Bump net-certmanager manifests and add kapp ordering overlay #14148

Merged
merged 2 commits into from
Jul 10, 2023
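--- /dev/null
+++ b/test/config/ytt/certmanager/kapp-order.yaml
@@ -0,0 +1,23 @@
+#! The resources in net-certmanager expect cert-manager to be up and running.
+#! This overlay tells kapp to wait with applying net-certmanager until cert-manager ready.
+
+#@ load("@ytt:overlay", "overlay")
+#@ load("helpers.lib.yaml", "subset", "label_subset")
+
+#@overlay/match by=subset(namespace="cert-manager"), expects="1+"
+---
+metadata:
+#@overlay/match missing_ok=True
+annotations:
+#@overlay/match missing_ok=True
+kapp.k14s.io/change-group: "cert-manager.io"
+
+#@overlay/match by=label_subset("app.kubernetes.io/component", "net-certmanager"), expects="1+"
+---
+metadata:
+#@overlay/match missing_ok=True
+#@overlay/match-child-defaults missing_ok=True
+annotations:
+kapp.k14s.io/change-group: "knative.dev/net-certmanager"
+kapp.k14s.io/change-rule: "upsert after upserting cert-manager.io"
+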
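Review bot: The first matcher keys on `namespace="cert-manager"` alone, so cluster-scoped cert-manager resources (CRDs, ClusterRoles, webhook configurations) never receive the `cert-manager.io` change-group, and the ClusterIssuer/Certificate objects this PR adds to net-certmanager.yaml are only ordered after the namespaced cert-manager workloads. As far as I recall kapp applies CRDs ahead of custom resources on its own, so this likely works in practice, but the header should state the assumption, e.g. `#! Only namespaced cert-manager resources join the group; CRDs rely on kapp's built-in CRD-first ordering.` Note also that the new `knative-internal-encryption-ca` Certificate lives in the cert-manager namespace and carries the net-certmanager label, so both overlays hit it; the second overlay should win and move it out of `cert-manager.io`, but confirm in the rendered ytt output that it does not end up in the very group it is told to wait on. The header comment is also missing a word: `#! ... until cert-manager is ready.`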
1 change: 1 addition & 0 deletions test/e2e-common.sh
Expand Up @@ -70,9 +70,9 @@
local curl_flags='-L --show-error --silent'

if [ -n "${GITHUB_TOKEN-}" ]; then
curl $curl_flags -H "Authorization: Bearer $GITHUB_TOKEN" $url > $curl_output

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:73:- curl $curl_flags -H "Authorization: ***" $url > $curl_output test/e2e-common.sh:73:+ curl "$curl_flags" -H "Authorization: ***" $url > "$curl_output"
else
curl $curl_flags $url > $curl_output

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:75:- curl $curl_flags $url > $curl_output test/e2e-common.sh:75:+ curl "$curl_flags" $url > "$curl_output"
fi

jq --arg major_minor "$major_minor" -r \
Expand All @@ -82,7 +82,7 @@
sub("v";"") |
split(".") |
map(tonumber) ) |
reverse[0]' $curl_output

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:85:- reverse[0]' $curl_output test/e2e-common.sh:85:+ reverse[0]' "$curl_output"
}

# Latest serving release. If user does not supply this as a flag, the latest
Expand Down Expand Up @@ -294,6 +294,7 @@
fi

YTT_FILES+=("${REPO_ROOT_DIR}/test/config/ytt/ingress/${ingress}")
YTT_FILES+=("${REPO_ROOT_DIR}/test/config/ytt/certmanager/kapp-order.yaml")
YTT_FILES+=("${REPO_ROOT_DIR}/third_party/cert-manager-${CERT_MANAGER_VERSION}/cert-manager.yaml")
YTT_FILES+=("${REPO_ROOT_DIR}/third_party/cert-manager-${CERT_MANAGER_VERSION}/net-certmanager.yaml")

Expand Down Expand Up @@ -339,7 +340,7 @@

# use ytt to wrangle the yaml & kapp to apply the resources
# to the cluster and wait
run_ytt ${ytt_flags} \

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:343:- run_ytt ${ytt_flags} \ test/e2e-common.sh:343:+ run_ytt "${ytt_flags}" \
--data-value serving.namespaces.system="${SYSTEM_NAMESPACE}" \
--data-value k8s.cluster.domain="${CLUSTER_DOMAIN}" \
> "${ytt_result}" \
Expand Down Expand Up @@ -389,7 +390,7 @@
export SERVER_NAME=knative.dev
fi
echo "Restart activator to mount the certificates"
kubectl delete pod -n ${SYSTEM_NAMESPACE} -l app=activator

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:393:- kubectl delete pod -n ${SYSTEM_NAMESPACE} -l app=activator test/e2e-common.sh:394:- kubectl wait --timeout=60s --for=condition=Available deployment -n ${SYSTEM_NAMESPACE} activator test/e2e-common.sh:393:+ kubectl delete pod -n "${SYSTEM_NAMESPACE}" -l app=activator test/e2e-common.sh:394:+ kubectl wait --timeout=60s --for=condition=Available deployment -n "${SYSTEM_NAMESPACE}" activator
kubectl wait --timeout=60s --for=condition=Available deployment -n ${SYSTEM_NAMESPACE} activator
fi
}
Expand Down Expand Up @@ -423,7 +424,7 @@
add_trap "kill $kail_pid || true" EXIT

echo ">> Uploading test images..."
${REPO_ROOT_DIR}/test/upload-test-images.sh || return 1

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:427:- ${REPO_ROOT_DIR}/test/upload-test-images.sh || return 1 test/e2e-common.sh:427:+ "${REPO_ROOT_DIR}"/test/upload-test-images.sh || return 1
}

# Dump more information when test fails.
Expand Down Expand Up @@ -461,7 +462,7 @@
local STATE="$2"
local CONFIG="${3:-config-features}"
echo -n "Setting feature ${FEATURE} to ${STATE}"
kubectl patch cm "${CONFIG}" -n "${SYSTEM_NAMESPACE}" -p '{"data":{"'${FEATURE}'":"'${STATE}'"}}'

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:465:- kubectl patch cm "${CONFIG}" -n "${SYSTEM_NAMESPACE}" -p '{"data":{"'${FEATURE}'":"'${STATE}'"}}' test/e2e-common.sh:465:+ kubectl patch cm "${CONFIG}" -n "${SYSTEM_NAMESPACE}" -p '{"data":{"'"${FEATURE}"'":"'"${STATE}"'"}}'
# We don't have a good mechanism for positive handoff so sleep :(
echo "Waiting 30s for change to get picked up."
sleep 30
Expand Down Expand Up @@ -570,10 +571,10 @@
continue
fi
target="${file/${source_dir}/$target_dir}"
mkdir -p $(dirname $target)

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:574:- mkdir -p $(dirname $target) test/e2e-common.sh:574:+ mkdir -p $(dirname "$target")

if grep -Fq "ko://" "${file}"; then
local ko_target="$(mktemp -d)/$(basename $file)"

[shellcheck] reported by reviewdog 🐶 Raw Output: test/e2e-common.sh:577:- local ko_target="$(mktemp -d)/$(basename $file)" test/e2e-common.sh:577:+ local ko_target="$(mktemp -d)/$(basename "$file")"
echo building "${file/$REPO_ROOT_DIR/}"
ko resolve $(ko_flags) -f "${file}" > "${ko_target}" || fail_test "failed to build test resource"
file="${ko_target}"
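Review bot: The added line pushes `kapp-order.yaml` onto YTT_FILES, but that overlay does `load("helpers.lib.yaml", ...)` and nothing in this hunk shows helpers.lib.yaml being included; if the ytt invocation in the following hunk does not already pass the ytt directory (or that file) with `-f`, ytt will fail at load time rather than silently skipping the ordering. The overlay also carries `expects="1+"` on both matchers, so appending it unconditionally is only safe while the two cert-manager manifests on the next two lines are appended unconditionally too, and the `fi` at the top of the hunk suggests a surrounding conditional I cannot see. A one-line comment would make the coupling explicit: `# kapp-order.yaml overlays the two cert-manager manifests below; keep them together.`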
82 changes: 69 additions & 13 deletions third_party/cert-manager-latest/net-certmanager.yaml
Expand Up @@ -19,7 +19,7 @@ metadata:
name: knative-serving-certmanager
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
serving.knative.dev/controller: "true"
networking.knative.dev/certificate-provider: cert-manager
Expand Down Expand Up @@ -52,7 +52,7 @@ metadata:
name: config.webhook.net-certmanager.networking.internal.knative.dev
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
webhooks:
Expand Down Expand Up @@ -93,7 +93,7 @@ metadata:
namespace: knative-serving
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager

Expand All @@ -119,7 +119,7 @@ metadata:
namespace: knative-serving
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
data:
Expand All @@ -138,14 +138,24 @@ data:
# These sample configuration options may be copied out of
# this block and unindented to actually change the configuration.

# issuerRef is a reference to the issuer for this certificate.
# issuerRef is a reference to the issuer for cluster external certificates used for ingress.
# IssuerRef should be either `ClusterIssuer` or `Issuer`.
# Please refer `IssuerRef` in https://github.com/cert-manager/cert-manager/tree/master/pkg/apis/certmanager/v1/types_certificate.go
# for more details about IssuerRef configuration.
# If the issuerRef is not specified, the self-signed `knative-internal-encryption-ca` ClusterIssuer is used.
issuerRef: |
kind: ClusterIssuer
name: letsencrypt-issuer

# clusterInternalIssuerRef is a reference to the issuer for cluster internal certificates used for ingress.
# ClusterInternalIssuerRef should be either `ClusterIssuer` or `Issuer`.
# Please refer `IssuerRef` in https://github.com/cert-manager/cert-manager/tree/master/pkg/apis/certmanager/v1/types_certificate.go
# for more details about ClusterInternalIssuerRef configuration.
# If the clusterInternalIssuerRef is not specified, the self-signed `knative-internal-encryption-ca` ClusterIssuer is used.
clusterInternalIssuerRef: |
kind: ClusterIssuer
name: knative-internal-encryption-issuer

---
# Copyright 2020 The Knative Authors
#
Expand All @@ -168,7 +178,7 @@ metadata:
namespace: knative-serving
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec:
Expand All @@ -180,15 +190,15 @@ spec:
labels:
app: net-certmanager-controller
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
spec:
serviceAccountName: controller
containers:
- name: controller
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/controller@sha256:87a3aed9a69781059052a0754997d8c9004482c76d9556344b47351a6671ea15
image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/controller@sha256:c386efb2dfac5835b85d21d143b28153ce0f6707fbbcf5f785c78c8e3368d789
resources:
requests:
cpu: 30m
Expand Down Expand Up @@ -227,7 +237,7 @@ metadata:
labels:
app: net-certmanager-controller
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
name: net-certmanager-controller
Expand All @@ -244,6 +254,52 @@ spec:
selector:
app: net-certmanager-controller

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: devel
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: knative-internal-encryption-issuer
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: devel
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec:
ca:
secretName: knative-internal-encryption-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: knative-internal-encryption-ca
namespace: cert-manager # If you want to use it as a ClusterIssuer the secret must be in the cert-manager namespace.
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: devel
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec:
secretName: knative-internal-encryption-ca
commonName: knative.dev
usages:
- server auth
isCA: true
issuerRef:
kind: ClusterIssuer
name: selfsigned-cluster-issuer

---
# Copyright 2020 The Knative Authors
#
Expand All @@ -266,7 +322,7 @@ metadata:
namespace: knative-serving
labels:
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec:
Expand All @@ -279,7 +335,7 @@ spec:
labels:
app: net-certmanager-webhook
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
role: net-certmanager-webhook
spec:
Expand All @@ -288,7 +344,7 @@ spec:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/webhook@sha256:a8e5e35eb1a50f3a4073b812cc868c3c74a0162951ead774537a5a90968bb3a4
image: gcr.io/knative-nightly/knative.dev/net-certmanager/cmd/webhook@sha256:62ca22cb69a509668bc61300b3cdc92b9ecb6c76e6bddbb6327195d038b050f7
resources:
requests:
cpu: 20m
Expand Down Expand Up @@ -352,7 +408,7 @@ metadata:
labels:
role: net-certmanager-webhook
app.kubernetes.io/component: net-certmanager
app.kubernetes.io/version: "20230630-3ff3c987"
app.kubernetes.io/version: "20230705-d6805af2"
app.kubernetes.io/name: knative-serving
networking.knative.dev/certificate-provider: cert-manager
spec: