Sync with upstream

.github/workflows/contrast-sast-scan-child.yml

@@ -0,0 +1,13 @@
+name: Contrast SAST Scan
+
+on:
+ push:
+ branches:
+ - master
+ - main
+ workflow_dispatch:
+
+jobs:
+ sast-scan:
+ uses: ibm-skills-network/.github/.github/workflows/contrast-sast-scan.yaml@main
+ secrets: inherit

.github/workflows/release-helm-chart.yaml

@@ -0,0 +1,63 @@
+name: Release Helm Chart
+
+on:
+ push:
+ branches:
+ - master
+ tags:
+ - "**"
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ release:
+ if: github.event_name == 'push' # This ensures release only runs on push events, not on pull_request events
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Install yq - portable yaml processor
+ uses: mikefarah/[email protected]
+
+ - name: Install Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+
+ - name: Lint chart
+ run: helm lint deploy/cert-manager-ibm-cis-webhook
+
+ - name: Fetch charts dependencies
+ run: |
+ cd deploy/cert-manager-ibm-cis-webhook
+ helm dependency build
+
+ - name: Package Helm Chart
+ run: |
+ helm package deploy/cert-manager-ibm-cis-webhook
+
+ - name: Check Out Helm Chart Repository
+ uses: actions/checkout@v2
+ with:
+ repository: ibm-skills-network/charts
+ token: ${{ secrets.PUBLIC_HELM_CHART_REPO_PUBLISH_TOKEN }}
+ path: charts-repo
+ ref: gh-pages
+
+ - name: Copy Packaged Chart to Charts Repo
+ run: |
+ cp cert-manager-ibm-cis-webhook*.tgz charts-repo/
+
+ - name: Update Helm Chart Repository Index
+ run: |
+ cd charts-repo
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "[email protected]"
+ helm repo index . --url https://ibm-skills-network.github.io/charts/ --merge index.yaml
+ git add .
+ git commit -m "Update Helm chart for my-chart"
+ git push

.github/workflows/release-image.yml

@@ -0,0 +1,46 @@
+name: Build and Publish Docker Image
+
+on:
+ push:
+ branches:
+ - '*'
+ tags:
+ - '*'
+
+jobs:
+ build-and-publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Check Out Repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract Tag Name
+ if: startsWith(github.ref, 'refs/tags/')
+ id: tag_name
+ run: echo "::set-output name=TAG_NAME::${GITHUB_REF##*/}"
+
+ - name: Build Docker Image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: Dockerfile
+ push: ${{ startsWith(github.ref, 'refs/tags/') }}
+ tags: |
+ ghcr.io/${{ github.repository }}:latest
+ ghcr.io/${{ github.repository }}:1
+ ${{ steps.tag_name.outputs.TAG_NAME != '' && format('ghcr.io/{0}:{1}', github.repository, steps.tag_name.outputs.TAG_NAME) }}

.github/workflows/test.yml

@@ -0,0 +1,32 @@
+name: Test
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+jobs:
+ test:
+ concurrency:
+ group: test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check Out Repository
+ uses: actions/checkout@v2
+ - name: Run tests
+ run: |
+ cat > testdata/ibm-cloud-cis/config.json <<EOF
+ {
+ "ibmCloudCisCrns": [ "$TEST_CIS_INSTANCE_CRN" ]
+ }
+ EOF
+
+ cat testdata/ibm-cloud-cis/config.json
+
+ make test
+ env:
+ TEST_ZONE_NAME: ${{ vars.TEST_ZONE_NAME }}
+ TEST_DNS_RECORD: ${{ vars.TEST_DNS_RECORD }}
+ TEST_CIS_INSTANCE_CRN: ${{ vars.TEST_CIS_INSTANCE_CRN }}
+ IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}

.tool-versions

@@ -0,0 +1 @@
+golang 1.22.5

.whitesource

@@ -0,0 +1,5 @@
+
+{
+ "settingsInheritedFrom": "ibm-skills-network/mend-config@main"
+}
+

CODEOWNERS

@@ -0,0 +1,35 @@
+* @ibm-skills-network/security
+#### Organization Synced Configuration Below ####
+# If you want to add to the below, please do so in the security-compliance-automation repo and sync the file to every repo
+
+# Dependency Resolution and Supported Package Manager Files
+# Reference: https://docs.mend.io/bundle/wsk/page/dependency_resolution_and_supported_package_manager_files.html
+
+# Python
+requirements.txt
+Pipfile
+Pipfile.lock
+pyproject.toml
+poetry.lock
+setup.py
+setup.cfg
+environment.yml
+
+# JavaScript
+package.json
+package-lock.json
+yarn.lock
+pnpm-lock.yaml
+
+# Go
+go.mod
+go.sum
+
+# Ruby
+Gemfile
+Gemfile.lock
+
+# Elixer, Erlang
+mix.exs
+mix.lock
+rebar.config

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine3.18 AS build_deps
+FROM golang:1.22-alpine AS build_deps
 
 RUN apk add --no-cache git
 
@@ -11,14 +11,18 @@ RUN go mod download
 
 FROM build_deps AS build
 
-COPY . .
+COPY main.go .
 
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.18
+FROM alpine:3 as final
+
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
 
 RUN apk add --no-cache ca-certificates
 
+USER 1000
+
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]

Makefile

@@ -2,14 +2,14 @@ GO ?= $(shell which go)
 OS ?= $(shell $(GO) env GOOS)
 ARCH ?= $(shell $(GO) env GOARCH)
 
-IMAGE_NAME := "webhook"
+IMAGE_NAME := "icr.io/skills-network/cert-manager-webhook-ibm-cis"
 IMAGE_TAG := "latest"
 
 OUT := $(shell pwd)/_out
 
 KUBEBUILDER_VERSION=1.28.0
 
-HELM_FILES := $(shell find deploy/example-webhook)
+HELM_FILES := $(shell find deploy/cert-manager-ibm-cis-webhook)
 
 test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl
  TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \
@@ -36,10 +36,10 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
 
 $(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
  helm template \
- --name example-webhook \
+ --name cert-manager-ibm-cis-webhook \
  --set image.repository=$(IMAGE_NAME) \
  --set image.tag=$(IMAGE_TAG) \
- deploy/example-webhook > $@
+ deploy/cert-manager-ibm-cis-webhook > $@
 
 _test $(OUT) _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH):
  mkdir -p $@

README.md

@@ -1,58 +1,57 @@
-<p align="center">
- <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" height="256" width="256" alt="cert-manager project logo" />
-</p>
+# Cert Manager IBM Cloud Internet Services Webhook Solver
 
-# ACME webhook example
-
-The ACME issuer type supports an optional 'webhook' solver, which can be used
+Cert Manager's ACME (automated certificate management environment) issuer type supports an optional 'webhook' solver, which can be used
 to implement custom DNS01 challenge solving logic.
 
-This is useful if you need to use cert-manager with a DNS provider that is not
-officially supported in cert-manager core.
-
-## Why not in core?
-
-As the project & adoption has grown, there has been an influx of DNS provider
-pull requests to our core codebase. As this number has grown, the test matrix
-has become un-maintainable and so, it's not possible for us to certify that
-providers work to a sufficient level.
-
-By creating this 'interface' between cert-manager and DNS providers, we allow
-users to quickly iterate and test out new integrations, and then packaging
-those up themselves as 'extensions' to cert-manager.
-
-We can also then provide a standardised 'testing framework', or set of
-conformance tests, which allow us to validate the a DNS provider works as
-expected.
+IBM Cloud Internet Services is not officially supported in cert-manager core, so if you want to automatically provision certificates with cert-manager using DNS challenges, you can use this repository to do so.
 
-## Creating your own webhook
+## Usage
 
-Webhook's themselves are deployed as Kubernetes API services, in order to allow
-administrators to restrict access to webhooks with Kubernetes RBAC.
+### Prerequisites
 
-This is important, as otherwise it'd be possible for anyone with access to your
-webhook to complete ACME challenge validations and obtain certificates.
+You must have cert-manager already installed in your cluster.
 
-To make the set up of these webhook's easier, we provide a template repository
-that can be used to get started quickly.
+See [installation instructions here](https://cert-manager.io/docs/installation/).
 
-### Creating your own repository
+### Installation
 
-### Running the test suite
+You can install this webhook using helm:
 
-All DNS providers **must** run the DNS01 provider conformance testing suite,
-else they will have undetermined behaviour when used with cert-manager.
-
-**It is essential that you configure and run the test suite when creating a
-DNS01 webhook.**
+```shell
+helm install cert-manager-ibm-cis-webhook --set ibmCloudApiKey="<your IBM Cloud API key>"
+```
 
-An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go).
+### Issuer
+
+Create or update an `Issuer` (or `ClusterIssuer`) to reference the newly installed solver:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: acme-dns-issuer
+spec:
+ acme:
+ email: [email protected]
+ privateKeySecretRef:
+ name: letsencrypt
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ webhook:
+ config:
+ ibmCloudCisCrns:
+ - 'crn:v1:bluemix:public:internet-svcs:global:a/***:***::'
+ groupName: acme.skills.network
+ solverName: ibm-cloud-cis
+ selector:
+ dnsZones:
+ - your.site.domain.com
+```
 
-You can run the test suite with:
+After update your issuer, cert-manager should be able to automatically complete challenges for your certificates on IBM CIS-managed domains.
 
-```bash
-$ TEST_ZONE_NAME=example.com. make test
-```
+## Contributing
 
-The example file has a number of areas you must fill in and replace with your
-own options in order for tests to pass.
+Contributions are welcome.
+Please see [docs/CONTRIBUTING.md](./docs/CONTRIBUTING.md) to get started.

chart-releaser.yaml

@@ -0,0 +1,4 @@
+owner: ibm-skills-network
+git-repo: charts
+# package-path: deploy/cert-manager-ibm-cis-webhook/
+# package-path: charts

deploy/example-webhook/Chart.yaml → deploy/cert-manager-ibm-cis-webhook/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-name: example-webhook
-version: 0.1.0
+name: cert-manager-ibm-cis-webhook
+version: 2.0.0