Keyfactor · irby · Dec 18, 2025 · May 19, 2026 · May 20, 2026 · May 20, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -60,7 +60,7 @@ jobs:
       - name: Run linters
         uses: golangci/golangci-lint-action@v7
         with:
-          version: v2.4.0
+          version: v2.12.2
 
       - name: Regenerate CRDs
         run: make generate manifests

diff --git a/.golangci.yml b/.golangci.yml
@@ -32,6 +32,14 @@ linters:
       - third_party$
       - builtin$
       - examples$
+    rules:
+      # Exclude some linters from running on tests files.
+      - path: _test\.go
+        linters:
+          - gocyclo
+          - errcheck
+          - dupl
+          - gosec
 formatters:
   enable:
     - goimports

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,25 @@
+# v2.6.0
+## Features
+- Allow `certificateAuthorityLogicalName` to be optional when using an enrollment pattern.
+- The default healthcheck interval has been bumped from 1 minute to 10 minutes.
+
+## Security
+- The Helm chart now defaults `serviceAccount.automountServiceAccountToken` to `false`,
+  replacing the long-lived auto-mounted token with a short-lived projected token (~1 hour, automatically rotated by kubelet). The token is still mounted at the standard path `/var/run/secrets/kubernetes.io/serviceaccount` so no application changes are required.
+- Go version has been bumped from 1.24 to 1.26.2+ to fix CVE-2026-27143 (affects Go compiler versions below 1.25.9, and 1.26.0-1.26.1).
+
+> [!IMPORTANT]
+>
+> ### Upgrade Notes
+> 
+> - **Rolling restart**: Upgrading from v2.5.x will patch the ServiceAccount and update the Deployment spec, triggering an automatic rolling restart. Plan accordingly if downtime is a concern in your environment.
+> - **Bring-your-own ServiceAccount**: If you set `serviceAccount.create: false` and manage your own ServiceAccount, you must either set `automountServiceAccountToken: true` in your `values.yaml` to preserve the previous behavior, or manually add `automountServiceAccountToken: false` and the projected volume to your ServiceAccount and Deployment manifests.
+> - To restore the previous behavior explicitly, set in your `values.yaml`:
+> ```yaml
+> serviceAccount:
+>   automountServiceAccountToken: true
+> ```
+
 # v2.5.3
 ## Security
 - Updated dependencies to address various security vulnerabilities:

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24 AS builder
+FROM golang:1.26 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/Makefile b/Makefile
@@ -190,9 +190,9 @@ CONFTEST = $(LOCALBIN)/conftest-$(CONFTEST_VERSION)
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.3.0
-CONTROLLER_TOOLS_VERSION ?= v0.14.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.3
 ENVTEST_VERSION ?= latest
-GOLANGCI_LINT_VERSION ?= v2.4.0
+GOLANGCI_LINT_VERSION ?= v2.12.2
 KUBE_LINTER_VERSION ?= v0.6.8
 CONFTEST_VERSION ?= v0.60.0
 

diff --git a/README.md b/README.md
diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go
@@ -85,8 +85,11 @@ type IssuerSpec struct {
 	// + optional
 	OwnerRoleName string `json:"ownerRoleName,omitempty"`
 
-	// CertificateAuthorityLogicalName is the logical name of the certificate authority to use
+	// CertificateAuthorityLogicalName is the logical name of the certificate authority to use. Not required if an enrollment pattern is specified,
+	// except if the enrollment pattern targets a standalone CA. If empty, an eligible certificate authority within the enrollment pattern's configuration tenant
+	// will be used.
 	// E.g. "Keyfactor Root CA" or "Intermediate CA"
+	// +optional
 	CertificateAuthorityLogicalName string `json:"certificateAuthorityLogicalName,omitempty"`
 
 	// CertificateAuthorityHostname is the hostname associated with the Certificate Authority specified by
@@ -301,7 +304,7 @@ type HealthCheckConfig struct {
 	// Determines whether to enable the health check when the issuer is healthy. Default: true
 	Enabled bool `json:"enabled"`
 
-	// The interval at which to health check the issuer when healthy. Defaults to 1 minute. Must not be less than "30s".
+	// The interval at which to health check the issuer when healthy. Defaults to 10 minutes. Must not be less than "30s".
 	// +kubebuilder:validation:Optional
 	Interval *metav1.Duration `json:"interval,omitempty"`
 }

diff --git a/cmd/main.go b/cmd/main.go
@@ -82,7 +82,7 @@ func main() {
 		"If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
-	flag.StringVar(&healthCheckInterval, "default-health-check-interval", "60s",
+	flag.StringVar(&healthCheckInterval, "default-health-check-interval", "10m", // 10 minutes
 		"If set, it is the default health check interval for issuers.")
 	flag.StringVar(&clusterResourceNamespace, "cluster-resource-namespace", "", "The namespace for secrets in which cluster-scoped resources are found.")
 	flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,

diff --git a/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: clusterissuers.command-issuer.keyfactor.com
 spec:
   group: command-issuer.keyfactor.com
@@ -79,7 +79,9 @@ spec:
                 type: string
               certificateAuthorityLogicalName:
                 description: |-
-                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use
+                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use. Not required if an enrollment pattern is specified,
+                  except if the enrollment pattern targets a standalone CA. If empty, an eligible certificate authority within the enrollment pattern's configuration tenant
+                  will be used.
                   E.g. "Keyfactor Root CA" or "Intermediate CA"
                 type: string
               certificateTemplate:
@@ -127,7 +129,8 @@ spec:
                     type: boolean
                   interval:
                     description: The interval at which to health check the issuer
-                      when healthy. Defaults to 1 minute. Must not be less than "30s".
+                      when healthy. Defaults to 10 minutes. Must not be less than
+                      "30s".
                     type: string
                 required:
                 - enabled

diff --git a/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml b/config/crd/bases/command-issuer.keyfactor.com_issuers.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: issuers.command-issuer.keyfactor.com
 spec:
   group: command-issuer.keyfactor.com
@@ -79,7 +79,9 @@ spec:
                 type: string
               certificateAuthorityLogicalName:
                 description: |-
-                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use
+                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use. Not required if an enrollment pattern is specified,
+                  except if the enrollment pattern targets a standalone CA. If empty, an eligible certificate authority within the enrollment pattern's configuration tenant
+                  will be used.
                   E.g. "Keyfactor Root CA" or "Intermediate CA"
                 type: string
               certificateTemplate:
@@ -127,7 +129,8 @@ spec:
                     type: boolean
                   interval:
                     description: The interval at which to health check the issuer
-                      when healthy. Defaults to 1 minute. Must not be less than "30s".
+                      when healthy. Defaults to 10 minutes. Must not be less than
+                      "30s".
                     type: string
                 required:
                 - enabled

diff --git a/deploy/charts/command-cert-manager-issuer/README.md b/deploy/charts/command-cert-manager-issuer/README.md
@@ -85,4 +85,4 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `tolerations`                                | Tolerations for pod assignment                                                                                                           | `[]`                                                  |
 | `env`                                        | Environmental variables set for pod                                                                                                      | `{}`                                                  |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |
-| `defaultHealthCheckInterval`                 | Specifies the default health check interval for issuers                                                        | `""` (uses the default in the code which is 60s)                                 |
+| `defaultHealthCheckInterval`                 | Specifies the default health check interval for issuers                                                        | `""` (uses the default in the code which is 10 minutes)                                 |
diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml
@@ -73,7 +73,9 @@ spec:
                 type: string
               certificateAuthorityLogicalName:
                 description: |-
-                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use
+                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use. Not required if an enrollment pattern is specified,
+                  except if the enrollment pattern targets a standalone CA. If empty, an eligible certificate authority within the enrollment pattern's configuration tenant
+                  will be used.
                   E.g. "Keyfactor Root CA" or "Intermediate CA"
                 type: string
               enrollmentPatternId:
@@ -104,7 +106,7 @@ spec:
                     type: boolean
                   interval:
                     description: The interval at which to health check the issuer
-                      when healthy. Defaults to 1 minute.
+                      when healthy. Defaults to 10 minutes.
                     type: string
                 required:
                 - enabled

diff --git a/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml b/deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml
@@ -73,7 +73,9 @@ spec:
                 type: string
               certificateAuthorityLogicalName:
                 description: |-
-                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use
+                  CertificateAuthorityLogicalName is the logical name of the certificate authority to use. Not required if an enrollment pattern is specified,
+                  except if the enrollment pattern targets a standalone CA. If empty, an eligible certificate authority within the enrollment pattern's configuration tenant
+                  will be used.
                   E.g. "Keyfactor Root CA" or "Intermediate CA"
                 type: string
               enrollmentPatternId:
@@ -104,7 +106,7 @@ spec:
                     type: boolean
                   interval:
                     description: The interval at which to health check the issuer
-                      when healthy. Defaults to 1 minute.
+                      when healthy. Defaults to 10 minutes.
                     type: string
                 required:
                 - enabled

diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
@@ -26,8 +26,32 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
+      {{- if not .Values.serviceAccount.automountServiceAccountToken }}
+      automountServiceAccountToken: false
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if not .Values.serviceAccount.automountServiceAccountToken }}
+      volumes:
+        - name: serviceaccount-token
+          projected:
+            defaultMode: {{ .Values.serviceAccount.projectedTokenVolume.defaultMode }}
+            sources:
+              - serviceAccountToken:
+                  expirationSeconds: {{ .Values.serviceAccount.projectedTokenVolume.expirationSeconds }}
+                  path: token
+              - configMap:
+                  name: kube-root-ca.crt
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+              - downwardAPI:
+                  items:
+                    - path: namespace
+                      fieldRef:
+                        apiVersion: v1
+                        fieldPath: metadata.namespace
+      {{- end }}
       containers:
         - args:
             - --health-probe-bind-address=:8081
@@ -67,6 +91,12 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- if not .Values.serviceAccount.automountServiceAccountToken }}
+          volumeMounts:
+            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+              name: serviceaccount-token
+              readOnly: true
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml b/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml
@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -48,6 +48,15 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+  # Specifies whether to automount the service account token
+  # If false, a projected volume will be used to mount the token
+  automountServiceAccountToken: false
+  # Configuration for projected service account token volume (used when automountServiceAccountToken is false)
+  projectedTokenVolume:
+    # Token expiration time in seconds
+    expirationSeconds: 3607
+    # File permissions for the token
+    defaultMode: 0444
 
 podLabels: {}