weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

rename BINDIR to bin_dir in preparation for makefile modules

Browse Source 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
This commit is contained in:
Tim Ramlot 2024-02-08 15:57:34 +01:00
parent 63bd488bfa
commit b8759139a2
No known key found for this signature in database
GPG Key ID: 47428728E0C2878D
15 changed files with 294 additions and 293 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Makefile
View File

@ -22,11 +22,11 @@ SHELL := /usr/bin/env bash
.DELETE_ON_ERROR:
.SUFFIXES:
BINDIR := _bin
bin_dir := _bin
include make/util.mk
# SOURCES contains all go files except those in $(BINDIR), the old bindir `bin`, or in
# SOURCES contains all go files except those in $(bin_dir), the old bindir `bin`, or in
# the make dir.
# NB: we skip `bin/` since users might have a `bin` directory left over in repos they were
# using before the bin dir was renamed
@ -84,13 +84,13 @@ include make/help.mk
## @category Development
clean: | $(NEEDS_KIND)
@$(eval KIND_CLUSTER_NAME ?= kind)
$(KIND) delete cluster --name=$(shell cat $(BINDIR)/scratch/kind-exists 2>/dev/null || echo $(KIND_CLUSTER_NAME)) -q 2>/dev/null || true
rm -rf $(filter-out $(BINDIR)/downloaded,$(wildcard $(BINDIR)/*))
$(KIND) delete cluster --name=$(shell cat $(bin_dir)/scratch/kind-exists 2>/dev/null || echo $(KIND_CLUSTER_NAME)) -q 2>/dev/null || true
rm -rf $(filter-out $(bin_dir)/downloaded,$(wildcard $(bin_dir)/*))
rm -rf bazel-bin bazel-cert-manager bazel-out bazel-testlogs
.PHONY: clean-all
clean-all: clean
rm -rf $(BINDIR)/
rm -rf $(bin_dir)/
# FORCE is a helper target to force a file to be rebuilt whenever its
# target is invoked.

6
make/README.md
View File

@ -84,14 +84,14 @@ Otherwise, your dependency should be normal.
For example:
```make
$(BINDIR)/awesome-stuff/my-file: README.md | $(BINDIR)/awesome-stuff $(NEEDS_KIND)
# write the kind version to $(BINDIR)/awesome-stuff/my-file
$(bin_dir)/awesome-stuff/my-file: README.md | $(bin_dir)/awesome-stuff $(NEEDS_KIND)
# write the kind version to $(bin_dir)/awesome-stuff/my-file
$(KIND) --version > $@
# append README.md
cat README.md >> $@
```
This target will be rebuilt if `README.md` changes, but not if the installed version of kind changes or the `$(BINDIR)/awesome-stuff` folder changes.
This target will be rebuilt if `README.md` changes, but not if the installed version of kind changes or the `$(bin_dir)/awesome-stuff` folder changes.
The dependencies you'll need will inevitably depend on the target you're writing. If in doubt, feel free to ask!

54
make/ci.mk
View File

@ -21,7 +21,7 @@ ci-presubmit: verify-imports verify-errexit verify-boilerplate verify-codegen ve
.PHONY: verify-golangci-lint
verify-golangci-lint: | $(NEEDS_GOLANGCI-LINT)
find . -name go.mod -not \( -path "./$(BINDIR)/*" -prune \) -execdir $(GOLANGCI-LINT) run --timeout=30m --config=$(CURDIR)/.golangci.ci.yaml \;
find . -name go.mod -not \( -path "./$(bin_dir)/*" -prune \) -execdir $(GOLANGCI-LINT) run --timeout=30m --config=$(CURDIR)/.golangci.ci.yaml \;
.PHONY: verify-modules
verify-modules: | $(NEEDS_CMREL)
@ -32,7 +32,7 @@ verify-imports: | $(NEEDS_GOIMPORTS)
./hack/verify-goimports.sh $(GOIMPORTS)
.PHONY: verify-chart
verify-chart: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz
verify-chart: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz
DOCKER=$(CTR) ./hack/verify-chart-version.sh $<
.PHONY: verify-errexit
@ -47,15 +47,15 @@ verify-boilerplate: | $(NEEDS_BOILERSUITE)
## Check that the LICENSES file is up to date; must pass before a change to go.mod can be merged
##
## @category CI
verify-licenses: $(BINDIR)/scratch/LATEST-LICENSES $(BINDIR)/scratch/LATEST-LICENSES-acmesolver $(BINDIR)/scratch/LATEST-LICENSES-cainjector $(BINDIR)/scratch/LATEST-LICENSES-controller $(BINDIR)/scratch/LATEST-LICENSES-startupapicheck $(BINDIR)/scratch/LATEST-LICENSES-webhook $(BINDIR)/scratch/LATEST-LICENSES-integration-tests $(BINDIR)/scratch/LATEST-LICENSES-e2e-tests
@diff $(BINDIR)/scratch/LATEST-LICENSES LICENSES >/dev/null || (echo -e "\033[0;33mLICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-acmesolver cmd/acmesolver/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/acmesolver/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-cainjector cmd/cainjector/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/cainjector/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-startupapicheck cmd/startupapicheck/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/startupapicheck/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-controller cmd/controller/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/controller/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-webhook cmd/webhook/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/webhook/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-integration-tests test/integration/LICENSES >/dev/null || (echo -e "\033[0;33mtest/integration/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(BINDIR)/scratch/LATEST-LICENSES-e2e-tests test/e2e/LICENSES >/dev/null || (echo -e "\033[0;33mtest/e2e/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
verify-licenses: $(bin_dir)/scratch/LATEST-LICENSES $(bin_dir)/scratch/LATEST-LICENSES-acmesolver $(bin_dir)/scratch/LATEST-LICENSES-cainjector $(bin_dir)/scratch/LATEST-LICENSES-controller $(bin_dir)/scratch/LATEST-LICENSES-startupapicheck $(bin_dir)/scratch/LATEST-LICENSES-webhook $(bin_dir)/scratch/LATEST-LICENSES-integration-tests $(bin_dir)/scratch/LATEST-LICENSES-e2e-tests
@diff $(bin_dir)/scratch/LATEST-LICENSES LICENSES >/dev/null || (echo -e "\033[0;33mLICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-acmesolver cmd/acmesolver/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/acmesolver/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-cainjector cmd/cainjector/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/cainjector/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-startupapicheck cmd/startupapicheck/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/startupapicheck/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-controller cmd/controller/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/controller/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-webhook cmd/webhook/LICENSES >/dev/null || (echo -e "\033[0;33mcmd/webhook/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-integration-tests test/integration/LICENSES >/dev/null || (echo -e "\033[0;33mtest/integration/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
@diff $(bin_dir)/scratch/LATEST-LICENSES-e2e-tests test/e2e/LICENSES >/dev/null || (echo -e "\033[0;33mtest/e2e/LICENSES seems to be out of date; update with 'make update-licenses'\033[0m" && exit 1)
.PHONY: verify-crds
verify-crds: | $(NEEDS_GO) $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ)
@ -88,25 +88,25 @@ patch-crds: | $(NEEDS_CONTROLLER-GEN)
verify-codegen: | k8s-codegen-tools $(NEEDS_GO)
VERIFY_ONLY="true" ./hack/k8s-codegen.sh \
$(GO) \
./$(BINDIR)/tools/client-gen \
./$(BINDIR)/tools/deepcopy-gen \
./$(BINDIR)/tools/informer-gen \
./$(BINDIR)/tools/lister-gen \
./$(BINDIR)/tools/defaulter-gen \
./$(BINDIR)/tools/conversion-gen \
./$(BINDIR)/tools/openapi-gen
./$(bin_dir)/tools/client-gen \
./$(bin_dir)/tools/deepcopy-gen \
./$(bin_dir)/tools/informer-gen \
./$(bin_dir)/tools/lister-gen \
./$(bin_dir)/tools/defaulter-gen \
./$(bin_dir)/tools/conversion-gen \
./$(bin_dir)/tools/openapi-gen
.PHONY: update-codegen
update-codegen: | k8s-codegen-tools $(NEEDS_GO)
./hack/k8s-codegen.sh \
$(GO) \
./$(BINDIR)/tools/client-gen \
./$(BINDIR)/tools/deepcopy-gen \
./$(BINDIR)/tools/informer-gen \
./$(BINDIR)/tools/lister-gen \
./$(BINDIR)/tools/defaulter-gen \
./$(BINDIR)/tools/conversion-gen \
./$(BINDIR)/tools/openapi-gen
./$(bin_dir)/tools/client-gen \
./$(bin_dir)/tools/deepcopy-gen \
./$(bin_dir)/tools/informer-gen \
./$(bin_dir)/tools/lister-gen \
./$(bin_dir)/tools/defaulter-gen \
./$(bin_dir)/tools/conversion-gen \
./$(bin_dir)/tools/openapi-gen
# inject_helm_docs performs `helm-tool inject` using $1 as the output file and $2 as the values input
define inject_helm_docs
@ -123,8 +123,8 @@ verify-helm-docs: | $(NEEDS_HELM-TOOL)
echo "\033[0;33mdeploy/charts/cert-manager/README.template.md has been modified and could be out of date; update with 'make update-helm-docs'\033[0m" ; \
exit 1 ; \
fi
@cp deploy/charts/cert-manager/README.template.md $(BINDIR)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION) && $(call inject_helm_docs,$(BINDIR)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION),deploy/charts/cert-manager/values.yaml)
@diff $(BINDIR)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION) deploy/charts/cert-manager/README.template.md || (echo -e "\033[0;33mdeploy/charts/cert-manager/README.template.md seems to be out of date; update with 'make update-helm-docs'\033[0m" && exit 1)
@cp deploy/charts/cert-manager/README.template.md $(bin_dir)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION) && $(call inject_helm_docs,$(bin_dir)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION),deploy/charts/cert-manager/values.yaml)
@diff $(bin_dir)/scratch/LATEST_HELM_README-$(HELM-TOOL_VERSION) deploy/charts/cert-manager/README.template.md || (echo -e "\033[0;33mdeploy/charts/cert-manager/README.template.md seems to be out of date; update with 'make update-helm-docs'\033[0m" && exit 1)
.PHONY: update-all
## Update CRDs, code generation and licenses to the latest versions.

34
make/containers.mk
View File

@ -52,9 +52,9 @@ BASE_IMAGE_startupapicheck-linux-arm:=$($(BASE_IMAGE_TYPE)_BASE_IMAGE_arm)
all-containers: cert-manager-controller-linux cert-manager-webhook-linux cert-manager-acmesolver-linux cert-manager-cainjector-linux cert-manager-startupapicheck-linux
.PHONY: cert-manager-controller-linux
cert-manager-controller-linux: $(BINDIR)/containers/cert-manager-controller-linux-amd64.tar.gz $(BINDIR)/containers/cert-manager-controller-linux-arm64.tar.gz $(BINDIR)/containers/cert-manager-controller-linux-s390x.tar.gz $(BINDIR)/containers/cert-manager-controller-linux-ppc64le.tar.gz $(BINDIR)/containers/cert-manager-controller-linux-arm.tar.gz
cert-manager-controller-linux: $(bin_dir)/containers/cert-manager-controller-linux-amd64.tar.gz $(bin_dir)/containers/cert-manager-controller-linux-arm64.tar.gz $(bin_dir)/containers/cert-manager-controller-linux-s390x.tar.gz $(bin_dir)/containers/cert-manager-controller-linux-ppc64le.tar.gz $(bin_dir)/containers/cert-manager-controller-linux-arm.tar.gz
$(BINDIR)/containers/cert-manager-controller-linux-amd64.tar $(BINDIR)/containers/cert-manager-controller-linux-arm64.tar $(BINDIR)/containers/cert-manager-controller-linux-s390x.tar $(BINDIR)/containers/cert-manager-controller-linux-ppc64le.tar $(BINDIR)/containers/cert-manager-controller-linux-arm.tar: $(BINDIR)/containers/cert-manager-controller-linux-%.tar: $(BINDIR)/scratch/build-context/cert-manager-controller-linux-%/controller hack/containers/Containerfile.controller $(BINDIR)/scratch/build-context/cert-manager-controller-linux-%/cert-manager.license $(BINDIR)/scratch/build-context/cert-manager-controller-linux-%/cert-manager.licenses_notice $(BINDIR)/release-version | $(BINDIR)/containers
$(bin_dir)/containers/cert-manager-controller-linux-amd64.tar $(bin_dir)/containers/cert-manager-controller-linux-arm64.tar $(bin_dir)/containers/cert-manager-controller-linux-s390x.tar $(bin_dir)/containers/cert-manager-controller-linux-ppc64le.tar $(bin_dir)/containers/cert-manager-controller-linux-arm.tar: $(bin_dir)/containers/cert-manager-controller-linux-%.tar: $(bin_dir)/scratch/build-context/cert-manager-controller-linux-%/controller hack/containers/Containerfile.controller $(bin_dir)/scratch/build-context/cert-manager-controller-linux-%/cert-manager.license $(bin_dir)/scratch/build-context/cert-manager-controller-linux-%/cert-manager.licenses_notice $(bin_dir)/release-version | $(bin_dir)/containers
@$(eval TAG := cert-manager-controller-$*:$(RELEASE_VERSION))
@$(eval BASE := BASE_IMAGE_controller-linux-$*)
$(CTR) build --quiet \
@ -65,9 +65,9 @@ $(BINDIR)/containers/cert-manager-controller-linux-amd64.tar $(BINDIR)/container
$(CTR) save $(TAG) -o $@ >/dev/null
.PHONY: cert-manager-webhook-linux
cert-manager-webhook-linux: $(BINDIR)/containers/cert-manager-webhook-linux-amd64.tar.gz $(BINDIR)/containers/cert-manager-webhook-linux-arm64.tar.gz $(BINDIR)/containers/cert-manager-webhook-linux-s390x.tar.gz $(BINDIR)/containers/cert-manager-webhook-linux-ppc64le.tar.gz $(BINDIR)/containers/cert-manager-webhook-linux-arm.tar.gz
cert-manager-webhook-linux: $(bin_dir)/containers/cert-manager-webhook-linux-amd64.tar.gz $(bin_dir)/containers/cert-manager-webhook-linux-arm64.tar.gz $(bin_dir)/containers/cert-manager-webhook-linux-s390x.tar.gz $(bin_dir)/containers/cert-manager-webhook-linux-ppc64le.tar.gz $(bin_dir)/containers/cert-manager-webhook-linux-arm.tar.gz
$(BINDIR)/containers/cert-manager-webhook-linux-amd64.tar $(BINDIR)/containers/cert-manager-webhook-linux-arm64.tar $(BINDIR)/containers/cert-manager-webhook-linux-s390x.tar $(BINDIR)/containers/cert-manager-webhook-linux-ppc64le.tar $(BINDIR)/containers/cert-manager-webhook-linux-arm.tar: $(BINDIR)/containers/cert-manager-webhook-linux-%.tar: $(BINDIR)/scratch/build-context/cert-manager-webhook-linux-%/webhook hack/containers/Containerfile.webhook $(BINDIR)/scratch/build-context/cert-manager-webhook-linux-%/cert-manager.license $(BINDIR)/scratch/build-context/cert-manager-webhook-linux-%/cert-manager.licenses_notice $(BINDIR)/release-version | $(BINDIR)/containers
$(bin_dir)/containers/cert-manager-webhook-linux-amd64.tar $(bin_dir)/containers/cert-manager-webhook-linux-arm64.tar $(bin_dir)/containers/cert-manager-webhook-linux-s390x.tar $(bin_dir)/containers/cert-manager-webhook-linux-ppc64le.tar $(bin_dir)/containers/cert-manager-webhook-linux-arm.tar: $(bin_dir)/containers/cert-manager-webhook-linux-%.tar: $(bin_dir)/scratch/build-context/cert-manager-webhook-linux-%/webhook hack/containers/Containerfile.webhook $(bin_dir)/scratch/build-context/cert-manager-webhook-linux-%/cert-manager.license $(bin_dir)/scratch/build-context/cert-manager-webhook-linux-%/cert-manager.licenses_notice $(bin_dir)/release-version | $(bin_dir)/containers
@$(eval TAG := cert-manager-webhook-$*:$(RELEASE_VERSION))
@$(eval BASE := BASE_IMAGE_webhook-linux-$*)
$(CTR) build --quiet \
@ -78,9 +78,9 @@ $(BINDIR)/containers/cert-manager-webhook-linux-amd64.tar $(BINDIR)/containers/c
$(CTR) save $(TAG) -o $@ >/dev/null
.PHONY: cert-manager-cainjector-linux
cert-manager-cainjector-linux: $(BINDIR)/containers/cert-manager-cainjector-linux-amd64.tar.gz $(BINDIR)/containers/cert-manager-cainjector-linux-arm64.tar.gz $(BINDIR)/containers/cert-manager-cainjector-linux-s390x.tar.gz $(BINDIR)/containers/cert-manager-cainjector-linux-ppc64le.tar.gz $(BINDIR)/containers/cert-manager-cainjector-linux-arm.tar.gz
cert-manager-cainjector-linux: $(bin_dir)/containers/cert-manager-cainjector-linux-amd64.tar.gz $(bin_dir)/containers/cert-manager-cainjector-linux-arm64.tar.gz $(bin_dir)/containers/cert-manager-cainjector-linux-s390x.tar.gz $(bin_dir)/containers/cert-manager-cainjector-linux-ppc64le.tar.gz $(bin_dir)/containers/cert-manager-cainjector-linux-arm.tar.gz
$(BINDIR)/containers/cert-manager-cainjector-linux-amd64.tar $(BINDIR)/containers/cert-manager-cainjector-linux-arm64.tar $(BINDIR)/containers/cert-manager-cainjector-linux-s390x.tar $(BINDIR)/containers/cert-manager-cainjector-linux-ppc64le.tar $(BINDIR)/containers/cert-manager-cainjector-linux-arm.tar: $(BINDIR)/containers/cert-manager-cainjector-linux-%.tar: $(BINDIR)/scratch/build-context/cert-manager-cainjector-linux-%/cainjector hack/containers/Containerfile.cainjector $(BINDIR)/scratch/build-context/cert-manager-cainjector-linux-%/cert-manager.license $(BINDIR)/scratch/build-context/cert-manager-cainjector-linux-%/cert-manager.licenses_notice $(BINDIR)/release-version | $(BINDIR)/containers
$(bin_dir)/containers/cert-manager-cainjector-linux-amd64.tar $(bin_dir)/containers/cert-manager-cainjector-linux-arm64.tar $(bin_dir)/containers/cert-manager-cainjector-linux-s390x.tar $(bin_dir)/containers/cert-manager-cainjector-linux-ppc64le.tar $(bin_dir)/containers/cert-manager-cainjector-linux-arm.tar: $(bin_dir)/containers/cert-manager-cainjector-linux-%.tar: $(bin_dir)/scratch/build-context/cert-manager-cainjector-linux-%/cainjector hack/containers/Containerfile.cainjector $(bin_dir)/scratch/build-context/cert-manager-cainjector-linux-%/cert-manager.license $(bin_dir)/scratch/build-context/cert-manager-cainjector-linux-%/cert-manager.licenses_notice $(bin_dir)/release-version | $(bin_dir)/containers
@$(eval TAG := cert-manager-cainjector-$*:$(RELEASE_VERSION))
@$(eval BASE := BASE_IMAGE_cainjector-linux-$*)
$(CTR) build --quiet \
@ -91,9 +91,9 @@ $(BINDIR)/containers/cert-manager-cainjector-linux-amd64.tar $(BINDIR)/container
$(CTR) save $(TAG) -o $@ >/dev/null
.PHONY: cert-manager-acmesolver-linux
cert-manager-acmesolver-linux: $(BINDIR)/containers/cert-manager-acmesolver-linux-amd64.tar.gz $(BINDIR)/containers/cert-manager-acmesolver-linux-arm64.tar.gz $(BINDIR)/containers/cert-manager-acmesolver-linux-s390x.tar.gz $(BINDIR)/containers/cert-manager-acmesolver-linux-ppc64le.tar.gz $(BINDIR)/containers/cert-manager-acmesolver-linux-arm.tar.gz
cert-manager-acmesolver-linux: $(bin_dir)/containers/cert-manager-acmesolver-linux-amd64.tar.gz $(bin_dir)/containers/cert-manager-acmesolver-linux-arm64.tar.gz $(bin_dir)/containers/cert-manager-acmesolver-linux-s390x.tar.gz $(bin_dir)/containers/cert-manager-acmesolver-linux-ppc64le.tar.gz $(bin_dir)/containers/cert-manager-acmesolver-linux-arm.tar.gz
$(BINDIR)/containers/cert-manager-acmesolver-linux-amd64.tar $(BINDIR)/containers/cert-manager-acmesolver-linux-arm64.tar $(BINDIR)/containers/cert-manager-acmesolver-linux-s390x.tar $(BINDIR)/containers/cert-manager-acmesolver-linux-ppc64le.tar $(BINDIR)/containers/cert-manager-acmesolver-linux-arm.tar: $(BINDIR)/containers/cert-manager-acmesolver-linux-%.tar: $(BINDIR)/scratch/build-context/cert-manager-acmesolver-linux-%/acmesolver hack/containers/Containerfile.acmesolver $(BINDIR)/scratch/build-context/cert-manager-acmesolver-linux-%/cert-manager.license $(BINDIR)/scratch/build-context/cert-manager-acmesolver-linux-%/cert-manager.licenses_notice $(BINDIR)/release-version | $(BINDIR)/containers
$(bin_dir)/containers/cert-manager-acmesolver-linux-amd64.tar $(bin_dir)/containers/cert-manager-acmesolver-linux-arm64.tar $(bin_dir)/containers/cert-manager-acmesolver-linux-s390x.tar $(bin_dir)/containers/cert-manager-acmesolver-linux-ppc64le.tar $(bin_dir)/containers/cert-manager-acmesolver-linux-arm.tar: $(bin_dir)/containers/cert-manager-acmesolver-linux-%.tar: $(bin_dir)/scratch/build-context/cert-manager-acmesolver-linux-%/acmesolver hack/containers/Containerfile.acmesolver $(bin_dir)/scratch/build-context/cert-manager-acmesolver-linux-%/cert-manager.license $(bin_dir)/scratch/build-context/cert-manager-acmesolver-linux-%/cert-manager.licenses_notice $(bin_dir)/release-version | $(bin_dir)/containers
@$(eval TAG := cert-manager-acmesolver-$*:$(RELEASE_VERSION))
@$(eval BASE := BASE_IMAGE_acmesolver-linux-$*)
$(CTR) build --quiet \
@ -104,9 +104,9 @@ $(BINDIR)/containers/cert-manager-acmesolver-linux-amd64.tar $(BINDIR)/container
$(CTR) save $(TAG) -o $@ >/dev/null
.PHONY: cert-manager-startupapicheck-linux
cert-manager-startupapicheck-linux: $(BINDIR)/containers/cert-manager-startupapicheck-linux-amd64.tar.gz $(BINDIR)/containers/cert-manager-startupapicheck-linux-arm64.tar.gz $(BINDIR)/containers/cert-manager-startupapicheck-linux-s390x.tar.gz $(BINDIR)/containers/cert-manager-startupapicheck-linux-ppc64le.tar.gz $(BINDIR)/containers/cert-manager-startupapicheck-linux-arm.tar.gz
cert-manager-startupapicheck-linux: $(bin_dir)/containers/cert-manager-startupapicheck-linux-amd64.tar.gz $(bin_dir)/containers/cert-manager-startupapicheck-linux-arm64.tar.gz $(bin_dir)/containers/cert-manager-startupapicheck-linux-s390x.tar.gz $(bin_dir)/containers/cert-manager-startupapicheck-linux-ppc64le.tar.gz $(bin_dir)/containers/cert-manager-startupapicheck-linux-arm.tar.gz
$(BINDIR)/containers/cert-manager-startupapicheck-linux-amd64.tar $(BINDIR)/containers/cert-manager-startupapicheck-linux-arm64.tar $(BINDIR)/containers/cert-manager-startupapicheck-linux-s390x.tar $(BINDIR)/containers/cert-manager-startupapicheck-linux-ppc64le.tar $(BINDIR)/containers/cert-manager-startupapicheck-linux-arm.tar: $(BINDIR)/containers/cert-manager-startupapicheck-linux-%.tar: $(BINDIR)/scratch/build-context/cert-manager-startupapicheck-linux-%/startupapicheck hack/containers/Containerfile.startupapicheck $(BINDIR)/scratch/build-context/cert-manager-startupapicheck-linux-%/cert-manager.license $(BINDIR)/scratch/build-context/cert-manager-startupapicheck-linux-%/cert-manager.licenses_notice $(BINDIR)/release-version | $(BINDIR)/containers
$(bin_dir)/containers/cert-manager-startupapicheck-linux-amd64.tar $(bin_dir)/containers/cert-manager-startupapicheck-linux-arm64.tar $(bin_dir)/containers/cert-manager-startupapicheck-linux-s390x.tar $(bin_dir)/containers/cert-manager-startupapicheck-linux-ppc64le.tar $(bin_dir)/containers/cert-manager-startupapicheck-linux-arm.tar: $(bin_dir)/containers/cert-manager-startupapicheck-linux-%.tar: $(bin_dir)/scratch/build-context/cert-manager-startupapicheck-linux-%/startupapicheck hack/containers/Containerfile.startupapicheck $(bin_dir)/scratch/build-context/cert-manager-startupapicheck-linux-%/cert-manager.license $(bin_dir)/scratch/build-context/cert-manager-startupapicheck-linux-%/cert-manager.licenses_notice $(bin_dir)/release-version | $(bin_dir)/containers
@$(eval TAG := cert-manager-startupapicheck-$*:$(RELEASE_VERSION))
@$(eval BASE := BASE_IMAGE_startupapicheck-linux-$*)
$(CTR) build --quiet \
@ -119,10 +119,10 @@ $(BINDIR)/containers/cert-manager-startupapicheck-linux-amd64.tar $(BINDIR)/cont
# At first, we used .INTERMEDIATE to remove the intermediate .tar files.
# But it meant "make install" would always have to rebuild
# the tar files.
$(BINDIR)/containers/cert-manager-%.tar.gz: $(BINDIR)/containers/cert-manager-%.tar
$(bin_dir)/containers/cert-manager-%.tar.gz: $(bin_dir)/containers/cert-manager-%.tar
gzip -c $< > $@
$(BINDIR)/containers:
$(bin_dir)/containers:
@mkdir -p $@
# When running "docker build .", the "build context" was getting too big (1.1 GB
@ -134,16 +134,16 @@ $(BINDIR)/containers:
#
# Note that we can't use symlinks in the build context. In order to avoid the
# cost of multiple copies of the same binary, we use hard links which shouldn't
# be a problem since the $(BINDIR)/ folder is entirely managed by make.
# be a problem since the $(bin_dir)/ folder is entirely managed by make.
$(foreach arch,$(ARCHS),$(foreach bin,$(BINS), $(BINDIR)/scratch/build-context/cert-manager-$(bin)-linux-$(arch))):
$(foreach arch,$(ARCHS),$(foreach bin,$(BINS), $(bin_dir)/scratch/build-context/cert-manager-$(bin)-linux-$(arch))):
@mkdir -p $@
$(BINDIR)/scratch/build-context/cert-manager-%/cert-manager.license: $(BINDIR)/scratch/cert-manager.license | $(BINDIR)/scratch/build-context/cert-manager-%
$(bin_dir)/scratch/build-context/cert-manager-%/cert-manager.license: $(bin_dir)/scratch/cert-manager.license | $(bin_dir)/scratch/build-context/cert-manager-%
@ln -f $< $@
$(BINDIR)/scratch/build-context/cert-manager-%/cert-manager.licenses_notice: $(BINDIR)/scratch/cert-manager.licenses_notice | $(BINDIR)/scratch/build-context/cert-manager-%
$(bin_dir)/scratch/build-context/cert-manager-%/cert-manager.licenses_notice: $(bin_dir)/scratch/cert-manager.licenses_notice | $(bin_dir)/scratch/build-context/cert-manager-%
@ln -f $< $@
$(BINDIR)/scratch/build-context/cert-manager-%/controller $(BINDIR)/scratch/build-context/cert-manager-%/acmesolver $(BINDIR)/scratch/build-context/cert-manager-%/cainjector $(BINDIR)/scratch/build-context/cert-manager-%/webhook $(BINDIR)/scratch/build-context/cert-manager-%/startupapicheck: $(BINDIR)/server/% | $(BINDIR)/scratch/build-context/cert-manager-%
$(bin_dir)/scratch/build-context/cert-manager-%/controller $(bin_dir)/scratch/build-context/cert-manager-%/acmesolver $(bin_dir)/scratch/build-context/cert-manager-%/cainjector $(bin_dir)/scratch/build-context/cert-manager-%/webhook $(bin_dir)/scratch/build-context/cert-manager-%/startupapicheck: $(bin_dir)/server/% | $(bin_dir)/scratch/build-context/cert-manager-%
@ln -f $< $@

76
make/e2e-setup.mk
View File

@ -75,7 +75,7 @@ e2e-setup-kind: kind-exists
# This is the actual target that creates the kind cluster.
#
# The presence of the file $(BINDIR)/scratch/kind-exists indicates that your kube
# The presence of the file $(bin_dir)/scratch/kind-exists indicates that your kube
# config's current context points to a kind cluster. The file contains the
# name of the kind cluster.
#
@ -83,13 +83,13 @@ e2e-setup-kind: kind-exists
# used as a prerequisite. If we were to use .PHONY, then the file's
# timestamp would not be used to check whether targets should be rebuilt,
# and they would get constantly rebuilt.
$(BINDIR)/scratch/kind-exists: make/config/kind/cluster.yaml preload-kind-image make/cluster.sh FORCE | $(BINDIR)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_YQ)
$(bin_dir)/scratch/kind-exists: make/config/kind/cluster.yaml preload-kind-image make/cluster.sh FORCE | $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_YQ)
@$(eval KIND_CLUSTER_NAME ?= kind)
@make/cluster.sh --name $(KIND_CLUSTER_NAME)
@if [ "$(shell cat $@ 2>/dev/null)" != $(KIND_CLUSTER_NAME) ]; then echo $(KIND_CLUSTER_NAME) > $@; else touch $@; fi
.PHONY: kind-exists
kind-exists: $(BINDIR)/scratch/kind-exists
kind-exists: $(bin_dir)/scratch/kind-exists
# Component Used in IP A record in bind
# --------- ------- -- ----------------
@ -111,7 +111,7 @@ e2e-setup: e2e-setup-gatewayapi e2e-setup-certmanager e2e-setup-vault e2e-setup-
#
# returns the following path:
#
# $(BINDIR)/downloaded/containers/amd64/docker.io/traefik+2.4.9@sha256+bfba204252.tar
# $(bin_dir)/downloaded/containers/amd64/docker.io/traefik+2.4.9@sha256+bfba204252.tar
# <---> <--------------------------------------->
# CRI_ARCH IMAGE_kyverno_amd64
# (with ":" replaced with "+")
@ -121,9 +121,9 @@ e2e-setup: e2e-setup-gatewayapi e2e-setup-certmanager e2e-setup-vault e2e-setup-
# in image names.
#
# When an image isn't available, i.e., IMAGE_imagename_arm64 is empty, we still
# return a string of the form "$(BINDIR)/downloaded/containers/amd64/missing-imagename.tar".
# return a string of the form "$(bin_dir)/downloaded/containers/amd64/missing-imagename.tar".
define image-tar
$(BINDIR)/downloaded/containers/$(CRI_ARCH)/$(if $(IMAGE_$(1)_$(CRI_ARCH)),$(subst :,+,$(IMAGE_$(1)_$(CRI_ARCH))),missing-$(1)).tar
$(bin_dir)/downloaded/containers/$(CRI_ARCH)/$(if $(IMAGE_$(1)_$(CRI_ARCH)),$(subst :,+,$(IMAGE_$(1)_$(CRI_ARCH))),missing-$(1)).tar
endef
# The function "local-image-tar" returns the path to the image tarball for a given local
@ -133,7 +133,7 @@ endef
#
# returns the following path:
#
# $(BINDIR)/containers/samplewebhook+local.tar
# $(bin_dir)/containers/samplewebhook+local.tar
# <--------------------->
# LOCALIMAGE_samplewebhook
# (with ":" replaced with "+")
@ -143,15 +143,15 @@ endef
# in image names.
#
# When an image isn't available, i.e., IMAGE_imagename is empty, we still
# return a string of the form "$(BINDIR)/containers/missing-imagename.tar".
# return a string of the form "$(bin_dir)/containers/missing-imagename.tar".
define local-image-tar
$(BINDIR)/containers/$(if $(LOCALIMAGE_$(1)),$(subst :,+,$(LOCALIMAGE_$(1))),missing-$(1)).tar
$(bin_dir)/containers/$(if $(LOCALIMAGE_$(1)),$(subst :,+,$(LOCALIMAGE_$(1))),missing-$(1)).tar
endef
# Let's separate the pulling of the Kind image so that more tasks can be
# run in parallel when running "make -j e2e-setup". In CI, the Docker
# engine being stripped on every job, we save the kind image to
# "$(BINDIR)/downloads". Side note: we don't use "$(CI)" directly since we would
# "$(bin_dir)/downloads". Side note: we don't use "$(CI)" directly since we would
# get the message "warning: undefined variable 'CI'".
.PHONY: preload-kind-image
ifeq ($(shell printenv CI),)
@ -162,10 +162,10 @@ preload-kind-image: $(call image-tar,kind)
$(CTR) inspect $(IMAGE_kind_$(CRI_ARCH)) 2>/dev/null >&2 || $(CTR) load -i $<
endif
LOAD_TARGETS=load-$(call image-tar,ingressnginx) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) load-$(call image-tar,bind) load-$(call image-tar,projectcontour) load-$(call image-tar,sampleexternalissuer) load-$(call local-image-tar,vaultretagged) load-$(call local-image-tar,pebble) load-$(call local-image-tar,samplewebhook) load-$(BINDIR)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar load-$(BINDIR)/containers/cert-manager-acmesolver-linux-$(CRI_ARCH).tar load-$(BINDIR)/containers/cert-manager-cainjector-linux-$(CRI_ARCH).tar load-$(BINDIR)/containers/cert-manager-webhook-linux-$(CRI_ARCH).tar load-$(BINDIR)/containers/cert-manager-startupapicheck-linux-$(CRI_ARCH).tar
LOAD_TARGETS=load-$(call image-tar,ingressnginx) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) load-$(call image-tar,bind) load-$(call image-tar,projectcontour) load-$(call image-tar,sampleexternalissuer) load-$(call local-image-tar,vaultretagged) load-$(call local-image-tar,pebble) load-$(call local-image-tar,samplewebhook) load-$(bin_dir)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar load-$(bin_dir)/containers/cert-manager-acmesolver-linux-$(CRI_ARCH).tar load-$(bin_dir)/containers/cert-manager-cainjector-linux-$(CRI_ARCH).tar load-$(bin_dir)/containers/cert-manager-webhook-linux-$(CRI_ARCH).tar load-$(bin_dir)/containers/cert-manager-startupapicheck-linux-$(CRI_ARCH).tar
.PHONY: $(LOAD_TARGETS)
$(LOAD_TARGETS): load-%: % $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
$(KIND) load image-archive --name=$(shell cat $(BINDIR)/scratch/kind-exists) $*
$(LOAD_TARGETS): load-%: % $(bin_dir)/scratch/kind-exists | $(NEEDS_KIND)
$(KIND) load image-archive --name=$(shell cat $(bin_dir)/scratch/kind-exists) $*
# Download a single-arch image
#
@ -188,7 +188,7 @@ $(LOAD_TARGETS): load-%: % $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
# tag. The rule will fail and the new digest will be printed out.
# 3. It prevents us accidentally using the wrong digest when we pin the images
# in the variables above.
$(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
$(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(bin_dir)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
@$(eval IMAGE=$(subst +,:,$*))
@$(eval IMAGE_WITHOUT_DIGEST=$(shell cut -d@ -f1 <<<"$(IMAGE)"))
@$(eval DIGEST=$(subst $(IMAGE_WITHOUT_DIGEST)@,,$(IMAGE)))
@ -246,8 +246,8 @@ E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_URL_SUM := $(shell sha256sum <<<$(E2E_
## it does not exist.
##
## @category Development
E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE ?= $(BINDIR)/scratch/values-bestpractice-$(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_URL_SUM).yaml
$(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE): | $(BINDIR)/scratch
E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE ?= $(bin_dir)/scratch/values-bestpractice-$(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_URL_SUM).yaml
$(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE): | $(bin_dir)/scratch
$(CURL) $(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_URL) -o $@
# Dependencies which will be added to e2e-setup-certmanager depending on the
@ -277,18 +277,18 @@ feature_gates_cainjector := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBe
# * Kyverno: so that it can check the cert-manager manifests against the policy in `config/kyverno/`
# (only installed if E2E_SETUP_OPTION_BESTPRACTICE is set).
.PHONY: e2e-setup-certmanager
e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controller acmesolver cainjector webhook startupapicheck,$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) $(foreach binaryname,controller acmesolver cainjector webhook startupapicheck,load-$(BINDIR)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) e2e-setup-gatewayapi $(E2E_SETUP_OPTION_DEPENDENCIES) $(BINDIR)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_KIND) $(NEEDS_HELM)
@$(eval TAG = $(shell tar xfO $(BINDIR)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
e2e-setup-certmanager: $(bin_dir)/cert-manager.tgz $(foreach binaryname,controller acmesolver cainjector webhook startupapicheck,$(bin_dir)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) $(foreach binaryname,controller acmesolver cainjector webhook startupapicheck,load-$(bin_dir)/containers/cert-manager-$(binaryname)-linux-$(CRI_ARCH).tar) e2e-setup-gatewayapi $(E2E_SETUP_OPTION_DEPENDENCIES) $(bin_dir)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_KIND) $(NEEDS_HELM)
@$(eval TAG = $(shell tar xfO $(bin_dir)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
$(HELM) upgrade \
--install \
--create-namespace \
--wait \
--namespace cert-manager \
--set image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set cainjector.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-cainjector-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set webhook.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-webhook-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set acmesolver.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-acmesolver-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set startupapicheck.image.repository="$(shell tar xfO $(BINDIR)/containers/cert-manager-startupapicheck-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set image.repository="$(shell tar xfO $(bin_dir)/containers/cert-manager-controller-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set cainjector.image.repository="$(shell tar xfO $(bin_dir)/containers/cert-manager-cainjector-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set webhook.image.repository="$(shell tar xfO $(bin_dir)/containers/cert-manager-webhook-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set acmesolver.image.repository="$(shell tar xfO $(bin_dir)/containers/cert-manager-acmesolver-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set startupapicheck.image.repository="$(shell tar xfO $(bin_dir)/containers/cert-manager-startupapicheck-linux-$(CRI_ARCH).tar manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f1)" \
--set image.tag="$(TAG)" \
--set cainjector.image.tag="$(TAG)" \
--set webhook.image.tag="$(TAG)" \
@ -305,14 +305,14 @@ e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controlle
cert-manager $< >/dev/null
.PHONY: e2e-setup-bind
e2e-setup-bind: $(call image-tar,bind) load-$(call image-tar,bind) $(wildcard make/config/bind/*.yaml) $(BINDIR)/scratch/kind-exists | $(NEEDS_KUBECTL)
e2e-setup-bind: $(call image-tar,bind) load-$(call image-tar,bind) $(wildcard make/config/bind/*.yaml) $(bin_dir)/scratch/kind-exists | $(NEEDS_KUBECTL)
@$(eval IMAGE = $(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r))
$(KUBECTL) get ns bind 2>/dev/null >&2 || $(KUBECTL) create ns bind
sed -e "s|{SERVICE_IP_PREFIX}|$(SERVICE_IP_PREFIX)|g" -e "s|{IMAGE}|$(IMAGE)|g" make/config/bind/*.yaml | $(KUBECTL) apply -n bind -f - >/dev/null
.PHONY: e2e-setup-gatewayapi
e2e-setup-gatewayapi: $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(BINDIR)/scratch/kind-exists $(NEEDS_KUBECTL)
$(KUBECTL) apply --server-side -f $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml > /dev/null
e2e-setup-gatewayapi: $(bin_dir)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(bin_dir)/scratch/kind-exists $(NEEDS_KUBECTL)
$(KUBECTL) apply --server-side -f $(bin_dir)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml > /dev/null
# v1 NGINX-Ingress by default only watches Ingresses with Ingress class
@ -345,7 +345,7 @@ e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ing
ingress-nginx ingress-nginx/ingress-nginx >/dev/null
.PHONY: e2e-setup-kyverno
e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) make/config/kyverno/policy.yaml $(BINDIR)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_HELM)
e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$(call image-tar,kyverno) load-$(call image-tar,kyvernopre) make/config/kyverno/policy.yaml $(bin_dir)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_HELM)
@$(eval TAG=$(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
$(HELM) repo add kyverno --force-update https://kyverno.github.io/kyverno/ >/dev/null
$(HELM) upgrade \
@ -362,13 +362,13 @@ e2e-setup-kyverno: $(call image-tar,kyverno) $(call image-tar,kyvernopre) load-$
@$(KUBECTL) create ns cert-manager >/dev/null 2>&1 || true
$(KUBECTL) apply --server-side -f make/config/kyverno/policy.yaml >/dev/null
$(BINDIR)/downloaded/pebble-$(PEBBLE_COMMIT).tar.gz: | $(BINDIR)/downloaded
$(bin_dir)/downloaded/pebble-$(PEBBLE_COMMIT).tar.gz: | $(bin_dir)/downloaded
$(CURL) https://github.com/letsencrypt/pebble/archive/$(PEBBLE_COMMIT).tar.gz -o $@
# We can't use GOBIN with "go install" because cross-compilation is not
# possible with go install. That's a problem when cross-compiling for
# linux/arm64 when running on darwin/arm64.
$(call local-image-tar,pebble).dir/pebble: $(BINDIR)/downloaded/pebble-$(PEBBLE_COMMIT).tar.gz | $(NEEDS_GO)
$(call local-image-tar,pebble).dir/pebble: $(bin_dir)/downloaded/pebble-$(PEBBLE_COMMIT).tar.gz | $(NEEDS_GO)
@mkdir -p $(dir $@)
tar xzf $< -C /tmp
cd /tmp/pebble-$(PEBBLE_COMMIT) && GOOS=linux GOARCH=$(CRI_ARCH) CGO_ENABLED=$(CGO_ENABLED) GOMAXPROCS=$(GOBUILDPROCS) $(GOBUILD) $(GOFLAGS) -o $(CURDIR)/$@ ./cmd/pebble
@ -383,7 +383,7 @@ $(call local-image-tar,pebble): $(call local-image-tar,pebble).dir/pebble make/c
$(CTR) save local/pebble:local -o $@ >/dev/null
.PHONY: e2e-setup-pebble
e2e-setup-pebble: load-$(call local-image-tar,pebble) $(BINDIR)/scratch/kind-exists | $(NEEDS_HELM)
e2e-setup-pebble: load-$(call local-image-tar,pebble) $(bin_dir)/scratch/kind-exists | $(NEEDS_HELM)
$(HELM) upgrade \
--install \
--wait \
@ -405,7 +405,7 @@ $(call local-image-tar,samplewebhook): $(call local-image-tar,samplewebhook).dir
$(CTR) save local/samplewebhook:local -o $@ >/dev/null
.PHONY: e2e-setup-samplewebhook
e2e-setup-samplewebhook: load-$(call local-image-tar,samplewebhook) e2e-setup-certmanager $(BINDIR)/scratch/kind-exists | $(NEEDS_HELM)
e2e-setup-samplewebhook: load-$(call local-image-tar,samplewebhook) e2e-setup-certmanager $(bin_dir)/scratch/kind-exists | $(NEEDS_HELM)
$(HELM) upgrade \
--install \
--wait \
@ -414,7 +414,7 @@ e2e-setup-samplewebhook: load-$(call local-image-tar,samplewebhook) e2e-setup-ce
samplewebhook make/config/samplewebhook/chart >/dev/null
.PHONY: e2e-setup-projectcontour
e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar,projectcontour) make/config/projectcontour/gateway.yaml make/config/projectcontour/contour.yaml $(BINDIR)/scratch/kind-exists | $(NEEDS_HELM) $(NEEDS_KUBECTL)
e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar,projectcontour) make/config/projectcontour/gateway.yaml make/config/projectcontour/contour.yaml $(bin_dir)/scratch/kind-exists | $(NEEDS_HELM) $(NEEDS_KUBECTL)
@$(eval TAG=$(shell tar xfO $< manifest.json | jq '.[0].RepoTags[0]' -r | cut -d: -f2))
$(HELM) repo add bitnami --force-update https://charts.bitnami.com/bitnami >/dev/null
# Warning: When upgrading the version of this helm chart, bear in mind that the IMAGE_projectcontour_* images above might need to be updated, too.
@ -440,23 +440,23 @@ e2e-setup-projectcontour: $(call image-tar,projectcontour) load-$(call image-tar
$(KUBECTL) apply --server-side -f make/config/projectcontour/gateway.yaml
.PHONY: e2e-setup-sampleexternalissuer
e2e-setup-sampleexternalissuer: load-$(call image-tar,sampleexternalissuer) $(BINDIR)/scratch/kind-exists | $(NEEDS_KUBECTL)
e2e-setup-sampleexternalissuer: load-$(call image-tar,sampleexternalissuer) $(bin_dir)/scratch/kind-exists | $(NEEDS_KUBECTL)
$(KUBECTL) apply -n sample-external-issuer-system -f https://github.com/cert-manager/sample-external-issuer/releases/download/v0.4.0/install.yaml >/dev/null
$(KUBECTL) patch -n sample-external-issuer-system deployments.apps sample-external-issuer-controller-manager --type=json -p='[{"op": "add", "path": "/spec/template/spec/containers/1/imagePullPolicy", "value": "Never"}]' >/dev/null
# Note that the end-to-end tests are dealing with the Helm installation. We
# do not need to Helm install here.
.PHONY: e2e-setup-vault
e2e-setup-vault: load-$(call local-image-tar,vaultretagged) $(BINDIR)/scratch/kind-exists | $(NEEDS_HELM)
e2e-setup-vault: load-$(call local-image-tar,vaultretagged) $(bin_dir)/scratch/kind-exists | $(NEEDS_HELM)
# Exported because it needs to flow down to make/e2e.sh.
export ARTIFACTS ?= $(shell pwd)/$(BINDIR)/artifacts
export ARTIFACTS ?= $(shell pwd)/$(bin_dir)/artifacts
.PHONY: kind-logs
kind-logs: $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
kind-logs: $(bin_dir)/scratch/kind-exists | $(NEEDS_KIND)
rm -rf $(ARTIFACTS)/cert-manager-e2e-logs
mkdir -p $(ARTIFACTS)/cert-manager-e2e-logs
$(KIND) export logs $(ARTIFACTS)/cert-manager-e2e-logs --name=$(shell cat $(BINDIR)/scratch/kind-exists)
$(KIND) export logs $(ARTIFACTS)/cert-manager-e2e-logs --name=$(shell cat $(bin_dir)/scratch/kind-exists)
$(BINDIR)/scratch:
$(bin_dir)/scratch:
@mkdir -p $@

10
make/git.mk
View File

@ -32,18 +32,18 @@ release-version:
@echo "$(RELEASE_VERSION)"
# The file "release-version" gets updated whenever git describe --tags changes.
# This is used by the $(BINDIR)/containers/*.tar.gz targets to make sure that the
# This is used by the $(bin_dir)/containers/*.tar.gz targets to make sure that the
# containers, which use the output of "git describe --tags" as their tag, get
# rebuilt whenever you check out a different commit. If we didn't do this, the
# Helm chart $(BINDIR)/cert-manager-*.tgz would refer to an image tag that doesn't
# exist in $(BINDIR)/containers/*.tar.gz.
# Helm chart $(bin_dir)/cert-manager-*.tgz would refer to an image tag that doesn't
# exist in $(bin_dir)/containers/*.tar.gz.
#
# We use FORCE instead of .PHONY because this is a real file that can be used as
# a prerequisite. If we were to use .PHONY, then the file's timestamp would not
# be used to check whether targets should be rebuilt, and they would get
# constantly rebuilt.
$(BINDIR)/release-version: FORCE | $(BINDIR)
$(bin_dir)/release-version: FORCE | $(bin_dir)
@test "$(RELEASE_VERSION)" == "$(shell cat $@ 2>/dev/null)" || echo $(RELEASE_VERSION) > $@
$(BINDIR)/scratch/git:
$(bin_dir)/scratch/git:
@mkdir -p $@

22
make/ko.mk
View File

@ -50,7 +50,7 @@ KO_BINS ?= controller acmesolver cainjector webhook startupapicheck
## @category Experimental/ko
KO_HELM_VALUES_FILES ?=
export KOCACHE = $(BINDIR)/scratch/ko/cache
export KOCACHE = $(bin_dir)/scratch/ko/cache
KO_IMAGE_REFS = $(foreach bin,$(KO_BINS),_bin/scratch/ko/$(bin).yaml)
$(KO_IMAGE_REFS): _bin/scratch/ko/%.yaml: FORCE | $(NEEDS_KO) $(NEEDS_YQ)
@ -71,21 +71,21 @@ ko-images-push: $(KO_IMAGE_REFS)
.PHONY: ko-deploy-certmanager
## Deploy cert-manager after pushing docker images to an OCI registry using ko.
## @category Experimental/ko
ko-deploy-certmanager: $(BINDIR)/cert-manager.tgz $(KO_IMAGE_REFS)
@$(eval ACME_HTTP01_SOLVER_IMAGE = $(shell $(YQ) '.repository + "@" + .digest' $(BINDIR)/scratch/ko/acmesolver.yaml))
ko-deploy-certmanager: $(bin_dir)/cert-manager.tgz $(KO_IMAGE_REFS)
@$(eval ACME_HTTP01_SOLVER_IMAGE = $(shell $(YQ) '.repository + "@" + .digest' $(bin_dir)/scratch/ko/acmesolver.yaml))
$(HELM) upgrade cert-manager $< \
--install \
--create-namespace \
--wait \
--namespace cert-manager \
$(and $(KO_HELM_VALUES_FILES),--values $(KO_HELM_VALUES_FILES)) \
--set image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/controller.yaml)" \
--set image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/controller.yaml)" \
--set cainjector.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/cainjector.yaml)" \
--set cainjector.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/cainjector.yaml)" \
--set webhook.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/webhook.yaml)" \
--set webhook.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/webhook.yaml)" \
--set startupapicheck.image.repository="$(shell $(YQ) .repository $(BINDIR)/scratch/ko/startupapicheck.yaml)" \
--set startupapicheck.image.digest="$(shell $(YQ) .digest $(BINDIR)/scratch/ko/startupapicheck.yaml)" \
--set image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/controller.yaml)" \
--set image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/controller.yaml)" \
--set cainjector.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/cainjector.yaml)" \
--set cainjector.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/cainjector.yaml)" \
--set webhook.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/webhook.yaml)" \
--set webhook.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/webhook.yaml)" \
--set startupapicheck.image.repository="$(shell $(YQ) .repository $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
--set startupapicheck.image.digest="$(shell $(YQ) .digest $(bin_dir)/scratch/ko/startupapicheck.yaml)" \
--set installCRDs=true \
--set "extraArgs={--acme-http01-solver-image=$(ACME_HTTP01_SOLVER_IMAGE)}"

24
make/licenses.mk
View File

@ -19,20 +19,20 @@
LICENSE_YEAR=2022
# Creates the boilerplate header for YAML files from the template in hack/
$(BINDIR)/scratch/license.yaml: hack/boilerplate-yaml.txt | $(BINDIR)/scratch
$(bin_dir)/scratch/license.yaml: hack/boilerplate-yaml.txt | $(bin_dir)/scratch
sed -e "s/YEAR/$(LICENSE_YEAR)/g" < $< > $@
# The references LICENSES file is 1.4MB at the time of writing. Bundling it into every container image
# seems wasteful in terms of bytes stored and bytes transferred on the wire just to add a file
# which presumably nobody will ever read or care about. Instead, just add a little footnote pointing
# to the cert-manager repo in case anybody actually decides that they care.
$(BINDIR)/scratch/license-footnote.yaml: | $(BINDIR)/scratch
$(bin_dir)/scratch/license-footnote.yaml: | $(bin_dir)/scratch
@echo -e "# To view licenses for cert-manager dependencies, see the LICENSES file in the\n# cert-manager repo: https://github.com/cert-manager/cert-manager/blob/$(GITCOMMIT)/LICENSES" > $@
$(BINDIR)/scratch/cert-manager.license: $(BINDIR)/scratch/license.yaml $(BINDIR)/scratch/license-footnote.yaml | $(BINDIR)/scratch
$(bin_dir)/scratch/cert-manager.license: $(bin_dir)/scratch/license.yaml $(bin_dir)/scratch/license-footnote.yaml | $(bin_dir)/scratch
cat $^ > $@
$(BINDIR)/scratch/cert-manager.licenses_notice: $(BINDIR)/scratch/license-footnote.yaml | $(BINDIR)/scratch
$(bin_dir)/scratch/cert-manager.licenses_notice: $(bin_dir)/scratch/license-footnote.yaml | $(bin_dir)/scratch
cp $< $@
# Create a go.work file so that go-licenses can discover the LICENCE file of the
@ -45,18 +45,18 @@ $(BINDIR)/scratch/cert-manager.licenses_notice: $(BINDIR)/scratch/license-footno
# The go.work file is in a non-standard location, because we made a decision not
# to commit a go.work file to the repository root for reasons given in:
# https://github.com/cert-manager/cert-manager/pull/5935
LICENSES_GO_WORK := $(BINDIR)/scratch/LICENSES.go.work
$(LICENSES_GO_WORK): $(BINDIR)/scratch
LICENSES_GO_WORK := $(bin_dir)/scratch/LICENSES.go.work
$(LICENSES_GO_WORK): $(bin_dir)/scratch
$(MAKE) go-workspace GOWORK=$(abspath $@)
LICENSES $(BINDIR)/scratch/LATEST-LICENSES: export GOWORK=$(abspath $(LICENSES_GO_WORK))
LICENSES $(BINDIR)/scratch/LATEST-LICENSES: $(LICENSES_GO_WORK) go.mod go.sum | $(NEEDS_GO-LICENSES)
LICENSES $(bin_dir)/scratch/LATEST-LICENSES: export GOWORK=$(abspath $(LICENSES_GO_WORK))
LICENSES $(bin_dir)/scratch/LATEST-LICENSES: $(LICENSES_GO_WORK) go.mod go.sum | $(NEEDS_GO-LICENSES)
GOOS=linux GOARCH=amd64 $(GO-LICENSES) csv ./... > $@
cmd/%/LICENSES $(BINDIR)/scratch/LATEST-LICENSES-%: export GOWORK=$(abspath $(LICENSES_GO_WORK))
cmd/%/LICENSES $(BINDIR)/scratch/LATEST-LICENSES-%: $(LICENSES_GO_WORK) cmd/%/go.mod cmd/%/go.sum | $(NEEDS_GO-LICENSES)
cmd/%/LICENSES $(bin_dir)/scratch/LATEST-LICENSES-%: export GOWORK=$(abspath $(LICENSES_GO_WORK))
cmd/%/LICENSES $(bin_dir)/scratch/LATEST-LICENSES-%: $(LICENSES_GO_WORK) cmd/%/go.mod cmd/%/go.sum | $(NEEDS_GO-LICENSES)
cd cmd/$* && GOOS=linux GOARCH=amd64 $(GO-LICENSES) csv ./... > ../../$@
test/%/LICENSES $(BINDIR)/scratch/LATEST-LICENSES-%-tests: export GOWORK=$(abspath $(LICENSES_GO_WORK))
test/%/LICENSES $(BINDIR)/scratch/LATEST-LICENSES-%-tests: $(LICENSES_GO_WORK) test/%/go.mod test/%/go.sum | $(NEEDS_GO-LICENSES)
test/%/LICENSES $(bin_dir)/scratch/LATEST-LICENSES-%-tests: export GOWORK=$(abspath $(LICENSES_GO_WORK))
test/%/LICENSES $(bin_dir)/scratch/LATEST-LICENSES-%-tests: $(LICENSES_GO_WORK) test/%/go.mod test/%/go.sum | $(NEEDS_GO-LICENSES)
cd test/$* && GOOS=linux GOARCH=amd64 $(GO-LICENSES) csv ./... > ../../$@

92
make/manifests.mk
View File

@ -13,10 +13,10 @@
# limitations under the License.
CRDS_SOURCES=$(wildcard deploy/crds/*.yaml)
CRDS_TEMPLATED=$(CRDS_SOURCES:deploy/crds/%.yaml=$(BINDIR)/yaml/templated-crds/%.templated.yaml)
CRDS_TEMPLATED=$(CRDS_SOURCES:deploy/crds/%.yaml=$(bin_dir)/yaml/templated-crds/%.templated.yaml)
HELM_TEMPLATE_SOURCES=$(wildcard deploy/charts/cert-manager/templates/*.yaml)
HELM_TEMPLATE_TARGETS=$(patsubst deploy/charts/cert-manager/templates/%,$(BINDIR)/helm/cert-manager/templates/%,$(HELM_TEMPLATE_SOURCES))
HELM_TEMPLATE_TARGETS=$(patsubst deploy/charts/cert-manager/templates/%,$(bin_dir)/helm/cert-manager/templates/%,$(HELM_TEMPLATE_SOURCES))
####################
# Friendly Targets #
@ -25,16 +25,16 @@ HELM_TEMPLATE_TARGETS=$(patsubst deploy/charts/cert-manager/templates/%,$(BINDIR
# These targets provide friendly names for the various manifests / charts we build
.PHONY: helm-chart
helm-chart: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz
helm-chart: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz
$(BINDIR)/cert-manager.tgz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz
$(bin_dir)/cert-manager.tgz: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz
@ln -s -f $(notdir $<) $@
.PHONY: helm-chart-signature
helm-chart-signature: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov
helm-chart-signature: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz.prov
.PHONY: static-manifests
static-manifests: $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml
static-manifests: $(bin_dir)/yaml/cert-manager.crds.yaml $(bin_dir)/yaml/cert-manager.yaml
###################
# Release Targets #
@ -44,7 +44,7 @@ static-manifests: $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-mana
## Build YAML manifests and helm charts (but not the helm chart signature)
##
## @category Release
release-manifests: $(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz
release-manifests: $(bin_dir)/scratch/cert-manager-manifests-unsigned.tar.gz
.PHONY: release-manifests-signed
## Build YAML manifests and helm charts including the helm chart signature
@ -53,29 +53,29 @@ release-manifests: $(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz
## Prefer `make release-manifests` locally.
##
## @category Release
release-manifests-signed: $(BINDIR)/release/cert-manager-manifests.tar.gz $(BINDIR)/metadata/cert-manager-manifests.tar.gz.metadata.json
release-manifests-signed: $(bin_dir)/release/cert-manager-manifests.tar.gz $(bin_dir)/metadata/cert-manager-manifests.tar.gz.metadata.json
$(BINDIR)/release/cert-manager-manifests.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(BINDIR)/scratch/manifests-signed $(BINDIR)/release
mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/chart/
mkdir -p $(BINDIR)/scratch/manifests-signed/deploy/manifests/
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov $(BINDIR)/scratch/manifests-signed/deploy/chart/
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-signed/deploy/manifests/
$(bin_dir)/release/cert-manager-manifests.tar.gz: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz $(bin_dir)/yaml/cert-manager.crds.yaml $(bin_dir)/yaml/cert-manager.yaml $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz.prov | $(bin_dir)/scratch/manifests-signed $(bin_dir)/release
mkdir -p $(bin_dir)/scratch/manifests-signed/deploy/chart/
mkdir -p $(bin_dir)/scratch/manifests-signed/deploy/manifests/
cp $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz.prov $(bin_dir)/scratch/manifests-signed/deploy/chart/
cp $(bin_dir)/yaml/cert-manager.crds.yaml $(bin_dir)/yaml/cert-manager.yaml $(bin_dir)/scratch/manifests-signed/deploy/manifests/
# removes leading ./ from archived paths
find $(BINDIR)/scratch/manifests-signed -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-signed -T -
rm -rf $(BINDIR)/scratch/manifests-signed
find $(bin_dir)/scratch/manifests-signed -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(bin_dir)/scratch/manifests-signed -T -
rm -rf $(bin_dir)/scratch/manifests-signed
$(BINDIR)/scratch/cert-manager-manifests-unsigned.tar.gz: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml | $(BINDIR)/scratch/manifests-unsigned
mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
mkdir -p $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
cp $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz $(BINDIR)/scratch/manifests-unsigned/deploy/chart/
cp $(BINDIR)/yaml/cert-manager.crds.yaml $(BINDIR)/yaml/cert-manager.yaml $(BINDIR)/scratch/manifests-unsigned/deploy/manifests/
$(bin_dir)/scratch/cert-manager-manifests-unsigned.tar.gz: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz $(bin_dir)/yaml/cert-manager.crds.yaml $(bin_dir)/yaml/cert-manager.yaml | $(bin_dir)/scratch/manifests-unsigned
mkdir -p $(bin_dir)/scratch/manifests-unsigned/deploy/chart/
mkdir -p $(bin_dir)/scratch/manifests-unsigned/deploy/manifests/
cp $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz $(bin_dir)/scratch/manifests-unsigned/deploy/chart/
cp $(bin_dir)/yaml/cert-manager.crds.yaml $(bin_dir)/yaml/cert-manager.yaml $(bin_dir)/scratch/manifests-unsigned/deploy/manifests/
# removes leading ./ from archived paths
find $(BINDIR)/scratch/manifests-unsigned -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(BINDIR)/scratch/manifests-unsigned -T -
rm -rf $(BINDIR)/scratch/manifests-unsigned
find $(bin_dir)/scratch/manifests-unsigned -maxdepth 1 -mindepth 1 | sed 's|.*/||' | tar czf $@ -C $(bin_dir)/scratch/manifests-unsigned -T -
rm -rf $(bin_dir)/scratch/manifests-unsigned
# This metadata blob is constructed slightly differently and doesn't use hack/artifact-metadata.template.json directly;
# this is because the bazel staged releases didn't include an "os" or "architecture" field for this artifact
$(BINDIR)/metadata/cert-manager-manifests.tar.gz.metadata.json: $(BINDIR)/release/cert-manager-manifests.tar.gz hack/artifact-metadata.template.json | $(BINDIR)/metadata
$(bin_dir)/metadata/cert-manager-manifests.tar.gz.metadata.json: $(bin_dir)/release/cert-manager-manifests.tar.gz hack/artifact-metadata.template.json | $(bin_dir)/metadata
jq -n --arg name "$(notdir $<)" \
--arg sha256 "$(shell ./hack/util/hash.sh $<)" \
'.name = $$name | .sha256 = $$sha256' > $@
@ -86,36 +86,36 @@ $(BINDIR)/metadata/cert-manager-manifests.tar.gz.metadata.json: $(BINDIR)/releas
# These targets provide for building and signing the cert-manager helm chart.
$(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz: $(BINDIR)/helm/cert-manager/README.md $(BINDIR)/helm/cert-manager/Chart.yaml $(BINDIR)/helm/cert-manager/values.yaml $(HELM_TEMPLATE_TARGETS) $(BINDIR)/helm/cert-manager/templates/NOTES.txt $(BINDIR)/helm/cert-manager/templates/_helpers.tpl $(BINDIR)/helm/cert-manager/templates/crds.yaml | $(NEEDS_HELM) $(BINDIR)/helm/cert-manager
$(HELM) package --app-version=$(RELEASE_VERSION) --version=$(RELEASE_VERSION) --destination "$(dir $@)" ./$(BINDIR)/helm/cert-manager
$(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz: $(bin_dir)/helm/cert-manager/README.md $(bin_dir)/helm/cert-manager/Chart.yaml $(bin_dir)/helm/cert-manager/values.yaml $(HELM_TEMPLATE_TARGETS) $(bin_dir)/helm/cert-manager/templates/NOTES.txt $(bin_dir)/helm/cert-manager/templates/_helpers.tpl $(bin_dir)/helm/cert-manager/templates/crds.yaml | $(NEEDS_HELM) $(bin_dir)/helm/cert-manager
$(HELM) package --app-version=$(RELEASE_VERSION) --version=$(RELEASE_VERSION) --destination "$(dir $@)" ./$(bin_dir)/helm/cert-manager
$(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz.prov: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_CMREL) $(BINDIR)/helm/cert-manager
$(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz.prov: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_CMREL) $(bin_dir)/helm/cert-manager
ifeq ($(strip $(CMREL_KEY)),)
$(error Trying to sign helm chart but CMREL_KEY is empty)
endif
cd $(dir $<) && $(CMREL) sign helm --chart-path "$(notdir $<)" --key "$(CMREL_KEY)"
$(BINDIR)/helm/cert-manager/templates/%.yaml: deploy/charts/cert-manager/templates/%.yaml | $(BINDIR)/helm/cert-manager/templates
$(bin_dir)/helm/cert-manager/templates/%.yaml: deploy/charts/cert-manager/templates/%.yaml | $(bin_dir)/helm/cert-manager/templates
cp -f $^ $@
$(BINDIR)/helm/cert-manager/templates/_helpers.tpl: deploy/charts/cert-manager/templates/_helpers.tpl | $(BINDIR)/helm/cert-manager/templates
$(bin_dir)/helm/cert-manager/templates/_helpers.tpl: deploy/charts/cert-manager/templates/_helpers.tpl | $(bin_dir)/helm/cert-manager/templates
cp $< $@
$(BINDIR)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/templates/NOTES.txt | $(BINDIR)/helm/cert-manager/templates
$(bin_dir)/helm/cert-manager/templates/NOTES.txt: deploy/charts/cert-manager/templates/NOTES.txt | $(bin_dir)/helm/cert-manager/templates
cp $< $@
$(BINDIR)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(BINDIR)/helm/cert-manager/templates
$(bin_dir)/helm/cert-manager/templates/crds.yaml: $(CRDS_SOURCES) | $(bin_dir)/helm/cert-manager/templates
echo '{{- if .Values.installCRDs }}' > $@
./hack/concat-yaml.sh $^ >> $@
echo '{{- end }}' >> $@
$(BINDIR)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(BINDIR)/helm/cert-manager
$(bin_dir)/helm/cert-manager/values.yaml: deploy/charts/cert-manager/values.yaml | $(bin_dir)/helm/cert-manager
cp $< $@
$(BINDIR)/helm/cert-manager/README.md: deploy/charts/cert-manager/README.template.md | $(BINDIR)/helm/cert-manager
$(bin_dir)/helm/cert-manager/README.md: deploy/charts/cert-manager/README.template.md | $(bin_dir)/helm/cert-manager
sed -e "s:{{RELEASE_VERSION}}:$(RELEASE_VERSION):g" < $< > $@
$(BINDIR)/helm/cert-manager/Chart.yaml: deploy/charts/cert-manager/Chart.template.yaml deploy/charts/cert-manager/signkey_annotation.txt | $(NEEDS_YQ) $(BINDIR)/helm/cert-manager
$(bin_dir)/helm/cert-manager/Chart.yaml: deploy/charts/cert-manager/Chart.template.yaml deploy/charts/cert-manager/signkey_annotation.txt | $(NEEDS_YQ) $(bin_dir)/helm/cert-manager
@# this horrible mess is taken from the YQ manual's example of multiline string blocks from a file:
@# https://mikefarah.gitbook.io/yq/operators/string-operators#string-blocks-bash-and-newlines
@# we set a bash variable called SIGNKEY_ANNOTATION using read, and then use that bash variable in yq
@ -133,27 +133,27 @@ $(BINDIR)/helm/cert-manager/Chart.yaml: deploy/charts/cert-manager/Chart.templat
# with templating completed, and then concatenate with the cert-manager namespace and the CRDs.
# Renders all resources except the namespace and the CRDs
$(BINDIR)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(BINDIR)/scratch/yaml
$(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml
@# The sed command removes the first line but only if it matches "---", which helm adds
$(HELM) template --api-versions="" --namespace=cert-manager --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \
sed -e "1{/^---$$/d;}" > $@
$(BINDIR)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(BINDIR)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(BINDIR)/scratch/yaml
$(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml: $(bin_dir)/cert-manager-$(RELEASE_VERSION).tgz | $(NEEDS_HELM) $(bin_dir)/scratch/yaml
@# The sed command removes the first line but only if it matches "---", which helm adds
$(HELM) template --api-versions="" --namespace=cert-manager --set="installCRDs=true" --set="creator=static" --set="startupapicheck.enabled=false" cert-manager $< | \
sed -e "1{/^---$$/d;}" > $@
$(BINDIR)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(BINDIR)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(BINDIR)/scratch/yaml
$(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml: $(bin_dir)/scratch/yaml/cert-manager.all.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/scratch/yaml
$(GO) run hack/extractcrd/main.go $< > $@
$(BINDIR)/yaml/cert-manager.yaml: $(BINDIR)/scratch/license.yaml deploy/manifests/namespace.yaml $(BINDIR)/scratch/yaml/cert-manager.crds.unlicensed.yaml $(BINDIR)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml | $(BINDIR)/yaml
$(bin_dir)/yaml/cert-manager.yaml: $(bin_dir)/scratch/license.yaml deploy/manifests/namespace.yaml $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml $(bin_dir)/scratch/yaml/cert-manager.noncrd.unlicensed.yaml | $(bin_dir)/yaml
@# NB: filter-out removes the license (the first dependency, $<) from the YAML concatenation
./hack/concat-yaml.sh $(filter-out $<, $^) | cat $< - > $@
$(BINDIR)/yaml/cert-manager.crds.yaml: $(BINDIR)/scratch/license.yaml $(BINDIR)/scratch/yaml/cert-manager.crds.unlicensed.yaml | $(BINDIR)/yaml
$(bin_dir)/yaml/cert-manager.crds.yaml: $(bin_dir)/scratch/license.yaml $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml | $(bin_dir)/yaml
cat $^ > $@
$(CRDS_TEMPLATED): $(BINDIR)/yaml/templated-crds/crd-%.templated.yaml: $(BINDIR)/scratch/license.yaml $(BINDIR)/scratch/yaml/cert-manager.crds.unlicensed.yaml | $(NEEDS_GO) $(BINDIR)/yaml/templated-crds
$(CRDS_TEMPLATED): $(bin_dir)/yaml/templated-crds/crd-%.templated.yaml: $(bin_dir)/scratch/license.yaml $(bin_dir)/scratch/yaml/cert-manager.crds.unlicensed.yaml | $(NEEDS_GO) $(bin_dir)/yaml/templated-crds
cat $< > $@
$(GO) run hack/extractcrd/main.go $(word 2,$^) $* >> $@
@ -166,23 +166,23 @@ templated-crds: $(CRDS_TEMPLATED)
# These targets are trivial, to ensure that dirs exist
$(BINDIR)/yaml:
$(bin_dir)/yaml:
@mkdir -p $@
$(BINDIR)/helm/cert-manager:
$(bin_dir)/helm/cert-manager:
@mkdir -p $@
$(BINDIR)/helm/cert-manager/templates:
$(bin_dir)/helm/cert-manager/templates:
@mkdir -p $@
$(BINDIR)/scratch/yaml:
$(bin_dir)/scratch/yaml:
@mkdir -p $@
$(BINDIR)/scratch/manifests-unsigned:
$(bin_dir)/scratch/manifests-unsigned:
@mkdir -p $@
$(BINDIR)/scratch/manifests-signed:
$(bin_dir)/scratch/manifests-signed:
@mkdir -p $@
$(BINDIR)/yaml/templated-crds:
$(bin_dir)/yaml/templated-crds:
@mkdir -p $@

46
make/release.mk
View File

@ -53,7 +53,7 @@ release-artifacts-signed: release-artifacts release-manifests-signed
##
## @category Release
release: release-artifacts-signed
$(MAKE) --no-print-directory $(BINDIR)/release/metadata.json
$(MAKE) --no-print-directory $(bin_dir)/release/metadata.json
.PHONY: upload-release
## Create a complete release and then upload it to a target GCS bucket specified by
@ -64,11 +64,11 @@ upload-release: release | $(NEEDS_RCLONE)
ifeq ($(strip $(RELEASE_TARGET_BUCKET)),)
$(error Trying to upload-release but RELEASE_TARGET_BUCKET is empty)
endif
$(RCLONE) copyto ./$(BINDIR)/release :gcs:$(RELEASE_TARGET_BUCKET)/stage/gcb/release/$(RELEASE_VERSION)
$(RCLONE) copyto ./$(bin_dir)/release :gcs:$(RELEASE_TARGET_BUCKET)/stage/gcb/release/$(RELEASE_VERSION)
# Takes all metadata files in $(BINDIR)/metadata and combines them into one.
# Takes all metadata files in $(bin_dir)/metadata and combines them into one.
$(BINDIR)/release/metadata.json: $(wildcard $(BINDIR)/metadata/*.json) | $(BINDIR)/release
$(bin_dir)/release/metadata.json: $(wildcard $(bin_dir)/metadata/*.json) | $(bin_dir)/release
jq -n \
--arg releaseVersion "$(RELEASE_VERSION)" \
--arg buildSource "make" \
@ -79,12 +79,12 @@ $(BINDIR)/release/metadata.json: $(wildcard $(BINDIR)/metadata/*.json) | $(BINDI
release-containers: release-container-bundles release-container-metadata
.PHONY: release-container-bundles
release-container-bundles: $(BINDIR)/release/cert-manager-server-linux-amd64.tar.gz $(BINDIR)/release/cert-manager-server-linux-arm64.tar.gz $(BINDIR)/release/cert-manager-server-linux-s390x.tar.gz $(BINDIR)/release/cert-manager-server-linux-ppc64le.tar.gz $(BINDIR)/release/cert-manager-server-linux-arm.tar.gz
release-container-bundles: $(bin_dir)/release/cert-manager-server-linux-amd64.tar.gz $(bin_dir)/release/cert-manager-server-linux-arm64.tar.gz $(bin_dir)/release/cert-manager-server-linux-s390x.tar.gz $(bin_dir)/release/cert-manager-server-linux-ppc64le.tar.gz $(bin_dir)/release/cert-manager-server-linux-arm.tar.gz
$(BINDIR)/release/cert-manager-server-linux-amd64.tar.gz $(BINDIR)/release/cert-manager-server-linux-arm64.tar.gz $(BINDIR)/release/cert-manager-server-linux-s390x.tar.gz $(BINDIR)/release/cert-manager-server-linux-ppc64le.tar.gz $(BINDIR)/release/cert-manager-server-linux-arm.tar.gz: $(BINDIR)/release/cert-manager-server-linux-%.tar.gz: $(BINDIR)/containers/cert-manager-acmesolver-linux-%.tar.gz $(BINDIR)/containers/cert-manager-cainjector-linux-%.tar.gz $(BINDIR)/containers/cert-manager-controller-linux-%.tar.gz $(BINDIR)/containers/cert-manager-webhook-linux-%.tar.gz $(BINDIR)/containers/cert-manager-startupapicheck-linux-%.tar.gz $(BINDIR)/scratch/cert-manager.license | $(BINDIR)/release $(BINDIR)/scratch
$(bin_dir)/release/cert-manager-server-linux-amd64.tar.gz $(bin_dir)/release/cert-manager-server-linux-arm64.tar.gz $(bin_dir)/release/cert-manager-server-linux-s390x.tar.gz $(bin_dir)/release/cert-manager-server-linux-ppc64le.tar.gz $(bin_dir)/release/cert-manager-server-linux-arm.tar.gz: $(bin_dir)/release/cert-manager-server-linux-%.tar.gz: $(bin_dir)/containers/cert-manager-acmesolver-linux-%.tar.gz $(bin_dir)/containers/cert-manager-cainjector-linux-%.tar.gz $(bin_dir)/containers/cert-manager-controller-linux-%.tar.gz $(bin_dir)/containers/cert-manager-webhook-linux-%.tar.gz $(bin_dir)/containers/cert-manager-startupapicheck-linux-%.tar.gz $(bin_dir)/scratch/cert-manager.license | $(bin_dir)/release $(bin_dir)/scratch
@# use basename twice to strip both "tar" and "gz"
@$(eval CTR_BASENAME := $(basename $(basename $(notdir $@))))
@$(eval CTR_SCRATCHDIR := $(BINDIR)/scratch/release-container-bundle/$(CTR_BASENAME))
@$(eval CTR_SCRATCHDIR := $(bin_dir)/scratch/release-container-bundle/$(CTR_BASENAME))
mkdir -p $(CTR_SCRATCHDIR)/server/images
echo "$(RELEASE_VERSION)" > $(CTR_SCRATCHDIR)/version
echo "$(RELEASE_VERSION)" > $(CTR_SCRATCHDIR)/server/images/acmesolver.docker_tag
@ -92,20 +92,20 @@ $(BINDIR)/release/cert-manager-server-linux-amd64.tar.gz $(BINDIR)/release/cert-
echo "$(RELEASE_VERSION)" > $(CTR_SCRATCHDIR)/server/images/controller.docker_tag
echo "$(RELEASE_VERSION)" > $(CTR_SCRATCHDIR)/server/images/webhook.docker_tag
echo "$(RELEASE_VERSION)" > $(CTR_SCRATCHDIR)/server/images/startupapicheck.docker_tag
cp $(BINDIR)/scratch/cert-manager.license $(CTR_SCRATCHDIR)/LICENSES
gunzip -c $(BINDIR)/containers/cert-manager-acmesolver-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/acmesolver.tar
gunzip -c $(BINDIR)/containers/cert-manager-cainjector-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/cainjector.tar
gunzip -c $(BINDIR)/containers/cert-manager-controller-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/controller.tar
gunzip -c $(BINDIR)/containers/cert-manager-webhook-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/webhook.tar
gunzip -c $(BINDIR)/containers/cert-manager-startupapicheck-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/startupapicheck.tar
cp $(bin_dir)/scratch/cert-manager.license $(CTR_SCRATCHDIR)/LICENSES
gunzip -c $(bin_dir)/containers/cert-manager-acmesolver-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/acmesolver.tar
gunzip -c $(bin_dir)/containers/cert-manager-cainjector-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/cainjector.tar
gunzip -c $(bin_dir)/containers/cert-manager-controller-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/controller.tar
gunzip -c $(bin_dir)/containers/cert-manager-webhook-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/webhook.tar
gunzip -c $(bin_dir)/containers/cert-manager-startupapicheck-linux-$*.tar.gz >$(CTR_SCRATCHDIR)/server/images/startupapicheck.tar
chmod -R 755 $(CTR_SCRATCHDIR)/server/images/*
tar czf $@ -C $(BINDIR)/scratch/release-container-bundle $(CTR_BASENAME)
tar czf $@ -C $(bin_dir)/scratch/release-container-bundle $(CTR_BASENAME)
rm -rf $(CTR_SCRATCHDIR)
.PHONY: release-container-metadata
release-container-metadata: $(BINDIR)/metadata/cert-manager-server-linux-amd64.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-arm64.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-s390x.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-ppc64le.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-arm.tar.gz.metadata.json
release-container-metadata: $(bin_dir)/metadata/cert-manager-server-linux-amd64.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-arm64.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-s390x.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-ppc64le.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-arm.tar.gz.metadata.json
$(BINDIR)/metadata/cert-manager-server-linux-amd64.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-arm64.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-s390x.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-ppc64le.tar.gz.metadata.json $(BINDIR)/metadata/cert-manager-server-linux-arm.tar.gz.metadata.json: $(BINDIR)/metadata/cert-manager-server-linux-%.tar.gz.metadata.json: $(BINDIR)/release/cert-manager-server-linux-%.tar.gz hack/artifact-metadata.template.json | $(BINDIR)/metadata
$(bin_dir)/metadata/cert-manager-server-linux-amd64.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-arm64.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-s390x.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-ppc64le.tar.gz.metadata.json $(bin_dir)/metadata/cert-manager-server-linux-arm.tar.gz.metadata.json: $(bin_dir)/metadata/cert-manager-server-linux-%.tar.gz.metadata.json: $(bin_dir)/release/cert-manager-server-linux-%.tar.gz hack/artifact-metadata.template.json | $(bin_dir)/metadata
jq --arg name "$(notdir $<)" \
--arg sha256 "$(shell ./hack/util/hash.sh $<)" \
--arg os "linux" \
@ -116,17 +116,17 @@ $(BINDIR)/metadata/cert-manager-server-linux-amd64.tar.gz.metadata.json $(BINDIR
# This target allows us to set all the modified times for all files in bin to the same time, which
# is similar to what bazel does. We might not want this, and it's not currently used.
.PHONY: forcetime
forcetime: | $(BINDIR)
find $(BINDIR) | xargs touch -d "2000-01-01 00:00:00" -
forcetime: | $(bin_dir)
find $(bin_dir) | xargs touch -d "2000-01-01 00:00:00" -
$(BINDIR)/release $(BINDIR)/metadata:
$(bin_dir)/release $(bin_dir)/metadata:
@mkdir -p $@
# Example of how we can generate a SHA256SUMS file and sign it using cosign
#$(BINDIR)/SHA256SUMS: $(wildcard ...)
# @# The patsubst means "all dependencies, but with "$(BINDIR)/" trimmed off the beginning
#$(bin_dir)/SHA256SUMS: $(wildcard ...)
# @# The patsubst means "all dependencies, but with "$(bin_dir)/" trimmed off the beginning
# @# We cd into bin so that SHA256SUMS file doesn't have a prefix of `bin` on everything
# cd $(dir $@) && sha256sum $(patsubst $(BINDIR)/%,%,$^) > $(notdir $@)
# cd $(dir $@) && sha256sum $(patsubst $(bin_dir)/%,%,$^) > $(notdir $@)
#$(BINDIR)/SHA256SUMS.sig: $(BINDIR)/SHA256SUMS | $(NEEDS_COSIGN)
#$(bin_dir)/SHA256SUMS.sig: $(bin_dir)/SHA256SUMS | $(NEEDS_COSIGN)
# $(COSIGN) sign-blob --key $(COSIGN_KEY) $< > $@

10
make/scan.mk
View File

@ -22,21 +22,21 @@
trivy-scan-all: trivy-scan-controller trivy-scan-acmesolver trivy-scan-webhook trivy-scan-cainjector trivy-scan-startupapicheck
.PHONY: trivy-scan-controller
trivy-scan-controller: $(BINDIR)/containers/cert-manager-controller-linux-amd64.tar | $(NEEDS_TRIVY)
trivy-scan-controller: $(bin_dir)/containers/cert-manager-controller-linux-amd64.tar | $(NEEDS_TRIVY)
$(TRIVY) image --input $< --format json --exit-code 1
.PHONY: trivy-scan-acmesolver
trivy-scan-acmesolver: $(BINDIR)/containers/cert-manager-acmesolver-linux-amd64.tar | $(NEEDS_TRIVY)
trivy-scan-acmesolver: $(bin_dir)/containers/cert-manager-acmesolver-linux-amd64.tar | $(NEEDS_TRIVY)
$(TRIVY) image --input $< --format json --exit-code 1
.PHONY: trivy-scan-webhook
trivy-scan-webhook: $(BINDIR)/containers/cert-manager-webhook-linux-amd64.tar | $(NEEDS_TRIVY)
trivy-scan-webhook: $(bin_dir)/containers/cert-manager-webhook-linux-amd64.tar | $(NEEDS_TRIVY)
$(TRIVY) image --input $< --format json --exit-code 1
.PHONY: trivy-scan-cainjector
trivy-scan-cainjector: $(BINDIR)/containers/cert-manager-cainjector-linux-amd64.tar | $(NEEDS_TRIVY)
trivy-scan-cainjector: $(bin_dir)/containers/cert-manager-cainjector-linux-amd64.tar | $(NEEDS_TRIVY)
$(TRIVY) image --input $< --format json --exit-code 1
.PHONY: trivy-scan-startupapicheck
trivy-scan-startupapicheck: $(BINDIR)/containers/cert-manager-startupapicheck-linux-amd64.tar | $(NEEDS_TRIVY)
trivy-scan-startupapicheck: $(bin_dir)/containers/cert-manager-startupapicheck-linux-amd64.tar | $(NEEDS_TRIVY)
$(TRIVY) image --input $< --format json --exit-code 1

62
make/server.mk
View File

@ -15,95 +15,95 @@
.PHONY: server-binaries
server-binaries: controller acmesolver webhook cainjector
$(BINDIR)/server:
$(bin_dir)/server:
@mkdir -p $@
.PHONY: controller
controller: $(BINDIR)/server/controller-linux-amd64 $(BINDIR)/server/controller-linux-arm64 $(BINDIR)/server/controller-linux-s390x $(BINDIR)/server/controller-linux-ppc64le $(BINDIR)/server/controller-linux-arm | $(NEEDS_GO) $(BINDIR)/server
controller: $(bin_dir)/server/controller-linux-amd64 $(bin_dir)/server/controller-linux-arm64 $(bin_dir)/server/controller-linux-s390x $(bin_dir)/server/controller-linux-ppc64le $(bin_dir)/server/controller-linux-arm | $(NEEDS_GO) $(bin_dir)/server
$(BINDIR)/server/controller-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/controller-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/controller && GOOS=linux GOARCH=amd64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/controller-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/controller-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/controller && GOOS=linux GOARCH=arm64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/controller-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/controller-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/controller && GOOS=linux GOARCH=s390x $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/controller-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/controller-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/controller && GOOS=linux GOARCH=ppc64le $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/controller-linux-arm: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/controller-linux-arm: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/controller && GOOS=linux GOARCH=arm GOARM=7 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
.PHONY: acmesolver
acmesolver: $(BINDIR)/server/acmesolver-linux-amd64 $(BINDIR)/server/acmesolver-linux-arm64 $(BINDIR)/server/acmesolver-linux-s390x $(BINDIR)/server/acmesolver-linux-ppc64le $(BINDIR)/server/acmesolver-linux-arm | $(NEEDS_GO) $(BINDIR)/server
acmesolver: $(bin_dir)/server/acmesolver-linux-amd64 $(bin_dir)/server/acmesolver-linux-arm64 $(bin_dir)/server/acmesolver-linux-s390x $(bin_dir)/server/acmesolver-linux-ppc64le $(bin_dir)/server/acmesolver-linux-arm | $(NEEDS_GO) $(bin_dir)/server
$(BINDIR)/server/acmesolver-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/acmesolver-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/acmesolver && GOOS=linux GOARCH=amd64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/acmesolver-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/acmesolver-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/acmesolver && GOOS=linux GOARCH=arm64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/acmesolver-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/acmesolver-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/acmesolver && GOOS=linux GOARCH=s390x $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/acmesolver-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/acmesolver-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/acmesolver && GOOS=linux GOARCH=ppc64le $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/acmesolver-linux-arm: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/acmesolver-linux-arm: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/acmesolver && GOOS=linux GOARCH=arm GOARM=7 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
.PHONY: webhook
webhook: $(BINDIR)/server/webhook-linux-amd64 $(BINDIR)/server/webhook-linux-arm64 $(BINDIR)/server/webhook-linux-s390x $(BINDIR)/server/webhook-linux-ppc64le $(BINDIR)/server/webhook-linux-arm | $(NEEDS_GO) $(BINDIR)/server
webhook: $(bin_dir)/server/webhook-linux-amd64 $(bin_dir)/server/webhook-linux-arm64 $(bin_dir)/server/webhook-linux-s390x $(bin_dir)/server/webhook-linux-ppc64le $(bin_dir)/server/webhook-linux-arm | $(NEEDS_GO) $(bin_dir)/server
$(BINDIR)/server/webhook-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/webhook-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/webhook && GOOS=linux GOARCH=amd64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/webhook-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/webhook-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/webhook && GOOS=linux GOARCH=arm64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/webhook-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/webhook-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/webhook && GOOS=linux GOARCH=s390x $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/webhook-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/webhook-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/webhook && GOOS=linux GOARCH=ppc64le $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/webhook-linux-arm: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/webhook-linux-arm: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/webhook && GOOS=linux GOARCH=arm GOARM=7 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
.PHONY: cainjector
cainjector: $(BINDIR)/server/cainjector-linux-amd64 $(BINDIR)/server/cainjector-linux-arm64 $(BINDIR)/server/cainjector-linux-s390x $(BINDIR)/server/cainjector-linux-ppc64le $(BINDIR)/server/cainjector-linux-arm | $(NEEDS_GO) $(BINDIR)/server
cainjector: $(bin_dir)/server/cainjector-linux-amd64 $(bin_dir)/server/cainjector-linux-arm64 $(bin_dir)/server/cainjector-linux-s390x $(bin_dir)/server/cainjector-linux-ppc64le $(bin_dir)/server/cainjector-linux-arm | $(NEEDS_GO) $(bin_dir)/server
$(BINDIR)/server/cainjector-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/cainjector-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/cainjector && GOOS=linux GOARCH=amd64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/cainjector-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/cainjector-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/cainjector && GOOS=linux GOARCH=arm64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/cainjector-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/cainjector-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/cainjector && GOOS=linux GOARCH=s390x $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/cainjector-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/cainjector-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/cainjector && GOOS=linux GOARCH=ppc64le $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/cainjector-linux-arm: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/cainjector-linux-arm: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/cainjector && GOOS=linux GOARCH=arm GOARM=7 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
.PHONY: startupapicheck
cainjector: $(BINDIR)/server/startupapicheck-linux-amd64 $(BINDIR)/server/startupapicheck-linux-arm64 $(BINDIR)/server/startupapicheck-linux-s390x $(BINDIR)/server/startupapicheck-linux-ppc64le $(BINDIR)/server/startupapicheck-linux-arm | $(NEEDS_GO) $(BINDIR)/server
cainjector: $(bin_dir)/server/startupapicheck-linux-amd64 $(bin_dir)/server/startupapicheck-linux-arm64 $(bin_dir)/server/startupapicheck-linux-s390x $(bin_dir)/server/startupapicheck-linux-ppc64le $(bin_dir)/server/startupapicheck-linux-arm | $(NEEDS_GO) $(bin_dir)/server
$(BINDIR)/server/startupapicheck-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/startupapicheck-linux-amd64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/startupapicheck && GOOS=linux GOARCH=amd64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/startupapicheck-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/startupapicheck-linux-arm64: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/startupapicheck && GOOS=linux GOARCH=arm64 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/startupapicheck-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/startupapicheck-linux-s390x: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/startupapicheck && GOOS=linux GOARCH=s390x $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/startupapicheck-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/startupapicheck-linux-ppc64le: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/startupapicheck && GOOS=linux GOARCH=ppc64le $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go
$(BINDIR)/server/startupapicheck-linux-arm: $(SOURCES) | $(NEEDS_GO) $(BINDIR)/server
$(bin_dir)/server/startupapicheck-linux-arm: $(SOURCES) | $(NEEDS_GO) $(bin_dir)/server
cd cmd/startupapicheck && GOOS=linux GOARCH=arm GOARM=7 $(GOBUILD) -o ../../$@ $(GOFLAGS) -ldflags '$(GOLDFLAGS)' main.go

17
make/test.mk
View File

@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
export KUBEBUILDER_ASSETS=$(PWD)/$(BINDIR)/tools
export KUBEBUILDER_ASSETS=$(PWD)/$(bin_dir)/tools
# GOTESTSUM_CI_FLAGS contains flags which are common to invocations of gotestsum in CI environments
GOTESTSUM_CI_FLAGS := --junitfile-testsuite-name short --junitfile-testcase-classname relative
@ -118,8 +118,9 @@ E2E_OPENSHIFT ?= false
## For more information about GINKGO_FOCUS, see "make/e2e.sh --help".
##
## @category Development
e2e: $(BINDIR)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_GINKGO)
make/e2e.sh
e2e: $(bin_dir)/scratch/kind-exists | $(NEEDS_KUBECTL) $(NEEDS_GINKGO)
BINDIR=$(bin_dir) \
make/e2e.sh
.PHONY: e2e-ci
e2e-ci: | $(NEEDS_GO)
@ -127,9 +128,9 @@ e2e-ci: | $(NEEDS_GO)
$(MAKE) e2e-setup-kind e2e-setup
make/e2e-ci.sh
$(BINDIR)/test/e2e.test: FORCE | $(NEEDS_GINKGO) $(BINDIR)/test
$(bin_dir)/test/e2e.test: FORCE | $(NEEDS_GINKGO) $(bin_dir)/test
CGO_ENABLED=0 $(GINKGO) build --ldflags="-w -s" --trimpath --tags e2e_test test/e2e
mv test/e2e/e2e.test $(BINDIR)/test/e2e.test
mv test/e2e/e2e.test $(bin_dir)/test/e2e.test
.PHONY: e2e-build
## Build an end-to-end test binary
@ -153,14 +154,14 @@ $(BINDIR)/test/e2e.test: FORCE | $(NEEDS_GINKGO) $(BINDIR)/test
## ./_bin/test/e2e.test --repo-root=/dev/null --ginkgo.focus="CA\ Issuer" --ginkgo.skip="Gateway"
##
## @category Development
e2e-build: $(BINDIR)/test/e2e.test
e2e-build: $(bin_dir)/test/e2e.test
.PHONY: test-upgrade
test-upgrade: | $(NEEDS_HELM) $(NEEDS_KIND) $(NEEDS_YTT) $(NEEDS_KUBECTL) $(NEEDS_CMCTL)
./hack/verify-upgrade.sh $(HELM) $(KIND) $(YTT) $(KUBECTL) $(CMCTL)
$(BINDIR)/test:
$(bin_dir)/test:
@mkdir -p $@
$(BINDIR)/testlogs:
$(bin_dir)/testlogs:
@mkdir -p $@

120
make/tools.mk
View File

@ -13,14 +13,14 @@
# limitations under the License.
# To make sure we use the right version of each tool, we put symlink in
# $(BINDIR)/tools, and the actual binaries are in $(BINDIR)/downloaded. When bumping
# $(bin_dir)/tools, and the actual binaries are in $(bin_dir)/downloaded. When bumping
# the version of the tools, this symlink gets updated.
# Let's have $(BINDIR)/tools in front of the PATH so that we don't inavertedly
# Let's have $(bin_dir)/tools in front of the PATH so that we don't inavertedly
# pick up the wrong binary somewhere. Watch out, $(shell echo $$PATH) will
# still print the original PATH, since GNU make does not honor exported
# variables: https://stackoverflow.com/questions/54726457
export PATH := $(PWD)/$(BINDIR)/tools:$(PATH)
export PATH := $(PWD)/$(bin_dir)/tools:$(PATH)
CTR=docker
@ -82,8 +82,8 @@ TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION)
VENDORED_GO_VERSION := 1.21.7
# When switching branches which use different versions of the tools, we
# need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools.
$(BINDIR)/scratch/%_VERSION: FORCE | $(BINDIR)/scratch
# need a way to re-trigger the symlinking from $(bin_dir)/downloaded to $(bin_dir)/tools.
$(bin_dir)/scratch/%_VERSION: FORCE | $(bin_dir)/scratch
@test "$($*_VERSION)" == "$(shell cat $@ 2>/dev/null)" || echo $($*_VERSION) > $@
# The reason we don't use "go env GOOS" or "go env GOARCH" is that the "go"
@ -107,13 +107,13 @@ endif
# --retry-connrefused = retry even if the initial connection was refused
CURL = curl --silent --show-error --fail --location --retry 10 --retry-connrefused
# In Prow, the pod has the folder "$(BINDIR)/downloaded" mounted into the
# In Prow, the pod has the folder "$(bin_dir)/downloaded" mounted into the
# container. For some reason, even though the permissions are correct,
# binaries that are mounted with hostPath can't be executed. When in CI, we
# copy the binaries to work around that. Using $(LN) is only required when
# dealing with binaries. Other files and folders can be symlinked.
#
# Details on how "$(BINDIR)/downloaded" gets cached are available in the
# Details on how "$(bin_dir)/downloaded" gets cached are available in the
# description of the PR https://github.com/jetstack/testing/pull/651.
#
# We use "printenv CI" instead of just "ifeq ($(CI),)" because otherwise we
@ -143,23 +143,23 @@ TOOL_NAMES :=
# the absolute path should be used when executing the binary
# in targets or in scripts, because it is agnostic to the
# working directory
# - an unversioned target $(BINDIR)/tools/xxx is generated that
# - an unversioned target $(bin_dir)/tools/xxx is generated that
# creates a copy/ link to the corresponding versioned target:
# $(BINDIR)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH)
# $(bin_dir)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH)
define tool_defs
TOOL_NAMES += $1
$(call UC,$1)_VERSION ?= $2
NEEDS_$(call UC,$1) := $$(BINDIR)/tools/$1
$(call UC,$1) := $$(PWD)/$$(BINDIR)/tools/$1
NEEDS_$(call UC,$1) := $$(bin_dir)/tools/$1
$(call UC,$1) := $$(PWD)/$$(bin_dir)/tools/$1
$$(BINDIR)/tools/$1: $$(BINDIR)/scratch/$(call UC,$1)_VERSION | $$(BINDIR)/downloaded/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(BINDIR)/tools
cd $$(dir $$@) && $$(LN) $$(patsubst $$(BINDIR)/%,../%,$$(word 1,$$|)) $$(notdir $$@)
$$(bin_dir)/tools/$1: $$(bin_dir)/scratch/$(call UC,$1)_VERSION | $$(bin_dir)/downloaded/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(bin_dir)/tools
cd $$(dir $$@) && $$(LN) $$(patsubst $$(bin_dir)/%,../%,$$(word 1,$$|)) $$(notdir $$@)
endef
$(foreach TOOL,$(TOOLS),$(eval $(call tool_defs,$(word 1,$(subst =, ,$(TOOL))),$(word 2,$(subst =, ,$(TOOL))))))
TOOLS_PATHS := $(TOOL_NAMES:%=$(BINDIR)/tools/%)
TOOLS_PATHS := $(TOOL_NAMES:%=$(bin_dir)/tools/%)
######
# Go #
@ -168,20 +168,20 @@ TOOLS_PATHS := $(TOOL_NAMES:%=$(BINDIR)/tools/%)
# $(NEEDS_GO) is a target that is set as an order-only prerequisite in
# any target that calls $(GO), e.g.:
#
# $(BINDIR)/tools/crane: $(NEEDS_GO)
# $(GO) build -o $(BINDIR)/tools/crane
# $(bin_dir)/tools/crane: $(NEEDS_GO)
# $(GO) build -o $(bin_dir)/tools/crane
#
# $(NEEDS_GO) is empty most of the time, except when running "make vendor-go"
# or when "make vendor-go" was previously run, in which case $(NEEDS_GO) is set
# to $(BINDIR)/tools/go, since $(BINDIR)/tools/go is a prerequisite of
# to $(bin_dir)/tools/go, since $(bin_dir)/tools/go is a prerequisite of
# any target depending on Go when "make vendor-go" was run.
NEEDS_GO := $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(BINDIR)/tools/go ] && echo yes), $(BINDIR)/tools/go,)
NEEDS_GO := $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_dir)/tools/go ] && echo yes), $(bin_dir)/tools/go,)
ifeq ($(NEEDS_GO),)
GO := go
else
export GOROOT := $(PWD)/$(BINDIR)/tools/goroot
export PATH := $(PWD)/$(BINDIR)/tools/goroot/bin:$(PATH)
GO := $(PWD)/$(BINDIR)/tools/go
export GOROOT := $(PWD)/$(bin_dir)/tools/goroot
export PATH := $(PWD)/$(bin_dir)/tools/goroot/bin:$(PATH)
GO := $(PWD)/$(bin_dir)/tools/go
endif
GOBUILD := CGO_ENABLED=$(CGO_ENABLED) GOEXPERIMENT=$(GOEXPERIMENT) GOMAXPROCS=$(GOBUILDPROCS) $(GO) build
@ -196,13 +196,13 @@ GOTESTSUM := CGO_ENABLED=$(CGO_ENABLED) GOEXPERIMENT=$(GOEXPERIMENT) $(GOTESTSUM
## disable vendoring, run "make unvendor-go". When vendoring is enabled,
## you will want to set the following:
##
## export PATH="$PWD/$(BINDIR)/tools:$PATH"
## export GOROOT="$PWD/$(BINDIR)/tools/goroot"
vendor-go: $(BINDIR)/tools/go
## export PATH="$PWD/$(bin_dir)/tools:$PATH"
## export GOROOT="$PWD/$(bin_dir)/tools/goroot"
vendor-go: $(bin_dir)/tools/go
.PHONY: unvendor-go
unvendor-go: $(BINDIR)/tools/go
rm -rf $(BINDIR)/tools/go $(BINDIR)/tools/goroot
unvendor-go: $(bin_dir)/tools/go
rm -rf $(bin_dir)/tools/go $(bin_dir)/tools/goroot
.PHONY: which-go
## Print the version and path of go which will be used for building and
@ -211,25 +211,25 @@ which-go: | $(NEEDS_GO)
@$(GO) version
@echo "go binary used for above version information: $(GO)"
$(BINDIR)/tools/go: $(BINDIR)/scratch/VENDORED_GO_VERSION | $(BINDIR)/tools/goroot $(BINDIR)/tools
$(bin_dir)/tools/go: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/tools/goroot $(bin_dir)/tools
cd $(dir $@) && $(LN) ./goroot/bin/go $(notdir $@)
@touch $@ # making sure the target of the symlink is newer than *_VERSION
# The "_" in "_bin" prevents "go mod tidy" from trying to tidy the vendored goroot.
$(BINDIR)/tools/goroot: $(BINDIR)/scratch/VENDORED_GO_VERSION | $(BINDIR)/go_vendor/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(BINDIR)/tools
@rm -rf $(BINDIR)/tools/goroot
cd $(dir $@) && $(LN) $(patsubst $(BINDIR)/%,../%,$(word 1,$|)) $(notdir $@)
$(bin_dir)/tools/goroot: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(bin_dir)/tools
@rm -rf $(bin_dir)/tools/goroot
cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@)
@touch $@ # making sure the target of the symlink is newer than *_VERSION
# Extract the tar to the _bin/go directory, this directory is not cached across CI runs.
$(BINDIR)/go_vendor/go@$(VENDORED_GO_VERSION)_%/goroot: | $(BINDIR)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
$(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_%/goroot: | $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
@rm -rf $@ && mkdir -p $(dir $@)
tar xzf $| -C $(dir $@)
mv $(dir $@)/go $(dir $@)/goroot
# Keep the downloaded tar so it is cached across CI runs.
.PRECIOUS: $(BINDIR)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
$(BINDIR)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz: | $(BINDIR)/downloaded/tools
.PRECIOUS: $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
$(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz: | $(bin_dir)/downloaded/tools
$(CURL) https://go.dev/dl/go$(VENDORED_GO_VERSION).$(subst _,-,$*).tar.gz -o $@
###################
@ -251,7 +251,7 @@ GO_DEPENDENCIES += helm-tool=github.com/cert-manager/helm-tool
GO_DEPENDENCIES += cmctl=github.com/cert-manager/cmctl/v2
define go_dependency
$$(BINDIR)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(BINDIR)/downloaded/tools
$$(bin_dir)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(bin_dir)/downloaded/tools
GOBIN=$$(PWD)/$$(dir $$@) $$(GO) install $2@$($(call UC,$1)_VERSION)
@mv $$(PWD)/$$(dir $$@)/$1 $$@
endef
@ -267,7 +267,7 @@ HELM_darwin_amd64_SHA256SUM=1bdbbeec5a12dd0c1cd4efd8948a156d33e1e2f51140e2a51e1e
HELM_darwin_arm64_SHA256SUM=240b0a7da9cae208000eff3d3fb95e0fa1f4903d95be62c3f276f7630b12dae1
HELM_linux_arm64_SHA256SUM=79ef06935fb47e432c0c91bdefd140e5b543ec46376007ca14a52e5ed3023088
$(BINDIR)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(bin_dir)/downloaded/tools
$(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz
./hack/util/checkhash.sh $@.tar.gz $(HELM_$*_SHA256SUM)
@# O writes the specified file to stdout
@ -287,7 +287,7 @@ KUBECTL_darwin_amd64_SHA256SUM=d6b8f2bac5f828478eade0acf15fb7dde02d7613fc9e644dc
KUBECTL_darwin_arm64_SHA256SUM=8fe9f753383574863959335d8b830908e67a40c3f51960af63892d969bfc1b10
KUBECTL_linux_arm64_SHA256SUM=46954a604b784a8b0dc16754cfc3fa26aabca9fd4ffd109cd028bfba99d492f6
$(BINDIR)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(bin_dir)/downloaded/tools
$(CURL) https://storage.googleapis.com/kubernetes-release/release/$(KUBECTL_VERSION)/bin/$(subst _,/,$*)/kubectl -o $@
./hack/util/checkhash.sh $@ $(KUBECTL_$*_SHA256SUM)
chmod +x $@
@ -301,7 +301,7 @@ KIND_darwin_amd64_SHA256SUM=09bc4cc9db750f874d12d333032e6e087f3ad06bff4813123086
KIND_darwin_arm64_SHA256SUM=d9c7c5d0cf6b9953be73207a0ad798ec6f015305b1aa6ee9f61468b222acbf99
KIND_linux_arm64_SHA256SUM=d56d98fe8a22b5a9a12e35d5ff7be254ae419b0cfe93b6241d0d14ece8f5adc8
$(BINDIR)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(BINDIR)/downloaded/tools $(BINDIR)/tools
$(bin_dir)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(bin_dir)/downloaded/tools $(bin_dir)/tools
$(CURL) https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(subst _,-,$*) -o $@
./hack/util/checkhash.sh $@ $(KIND_$*_SHA256SUM)
chmod +x $@
@ -317,7 +317,7 @@ COSIGN_linux_arm64_SHA256SUM=b4d323090efb98eded011ef17fe8228194eed8912f8e205361a
# TODO: cosign also provides signatures on all of its binaries, but they can't be validated without already having cosign
# available! We could do something like "if system cosign is available, verify using that", but for now we'll skip
$(BINDIR)/downloaded/tools/cosign@$(COSIGN_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/cosign@$(COSIGN_VERSION)_%: | $(bin_dir)/downloaded/tools
$(CURL) https://github.com/sigstore/cosign/releases/download/$(COSIGN_VERSION)/cosign-$(subst _,-,$*) -o $@
./hack/util/checkhash.sh $@ $(COSIGN_$*_SHA256SUM)
chmod +x $@
@ -331,7 +331,7 @@ RCLONE_darwin_amd64_SHA256SUM=9ef83833296876f3182b87030b4f2e851b56621bad4ca4d7a1
RCLONE_darwin_arm64_SHA256SUM=9183f495b28acb12c872175c6af1f6ba8ca677650cb9d2774caefea273294c8a
RCLONE_linux_arm64_SHA256SUM=b5a6cb3aef4fd1a2165fb8c21b1b1705f3cb754a202adc81931b47cd39c64749
$(BINDIR)/downloaded/tools/rclone@$(RCLONE_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/rclone@$(RCLONE_VERSION)_%: | $(bin_dir)/downloaded/tools
$(eval OS_AND_ARCH := $(subst darwin,osx,$*))
$(CURL) https://github.com/rclone/rclone/releases/download/$(RCLONE_VERSION)/rclone-$(RCLONE_VERSION)-$(subst _,-,$(OS_AND_ARCH)).zip -o $@.zip
./hack/util/checkhash.sh $@.zip $(RCLONE_$*_SHA256SUM)
@ -350,7 +350,7 @@ TRIVY_darwin_amd64_SHA256SUM=997622dee1d07de0764f903b72d16ec4314daaf202d91c95713
TRIVY_darwin_arm64_SHA256SUM=68aa451f395fa5418f5af59ce4081ef71075c857b95a297dc61da49c6a229a45
TRIVY_linux_arm64_SHA256SUM=a192edfcef8766fa7e3e96a6a5faf50cd861371785891857471548e4af7cb60b
$(BINDIR)/downloaded/tools/trivy@$(TRIVY_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/trivy@$(TRIVY_VERSION)_%: | $(bin_dir)/downloaded/tools
$(eval OS_AND_ARCH := $(subst darwin,macOS,$*))
$(eval OS_AND_ARCH := $(subst linux,Linux,$(OS_AND_ARCH)))
$(eval OS_AND_ARCH := $(subst arm64,ARM64,$(OS_AND_ARCH)))
@ -371,7 +371,7 @@ YTT_darwin_amd64_SHA256SUM=2b6d173dec1b6087e22690386474786fd9a2232c4479d8975cc98
YTT_darwin_arm64_SHA256SUM=3e6f092bfe7a121d15126a0de6503797818c6b6745fbc97213f519d35fab08f9
YTT_linux_arm64_SHA256SUM=cbfc85f11ffd8e61d63accf799b8997caaebe46ee046290cc1c4d05ed1ab145b
$(BINDIR)/downloaded/tools/ytt@$(YTT_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/ytt@$(YTT_VERSION)_%: | $(bin_dir)/downloaded/tools
$(CURL) -sSfL https://github.com/vmware-tanzu/carvel-ytt/releases/download/$(YTT_VERSION)/ytt-$(subst _,-,$*) -o $@
./hack/util/checkhash.sh $@ $(YTT_$*_SHA256SUM)
chmod +x $@
@ -385,7 +385,7 @@ YQ_darwin_amd64_SHA256SUM=b2ff70e295d02695b284755b2a41bd889cfb37454e1fa71abc3a6e
YQ_darwin_arm64_SHA256SUM=e9fc15db977875de982e0174ba5dc2cf5ae4a644e18432a4262c96d4439b1686
YQ_linux_arm64_SHA256SUM=1d830254fe5cc2fb046479e6c781032976f5cf88f9d01a6385898c29182f9bed
$(BINDIR)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(bin_dir)/downloaded/tools
$(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@
./hack/util/checkhash.sh $@ $(YQ_$*_SHA256SUM)
chmod +x $@
@ -399,7 +399,7 @@ KO_darwin_amd64_SHA256SUM=b879ea58255c9f2be2d4d6c4f6bd18209c78e9e0b890dbce621954
KO_darwin_arm64_SHA256SUM=8d41c228da3e04e3de293f0f5bfe1775a4c74582ba21c86ad32244967095189f
KO_linux_arm64_SHA256SUM=9a355b8a9fe88e9d65d3aa1116d943746e3cea86944f4566e47886fd260dd3e9
$(BINDIR)/downloaded/tools/ko@$(KO_VERSION)_%: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/ko@$(KO_VERSION)_%: | $(bin_dir)/downloaded/tools
$(eval OS_AND_ARCH := $(subst darwin,Darwin,$*))
$(eval OS_AND_ARCH := $(subst linux,Linux,$(OS_AND_ARCH)))
$(eval OS_AND_ARCH := $(subst amd64,x86_64,$(OS_AND_ARCH)))
@ -415,16 +415,16 @@ $(BINDIR)/downloaded/tools/ko@$(KO_VERSION)_%: | $(BINDIR)/downloaded/tools
#####################
K8S_CODEGEN_TOOLS := client-gen conversion-gen deepcopy-gen defaulter-gen informer-gen lister-gen openapi-gen
K8S_CODEGEN_TOOLS_PATHS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/tools/%)
K8S_CODEGEN_TOOLS_DOWNLOADS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/downloaded/tools/%@$(K8S_CODEGEN_VERSION))
K8S_CODEGEN_TOOLS_PATHS := $(K8S_CODEGEN_TOOLS:%=$(bin_dir)/tools/%)
K8S_CODEGEN_TOOLS_DOWNLOADS := $(K8S_CODEGEN_TOOLS:%=$(bin_dir)/downloaded/tools/%@$(K8S_CODEGEN_VERSION))
.PHONY: k8s-codegen-tools
k8s-codegen-tools: $(K8S_CODEGEN_TOOLS_PATHS)
$(K8S_CODEGEN_TOOLS_PATHS): $(BINDIR)/tools/%-gen: $(BINDIR)/scratch/K8S_CODEGEN_VERSION | $(BINDIR)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION) $(BINDIR)/tools
cd $(dir $@) && $(LN) $(patsubst $(BINDIR)/%,../%,$(word 1,$|)) $(notdir $@)
$(K8S_CODEGEN_TOOLS_PATHS): $(bin_dir)/tools/%-gen: $(bin_dir)/scratch/K8S_CODEGEN_VERSION | $(bin_dir)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION) $(bin_dir)/tools
cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@)
$(K8S_CODEGEN_TOOLS_DOWNLOADS): $(BINDIR)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION): $(NEEDS_GO) | $(BINDIR)/downloaded/tools
$(K8S_CODEGEN_TOOLS_DOWNLOADS): $(bin_dir)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION): $(NEEDS_GO) | $(bin_dir)/downloaded/tools
GOBIN=$(PWD)/$(dir $@) $(GO) install k8s.io/code-generator/cmd/$(notdir $@)
@mv $(subst @$(K8S_CODEGEN_VERSION),,$@) $@
@ -444,17 +444,17 @@ KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=a02e33a3981712c8d2702520f95357bd6c7d03d
KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=c87c6b3c0aec4233e68a12dc9690bcbe2f8d6cd72c23e670602b17b2d7118325
KUBEBUILDER_TOOLS_linux_arm64_SHA256SUM=69bfcdfa468a066d005b0207a07347078f4546f89060f7d9a6131d305d229aad
$(BINDIR)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools
./hack/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
@# O writes the specified file to stdout
tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@
$(BINDIR)/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools
./hack/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
@# O writes the specified file to stdout
tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@
$(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(BINDIR)/downloaded/tools
$(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(bin_dir)/downloaded/tools
$(CURL) https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@
##############
@ -463,18 +463,18 @@ $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOS
GATEWAY_API_SHA256SUM=6c601dced7872a940d76fa667ae126ba718cb4c6db970d0bab49128ecc1192a3
$(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml: | $(BINDIR)/downloaded
$(bin_dir)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml: | $(bin_dir)/downloaded
$(CURL) https://github.com/kubernetes-sigs/gateway-api/releases/download/$(GATEWAY_API_VERSION)/experimental-install.yaml -o $@
./hack/util/checkhash.sh $(BINDIR)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(GATEWAY_API_SHA256SUM)
./hack/util/checkhash.sh $(bin_dir)/downloaded/gateway-api-$(GATEWAY_API_VERSION).yaml $(GATEWAY_API_SHA256SUM)
#################
# Other Targets #
#################
$(BINDIR) $(BINDIR)/tools $(BINDIR)/downloaded $(BINDIR)/downloaded/tools:
$(bin_dir) $(bin_dir)/tools $(bin_dir)/downloaded $(bin_dir)/downloaded/tools:
@mkdir -p $@
# Although we "vendor" most tools in $(BINDIR)/tools, we still require some binaries
# Although we "vendor" most tools in $(bin_dir)/tools, we still require some binaries
# to be available on the system. The vendor-go MAKECMDGOALS trick prevents the
# check for the presence of Go when 'make vendor-go' is run.
@ -502,8 +502,8 @@ update-kind-images:
./hack/latest-kind-images.sh $(KIND_VERSION)
.PHONY: update-base-images
update-base-images: $(BINDIR)/tools/crane
CRANE=./$(BINDIR)/tools/crane ./hack/latest-base-images.sh
update-base-images: $(bin_dir)/tools/crane
CRANE=./$(bin_dir)/tools/crane ./hack/latest-base-images.sh
.PHONY: tidy
## Run "go mod tidy" on each module in this repo
@ -537,9 +537,9 @@ go-workspace:
##
## @category Development
learn-sha-tools:
rm -rf ./$(BINDIR)
mkdir ./$(BINDIR)
$(eval export LEARN_FILE=$(PWD)/$(BINDIR)/learn_file)
rm -rf ./$(bin_dir)
mkdir ./$(bin_dir)
$(eval export LEARN_FILE=$(PWD)/$(bin_dir)/learn_file)
echo -n "" > "$(LEARN_FILE)"
HOST_OS=linux HOST_ARCH=amd64 $(MAKE) tools

4
make/util.mk
View File

@ -18,12 +18,12 @@
# understand. It causes find to prune entire search branches and not search inside the path.
# If we used "-not -path X" instead, find would _still look inside X_.
define get-sources
$(shell find . -not \( -path "./$(BINDIR)/*" -prune \) -not \( -path "./bin/*" -prune \) -not \( -path "./make/*" -prune \) -name "*.go" | $(1))
$(shell find . -not \( -path "./$(bin_dir)/*" -prune \) -not \( -path "./bin/*" -prune \) -not \( -path "./make/*" -prune \) -name "*.go" | $(1))
endef
.PHONY: print-bindir
print-bindir:
@echo $(BINDIR)
@echo $(bin_dir)
.PHONY: print-sources
print-sources: