command-cert-manager-issuer 2.6.0: Optional CA, Updated Default Healthcheck Interval, Updated Service Account Token Lifecycle #70

Open
irby wants to merge 14 commits into release-2.6 from feat/AB#85390/enrollment-pattern-ca-optional

command-cert-manager-issuer 2.6.0: Optional CA, Updated Default Healthcheck Interval, Updated Service Account Token Lifecycle#70
irby wants to merge 14 commits into
release-2.6from
feat/AB#85390/enrollment-pattern-ca-optional

Conversation

@irby (Contributor) commented May 26, 2026

v2.6.0

Features

  • Allow certificateAuthorityLogicalName to be optional when using an enrollment pattern.
  • The default healthcheck interval has been bumped from 1 minute to 10 minutes.

Security

  • The Helm chart now defaults serviceAccount.automountServiceAccountToken to false,
    replacing the long-lived auto-mounted token with a short-lived projected token (~1 hour, automatically rotated by kubelet). The token is still mounted at the standard path /var/run/secrets/kubernetes.io/serviceaccount so no application changes are required.
  • Go version has been bumped from 1.24 to 1.26.2+ to fix CVE-2026-27143 (affects Go compiler versions below 1.25.9, and 1.26.0-1.26.1).

Important

Upgrade Notes

  • Rolling restart: Upgrading from v2.5.x will patch the ServiceAccount and update the Deployment spec, triggering an automatic rolling restart. Plan accordingly if downtime is a concern in your environment.
  • Bring-your-own ServiceAccount: If you set serviceAccount.create: false and manage your own ServiceAccount, you must either set automountServiceAccountToken: true in your values.yaml to preserve the previous behavior, or manually add automountServiceAccountToken: false and the projected volume to your ServiceAccount and Deployment manifests.
  • To restore the previous behavior explicitly, set in your values.yaml:

```yaml
serviceAccount:
  automountServiceAccountToken: true
```
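The bring-your-own ServiceAccount note above tells operators to add `automountServiceAccountToken: false` and a projected volume by hand but does not show the resulting manifests. The following is an added illustration written for this page, not the chart's templates or any file from this PR: the pre-2.6 default (token automount left to kubelet, no volume declared) beside the explicit short-lived projected token that the 2.6.0 defaults describe. The namespace, resource and volume names, the image reference and the 3600-second lifetime are assumptions chosen for the example; the only value taken from the page is the mount path `/var/run/secrets/kubernetes.io/serviceaccount`.

```yaml
# Added example: hand-written manifests for the "bring-your-own ServiceAccount"
# case. Not the chart's templates; namespace, names, image and the 3600 s token
# lifetime are assumptions chosen for illustration.

# ---------- Before: the pre-2.6 chart default ----------
# automountServiceAccountToken is left unset (true), so kubelet injects its own
# kube-api-access-* volume; the Deployment declares no token volume at all.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: command-cert-manager-issuer
  namespace: command-issuer-system
---
# ---------- After: what the 2.6.0 chart defaults produce ----------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: command-cert-manager-issuer
  namespace: command-issuer-system
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: command-cert-manager-issuer
  namespace: command-issuer-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: command-cert-manager-issuer
  template:
    metadata:
      labels:
        app.kubernetes.io/name: command-cert-manager-issuer
    spec:
      serviceAccountName: command-cert-manager-issuer
      # The pod-level field overrides the ServiceAccount's; set both so the
      # result does not depend on which object was applied last.
      automountServiceAccountToken: false
      containers:
        - name: manager
          image: example.invalid/command-cert-manager-issuer:2.6.0  # assumed reference
          volumeMounts:
            # Same path kubelet would have used, so client-go's in-cluster
            # config keeps working without any application change.
            - name: kube-api-access
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        - name: kube-api-access
          projected:
            sources:
              # Bound token: tied to this pod, expires after expirationSeconds
              # (minimum 600), refreshed in place by kubelet before it expires.
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
              # The automatic mount also provides ca.crt and namespace; an
              # in-cluster API client needs both, so project them explicitly.
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
```

Two checks worth doing after applying this. First, confirm what is actually mounted: `kubectl exec deploy/command-cert-manager-issuer -- cat /var/run/secrets/kubernetes.io/serviceaccount/token` and base64url-decode the middle segment; a projected token carries `exp`, `iat` and a `kubernetes.io` claim naming the pod, whereas a legacy Secret-backed token has no `exp` claim at all. Second, confirm `ca.crt` and `namespace` are present in the same directory, since a projected volume that supplies only the token breaks in-cluster client bootstrap. One caveat on the wording of the note: on clusters with bound service account token volumes (GA since Kubernetes 1.22), kubelet's automatic `kube-api-access-*` volume is already a projected token with a roughly one-hour lifetime, so there the change pins the lifetime and sources in the chart rather than replacing a long-lived token; the long-lived Secret-backed token is what older clusters without bound token volumes would have mounted. kubelet rewrites the token file once it is older than 80% of its TTL (or 24 hours), and client-go re-reads it, so no restart is needed for rotation.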

svenska-primekey and others added 11 commits May 19, 2026 15:59
Signed-off-by: Matthew H. Irby <matt.irby@keyfactor.com>
…en using enrollment patterns

Copilot AI review requested due to automatic review settings May 26, 2026 19:26

Copilot AI left a comment

Pull request overview

This PR prepares the command-cert-manager-issuer v2.6.0 release by updating issuer behavior (optional CA with enrollment patterns), changing default healthcheck timing, improving Helm chart ServiceAccount token handling, and bumping the Go toolchain version for security.

Changes:

  • Make certificateAuthorityLogicalName optional when using an enrollment pattern (with updated validation, docs, and e2e coverage).
  • Increase the default issuer healthcheck interval from 1 minute to 10 minutes (code, CRDs, Helm docs, tests).
  • Update Helm defaults to disable ServiceAccount token automount and mount a short-lived projected token at the standard ServiceAccount path.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| README.md | Updates API endpoint links, installation/docs text, and adds healthcheck documentation; documents optional CA behavior. |
| docsource/content.md | Mirrors README documentation updates for generated docs. |
| CHANGELOG.md | Adds v2.6.0 changelog entry with features/security/upgrade notes. |
| api/v1alpha1/issuer_types.go | Marks certificateAuthorityLogicalName as optional and updates healthcheck interval docs. |
| internal/command/command.go | Updates signer config validation; improves enrollment failure hints; adds helpers for CA/pattern presence. |
| internal/command/command_test.go | Updates validation tests and adds coverage for new enrollment error message hints. |
| internal/controller/issuer_controller_test.go | Updates reconcile tests to expect the new default 10-minute requeue interval. |
| cmd/main.go | Changes the default --default-health-check-interval to 10m. |
| config/crd/bases/command-issuer.keyfactor.com_issuers.yaml | Updates CRD schema descriptions for optional CA and 10-minute default healthcheck interval. |
| config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml | Updates CRD schema descriptions for optional CA and 10-minute default healthcheck interval. |
| deploy/charts/command-cert-manager-issuer/values.yaml | Adds ServiceAccount token automount toggle and projected token volume settings (defaults). |
| deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml | Applies automountServiceAccountToken setting to the ServiceAccount resource. |
| deploy/charts/command-cert-manager-issuer/templates/deployment.yaml | Adds projected token volume + mount at /var/run/secrets/kubernetes.io/serviceaccount when automount is disabled. |
| deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml | Updates Helm-rendered CRD docs for optional CA and 10-minute default healthcheck interval. |
| deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml | Updates Helm-rendered CRD docs for optional CA and 10-minute default healthcheck interval. |
| deploy/charts/command-cert-manager-issuer/README.md | Updates chart docs for the new default healthcheck interval. |
| e2e/run_tests.sh | Adds e2e test coverage for "CA optional when enrollment pattern is used". |
| go.mod | Bumps Go language/toolchain version reference to 1.26.2. |
| Dockerfile | Updates builder image to Go 1.26. |
Comments suppressed due to low confidence (1)

deploy/charts/command-cert-manager-issuer/README.md:89

  • The chart values table was updated for the new default healthcheck interval, but it doesn't document the newly added serviceAccount.automountServiceAccountToken and serviceAccount.projectedTokenVolume.* values introduced in values.yaml. Please add these parameters to the configuration table so operators know how to configure/override the new token behavior.
| `env`                                        | Environmental variables set for pod                                                                                                      | `{}`                                                  |
| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |
| `defaultHealthCheckInterval`                 | Specifies the default health check interval for issuers                                                        | `""` (uses the default in the code which is 10 minutes)                                 |


irby and others added 2 commits May 27, 2026 08:36
Copilot AI review requested due to automatic review settings May 27, 2026 12:38
@irby irby review requested due to automatic review settings May 27, 2026 12:38
Copilot AI review requested due to automatic review settings May 27, 2026 13:11
Copilot AI left a comment

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
