Add missing namespace specification + address linting issues#66
Merged
indrora merged 8 commits intorelease-2.5from Apr 30, 2026
Merged
Add missing namespace specification + address linting issues#66indrora merged 8 commits intorelease-2.5from
indrora merged 8 commits intorelease-2.5from
Conversation
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves Helm-rendered manifest safety and observability by enforcing explicit namespaces on namespace-scoped RBAC resources, adding Conftest policy checks for rendered manifests, and enhancing logging/error-wrapping in the controller + Command client.
Changes:
- Add Conftest Rego policies and CI/local targets to lint Helm-rendered manifests (including new CI values matrices).
- Ensure Helm templates explicitly set
metadata.namespacewhere appropriate and add RBAC finalizer permissions. - Improve Go code quality: better error wrapping (
%w), log response bodies on failed enrollment, and address lint/test cleanups.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
policy/serviceaccounts.rego |
New Conftest policy requiring explicit namespace on ServiceAccounts. |
policy/roles.rego |
New Conftest policies for Role/RoleBinding namespaces and RBAC hygiene checks. |
internal/controller/issuer_controller_test.go |
Test refactors to use a single API import alias. |
internal/controller/issuer_controller.go |
Improve error wrapping; minor control-flow cleanup. |
internal/controller/certificaterequest_controller_test.go |
Remove unused crypto helpers/imports. |
internal/controller/certificaterequest_controller.go |
Improve error wrapping; add success log line after signing. |
internal/command/command_test.go |
Add coverage to assert failed EnrollCSR response body is included in error output. |
internal/command/command.go |
Include failed enrollment response body in error details; remove unused context plumb-through. |
internal/command/client_test.go |
Update tests for printClaims no longer returning an error. |
internal/command/client.go |
Change GetAllMetadataFields API to close response body internally; make printClaims fire-and-forget. |
deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml |
Add explicit namespace to ServiceAccount metadata. |
deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml |
Add explicit namespaces to namespaced RoleBindings; conditionally omit for ClusterRoleBinding. |
deploy/charts/command-cert-manager-issuer/templates/role.yaml |
Add explicit namespaces to namespaced Roles; conditionally omit for ClusterRole. |
deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml |
Add finalizer subresource permission for clusterissuers. |
deploy/charts/command-cert-manager-issuer/ci/default-values.yaml |
Add CI values file to exercise namespaced RBAC paths. |
deploy/charts/command-cert-manager-issuer/ci/cluster-access-values.yaml |
Add CI values file to exercise cluster-wide RBAC paths. |
cmd/main.go |
Simplify error creation (use fmt.Errorf). |
api/v1alpha1/issuer_types_test.go |
Fix time comparison usage in tests. |
api/v1alpha1/issuer_types.go |
Minor slice manipulation cleanup in UnsetCondition. |
Makefile |
Add conftest/kube-linter tooling + manifest linting targets; update golangci-lint version/install logic. |
CONTRIBUTING.md |
Document local linting/testing workflow and Helm manifest linting. |
CHANGELOG.md |
Add release notes for v2.5.2. |
.kube-linter.yaml |
Add baseline kube-linter configuration. |
.golangci.yml |
Update golangci-lint configuration for v2 format and enable goimports formatter. |
.github/workflows/test.yml |
Restructure CI jobs to include linting + manifest checks (but currently drops running unit tests). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves Kubernetes manifest hygiene and CI enforcement for the Helm chart, while also tightening Go error wrapping/logging and addressing various lint-driven refactors across controllers and Command client code.
Changes:
- Add Conftest Rego policies to enforce explicit namespaces on namespace-scoped RBAC/ServiceAccounts (and other RBAC correctness checks).
- Update Helm templates (ServiceAccount/Role/RoleBinding) to explicitly set namespaces and add CI values files for manifest linting scenarios.
- Refine Go codebase linting/error-handling (more
%wwrapping, improved error detail logging for failed enrollment calls) and update CI workflow + lint configuration.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
policy/serviceaccounts.rego |
New Conftest policy requiring ServiceAccounts to set metadata.namespace. |
policy/roles.rego |
New Conftest policies for Role/RoleBinding namespace enforcement and RBAC/Deployment checks. |
deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml |
Set ServiceAccount namespace explicitly from .Release.Namespace. |
deploy/charts/command-cert-manager-issuer/templates/role.yaml |
Set Role namespace explicitly (and conditionally for cluster-scoped variants). |
deploy/charts/command-cert-manager-issuer/templates/rolebinding.yaml |
Set RoleBinding namespace explicitly (and conditionally for cluster-scoped variants). |
deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml |
Add finalizers subresource to RBAC rules. |
deploy/charts/command-cert-manager-issuer/ci/default-values.yaml |
Add CI values file for namespace-scoped RBAC path testing. |
deploy/charts/command-cert-manager-issuer/ci/cluster-access-values.yaml |
Add CI values file for cluster-scoped RBAC + secure metrics path testing. |
Makefile |
Add Helm/conftest manifest lint targets and tooling installs; bump linter versions. |
.github/workflows/test.yml |
Split build/test and lint jobs; add Helm + manifest linting + CRD drift checks. |
.golangci.yml |
Update golangci-lint configuration format, linters, and formatter settings. |
.kube-linter.yaml |
Add kube-linter configuration scaffold. |
CONTRIBUTING.md |
Add contributor guidance for linting/manifests/policies and local workflows. |
CHANGELOG.md |
Add v2.5.2 entry describing the fixes/chores in this PR. |
cmd/main.go |
Improve health check interval validation error construction. |
internal/controller/issuer_controller.go |
Use %w wrapping and simplify secret type switch. |
internal/controller/issuer_controller_test.go |
Lint-driven import/type alias cleanup in tests. |
internal/controller/certificaterequest_controller.go |
Use %w wrapping and add a success log on signing completion. |
internal/controller/certificaterequest_controller_test.go |
Remove unused crypto helpers/imports from tests. |
api/v1alpha1/issuer_types.go |
Fix/clean up condition removal logic to mutate the backing slice directly. |
api/v1alpha1/issuer_types_test.go |
Update LastTransitionTime assertion to match type API. |
internal/command/client.go |
Change metadata fields API to close response body internally; make JWT claim printing non-error-returning. |
internal/command/client_test.go |
Align tests with printClaims no longer returning errors. |
internal/command/command.go |
Improve enrollment error detail construction and refactor request builder signatures. |
internal/command/command_test.go |
Add coverage asserting enrollment error includes response body content; refactor to match API changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
indrora
added a commit
that referenced
this pull request
Apr 30, 2026
* feat: release 2.5.0 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation * release: 2.5.1 * feat: release 2.5.0 (#62) 2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> * feat: add client caching to reduce OAuth token requests Previously, every certificate request reconciliation created a new Command API client, which meant a new OAuth token was fetched for each request. For customers with OAuth provider quotas, this caused rate limiting issues. This change introduces a ClientCache that: - Caches Command API clients by configuration hash - Reuses cached clients across reconciliations for the same issuer - Allows the underlying oauth2 library's token caching to work as intended - Is thread-safe for concurrent reconciliations The cache key is a SHA-256 hash of all configuration fields that affect the client connection (hostname, API path, credentials, scopes, etc.), ensuring different issuers get different clients while the same issuer reuses its client. Fixes: OAuth token re-authentication on every request Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore(scripts): update scripting usability * feat: update keyfactor-auth-client-go to v1.3.1 Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: remove test short circuit Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Revert "Potential fix for pull request finding" This reverts commit 19bc19b. * chore: cleanup Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: break build & test into its own workflow Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: remove lint from CI Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore(docs): update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Morgan Gangwere <470584+indrora@users.noreply.github.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add missing namespace specification + address linting issues (#66) * fix: log errors from Enrollment API call Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * fix: add missing namespaces, add linting to catch issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: add linting Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: address lint issues Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: update CHANGELOG Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * chore: apply copilot feedback Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: fix typo Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> * feat: copilot suggestions Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> --------- Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Matthew H. Irby <irby@users.noreply.github.com> Co-authored-by: spb <1661003+spbsoluble@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matthew H. Irby <matt.irby@keyfactor.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes
kubectl apply -fdirectly with the rendered template.Chores