feat(oauth): Implement OAuth 2.0 Client Credentials grant as supported auth mechanism

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: 'gomod'
+    # Raise pull requests for version updates
+    # against the `main` branch
+    target-branch: "main"
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+  - package-ecosystem: 'github-actions'
+    # Raise pull requests for version updates
+    # against the `main` branch
+    target-branch: "main"
+    directory: '/'
+    schedule:
+      interval: 'weekly'

.github/workflows/keyfactor-bootstrap-workflow.yml

@@ -0,0 +1,84 @@
+name: Keyfactor Bootstrap Workflow
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, closed, synchronize, edited, reopened]
+  push:
+  create:
+    branches:
+      - 'release-*.*'
+
+jobs:
+  build:
+    name: Build, Lint, and Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Setup GoLang build environment
+      # https://github.com/actions/setup-go
+      - name: Set up Go 1.x
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      # Download dependencies
+      - run: go mod download
+
+      # Build Go binary
+      - run: go build -v .
+
+      # Run Go linters
+      # https://github.com/golangci/golangci-lint-action
+      - name: Run linters
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        with:
+          version: latest
+
+      # Run Go tests
+      - name: Run go test
+        run: go test -v ./...
+
+  integrationtest:
+    name: Integration Test
+    needs: build
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      # Checkout code
+      # https://github.com/actions/checkout
+      - name: Checkout code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      # Create a single-node K8s cluster with Kind
+      # Then, deploy an ephemeral EJBCA and SignServer
+      - uses: m8rmclaren/ejbca-signserver-k8s@main
+        with:
+          deploy-k8s: 'true'
+          deploy-nginx-ingress: 'true'
+          deploy-signserver: 'false'
+
+      # Run integration test
+      - name: Run integration test
+        run: |
+          chmod +x test/integrationtest.sh
+          ./test/integrationtest.sh
+
+  call-starter-workflow:
+    uses: keyfactor/actions/.github/workflows/starter.yml@v3
+    needs: integrationtest
+    secrets:
+      token: ${{ secrets.V2BUILDTOKEN}}
+      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}
+      docker-user: ${{ secrets.DOCKER_USER }}
+      docker-token:  ${{ secrets.DOCKER_PWD }}
+

.golangci.yml

@@ -0,0 +1,32 @@
+run:
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  timeout: 12m
+
+  skip-dirs:
+    - testdata$
+    - test/mock
+
+  skip-files:
+    - ".*\\.pb\\.go"
+
+linters:
+  enable:
+    - bodyclose
+    - durationcheck
+    - errorlint
+    - goimports
+    - revive
+    - gosec
+    - misspell
+    - nakedret
+    - unconvert
+    - unparam
+    - whitespace
+    - gocritic
+    - nolintlint
+    - govet
+
+linters-settings:
+  revive:
+    # minimal confidence for issues, default is 0.8
+    confidence: 0.0

CHANGELOG.md

@@ -1,3 +1,12 @@
+# 2.2.0
+## Features
+
+### Auth
+- Implement OAuth 2.0 Client Credentials grant as supported auth mechanism
+
+### Testing
+- Refactor unit tests to use fake interfaces and extract integration tests to a shell script that interacts with K8s directly
+
 # v2.1.0
 ## Features
 

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.20 as builder
+FROM golang:1.22.3 as builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -13,7 +13,6 @@ RUN go mod download
 
 # Copy the go source
 COPY main.go main.go
-COPY pkg/ pkg/
 COPY internal/ internal/
 
 # Build

Makefile

@@ -52,9 +52,6 @@ fmt: ## Run go fmt against code.
 vet: ## Run go vet against code.
 	go vet ./...
 
-.PHONY: test
-test: fmt vet envtest ## Run tests.
-
 ##@ Build
 
 .PHONY: regcheck
@@ -98,9 +95,3 @@ docker-buildx: regcheck ## Build and push docker image for the manager for cross
 	- docker buildx rm project-v3-builder
 	rm Dockerfile.cross
 
-##@ Build Dependencies
-
-.PHONY: envtest
-envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
-$(ENVTEST): $(LOCALBIN)
-	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest

README.md

@@ -1,53 +1,55 @@
 
-# ejbca-k8s-csr-signer
 
-An implementation of the Kubernetes CSR signing API that routes Certificate Signing Requests from the cluster to the EJBCA Enrollment API
+# EJBCA K8s CSR Signer
 
-#### Integration status: Production - Ready for use in production environments.
+![Integration Status: production](https://img.shields.io/badge/integration_status-production-3D1973?style=flat-square)
+[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-k8s-csr-signer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-k8s-csr-signer) 
+[![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/keyfactor/ejbca-k8s-csr-signer?label=release)](https://github.com/keyfactor/ejbca-k8s-csr-signer/releases) 
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) 
+[![license](https://img.shields.io/github/license/keyfactor/ejbca-k8s-csr-signer.svg)]()
 
-## About the Keyfactor API Client
 
-This API client allows for programmatic management of Keyfactor resources.
 
-## Support for ejbca-k8s-csr-signer
-
-ejbca-k8s-csr-signer is open source and supported on best effort level for this tool/library/client.  This means customers can report Bugs, Feature Requests, Documentation amendment or questions as well as requests for customer information required for setup that needs Keyfactor access to obtain. Such requests do not follow normal SLA commitments for response or resolution. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com/
-
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
-
----
+## Overview
 
+The EJBCA Certificate Signing Request Proxy for K8s forwards certificate signing requests generated by Kubernetes to [EJBCA](https://www.primekey.com/products/ejbca-enterprise/) for signing by a trusted enterprise certificate authority. The signer operates within the [K8s CertificateSigningRequests API](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and implements a Controller that uses the the V1 CertificateSigningRequests informer to handle associated resources. CSRs are only enrolled if they are approved using an [approver](https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/certificates/approver).
 
----
+> This project uses only the `/ejbca-rest-api/v1/certificate/pkcs10enroll` REST API endpoint, and is compatible with both [EJBCA Community](https://www.ejbca.org/) and [EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/).
 
 
 
-<a href="https://kubernetes.io">
-    <img src="https://kubernetes.io/images/favicon.png" alt="Kubernetes logo" title="K8s" align="left" height="50" />
-</a>
+## Requirements
 
-<a href="https://kubernetes.io">
-    <img src="https://helm.sh/img/helm.svg" alt="Helm logo" title="K8s" align="left" height="50" />
-</a>
+### To build
 
-# EJBCA Certificate Signing Request Proxy for K8s 
+* Docker
+    * [Docker Engine](https://docs.docker.com/engine/install/) or [Docker Desktop](https://docs.docker.com/desktop/)
+* [Git](https://git-scm.com/)
+* [Make](https://www.gnu.org/software/make/)
+* [Go](https://golang.org/) >= v1.23.3
 
-[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-k8s-csr-signer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-k8s-csr-signer) [![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/keyfactor/ejbca-k8s-csr-signer?label=release)](https://github.com/keyfactor/ejbca-k8s-csr-signer/releases) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![license](https://img.shields.io/github/license/keyfactor/ejbca-k8s-csr-signer.svg)]()
+### To use
 
-The EJBCA Certificate Signing Request Proxy for K8s forwards certificate signing requests generated by Kubernetes to [EJBCA](https://www.primekey.com/products/ejbca-enterprise/) for signing by a trusted enterprise certificate authority. The signer operates within the [K8s CertificateSigningRequests API](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and implements a Controller that uses the the V1 CertificateSigningRequests informer to handle associated resources. CSRs are only enrolled if they are approved using an [approver](https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/certificates/approver).
+* [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (v1.11.3 +)
+* Kubernetes (v1.19 +)
+    * [Kubernetes](https://kubernetes.io/docs/tasks/tools/)
+    * [Minikube](https://minikube.sigs.k8s.io/docs/start/)
+    * [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+    * [Docker Desktop](https://docs.docker.com/desktop/kubernetes/)
+    * [Azure Kubernetes](https://azure.microsoft.com/en-us/products/kubernetes-service)
+    * [Amazon EKS](https://aws.amazon.com/eks/)
+    * [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine)
+* Helm (to deploy to Kubernetes)
+    * [Helm](https://helm.sh/docs/intro/install/) (v3.1 +)
+* EJBCA [Community](https://www.ejbca.org/) or EJBCA [Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/) >= v7.7
+  * The "REST Certificate Management" protocol must be enabled under System Configuration > Protocol Configuration.
 
-## Community supported
-We welcome contributions.
+> EJBCA Enterprise is required for the OAuth 2.0 "client credentials" token flow. EJBCA Community only supports mTLS (client certificate) authentication.
 
-The cert-manager external issuer for Keyfactor command is open source and community supported, meaning that there is **no SLA** applicable for these tools.
 
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, see the [contribution guidelines](https://github.com/Keyfactor/command-k8s-csr-signer/blob/main/CONTRIBUTING.md) and use the **[Pull requests](../../pulls)** tab.
 
-## Migration from EJBCA CSR Signer v1.0 to v2.0
+## Getting Started
 
-The EJBCA CSR Signer v2.0 has breaking changes from v1.0. To migrate from v1.0 to v2.0, uninstall the v1.0 deployment and install the v2.0 deployment. The v2.0 deployment uses the same configuration as v1.0, but the configuration is now stored in a Kubernetes ConfigMap. See the [Getting Started](docs/getting-started.markdown) to install the v2.0 deployment.
-
-## Documentation
 * [Getting Started](docs/getting-started.markdown)
 * Usage
   * [Demo usage with Istio](docs/istio-deployment.markdown)
@@ -56,4 +58,25 @@ The EJBCA CSR Signer v2.0 has breaking changes from v1.0. To migrate from v1.0 t
 * [Testing](docs/testing.markdown)
 * [License](LICENSE)
 
+### Migration from EJBCA CSR Signer v1.0 to v2.0
+
+The EJBCA CSR Signer v2.0 has breaking changes from v1.0. To migrate from v1.0 to v2.0, uninstall the v1.0 deployment and install the v2.0 deployment. The v2.0 deployment uses the same configuration as v1.0, but the configuration is now stored in a Kubernetes ConfigMap. See the [Getting Started](docs/getting-started.markdown) to install the v2.0 deployment.
+
+
+
+## Community Support
+
+In the [Keyfactor Community](https://www.keyfactor.com/community/), we welcome contributions. Keyfactor Community software is open-source and community-supported, meaning that **no SLA** is applicable. Keyfactor will address issues as resources become available.
+
+* To report a problem or suggest a new feature, go to [Issues](../../issues).
+* If you want to contribute bug fixes or proposed enhancements, see the [Contributing Guidelines](CONTRIBUTING.md) and create a [Pull request](../../pulls).
+
+## Commercial Support
+
+Commercial support is available for [EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/).
+
+## License
+For license information, see [LICENSE](LICENSE). 
 
+## Related Projects
+See all [Keyfactor EJBCA GitHub projects](https://github.com/orgs/Keyfactor/repositories?q=ejbca).