Merge branch 'release-candidate' into add-notafter-notbefore-calculation

.gitignore

@@ -15,17 +15,18 @@
 builds/
 bin/
 
-# Intelij setting
-.idea/
+
 
 # Dependency directories
 vendor/
 
 # Go workspace file
 go.work
 
+#VSCode settings folder
+.vscode/
 
-#Intelij setting folder
+#Intelij settings folder
 .idea/
 
 #test reports and coverage

README.md

@@ -18,7 +18,7 @@
 
 ncm-issuer is a [Kubernetes](https://kubernetes.io) controller (external [cert-manager](https://cert-manager.io/) issuer) that allows to integrate with
 [Nokia NetGuard Certificate Manager (NCM)](https://www.nokia.com/networks/products/pki-authority-with-netguard-certificate-manager/)
-PKI system to sign certificate requests. The integration with NCM makes it easy to obtain non-selfsigned certificates for
+PKI system to sign certificate requests. The integration with NCM makes it easy to obtain non self-signed certificates for
 applications and to ensure that they are valid and up to date.
 
 ## Table of contents
@@ -45,7 +45,7 @@ applications and to ensure that they are valid and up to date.
 
 Prerequisites for building and using ncm-issuer:
 
-* [NCM](https://www.nokia.com/networks/products/pki-authority-with-netguard-certificate-manager/) release 21 or later,
+* [NCM](https://www.nokia.com/networks/products/pki-authority-with-netguard-certificate-manager/) release 23 or later,
 * [Kubernetes](https://kubernetes.io) version 1.24 - 1.29,
 * [cert-manager](https://cert-manager.io/) version 1.0.0 or later,
 * [Docker](https://docs.docker.com/engine/install/) version 20.10.0 or later,
@@ -286,6 +286,7 @@ Once the `Issuer` was successfully created, it is now time to sign the first cer
     name: example-ncm-certificate
     namespace: example-ncm-ns
   spec:
+    duration: 4382h
     commonName: example-ncm-certificate-nokia-ncm.local
     dnsNames:
     - example-ncm-certificate-nokia-ncm.local
@@ -307,6 +308,8 @@ Once the `Issuer` was successfully created, it is now time to sign the first cer
   EOF
   ```
 
+NOTE: Duration parameter is ignored, unless NCM release >= `24.11` (with REST API >= `1.13`) is used and CA's `set-validity-period` policy module's `Overwrite Old` parameter is set to false
+
 Then we can check the status of our newly issued certificate:
 
   ```bash
@@ -327,9 +330,9 @@ and whether it has corresponding Secret referenced:
 
 Additionally, in NCM GUI we can also find our newly issued certificate.
 
-### Renewing or reenrolling certificate
+### Renewing or re-enrolling certificate
 
-When it comes to renewing or reenrolling certificates, ncm-issuer will take care of this and
+When it comes to renewing or re-enrolling certificates, ncm-issuer will take care of this and
 do it before the certificate expires (the renewal grace period
 depends on the defined values in `Certificate` resource).
 
@@ -338,14 +341,14 @@ setting certain PK rotation policy in `Certificate` resource.
 
 |               Field               |  Operation   |             Value             |
 |:---------------------------------:|:------------:|:-----------------------------:|
-| `.spec.privateKey.rotationPolicy` | Reenrollment |           "Always"            |
+| `.spec.privateKey.rotationPolicy` | Re-enrollment |           "Always"            |
 | `.spec.privateKey.rotationPolicy` |   Renewal    | "Never" or not even specified |
 
-**:loudspeaker: Attention:** There is also an option for enforcing the reenrollment on
+**:loudspeaker: Attention:** There is also an option for enforcing the re-enrollment on
 renewal in the definition of `Issuer` or `ClusterIssuer` resource. To do this simply set `.spec.reenrollmentOnRenew`
 to **true** in `Issuer` or `ClusterIssuer` definition.
 
-However, you can also trigger renewal or reenrolling operation manually using one of the commands below.
+However, you can also trigger renewal or re-enrolling operation manually using one of the commands below.
 
 In case you have cert-manager kubectl plugin:
 

api/v1/issuer_types.go

@@ -181,7 +181,7 @@ type IssuerCondition struct {
 	// Reason is a brief machine-readable explanation for the condition's last
 	// transition.
 	// +optional
-	Reason string `json:"reason,omitempty"`
+	Reason ReasonType `json:"reason,omitempty"`
 
 	// Message is a human-readable description of the details of the last
 	// transition, complementing reason.
@@ -221,6 +221,21 @@ const (
 	ConditionUnknown ConditionStatus = "Unknown"
 )
 
+// ConditionStatus represents a condition's status.
+// +kubebuilder:validation:Enum=SecretNotFound;Verified;Error
+type ReasonType string
+
+const (
+	// ReasonNotFound represents the fact that secrets needed to authenticate to the NCM API do not exist in cluster
+	ReasonNotFound ReasonType = "SecretNotFound"
+
+	// ReasonVerified represents the fact that the NCM Issuer(ClusterIssuer) are configured correctly
+	ReasonVerified ReasonType = "Verified"
+
+	// ReasonError represents the fact that the NCM Issuer(ClusterIssuer) are configured not correctly and require user interaction
+	ReasonError ReasonType = "Error"
+)
+
 func init() {
 	SchemeBuilder.Register(&Issuer{}, &IssuerList{})
 }

config/crd/bases/certmanager.ncm.nokia.com_clusterissuers.yaml

@@ -211,6 +211,10 @@ spec:
                       description: |-
                         Reason is a brief machine-readable explanation for the condition's last
                         transition.
+                      enum:
+                      - SecretNotFound
+                      - Verified
+                      - Error
                       type: string
                     status:
                       allOf:

config/crd/bases/certmanager.ncm.nokia.com_issuers.yaml

@@ -211,6 +211,10 @@ spec:
                       description: |-
                         Reason is a brief machine-readable explanation for the condition's last
                         transition.
+                      enum:
+                      - SecretNotFound
+                      - Verified
+                      - Error
                       type: string
                     status:
                       allOf:

docs/release-notes/.pages

@@ -1,4 +1,5 @@
 nav:
+    - 1.1.2.md
     - 1.1.1.md
     - 1.1.0.md
     - 1.0.3.md

docs/release-notes/1.1.2.md

@@ -0,0 +1,17 @@
+---
+title: 1.1.2
+---
+
+# What's changed
+
+ncm-issuer `1.1.2` introduces two new features and includes some small improvements.
+
+## Features
+
+* Support for setting notBefore and notAfter parameters in NCM certificate requests corresponding to suggested Duration parameter in cert-manager.io/v1 Certificate object kind. notBefore is set to the current time when cert is being enrolled. Feature is available for NCM >= `24.11`, in older release new parameters are ignored
+* Added issuer `.spec.caID/CASHREF` validation, so there is an error presented if the user specifies wrongly formatted value
+
+## Other
+
+* Linting code improvements
+* CI improvements

helm/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: ncm-issuer
-appVersion: 1.1.1
-version: 1.1.1
+appVersion: 1.1.2
+version: 1.1.2
 kubeVersion: ">= 1.24.0-0 < 1.30.0-0"
 description: A Helm chart for cert-manager external issuer with NCM (NetGuard Certificate Manager)
 home: https://github.com/nokia/ncm-issuer
@@ -14,9 +14,5 @@ keywords:
   - com.nokia.ncm.certifier
   - tls
 maintainers:
-- email: sara.ryfczynska@nokia.com
-  name: Sara Ryfczynska
-- email: dawid.machoczek@nokia.com
-  name: Dawid Machoczek
-- email: adam.korba@nokia.com
-  name: Adam Korba
+- name: Michal Szymanski
+  email: misiektoja-github@rm-rf.ninja

helm/values.yaml

@@ -3,7 +3,7 @@ priorityClassName: ""
 
 image:
   repository: docker.io/misiektoja/ncm-issuer
-  tag: 1.1.1
+  tag: 1.1.2
   pullPolicy: Always
   pullSecrets: []
 

pkg/cfg/ncmcfg.go

@@ -17,7 +17,7 @@ limitations under the License.
 package cfg
 
 import (
-	"fmt"
+	"errors"
 	"reflect"
 	"strings"
 	"time"
@@ -213,24 +213,32 @@ func (cfg *NCMConfig) InjectNamespace(namespace string) {
 
 func (cfg *NCMConfig) Validate() error {
 	if cfg.MainAPI == "" {
-		return fmt.Errorf("incorrect NCM API data: missing main API url")
+		return cfg.getError("incorrect NCM API data: missing main API url")
+	}
+
+	if caIDInUnsupportedFormat(cfg.CAID) {
+		return cfg.getError("incorrect caID \"" + cfg.CAID + "\". Please provide only ID of the https://ncm.domain.example/v1/cas/{ID} endpoint")
 	}
 
 	if cfg.Username == "" || cfg.Password == "" {
-		return fmt.Errorf("incorrect authentication data: missing username or usrpassword")
+		return cfg.getError("incorrect authentication data: missing username or usrpassword")
 	}
 
 	if cfg.CAName == "" && cfg.CAID == "" {
-		return fmt.Errorf("incorrect signing CA certificate data: missing CANAME or CAHREF")
+		return cfg.getError("incorrect signing CA certificate data: missing CANAME or CAHREF")
 	}
 
 	if !reflect.DeepEqual(cfg.TLSNamespacedName, types.NamespacedName{}) && cfg.CACert == "" && cfg.Key == "" && cfg.Cert == "" {
-		return fmt.Errorf("incorrect TLS data: missing cacert, key or cert in TLS secret")
+		return cfg.getError("incorrect TLS data: missing cacert, key or cert in TLS secret")
 	}
 
 	return nil
 }
 
+func (cfg *NCMConfig) getError(message string) error {
+	return errors.New("Failed to validate config provided in spec: " + message)
+}
+
 func (cfg *NCMConfig) handleDeprecatedFields(issuerSpec *ncmv1.IssuerSpec) {
 	if cfg.MainAPI == "" {
 		cfg.MainAPI = strings.TrimSuffix(issuerSpec.NCMServer, "/")