Nonstandard sa name (#37)

* klone upgrade

Signed-off-by: Abhijeet V <[email protected]>

* upgraded dependencies

Signed-off-by: Abhijeet V <[email protected]>

* fallback to non-standard service account name

Signed-off-by: Abhijeet V <[email protected]>

---------

Signed-off-by: Abhijeet V <[email protected]>

Author: abvaidya

.github/dependabot.yaml

@@ -1,20 +1,20 @@
 # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/dependabot.yaml instead.
 
-# Update Go dependencies and GitHub Actions dependencies weekly.
+# Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
 - package-ecosystem: gomod
   directory: /
   schedule:
-    interval: weekly
+    interval: daily
   groups:
     all:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
-    interval: weekly
+    interval: daily
   groups:
     all:
       patterns: ["*"]

.github/workflows/make-self-upgrade.yaml

@@ -5,36 +5,49 @@ name: make-self-upgrade
 concurrency: make-self-upgrade
 on:
   workflow_dispatch: {}
-  # schedule:
-  #   - cron: '0 0 * * *'
+#  schedule:
+#    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
 
 jobs:
-  build_images:
+  self_upgrade:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'AthenZ'
+
     permissions:
       contents: write
       pull-requests: write
+    
+    env:
+      SOURCE_BRANCH: "${{ github.ref_name }}"
+      SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}"
 
     steps:
-      - name: Fail if branch is not main
-        if: github.ref != 'refs/heads/main'
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
         run: |
-          echo "This workflow should not be run on a branch other than main."
+          echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - run: |
-          git checkout -B "self-upgrade"
+          git checkout -B "$SELF_UPGRADE_BRANCH"
 
       - run: |
           make -j upgrade-klone
@@ -57,30 +70,36 @@ jobs:
           git config --global user.name "athenz-bot"
           git config --global user.email "[email protected]"
           git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
-          git push -f origin self-upgrade
+          git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
               owner: owner,
               repo: repo,
-              head: owner + ':self-upgrade',
-              base: 'main',
+              head: owner + ':' + process.env.SELF_UPGRADE_BRANCH,
+              base: process.env.SOURCE_BRANCH,
               state: 'open',
             });
             
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
-                title: '[CI] Merge self-upgrade into main',
+              const result = await github.rest.pulls.create({
+                title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
-                head: 'self-upgrade',
-                base: 'main',
+                head: process.env.SELF_UPGRADE_BRANCH,
+                base: process.env.SOURCE_BRANCH,
                 body: [
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
             }

.gitignore

@@ -27,4 +27,5 @@ _bin
 _certs
 .vscode
 
-scratch.txt
+scratch.txt
+.idea/

.golangci.yaml

@@ -0,0 +1,80 @@
+version: "2"
+linters:
+  default: none
+  exclusions:
+    generated: lax
+    presets: [comments, common-false-positives, legacy, std-error-handling]
+    paths: [third_party, builtin$, examples$]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"]
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - canonicalheader
+    - contextcheck
+    - copyloopvar
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - exhaustive
+    - exptostd
+    - forbidigo
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - goheader
+    - goprintffuncname
+    - gosec
+    - gosmopolitan
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - interfacebloat
+    - intrange
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nosprintfhostport
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - sloglint
+    - staticcheck
+    - tagalign
+    - testableexamples
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+formatters:
+  enable: [gci, gofmt]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/AthenZ/athenz-issuer) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [third_party, builtin$, examples$]

Makefile

@@ -1,4 +1,4 @@
-# Copyright The Athenz Authors.
+# Copyright 2023 The cert-manager Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,7 +30,7 @@
 ##################################
 
 # Some modules build their dependencies from variables, we want these to be 
-# evalutated at the last possible moment. For this we use second expansion to 
+# evaluated at the last possible moment. For this we use second expansion to 
 # re-evaluate the generate and verify targets a second time.
 #
 # See https://www.gnu.org/software/make/manual/html_node/Secondary-Expansion.html
@@ -48,6 +48,10 @@ FORCE:
 
 noop: # do nothing
 
+# Set empty value for MAKECMDGOALS to prevent the "warning: undefined variable 'MAKECMDGOALS'"
+# warning from happening when running make without arguments
+MAKECMDGOALS ?=
+
 ##################################
 # Host OS and architecture setup #
 ##################################
@@ -56,8 +60,10 @@ noop: # do nothing
 # binary may not be available in the PATH yet when the Makefiles are
 # evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1
 # and Intel).
-HOST_OS ?= $(shell uname -s | tr A-Z a-z)
-HOST_ARCH ?= $(shell uname -m)
+host_os := $(shell uname -s | tr A-Z a-z)
+host_arch := $(shell uname -m)
+HOST_OS ?= $(host_os)
+HOST_ARCH ?= $(host_arch)
 
 ifeq (x86_64, $(HOST_ARCH))
 	HOST_ARCH = amd64
@@ -70,7 +76,8 @@ endif
 # Git and versioning information #
 ##################################
 
-VERSION ?= $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+git_version := $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+VERSION ?= $(git_version)
 IS_PRERELEASE := $(shell git describe --tags --always --match='v*' --abbrev=0 | grep -q '-' && echo true || echo false)
 GITCOMMIT := $(shell git rev-parse HEAD)
 GITEPOCH := $(shell git show -s --format=%ct HEAD)

controller/signer.go

@@ -102,8 +102,8 @@ func (s *Signer) Check(ctx context.Context, issuerObject v1alpha1.Issuer) error
 	}
 	// create zts client
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{},
-		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig:   &tls.Config{},
+		Proxy:             http.ProxyFromEnvironment,
 		DisableKeepAlives: true,
 	}
 
@@ -215,7 +215,13 @@ func getServiceAccountTokenFromAPIServer(namespaceName string, ctx context.Conte
 
 	sa, err := clientset.CoreV1().ServiceAccounts(namespaceName).Get(ctx, spiffeSA, metav1.GetOptions{})
 	if err != nil {
-		return "", fmt.Errorf("failed to get service account: %w", err)
+		// try with a fallback service account name
+		_, fallbackSA := issuerutil.ExtractDomainServiceFromServiceAccount(spiffeSA)
+		sa, err = clientset.CoreV1().ServiceAccounts(namespaceName).Get(ctx, fallbackSA, metav1.GetOptions{})
+		if err != nil {
+			// if we still can't find the service account, return an error
+			return "", fmt.Errorf("failed to get service account %s or %s in namespace %s: %w", spiffeSA, fallbackSA, namespaceName, err)
+		}
 	}
 
 	tr := &authenticationv1.TokenRequest{

deploy/charts/athenz-issuer/templates/crd-cert-manager.athenz.io_athenzclusterissuers.yaml

@@ -136,4 +136,4 @@ spec:
       storage: true
       subresources:
         status: {}
-{{- end }}
+{{- end }}

deploy/charts/athenz-issuer/templates/crd-cert-manager.athenz.io_athenzissuers.yaml

@@ -136,4 +136,4 @@ spec:
       storage: true
       subresources:
         status: {}
-{{- end }}
+{{- end }}