{"id":22220867,"url":"https://github.com/nokia/adcs-issuer","last_synced_at":"2025-07-27T16:30:32.976Z","repository":{"id":46599958,"uuid":"229279083","full_name":"nokia/adcs-issuer","owner":"nokia","description":null,"archived":false,"fork":false,"pushed_at":"2022-11-07T11:47:51.000Z","size":1032,"stargazers_count":40,"open_issues_count":5,"forks_count":40,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-06-19T00:35:02.282Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nokia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-20T14:25:04.000Z","updated_at":"2024-06-19T00:35:02.282Z","dependencies_parsed_at":"2022-08-28T07:42:38.742Z","dependency_job_id":null,"html_url":"https://github.com/nokia/adcs-issuer","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nokia%2Fadcs-issuer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nokia%2Fadcs-issuer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nokia%2Fadcs-issuer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nokia%2Fadcs-issuer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nokia","download_url":"https://codeload.github.com/nokia/adcs-issuer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227817162,"owners_count":17824199,"icon_url":"https://githu
b.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-02T23:10:41.615Z","updated_at":"2024-12-02T23:10:42.235Z","avatar_url":"https://github.com/nokia.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ADCS Issuer\n\nSorry, but this project is no longer maintained. We do not address any issues or PRs opened.\n\nADCS Issuer is a [cert-manager](https://github.com/jetstack/cert-manager) CertificateRequest controller that uses MS Active Directory Certificate Services to sign certificates\n(see [this design document](https://github.com/jetstack/cert-manager/blob/master/design/20190708.certificate-request-crd.md) for details on the CertificateRequest CRD).\n\nADCS provides an HTTP GUI that is normally used to request new certificates or check the status of existing requests. 
This implementation is simply an HTTP client that interacts with the\nADCS server, sending appropriately prepared HTTP requests and interpreting the server's HTTP responses (an approach inspired by [this Python ADCS client](https://github.com/magnuswatn/certsrv)).\nIt supports NTLM authentication.\n\n## Description\n\n### Requirements\nADCS Issuer has been tested with cert-manager v0.11.0 and currently supports the CertificateRequest CRD API version v1alpha2 only.\n\n## Configuration and usage\n\n### Issuers\nThe ADCS service data can be configured in `AdcsIssuer` or `ClusterAdcsIssuer` CRD objects, e.g.:\n```\napiVersion: adcs.certmanager.csf.nokia.com/v1\nkind: AdcsIssuer\nmetadata:\n  name: test-adcs\n  namespace: \u003cnamespace\u003e\nspec:\n  caBundle: \u003cbase64-encoded-ca-certificate\u003e\n  credentialsRef:\n    name: test-adcs-issuer-credentials\n  statusCheckInterval: 6h\n  retryInterval: 1h\n  url: \u003cadcs-certice-url\u003e\n```\n\nThe `caBundle` parameter is the BASE64-encoded CA certificate used by the ADCS server itself, which may not be the same certificate that will be used to sign your request.\n\nThe `statusCheckInterval` indicates how often the status of the request should be checked. Typically, it can take a few hours or even days before the certificate is issued.\n\nThe `retryInterval` says how long to wait before retrying requests that errored.\n\nThe `credentialsRef.name` is the name of a secret that stores the user credentials used for NTLM authentication. 
The secret must be `Opaque` and contain `password` and `username` fields only, e.g.:\n```\napiVersion: v1\ndata:\n  password: cGFzc3dvcmQ=\n  username: dXNlcm5hbWU=\nkind: Secret\nmetadata:\n  name: test-adcs-issuer-credentials\n  namespace: \u003cnamespace\u003e\ntype: Opaque\n```\nIf a cluster-level issuer configuration is needed, a `ClusterAdcsIssuer` can be defined like this:\n```\napiVersion: adcs.certmanager.csf.nokia.com/v1\nkind: ClusterAdcsIssuer\nmetadata:\n  name: test-adcs\nspec:\n  caBundle: \u003cbase64-encoded-ca-certificate\u003e\n  credentialsRef:\n    name: test-adcs-issuer-credentials\n  statusCheckInterval: 6h\n  retryInterval: 1h\n  url: \u003cadcs-certice-url\u003e\n```\nThe secret used by the `ClusterAdcsIssuer` must be defined in the namespace where the controller's pod is running.\n\n### Requesting certificates\n\nTo request a certificate with `AdcsIssuer`, the standard `certificate.cert-manager.io` object needs to be created. The `issuerRef` must be set to point to an `AdcsIssuer` or `ClusterAdcsIssuer` object\nfrom group `adcs.certmanager.csf.nokia.com`, e.g.:\n```\napiVersion: cert-manager.io/v1alpha2\nkind: Certificate\nmetadata:\n  name: adcs-cert\n  namespace: \u003cnamespace\u003e\nspec:\n  commonName: example.com\n  dnsNames:\n  - service1.example.com\n  - service2.example.com\n  issuerRef:\n    group: adcs.certmanager.csf.nokia.com\n    kind: AdcsIssuer\n    name: test-adcs\n  organization:\n  - Your organization\n  secretName: adcs-cert\n```\nCert-manager is responsible for creating the `Secret` with a key and the `CertificateRequest` with proper CSR data.\n\n\nADCS Issuer creates an `AdcsRequest` CRD object that keeps the actual state of the processing. 
Its name is always the same as the corresponding `CertificateRequest` object (there is a strict one-to-one mapping).\nThe `AdcsRequest` object stores the ID of the request assigned by the ADCS server as well as the current status, which can be one of:\n* **Pending** - the request has been sent to ADCS and is waiting for acceptance (status will be checked periodically),\n* **Ready** - the request has been successfully processed and the certificate is ready and stored in the secret defined in the original `Certificate` object,\n* **Rejected** - the request was rejected by ADCS and will be re-tried unless the `Certificate` is updated,\n* **Errored** - an unrecoverable problem occurred.\n\n```\napiVersion: adcs.certmanager.csf.nokia.com/v1\nkind: AdcsRequest\nmetadata:\n  name: adcs-cert-3831834799\n  namespace: c1\n  ownerReferences:\n  - apiVersion: cert-manager.io/v1alpha2\n    blockOwnerDeletion: true\n    controller: true\n    kind: CertificateRequest\n    name: adcs-cert-3831834799\n    uid: f5cf630d-f4cf-11e9-95eb-fa163e038ef8\n  uid: f5d22b47-f4cf-11e9-95eb-fa163e038ef8\nspec:\n  csr: \u003cbase64-encoded-csr\u003e\n  issuerRef:\n    group: adcs.certmanager.csf.nokia.com\n    kind: AdcsIssuer\n    name: test-adcs\nstatus:\n  id: \"18\"\n  state: ready\n```\n\n#### Auto-request certificate from ingress\nAdd the following to an `Ingress` for cert-manager to auto-generate a\n`Certificate` using `Ingress` information with ingress-shim\n```\nmetadata:\n  name: test-ingress\n  annotations:\n    cert-manager.io/issuer: \"adcs-issuer\" # use the specific name of the issuer\n    cert-manager.io/issuer-kind: \"AdcsIssuer\" # or ClusterAdcsIssuer\n    cert-manager.io/issuer-group: \"adcs.certmanager.csf.nokia.com\"\n```\nin addition to\n```\nspec:\n  tls:\n    - hosts:\n        - test-host.com\n      secretName: ingress-secret # secret cert-manager stores the certificate in\n```\n\n## Installation\n\nThis controller is implemented using 
[kubebuilder](https://github.com/kubernetes-sigs/kubebuilder). The automatically generated Makefile contains the targets needed for build and installation.\nGenerated CRD manifests are stored in `config/crd`. RBAC roles and bindings can be found in `config/rbac`. There's also a Make target to build the controller's Docker image and\nstore it in the local Docker repository (Docker must be installed).\n\n\n### Disable Approval Check\n\nThe ADCS Issuer will wait for CertificateRequests to have an [approved condition\nset](https://cert-manager.io/docs/concepts/certificaterequest/#approval) before\nsigning. If using an older version of cert-manager (pre v1.3), you can disable\nthis check by supplying the command line flag `-enable-approved-check=false` to\nthe Issuer Deployment.\n\n## Testing considerations\n\n### ADCS Simulator\nThe `test/adcs-sim` directory contains a simple ADCS simulator that can be used for basic tests (run `make sim-install` to build it and install it in the `/usr/local` directory tree). The simulator can be started on the host and act as an ADCS server that signs certificates using the provided self-signed certificate and key (`root.pem` and `root.key` files). If needed, the certificate can be replaced with any other available one.\n\nThe simulator accepts directives to control its behavior. The directives are set as additional domain names in the certificate request:\n* **delay.\u003ctime\u003e.sim** where \u003ctime\u003e is e.g. 10m, 15h etc. - the certificate will be issued after the specified time\n* **reject.sim** - the certificate will be rejected\n* **unauthorized.sim** - the certificate request will be rejected because of authorization problems (to simulate invalid user permissions)\n\nMore than one directive can be used at a time, e.g. to simulate rejecting the certificate after 10 minutes add the following domain names:\n\n```\n- delay.10m.sim\n- reject.sim\n```\n\n## Open issues\n\n* Cert-manager limits the identity of the requestor to Organization and CommonName. 
Full X509 Distinguished Name support is needed. See: [Full X509 Distinguished Name support](https://github.com/jetstack/cert-manager/issues/2288)\n* When a request is rejected by ADCS because of invalid data, there is a problem indicating in the `CertificateRequest` that it should not be re-tried. See: [Problem with automatic retry of failed requests](https://github.com/jetstack/cert-manager/issues/2289)\n\n## ToDos\n\n* Webhook\n* Helm chart\n* ...\n\n## License\n\nThis project is licensed under the BSD-3-Clause license - see the [LICENSE](https://github.com/nokia/adcs-issuer/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnokia%2Fadcs-issuer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnokia%2Fadcs-issuer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnokia%2Fadcs-issuer/lists"}