Document Google Ambient Credentials, Add Timeout for Azure Access Token Generation, Add Env Variable Support

README.md

@@ -164,6 +164,7 @@ These credentials must be configured using a Kubernetes Secret. By default, the
 Command Issuer also supports ambient authentication, where a token is fetched from an Authorization Server using a cloud provider's auth infrastructure and passed to Command directly. The following methods are supported:
 
 - [Managed Identity Using Azure Entra ID Workload Identity](./docs/ambient-providers/azure.md) (if running in [AKS](https://azure.microsoft.com/en-us/products/kubernetes-service))
+- [Workload Identity Using Google Kubernetes Engine](./docs/ambient-providers/google.md) (if running in [GKE](https://cloud.google.com/kubernetes-engine))
 
 If you are running your Kubernetes workload in a cloud provider not listed above, you can use workload identity federation with [Azure AD](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation).
 

deploy/charts/command-cert-manager-issuer/README.md

@@ -83,4 +83,5 @@ The following table lists the configurable parameters of the `command-cert-manag
 | `resources`                                  | CPU/Memory resource requests/limits                                                                                                      | `{}` (with commented out options)                     |
 | `nodeSelector`                               | Node labels for pod assignment                                                                                                           | `{}`                                                  |
 | `tolerations`                                | Tolerations for pod assignment                                                                                                           | `[]`                                                  |
+| `env`                                        | Environmental variables set for pod                                                                                                      | `{}`                                                  |
 | `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole                                      | `false`                                               |

deploy/charts/command-cert-manager-issuer/templates/deployment.yaml

@@ -38,6 +38,10 @@ spec:
             {{- end}}
           command:
             - /manager
+          {{- with .Values.env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           livenessProbe:

deploy/charts/command-cert-manager-issuer/values.yaml

@@ -70,3 +70,10 @@ resources: {}
 nodeSelector: {}
 
 tolerations: []
+
+env: {}
+  # This can be used to set an http proxy to access the Keyfactor instance
+  # - name: https_proxy
+  #   value: http://someproxy:someport
+  # - name: no_proxy
+  #   value: .somedomain.com,.local,10.0.0.1