Fix up chart and bazel build rules

Signed-off-by: James Munnelly <james@munnelly.eu>
2020-04-01 13:27:20 +01:00 · 2020-04-01 13:27:20 +01:00 · b955abed17
commit b955abed17
parent 3f9c031f5d
21 changed files with 42 additions and 65 deletions
--- a/build/helm.bzl
+++ b/build/helm.bzl
@ -19,6 +19,7 @@ def helm_pkg(
    chart_name,
    chart_yaml,
    values_yaml,
+    readme_file,
    tpl_files,
    srcs = [],
    helm_cmd = "//hack/bin:helm",
@ -46,6 +47,7 @@ def helm_pkg(
        srcs = [
            chart_yaml,
            values_yaml,
+            readme_file,
        ],
        mode = "0644",
        visibility = ["//visibility:private"],
--- a/deploy/BUILD.bazel
+++ b/deploy/BUILD.bazel
@ -7,7 +7,7 @@ pkg_tar(
    mode = "0644",
    package_dir = "deploy",
    deps = [
-        "//deploy/charts/cert-manager",
+        "//deploy/charts/cert-manager:release-tar",
        "//deploy/manifests",
    ],
 )
--- a/deploy/charts/cert-manager/BUILD.bazel
+++ b/deploy/charts/cert-manager/BUILD.bazel
@ -4,9 +4,9 @@ load("@io_k8s_repo_infra//defs:pkg.bzl", "pkg_tar")
 load("//build:helm.bzl", "helm_pkg")

 pkg_tar(
-    name = "cert-manager",
+    name = "release-tar",
    srcs = [
-        ":package",
+        ":cert-manager",
    ],
    extension = "tar.gz",
    mode = "0644",
@ -15,10 +15,11 @@ pkg_tar(
 )

 helm_pkg(
-    name = "package",
+    name = "cert-manager",
    srcs = ["//deploy/charts/cert-manager/templates:chart-srcs"],
    chart_name = "cert-manager",
    chart_yaml = ":Chart.yaml",
+    readme_file = ":README.md",
    tpl_files = [
        "//deploy/charts/cert-manager/templates:_helpers.tpl",
    ],
--- a/deploy/charts/cert-manager/README.template.md
+++ b/deploy/charts/cert-manager/README.template.md
@ -130,8 +130,6 @@ The following table lists the configurable parameters of the cert-manager chart
 | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
 | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
 | `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
-| `webhook.serviceName` | The name of the Service resource deployed for the webhook pod | `cert-manager-webhook` |
-| `webhook.rootCASecretName` | The name of the Secret resource that will be used to store the webhook's root CA certificate | `cert-manager-webhook-ca` |
 | `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
 | `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
 | `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
--- a/deploy/charts/cert-manager/templates/_helpers.tpl
+++ b/deploy/charts/cert-manager/templates/_helpers.tpl
@ -64,6 +64,10 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{- define "webhook.caRef" -}}
+{{ .Release.Namespace}}/{{ template "webhook.fullname" . }}-ca
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
--- a/deploy/charts/cert-manager/templates/webhook-deployment.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-deployment.yaml
@ -57,8 +57,8 @@ spec:
          {{- end }}
          - --secure-port={{ .Values.webhook.securePort }}
          - --dynamic-serving-ca-secret-namespace={{ .Release.Namespace }}
-          - --dynamic-serving-ca-secret-name={{ .Values.webhook.rootCASecretName }}
-          - --dynamic-serving-dns-names={{ .Values.webhook.serviceName }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }},{{ .Values.webhook.serviceName }}.{{ .Release.Namespace }}.svc
+          - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
+          - --dynamic-serving-dns-names={{ template "webhook.fullname" . }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }},{{ template "webhook.fullname" . }}.{{ .Release.Namespace }}.svc
        {{- if .Values.webhook.extraArgs }}
 {{ toYaml .Values.webhook.extraArgs | indent 10 }}
        {{- end }}
--- a/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-mutating-webhook.yaml
@ -10,7 +10,7 @@ metadata:
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: {{ include "webhook.chart" . }}
  annotations:
-    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}"
+    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
 webhooks:
  - name: webhook.cert-manager.io
    rules:
@ -36,6 +36,6 @@ webhooks:
      caBundle: ""
 {{- end }}
      service:
-        name: {{ .Values.webhook.serviceName }}
+        name: {{ template "webhook.fullname" . }}
        namespace: {{ .Release.Namespace | quote }}
        path: /mutate
--- a/deploy/charts/cert-manager/templates/webhook-rbac.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-rbac.yaml
@ -15,7 +15,7 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  resourceNames:
-  - '{{ .Values.webhook.rootCASecretName }}'
+  - '{{ template "webhook.fullname" . }}-ca'
  verbs: ["get", "list", "watch", "update"]
 # It's not possible to grant CREATE permission on a single resourceName.
 - apiGroups: [""]
--- a/deploy/charts/cert-manager/templates/webhook-service.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-service.yaml
@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.webhook.serviceName }}
+  name: {{ template "webhook.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . }}
--- a/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
+++ b/deploy/charts/cert-manager/templates/webhook-validating-webhook.yaml
@ -10,7 +10,7 @@ metadata:
    app.kubernetes.io/component: "webhook"
    helm.sh/chart: {{ include "webhook.chart" . }}
  annotations:
-    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ .Values.webhook.rootCASecretName }}"
+    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
 webhooks:
  - name: webhook.cert-manager.io
    namespaceSelector:
@ -46,6 +46,6 @@ webhooks:
      caBundle: ""
 {{- end }}
      service:
-        name: {{ .Values.webhook.serviceName }}
+        name: {{ template "webhook.fullname" . }}
        namespace: {{ .Release.Namespace | quote }}
        path: /mutate
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@ -155,23 +155,6 @@ tolerations: []
 webhook:
  replicaCount: 1

-  # The name of the webhook service is fixed in the values.yaml and not based
-  # on the name of the Helm release because the CRD manifests, which are not
-  # managed by Helm, need to hardcode the name of the service for their
-  # conversion webhook configuration.
-  # If you change this value, you must also manually update the
-  # `spec.conversion.webhookClientConfig.service.name` field on all
-  # cert-manager CRD resources.
-  serviceName: cert-manager-webhook
-  # The name of the Secret resource that will be created and used to store the
-  # root CA used to sign serving certificates for the webhook.
-  # This will be automatically injected into the Mutating, Validating and CRD
-  # resources by the cainjector component.
-  # If you change this value, you must also manually update the
-  # `cert-manager.io/inject-ca-from-secret` value on all cert-manager CRD
-  # resources.
-  rootCASecretName: cert-manager-webhook-ca
-
  strategy: {}
    # type: RollingUpdate
    # rollingUpdate:
--- a/deploy/crds/BUILD.bazel
+++ b/deploy/crds/BUILD.bazel
@ -46,6 +46,7 @@ genrule(
    srcs = [":templates.%s" % variant],
    chart_name = "cert-manager",
    chart_yaml = "//deploy/charts/cert-manager:Chart.yaml",
+    readme_file = "//deploy/charts/cert-manager:README.md",
    tpl_files = [
        "//deploy/charts/cert-manager/templates:_helpers.tpl",
    ],
@ -77,6 +78,7 @@ crds = [
    srcs = [":crd-%s.yaml" % crd],
    chart_name = "cert-manager",
    chart_yaml = "//deploy/charts/cert-manager:Chart.yaml",
+    readme_file = "//deploy/charts/cert-manager:README.md",
    tpl_files = [
        "//deploy/charts/cert-manager/templates:_helpers.tpl",
    ],
--- a/deploy/crds/crd-certificaterequests.yaml
+++ b/deploy/crds/crd-certificaterequests.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: certificaterequests.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -38,10 +38,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: CertificateRequest
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: certificates.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -41,10 +41,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: Certificate
--- a/deploy/crds/crd-challenges.yaml
+++ b/deploy/crds/crd-challenges.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: challenges.acme.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -37,10 +37,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: Challenge
--- a/deploy/crds/crd-clusterissuers.yaml
+++ b/deploy/crds/crd-clusterissuers.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: clusterissuers.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -34,10 +34,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: ClusterIssuer
--- a/deploy/crds/crd-issuers.yaml
+++ b/deploy/crds/crd-issuers.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: issuers.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -34,10 +34,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: Issuer
--- a/deploy/crds/crd-orders.yaml
+++ b/deploy/crds/crd-orders.yaml
@ -3,7 +3,7 @@ kind: CustomResourceDefinition
 metadata:
  name: orders.acme.cert-manager.io
  annotations:
-    cert-manager.io/inject-ca-from-secret: '{{ .Release.Namespace }}/cert-manager-webhook-ca'
+    "cert-manager.io/inject-ca-from-secret": '{{ template "webhook.caRef" . }}'
  labels:
    app: '{{ template "cert-manager.name" . }}'
    app.kubernetes.io/name: '{{ template "cert-manager.name" . }}'
@ -38,10 +38,8 @@ spec:
    # webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
    webhookClientConfig:
      service:
-        # If you have deployed cert-manager into a namespace other than
-        # 'cert-manager', be sure to update this value.
        namespace: '{{ .Release.Namespace }}'
-        name: cert-manager-webhook
+        name: '{{ template "webhook.fullname" . }}'
        path: /convert
  names:
    kind: Order
--- a/deploy/manifests/BUILD.bazel
+++ b/deploy/manifests/BUILD.bazel
@ -27,7 +27,7 @@ VARIANTS = {

 [helm_tmpl(
    name = "%s.manifests" % name,
-    helm_pkg = "//deploy/charts/cert-manager:package",
+    helm_pkg = "//deploy/charts/cert-manager",
    release_name = RELEASE_NAME,
    release_namespace = RELEASE_NAMESPACE,
    values = meta["values"],
--- a/devel/addon/certmanager/install.sh
+++ b/devel/addon/certmanager/install.sh
@ -49,7 +49,7 @@ wait
 kubectl get namespace "${NAMESPACE}" || kubectl create namespace "${NAMESPACE}"

 # Build the Helm chart package .tgz
-bazel build //deploy/charts/cert-manager:package
+bazel build //deploy/charts/cert-manager

 # Upgrade or install Pebble
 helm upgrade \
--- a/hack/verify-chart-version.sh
+++ b/hack/verify-chart-version.sh
@ -24,19 +24,18 @@ chart_dir="deploy/charts/cert-manager"

 echo "Linting chart: ${chart_dir}"

-cleanup() {
-    rm "${REPO_ROOT}/${chart_dir}"/requirements.lock > /dev/null 2>&1 || true
-}
+bazel build //deploy/charts/cert-manager
+tmpdir="$(mktemp -d -p "${REPO_ROOT}")"
+trap "rm -rf ${tmpdir}" EXIT

-cleanup
-trap cleanup EXIT
+tar -C "${tmpdir}" -xvf bazel-bin/deploy/charts/cert-manager/cert-manager.tgz

-if ! docker run -v ${REPO_ROOT}:/workspace --workdir /workspace \
-    quay.io/helmpack/chart-testing:v2.3.3 \
+if ! docker run -v ${tmpdir}:/workspace --workdir /workspace \
+    quay.io/helmpack/chart-testing:v3.0.0-beta.2 \
    ct lint \
        --check-version-increment=false \
-        --charts "/workspace/${chart_dir}" \
        --validate-maintainers=false \
+        --charts "/workspace/cert-manager" \
        --debug; then
    echo "Linting failed"
    exit 1