2.5.0: CA Bundle with ConfigMap + GKE Ambient Credentials Documentation

[irby]

v2.5.0

Features

• Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the caBundleConfigMapName specification.
• Add support for specifying a key on a Secret / ConfigMap resource for the CA trust bundle via the caBundleKey specification on an Issuer / ClusterIssuer resource.
• Add a timeout when fetching ambient Azure credentials to move onto other ambient credential methods.
• Ability to specify environment variables on issuer deployment to set additional configuration options (i.e. HTTP proxy settings, etc.)

Chores

• Add documentation for how to configure command-cert-manager-issuer with ambient credentials on Google Kubernetes Engine (GKE).
• Add documentation for configuring CA trust bundles via Secret and ConfigMap resources using trust-manager.

[Copilot]

Pull request overview

This PR introduces version 2.5.0 of command-cert-manager-issuer, adding support for ConfigMap-based CA trust bundles, enhanced CA bundle key specification, and improved ambient credential handling for Azure. The release also includes comprehensive documentation for GKE workload identity integration and trust-manager usage.

Changes:

• Added ConfigMap support for CA trust bundles alongside existing Secret support, with precedence given to ConfigMap when both are specified
• Implemented caBundleKey specification to allow explicit key selection in CA bundle resources
• Added timeout for Azure ambient credential fetching to enable fallback to other credential methods
• Added comprehensive GKE workload identity documentation and trust-manager integration guide

Reviewed changes

Copilot reviewed 23 out of 24 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
internal/controller/issuer_controller_test.go	Added comprehensive test suite for commandConfigFromIssuer function covering Secret/ConfigMap CA bundles, key specifications, and various authentication scenarios
internal/controller/issuer_controller.go	Implemented ConfigMap support and key-based CA bundle retrieval logic with proper error handling
internal/command/client.go	Added 10-second timeout for Azure ambient credential token requests
e2e/run_tests.sh	Added end-to-end tests for CA Secret/ConfigMap functionality with key specification support
e2e/README.md	Updated documentation for CA trust bundle configuration in e2e tests
e2e/.gitignore	Added gitignore rules for certificate files
e2e/.env.example	Added DISABLE_CA_CHECK environment variable option
docsource/content.md	Updated documentation with references to new CA Bundle docs and GKE ambient credentials
docs/ca-bundle/README.md	Added comprehensive CA bundle documentation including trust-manager integration guide
docs/ambient-providers/google.md	Added complete GKE workload identity configuration documentation
deploy/charts/command-cert-manager-issuer/values.yaml	Added Helm value for ConfigMap access RBAC configuration
deploy/charts/command-cert-manager-issuer/templates/*	Added RBAC resources and deployment configuration for ConfigMap access
config/crd/bases/*	Updated CRD definitions with new CA bundle fields
cmd/main.go	Added ConfigMap access flag and improved cache configuration logic
api/v1alpha1/issuer_types.go	Added CaBundleConfigMapName and CaBundleKey fields to IssuerSpec
README.md	Updated main documentation with references to CA Bundle and GKE docs
Makefile	Updated e2e test target to use bash script
CHANGELOG.md	Added v2.5.0 release notes

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.