- feat(signer): Signer recognizes
metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command. - feat(release): Container build and release now uses GitHub Actions.
- fix(helm): CRDs now correspond to correct values for the
command-issuer. - fix(helm): Signer Helm Chart now includes a
secureMetricsvalue to enable/disable sidecar RBAC container for further protection of the/metricsendpoint. - fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
- fix(role): Removed permissions for
configmapsresource types for theleader-election-rolerole.
- feat(controller): Implement Kubernetes
client-goREST client for Secret/ConfigMap retrieval to bypasscontroller-runtimecaching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
- fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
- fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
- Implement OAuth 2.0 Client Credentials grant as an authentication mechanism.
- Implement Azure Workload Identity as an authentication mechanism.
- Refactor Command signer module to remove tight dependency on Issuer/ClusterIssuer types.
- Migrate Kubebuilder from go/v3 to go/v4:
- Upgrade kustomize version to v5.3.0.
- Upgrade controller-gen to v0.14.0.
- Refactor unit tests to use fake Command API instead of requiring live Command server.
- Write e2e integration test.