
         image: controller:latest
-        imagePullPolicy: Never
+        imagePullPolicy: IfNotPresent
         name: manager
         securityContext:
           allowPrivilegeEscalation: false

diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -87,6 +87,13 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
@@ -87,6 +87,13 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/cert-manager/cert-manager v1.16.2
 	github.com/go-logr/logr v1.4.2
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/oauth2 v0.26.0
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/client-go v0.31.1
@@ -17,7 +17,24 @@ require (
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.5.1 // indirect
+	cloud.google.com/go/auth v0.15.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
+	google.golang.org/grpc v1.70.0 // indirect
+)
+
+require (
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
@@ -45,7 +62,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
@@ -76,15 +93,16 @@ require (
 	go.mozilla.org/pkcs7 v0.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.32.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/api v0.223.0
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect