Merge pull request #39 from ibm-skills-network/fix_apiserver

Fix apiserver

Author: LiyangW

.github/workflows/contrast-sast-scan-child.yml

@@ -0,0 +1,13 @@
+name: Contrast SAST Scan
+
+on:
+  push:
+    branches:
+      - master
+      - main
+  workflow_dispatch:
+
+jobs:
+  sast-scan:
+    uses: ibm-skills-network/.github/.github/workflows/contrast-sast-scan.yaml@main
+    secrets: inherit

.github/workflows/release-helm-chart.yaml

@@ -0,0 +1,63 @@
+name: Release Helm Chart
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - "**"
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  release:
+    if: github.event_name == 'push' # This ensures release only runs on push events, not on pull_request events
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install yq - portable yaml processor
+        uses: mikefarah/yq@v4.30.5
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Lint chart
+        run: helm lint deploy/cert-manager-ibm-cis-webhook
+
+      - name: Fetch charts dependencies
+        run: |
+          cd deploy/cert-manager-ibm-cis-webhook
+          helm dependency build
+
+      - name: Package Helm Chart
+        run: |
+          helm package deploy/cert-manager-ibm-cis-webhook
+
+      - name: Check Out Helm Chart Repository
+        uses: actions/checkout@v2
+        with:
+          repository: ibm-skills-network/charts
+          token: ${{ secrets.PUBLIC_HELM_CHART_REPO_PUBLISH_TOKEN }}
+          path: charts-repo
+          ref: gh-pages
+
+      - name: Copy Packaged Chart to Charts Repo
+        run: |
+          cp cert-manager-ibm-cis-webhook*.tgz charts-repo/
+
+      - name: Update Helm Chart Repository Index
+        run: |
+          cd charts-repo
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          helm repo index . --url https://ibm-skills-network.github.io/charts/ --merge index.yaml
+          git add .
+          git commit -m "Update Helm chart for my-chart"
+          git push

.github/workflows/release-image.yml

@@ -0,0 +1,46 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches:
+      - '*'
+    tags:
+      - '*'
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Check Out Repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Tag Name
+        if: startsWith(github.ref, 'refs/tags/')
+        id: tag_name
+        run: echo "::set-output name=TAG_NAME::${GITHUB_REF##*/}"
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          push: ${{ startsWith(github.ref, 'refs/tags/') }}
+          tags: |
+            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:1
+            ${{ steps.tag_name.outputs.TAG_NAME != '' && format('ghcr.io/{0}:{1}', github.repository, steps.tag_name.outputs.TAG_NAME) }}

.github/workflows/test.yml

@@ -0,0 +1,34 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+jobs:
+  test:
+    concurrency:
+      group: test
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check Out Repository
+      uses: actions/checkout@v2
+    - name: Run tests
+      run: |
+          cat > testdata/ibm-cloud-cis/config.json <<EOF
+          {
+              "ibmCloudCisCrns": [ "$TEST_CIS_INSTANCE_CRN" ]
+          }
+          EOF
+
+          cat testdata/ibm-cloud-cis/config.json
+
+          make test
+      env:
+        TEST_ZONE_NAME: ${{ vars.TEST_ZONE_NAME }}
+        TEST_DNS_RECORD: ${{ vars.TEST_DNS_RECORD }}
+        TEST_CIS_INSTANCE_CRN: ${{ vars.TEST_CIS_INSTANCE_CRN }}
+        IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}

.tool-versions

@@ -0,0 +1 @@
+golang 1.22.5

.whitesource

@@ -0,0 +1,5 @@
+
+{
+  "settingsInheritedFrom": "ibm-skills-network/mend-config@main"
+}
+

CODEOWNERS

@@ -0,0 +1,35 @@
+* @ibm-skills-network/security
+#### Organization Synced Configuration Below ####
+# If you want to add to the below, please do so in the security-compliance-automation repo and sync the file to every repo
+
+# Dependency Resolution and Supported Package Manager Files
+# Reference: https://docs.mend.io/bundle/wsk/page/dependency_resolution_and_supported_package_manager_files.html
+
+# Python
+requirements.txt
+Pipfile
+Pipfile.lock
+pyproject.toml
+poetry.lock
+setup.py
+setup.cfg
+environment.yml
+
+# JavaScript
+package.json
+package-lock.json
+yarn.lock
+pnpm-lock.yaml
+
+# Go
+go.mod
+go.sum
+
+# Ruby
+Gemfile
+Gemfile.lock
+
+# Elixer, Erlang
+mix.exs
+mix.lock
+rebar.config

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine3.19 AS build_deps
+FROM golang:1.22-alpine AS build_deps
 
 RUN apk add --no-cache git
 
@@ -11,14 +11,18 @@ RUN go mod download
 
 FROM build_deps AS build
 
-COPY . .
+COPY main.go .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.18
+FROM alpine:3 as final
+
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
 
 RUN apk add --no-cache ca-certificates
 
+USER 1000
+
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]

Makefile

@@ -2,14 +2,14 @@ GO ?= $(shell which go)
 OS ?= $(shell $(GO) env GOOS)
 ARCH ?= $(shell $(GO) env GOARCH)
 
-IMAGE_NAME := "webhook"
+IMAGE_NAME := "icr.io/skills-network/cert-manager-webhook-ibm-cis"
 IMAGE_TAG := "latest"
 
 OUT := $(shell pwd)/_out
 
 KUBEBUILDER_VERSION=1.28.0
 
-HELM_FILES := $(shell find deploy/example-webhook)
+HELM_FILES := $(shell find deploy/cert-manager-ibm-cis-webhook)
 
 test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
 	TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \
@@ -36,10 +36,10 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
 
 $(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
 	helm template \
-	    --name example-webhook \
+	    --name cert-manager-ibm-cis-webhook \
             --set image.repository=$(IMAGE_NAME) \
             --set image.tag=$(IMAGE_TAG) \
-            deploy/example-webhook > $@
+            deploy/cert-manager-ibm-cis-webhook > $@
 
 _test $(OUT) _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH):
 	mkdir -p $@

README.md

@@ -1,58 +1,57 @@
-<p align="center">
-  <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" height="256" width="256" alt="cert-manager project logo" />
-</p>
+# Cert Manager IBM Cloud Internet Services Webhook Solver
 
-# ACME webhook example
-
-The ACME issuer type supports an optional 'webhook' solver, which can be used
+Cert Manager's ACME (automated certificate management environment) issuer type supports an optional 'webhook' solver, which can be used
 to implement custom DNS01 challenge solving logic.
 
-This is useful if you need to use cert-manager with a DNS provider that is not
-officially supported in cert-manager core.
-
-## Why not in core?
-
-As the project & adoption has grown, there has been an influx of DNS provider
-pull requests to our core codebase. As this number has grown, the test matrix
-has become un-maintainable and so, it's not possible for us to certify that
-providers work to a sufficient level.
-
-By creating this 'interface' between cert-manager and DNS providers, we allow
-users to quickly iterate and test out new integrations, and then packaging
-those up themselves as 'extensions' to cert-manager.
-
-We can also then provide a standardised 'testing framework', or set of
-conformance tests, which allow us to validate that a DNS provider works as
-expected.
+IBM Cloud Internet Services is not officially supported in cert-manager core, so if you want to automatically provision certificates with cert-manager using DNS challenges, you can use this repository to do so.
 
-## Creating your own webhook
+## Usage
 
-Webhook's themselves are deployed as Kubernetes API services, in order to allow
-administrators to restrict access to webhooks with Kubernetes RBAC.
+### Prerequisites
 
-This is important, as otherwise it'd be possible for anyone with access to your
-webhook to complete ACME challenge validations and obtain certificates.
+You must have cert-manager already installed in your cluster.
 
-To make the set up of these webhook's easier, we provide a template repository
-that can be used to get started quickly.
+See [installation instructions here](https://cert-manager.io/docs/installation/).
 
-### Creating your own repository
+### Installation
 
-### Running the test suite
+You can install this webhook using helm:
 
-All DNS providers **must** run the DNS01 provider conformance testing suite,
-else they will have undetermined behaviour when used with cert-manager.
-
-**It is essential that you configure and run the test suite when creating a
-DNS01 webhook.**
+```shell
+helm install cert-manager-ibm-cis-webhook --set ibmCloudApiKey="<your IBM Cloud API key>"
+```
 
-An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go).
+### Issuer
+
+Create or update an `Issuer` (or `ClusterIssuer`) to reference the newly installed solver:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: acme-dns-issuer
+spec:
+  acme:
+    email: you@your.email.domain.com
+    privateKeySecretRef:
+      name: letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          webhook:
+            config:
+              ibmCloudCisCrns:
+                - "crn:v1:bluemix:public:internet-svcs:global:a/***:***::"
+            groupName: acme.skills.network
+            solverName: ibm-cloud-cis
+        selector:
+          dnsZones:
+            - your.site.domain.com
+```
 
-You can run the test suite with:
+After update your issuer, cert-manager should be able to automatically complete challenges for your certificates on IBM CIS-managed domains.
 
-```bash
-$ TEST_ZONE_NAME=example.com. make test
-```
+## Contributing
 
-The example file has a number of areas you must fill in and replace with your
-own options in order for tests to pass.
+Contributions are welcome.
+Please see [docs/CONTRIBUTING.md](./docs/CONTRIBUTING.md) to get started.