Keyfactor · indrora · Apr 1, 2026 · Sep 25, 2025 · Sep 26, 2025 · Feb 10, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -28,9 +28,16 @@ jobs:
       # Run Go linters
       # https://github.com/golangci/golangci-lint-action
       - name: Run linters
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
-          version: v1.64.5
+          version: v2.4.0
+
+      - name: Regenerate CRDs
+        run: make generate manifests
+      - name: Check for CRD drift
+        run: |
+          git diff --compact-summary --exit-code || \
+            (echo; echo "Unexpected difference in directories after code generation. Run 'make generate manifests' and commit."; exit 1)
 
   test:
     name: Go Test

diff --git a/.golangci.yml b/.golangci.yml
@@ -1,31 +1,47 @@
-run:
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
-  timeout: 12m
-
-issues:
-  exclude-dirs:
-    - testdata$
-    - test/mock
-  exclude-files:
-    - ".*\\.pb\\.go"
-
+version: "2"
 linters:
   enable:
     - bodyclose
     - durationcheck
     - errorlint
-    - goimports
-    - revive
+    - gocritic
     - gosec
     - misspell
     - nakedret
+    - nolintlint
+    - revive
     - unconvert
     - unparam
     - whitespace
-    - gocritic
-    - nolintlint
-
-linters-settings:
-  revive:
-    # minimal confidence for issues, default is 0.8
-    confidence: 0.0
+  settings:
+    revive:
+      confidence: 0
+      rules:
+        - name: var-naming
+          disabled: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - .*\.pb\.go
+      - testdata$
+      - test/mock
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - .*\.pb\.go
+      - testdata$
+      - test/mock
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,13 @@
+# v2.2.0
+## Features:
+- Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the caBundleConfigMapName specification.
+- Add support for specifying a key on a Secret / ConfigMap resource for the CA trust bundle via the `caBundleKey` specification on an Issuer / ClusterIssuer resource.
+- On EJBCA 9.3.3 and above, if the certificate profile has "Allow Validity Override" enabled, the certificate's "Not After" will be set according to the `duration` property of the Certificate resource, otherwise it will be set according to the default validity configured in EJBCA for the relevant CA. 
+## Chores:
+- Update README links with updated EJBCA links
+- Update dependencies
+
+
 # v2.1.3
 ## Chores:
 - Build Docker image from Go 1.24 instead of 1.24.6

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -5,8 +5,8 @@ For information on how to contribute to EJBCA and related tools, see [EJBCA Cont
 # EJBCA Cert Manager Issuer Contribution Guide
 
 ## Requirements
-- Go (>= 1.24)
-- golangci-lint (v1.64.5) ([installation notes](https://github.com/golangci/golangci-lint?tab=readme-ov-file#install-golangci-lint))
+- Go (>= 1.25)
+- golangci-lint (>= 2.4.0) ([installation notes](https://github.com/golangci/golangci-lint?tab=readme-ov-file#install-golangci-lint))
 
 ## Installing dependencies
 Project dependencies can be installed by running the following:
@@ -28,6 +28,13 @@ The following command can be run to run the project unit tests:
 go test -v ./...
 ```
 
+## Running linters
+The project uses golangci-lint to lint the codebase. The following command can be run to run the linters:
+
+```bash
+golangci-lint run
+```
+
 ## Running end-to-end tests
 A comprehensive end-to-end test suite is available to verify the issuer code works against cert-manager and an EJBCA instance.
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-ARG GOIMAGE=golang:1.24
+ARG GOIMAGE=golang:1.25
 ARG BASEIMAGE=gcr.io/distroless/static:nonroot
 ARG TARGETOS
 ARG TARGETARCH

diff --git a/Makefile b/Makefile
@@ -50,6 +50,7 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	mv config/rbac/role.yaml config/rbac/manager_clusterrole.yaml
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -64,13 +65,16 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 .PHONY: test
-test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out
+test: ## Run unit tests.
+	go test -v ./...
+
+.PHONY: check
+check: manifests generate fmt vet envtest test ## Run full project checks (lint, manifests, generate, tests)
 
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
 .PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
 test-e2e:
-	go test ./test/e2e/ -v -ginkgo.v
+	cd test/e2e && . .env && ./run_tests.sh
 
 .PHONY: lint
 lint: golangci-lint ## Run golangci-lint linter & yamllint
@@ -95,7 +99,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 # More info: https://docs.docker.com/develop/develop-images/build_enhancements/
 .PHONY: docker-build
 docker-build: ## Build docker image with the manager.
-	$(CONTAINER_TOOL) build -t ${IMG} . --build-arg="GOIMAGE=golang:1.24.6" 
+	$(CONTAINER_TOOL) build -t ${IMG} . --build-arg="GOIMAGE=golang:1.25.6" 
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
@@ -167,9 +171,9 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.3.0
-CONTROLLER_TOOLS_VERSION ?= v0.15.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.3
 ENVTEST_VERSION ?= latest
-GOLANGCI_LINT_VERSION ?= v1.64.5
+GOLANGCI_LINT_VERSION ?= v2.4.0
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -189,7 +193,12 @@ $(ENVTEST): $(LOCALBIN)
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
+	@[ -f $(GOLANGCI_LINT) ] || { \
+	set -e; \
+	echo "Downloading golangci-lint $(GOLANGCI_LINT_VERSION)" ;\
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(LOCALBIN) $(GOLANGCI_LINT_VERSION) ;\
+	mv $(LOCALBIN)/golangci-lint $(GOLANGCI_LINT) ;\
+	}
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)