feat: add client caching to reduce OAuth token requests

Dockerfile

@@ -7,6 +7,8 @@ WORKDIR /workspace
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
+
+
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download

Makefile

@@ -64,9 +64,10 @@ vet: ## Run go vet against code.
 test: manifests generate fmt vet envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
 
-# Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
-.PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
-test-e2e:
+# Run e2e tests against the current kubeconfig context (set USE_MINIKUBE=true to use minikube instead)
+# Configure e2e/.env with Command instance credentials before running
+.PHONY: test-e2e
+test-e2e: ## Run e2e tests against a Kubernetes cluster
 	cd e2e && source .env && ./run_tests.sh
 
 .PHONY: lint

cluster-issuer.yaml

@@ -0,0 +1,12 @@
+apiVersion: command-issuer.keyfactor.com/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: cluster-issuer
+spec:
+  apiPath: Keyfactor/API
+  caSecretName: ca-trust-secret
+  certificateAuthorityHostname: ''
+  certificateAuthorityLogicalName: Sub-CA
+  certificateTemplate: Server_tlsServerAuth-1y
+  commandSecretName: auth-secret
+  hostname: matthew-irby-1.kftestlab.com

cmd/main.go

@@ -196,43 +196,51 @@
 		os.Exit(1)
 	}
 
-	if defaultHealthCheckInterval < time.Duration(30) * time.Second {
+	if defaultHealthCheckInterval < time.Duration(30)*time.Second {
 		setupLog.Error(errors.New(fmt.Sprintf("interval %s is invalid, must be greater than or equal to '30s'", healthCheckInterval)), "invalid health check interval")
 		os.Exit(1)
 	}
 
+	// Create a shared client cache to avoid re-authenticating (fetching new OAuth tokens)
+	// for every certificate request. Clients are cached by configuration hash.
+	clientCache := command.NewClientCache()
+	setupLog.Info("initialized Command client cache for OAuth token reuse")
+
 	if err = (&controller.IssuerReconciler{
-		Client:                            mgr.GetClient(),
-		Kind:                              "Issuer",
-		ClusterResourceNamespace:          clusterResourceNamespace,
-		SecretAccessGrantedAtClusterLevel: secretAccessGrantedAtClusterLevel,
-		Scheme:                            mgr.GetScheme(),
-		HealthCheckerBuilder:              command.NewHealthChecker,
-		DefaultHealthCheckInterval:        defaultHealthCheckInterval,
+		Client:                              mgr.GetClient(),
+		Kind:                                "Issuer",
+		ClusterResourceNamespace:            clusterResourceNamespace,
+		SecretAccessGrantedAtClusterLevel:   secretAccessGrantedAtClusterLevel,
+		ConfigMapAccessGrantedAtClusterLevel: configmapAccessGrantedAtClusterLevel,
+		Scheme:                              mgr.GetScheme(),
+		HealthCheckerBuilder:                clientCache.GetOrCreateHealthChecker,
+		DefaultHealthCheckInterval:          defaultHealthCheckInterval,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Issuer")
 		os.Exit(1)
 	}
 	if err = (&controller.IssuerReconciler{
-		Client:                            mgr.GetClient(),
-		Scheme:                            mgr.GetScheme(),
-		Kind:                              "ClusterIssuer",
-		ClusterResourceNamespace:          clusterResourceNamespace,
-		SecretAccessGrantedAtClusterLevel: secretAccessGrantedAtClusterLevel,
-		HealthCheckerBuilder:              command.NewHealthChecker,
-		DefaultHealthCheckInterval:        defaultHealthCheckInterval,
+		Client:                              mgr.GetClient(),
+		Scheme:                              mgr.GetScheme(),
+		Kind:                                "ClusterIssuer",
+		ClusterResourceNamespace:            clusterResourceNamespace,
+		SecretAccessGrantedAtClusterLevel:   secretAccessGrantedAtClusterLevel,
+		ConfigMapAccessGrantedAtClusterLevel: configmapAccessGrantedAtClusterLevel,
+		HealthCheckerBuilder:                clientCache.GetOrCreateHealthChecker,
+		DefaultHealthCheckInterval:          defaultHealthCheckInterval,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterIssuer")
 		os.Exit(1)
 	}
 	if err = (&controller.CertificateRequestReconciler{
-		Client:                            mgr.GetClient(),
-		Scheme:                            mgr.GetScheme(),
-		ClusterResourceNamespace:          clusterResourceNamespace,
-		SignerBuilder:                     command.NewSignerBuilder,
-		CheckApprovedCondition:            !disableApprovedCheck,
-		SecretAccessGrantedAtClusterLevel: secretAccessGrantedAtClusterLevel,
-		Clock:                             clock.RealClock{},
+		Client:                              mgr.GetClient(),
+		Scheme:                              mgr.GetScheme(),
+		ClusterResourceNamespace:            clusterResourceNamespace,
+		SignerBuilder:                       clientCache.GetOrCreateSigner,
+		CheckApprovedCondition:              !disableApprovedCheck,
+		SecretAccessGrantedAtClusterLevel:   secretAccessGrantedAtClusterLevel,
+		ConfigMapAccessGrantedAtClusterLevel: configmapAccessGrantedAtClusterLevel,
+		Clock:                               clock.RealClock{},
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CertificateRequest")
 		os.Exit(1)

e2e/.gitignore

@@ -1,2 +1,3 @@
+.env
 certs/*
 !**/.gitkeep

e2e/README.md

@@ -13,19 +13,30 @@ The test suite does the following:
 This is currently configured as a Bash script, so it is necessary to run this on a UNIX-compatible machine.
 
 ## Requirements
-- An available Command instance is running and configured as described in the [root README](../README.md#configuring-command)
-    - OAuth is used to communicate with Command
+
+**Local tools:**
 - Docker (>= 28.2.2)
-- Minikube (>= v1.35.0)
 - kubectl (>= v1.32.2)
 - helm (>= v3.17.1)
 - cmctl (>= v2.1.1)
+- Minikube (>= v1.35.0) - only required if using `USE_MINIKUBE=true`
+
+**Kubernetes cluster:**
+- By default, tests run against your current kubeconfig context
+- Set `USE_MINIKUBE=true` to use minikube instead
+
+**Command instance:**
+- An available Command instance configured as described in the [root README](../README.md#configuring-command)
+- OAuth credentials for API access
+- An enrollment pattern (default: "Default Pattern") with CSR Enrollment enabled
+- A security role (default: "InstanceOwner") with Enrollment permissions
 
 On the Command side:
 - An enrollment pattern is created called "Test Enrollment Pattern" that is has CSR Enrollment, CSR Generation, and PFX Enrollment enabled
 - A security role by the name of "InstanceOwner" exists and has the ability to perform Enrollment
 
 ## Configuring the environment variables
+
 command-cert-manager-issuer interacts with an external Command instance. An environment variable file `.env` can be used to store the environment variables to be used to talk to the Command instance.
 
 A `.env.example` file is available as a template for your environment variables.
@@ -35,24 +46,86 @@ A `.env.example` file is available as a template for your environment variables.
 cp .env.example .env
 ```
 
-Modify the fields as needed.
+### Required variables
+
+| Variable | Description |
+|----------|-------------|
+| `HOSTNAME` | Command instance hostname |
+| `API_PATH` | API path (default: `KeyfactorAPI`) |
+| `OAUTH_TOKEN_URL` | OAuth token endpoint URL |
+| `OAUTH_CLIENT_ID` | OAuth client ID |
+| `OAUTH_CLIENT_SECRET` | OAuth client secret |
+| `CERTIFICATE_TEMPLATE` | Certificate template short name |
+| `CERTIFICATE_AUTHORITY_LOGICAL_NAME` | CA logical name in Command |
+
+### Optional variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `IMAGE_TAG` | Docker image version to test | `2.5.0` |
+| `HELM_CHART_VERSION` | Helm chart version | `2.5.0` |
+| `E2E_ENROLLMENT_PATTERN_NAME` | Enrollment pattern name | `Default Pattern` |
+| `E2E_OWNER_ROLE_NAME` | Owner role name | `InstanceOwner` |
+| `DISABLE_CA_CHECK` | Skip TLS CA verification | `false` |
+| `USE_MINIKUBE` | Use minikube instead of current kubeconfig | `false` |
+| `IMAGE_REGISTRY` | Registry to push local builds (when `IMAGE_TAG=local`) | - |
 
 ## Configuring the trusted certificate store
+
 The issuer created in the end-to-end tests can leverage the `caSecretName` specification to determine a collection of CAs to trust in order to establish a trusted connection with the remote Keyfactor Command instance. The certificates defined in this secret will be pulled from the `certs` folder in this directory.
 
-Please place the CA certificates for the Keyfactor Command instance you'd like to connect to (the intermediate and/or root CAs) under `certs` directory.
+Place the CA certificates for the Keyfactor Command instance you'd like to connect to (the intermediate and/or root CAs) under `certs` directory.
 
 > NOTE: This check can be disabled by setting the env variable `DISABLE_CA_CHECK=true`.
 
-## Running the script
+## Running the tests
+
+### Using current kubeconfig context (default)
+
+```bash
+# Configure your .env file first
+source .env
+
+# Run the tests
+./run_tests.sh
+```
+
+Or from the project root:
+```bash
+make test-e2e
+```
+
+### Using minikube
 
 ```bash
-# enable the script to be executed
-chmod +x ./run_tests.sh
+export USE_MINIKUBE=true
+source .env
+./run_tests.sh
+```
 
-# load the environment variables
+### Testing a specific version
+
+```bash
+export IMAGE_TAG="2.4.0"
+export HELM_CHART_VERSION="2.4.0"
 source .env
+./run_tests.sh
+```
 
-# run the end-to-end tests
+### Testing local changes
+
+```bash
+# With minikube (image built directly into minikube's docker)
+export IMAGE_TAG="local"
+export HELM_CHART_VERSION="local"
+export USE_MINIKUBE=true
+source .env
 ./run_tests.sh
-```
+
+# With a remote cluster (requires pushing to a registry)
+export IMAGE_TAG="local"
+export HELM_CHART_VERSION="local"
+export IMAGE_REGISTRY="your-registry.com/your-repo"
+source .env
+./run_tests.sh
+```

e2e/run_tests.sh

@@ -36,15 +36,17 @@
 ## ===========================================================================
 
 
-IMAGE_REPO="keyfactor"
-IMAGE_NAME="command-cert-manager-issuer"
-# IMAGE_TAG="2.2.0-rc.9" # Uncomment if you want to use an existing image from the repository
-IMAGE_TAG="local" # Uncomment if you want to build the image locally
+# Image configuration - can be overridden via environment variables
+# Set IMAGE_TAG=local to build locally, or use a published version (default: local)
+IMAGE_REPO="${IMAGE_REPO:-keyfactor}"
+IMAGE_NAME="${IMAGE_NAME:-command-cert-manager-issuer}"
+IMAGE_TAG="${IMAGE_TAG:-local}"
 FULL_IMAGE_NAME="${IMAGE_REPO}/${IMAGE_NAME}:${IMAGE_TAG}"
 
+# Helm chart configuration - can be overridden via environment variables
+# Set HELM_CHART_VERSION=local to use the local chart, or use a published version (default: local)
 HELM_CHART_NAME="command-cert-manager-issuer"
-# HELM_CHART_VERSION="2.1.0" # Uncomment if you want to use a specific version from the Helm repository
-HELM_CHART_VERSION="local" # Uncomment if you want to use the local Helm chart
+HELM_CHART_VERSION="${HELM_CHART_VERSION:-local}"
 
 IS_LOCAL_DEPLOYMENT=$([ "$IMAGE_TAG" = "local" ] && echo "true" || echo "false")
 IS_LOCAL_HELM=$([ "$HELM_CHART_VERSION" = "local" ] && echo "true" || echo "false")
@@ -58,11 +60,11 @@ ISSUER_CR_NAME="issuer"
 ISSUER_CRD_FQTN="issuers.command-issuer.keyfactor.com"
 CLUSTER_ISSUER_CRD_FQTN="clusterissuers.command-issuer.keyfactor.com"
 
-ENROLLMENT_PATTERN_ID=1
-ENROLLMENT_PATTERN_NAME="Test Enrollment Pattern"
+ENROLLMENT_PATTERN_ID=${E2E_ENROLLMENT_PATTERN_ID:-1}
+ENROLLMENT_PATTERN_NAME="${E2E_ENROLLMENT_PATTERN_NAME:-Default Pattern}"
 
-OWNER_ROLE_ID=2
-OWNER_ROLE_NAME="InstanceOwner"
+OWNER_ROLE_ID=${E2E_OWNER_ROLE_ID:-2}
+OWNER_ROLE_NAME="${E2E_OWNER_ROLE_NAME:-InstanceOwner}"
 
 CHART_PATH="./deploy/charts/command-cert-manager-issuer"
 
@@ -854,18 +856,20 @@ cd ..
 echo "⚙️ Local image deployment: ${IS_LOCAL_DEPLOYMENT}"
 echo "⚙️ Local Helm chart: ${IS_LOCAL_HELM}"
 
-if ! minikube status &> /dev/null; then
-    echo "Error: Minikube is not running. Please start it with 'minikube start'"
-    exit 1
+# Use existing kubeconfig context (set USE_MINIKUBE=true to use minikube)
+if [ "${USE_MINIKUBE:-false}" = "true" ]; then
+    if ! minikube status &> /dev/null; then
+        echo "Error: Minikube is not running. Please start it with 'minikube start'"
+        exit 1
+    fi
+    kubectl config use-context minikube
+    echo "📡 Connecting to Minikube Docker environment..."
+    eval $(minikube docker-env)
+else
+    echo "📡 Using current kubeconfig context..."
 fi
-
-kubectl config use-context minikube
 echo "Connected to Kubernetes context: $(kubectl config current-context)..."
-
-# 1. Connect to minikube Docker env
-echo "📡 Connecting to Minikube Docker environment..."
-eval $(minikube docker-env)
-echo "🚀 Starting deployment to Minikube..."
+echo "🚀 Starting deployment..."
 
 # 2. Deploy cert-manager Helm chart if not exists
 echo "🔐 Checking for cert-manager installation..."
@@ -883,11 +887,25 @@ kubectl create namespace ${MANAGER_NAMESPACE} --dry-run=client -o yaml | kubectl
 
 # 4. Build the command-cert-manager-issuer Docker image
 # This step is only needed if the image tag is "local"
-if "$IS_LOCAL_DEPLOYMENT" = "true"; then
+if [ "$IS_LOCAL_DEPLOYMENT" = "true" ]; then
+    if [ "${USE_MINIKUBE:-false}" != "true" ]; then
+        echo "⚠️  WARNING: Local deployment without minikube requires pushing the image to a registry."
+        echo "⚠️  Set IMAGE_REGISTRY env var to push, or use a published IMAGE_TAG instead."
+    fi
     echo "🐳 Building ${FULL_IMAGE_NAME} Docker image..."
     docker build -t ${FULL_IMAGE_NAME} .
     echo "✅ Docker image built successfully"
 
+    # If IMAGE_REGISTRY is set, push the image
+    if [ -n "${IMAGE_REGISTRY:-}" ]; then
+        REMOTE_IMAGE="${IMAGE_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+        echo "📤 Tagging and pushing image to ${REMOTE_IMAGE}..."
+        docker tag ${FULL_IMAGE_NAME} ${REMOTE_IMAGE}
+        docker push ${REMOTE_IMAGE}
+        FULL_IMAGE_NAME="${REMOTE_IMAGE}"
+        echo "✅ Image pushed successfully"
+    fi
+
     echo "📦 Listing Docker images..."
     docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.CreatedAt}}\t{{.Size}}" | head -5
 fi

go.mod

@@ -1,11 +1,9 @@
 module github.com/Keyfactor/command-cert-manager-issuer
 
-go 1.24
-
-toolchain go1.24.0
+go 1.24.0
 
 require (
-	github.com/Keyfactor/keyfactor-auth-client-go v1.3.0
+	github.com/Keyfactor/keyfactor-auth-client-go v1.3.1
 	github.com/Keyfactor/keyfactor-go-client-sdk/v25 v25.0.2
 	github.com/cert-manager/cert-manager v1.16.2
 	github.com/go-logr/logr v1.4.2

go.sum

@@ -22,8 +22,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJ
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/Keyfactor/keyfactor-auth-client-go v1.3.0 h1:otC213b6CYzqeN9b3CRlH1Qj1hTFIN5nqPA8gTlHdLg=
-github.com/Keyfactor/keyfactor-auth-client-go v1.3.0/go.mod h1:97vCisBNkdCK0l2TuvOSdjlpvQa4+GHsMut1UTyv1jo=
+github.com/Keyfactor/keyfactor-auth-client-go v1.3.1 h1:G45WsqH5CqMYSAcNHa7tm9fhvKHsc1BaFQS1X1eCfs4=
+github.com/Keyfactor/keyfactor-auth-client-go v1.3.1/go.mod h1:97vCisBNkdCK0l2TuvOSdjlpvQa4+GHsMut1UTyv1jo=
 github.com/Keyfactor/keyfactor-go-client-sdk/v25 v25.0.2 h1:7VsZOYgMHAO2a1eeyVgDKel9TJXXYRQpd1EvSvp8lKA=
 github.com/Keyfactor/keyfactor-go-client-sdk/v25 v25.0.2/go.mod h1:VnVW8x+pChhnOWBR1PNYPeCQQjlWIK1bwHI8i8j7UPI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=