Commit Graph

498 Commits

Author SHA1 Message Date
Ashley Davis
a691a0807b
maintain a single source of truth for updating kind images
this removes the update functionality from make/cluster.sh in favour of
the simpler logic in hack/latest-kind-images.sh

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-11 16:35:25 +01:00
Ashley Davis
e41dc00956
use a version sort for proper version comparisons
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-11 15:22:27 +01:00
Ashley Davis
a15b662b92
use command -v over which
command is more portable

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-11 15:22:02 +01:00
Ashley Davis
7a7a3951ed
ignore bin directory in various verification scripts
these scripts would choke in various ways on a vendored copy of go

ignoring `bin` is the correct behaviour anyway, and should speed up
running the scripts

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-11 12:18:35 +01:00
Ashley Davis
c205b4d74f
make verify-chart-version respect CTR in makefile
this allows podman to be used instead of docker

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-05-11 12:10:36 +01:00
irbekrm
689ddcafa2 Cleanup + a couple TODOs
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-10 12:05:02 +01:00
irbekrm
66aef8d582 Bumps kind v0.11.1 -> v0.12.0
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-09 17:45:11 +01:00
Irbe Krumina
1d917ef311 Revert "Use Apply instead of Update to modify resources in tests"
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-05-03 11:31:47 +01:00
jetstack-bot
eb76f331ad
Merge pull request #5077 from irbekrm/tests_apply
Use Apply instead of Update to modify resources in tests
2022-04-29 13:23:00 +01:00
jetstack-bot
3897556ccc
Merge pull request #4721 from Dean-Coakley/remove-securityContext-enabled
Remove `securityContext.enabled` from helm chart
2022-04-28 17:39:24 +01:00
irbekrm
46233e5012 ./hack/update-all.sh
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-04-28 14:51:44 +01:00
Luca Comellini
931adfb493
Bump golang.org/x/crypto to v0.0.0-20220411220226-7b82a4e95df4
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2022-04-26 16:47:10 +02:00
Ashley Davis
7ea4496dcb
Gracefully handle 404s when fetching old CRDs
If we're in the middle of a cert-manager release we'll have a git tag
created for that release, but won't have a GitHub release created yet.
That means that an attempt to download old CRDs for our versionchecker
test will fail for that version, with a 404 error.

An alternative approach would be to use the GitHub API to query for
existing non-draft releases - but that introduces a new point of failure
whereby we can easily hit a rate limit, or else introduces the need for
a GitHub API token.

The GitHub API also has the issue that it doesn't present every release
in one API call, which complicates fetching releases using curl and uses
even more rate-limit capacity.

The approach here is simple; we ignore tags for which the release 404s,
download manifests for which the release gives a 200, and bubble up any
other errors.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-03-30 15:16:17 +01:00
jetstack-bot
dc24503939
Merge pull request #4958 from irbekrm/tsig_provider
Use our own implementation of miekg/dns.TsigProvider interface
2022-03-22 12:18:51 +00:00
irbekrm
4c901aefab Code review comments
Adds test conditions to certs via patch API call instead of update to avoid conflicts

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:33:51 +00:00
irbekrm
3a21f961ca Use our own implementation of github.com/miekg/dns.TsigProvider interface
To allow us to both upgrade the upstream library and keep supporting HMACMD5 as RFC2136 TSIG algorithm although it was deprecated in the upstream library

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-21 07:09:29 +00:00
irbekrm
587e02cee9 Replaces dns v0.41 -> v0.34
This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm

Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-17 20:14:55 +00:00
irbekrm
ad746fae10 Bumps a bunch of deps
Signed-off-by: irbekrm <irbekrm@gmail.com>
2022-03-17 20:14:55 +00:00
Ashley Davis
a30540806e
minor verify-goimports tweak + document future improvements
checks args for a better error message, and writes informational
messages to stderr

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-03-05 16:37:26 +00:00
Ashley Davis
89d7742c56
add verify-errexit target to ci presubmits
Also modifies the script to run without bazel, and tweaks it so that
it'll detect errors in itself too.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-03-05 16:37:26 +00:00
Joakim Ahrlin
eb64e6494c
update deps and BUILD files
Signed-off-by: Joakim Ahrlin <joakim.ahrlin@gmail.com>
2022-03-01 15:05:18 +00:00
Maël Valais
c09dbb07e4 make: speed up 'docker build' with separate dir contexts
Previously, we had one .dockerignore that would do its best to only have
the binaries and licenses copied into the Docker (or nerdctl, or
buildah). Unfortunately, that meant it had to copy all of bin/server and
bin/cmctl, which could become quite large (I measured 1.6 GB).

Instead of relying on a single .dockerignore file, we copy the licenses
and binaries into a "scratch context" directory. The downside is that
all the binaries are in two different places (bin/server and
bin/scratch/containers). Note that we can't use symlinks because Docker
won't dereference them.

Signed-off-by: Maël Valais <mael@vls.dev>
2022-02-25 16:38:53 +01:00
Ashley Davis
a57110c6bb
Add targets for unit and integration tests in make
These lean heavily on `go test` for everything possible.

Also adds setup for versionchecker test in make, and a script for
extracting CRDs from templated rendered YAML files

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-17 14:48:57 +00:00
Maël Valais
3817f7d023 makefile: create images using UID=1000, like what Bazel does
Signed-off-by: Maël Valais <mael@vls.dev>
2022-02-15 16:29:07 +01:00
Ashley Davis
3a055cc2f5
rename all uses of github.com/jetstack/cert-manager
This was done by running the following command twice:

```bash
grep -Ri "github.com/jetstack/cert-manager" . | \
cut -d":" -f1 | \
sort | \
uniq | \
xargs sed -i "s/github.com\/jetstack\/cert-manager/github.com\/cert-manager\/cert-manager/"
```

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-02-02 09:08:31 +00:00
jetstack-bot
fed2465b50
Merge pull request #4766 from wallrj/4765-gengo-output-base
Specify an --output-base directory for all the gengo tools
2022-01-21 11:55:07 +00:00
Richard Wall
35b905303c Specify an output-base directory for all the gengo tools
By default they were writing the generated files to $GOPATH if set.
(which it was on my laptop)

```
$ deepcopy-gen -h 2>&1 | grep output-base
  -o, --output-base string               Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/home/richard/go/src")
```

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-01-20 17:10:48 +00:00
Richard Wall
f0849676e8 bazel run //hack:update-deps
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2022-01-20 15:26:18 +00:00
Ashley Davis
72027ce622
bump chart-testing image version to v3.5.0
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-01-10 18:02:25 +00:00
Ashley Davis
ad998b35f8
Allow helm chart verification in both bazel + make
This slightly modifies our existing helm chart verification script to
accept the location of a tarball containing the chart we're verifying.

That in turn allows us to more generally use the script for both
validating the chart we build using make and the chart we build using
bazel.

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-01-10 18:02:14 +00:00
Dean Coakley
c17b11fa01 Remove securityContext.enabled from helm chart
`securityContext.enabled` was deprecated and has already been replaced by
`securityContext` which supports arbitrary yaml.

Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
2022-01-08 08:26:44 +00:00
Ashley Davis
5a5c94a3f1
match upstream boilerplate verification for files w/ go:build
the regex being replaced doesn't match files which only contain go:build
although as of go 1.17 (which we require for cert-manager) that's
totally valid.

this commit updates the regex to match upstream k8s, which is the
original source of the boilerplate verification script in any case

upstream:
47ff335d4c/hack/boilerplate/boilerplate.py (L219-L223)

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-01-06 14:57:21 +00:00
Ashley Davis
1b3ac23659
add goimports verification and skeleton ci presubmit check
CI check will be built upon as Make is improved to reach testing parity
with bazel

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2022-01-05 15:28:38 +00:00
irbekrm
e58ca97245 Uses upstream kind image with kube 1.23
Also bumps kind image for kube 1.22

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-12-22 15:38:45 +00:00
James Munnelly
8f1fb874ed Run update-codegen in module mode
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-17 18:13:44 +00:00
James Munnelly
81f22fd49c Upgrade k8s.io dependencies to v0.23.1
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-17 16:27:47 +00:00
jetstack-bot
3b3e661d7f
Merge pull request #4669 from munnerz/update-runc
Update runc dependency to 1.0.3
2021-12-17 11:20:13 +00:00
jetstack-bot
0b8eba629c
Merge pull request #4554 from SgtCoDFish/maker
Makefile flow
2021-12-17 10:37:13 +00:00
James Munnelly
2041994b12 Update runc dependency to 1.0.3
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-16 15:45:25 +00:00
Richard Wall
36c4de9881 Update import paths
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-12-16 11:11:04 +00:00
Richard Wall
50f376130f Don't generate client code for deprecated API versions
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-12-15 16:29:51 +00:00
Ashley Davis
32d716654a
Add a makefile flow for building artifacts
Includes targets for:

- all "server" binaries, for all arches
- all containers for all server binaries for all arches
- all client binaries (kubectl plugin / cmctl) for all arches
- the cert-manager helm chart + signature
- the cert-manager static manifests + CRDs
- tools which bazel would download, with checksum verification
- (commented out) a signed SHA256SUM file for client binaries

Upgrades from the bazel flow include that:

- we use OS-specific base images rather than just using amd64 everywhere
- we easily add support for signing artifacts at build time
- we add ".exe" to the end of windows executables
- we add a zip file for windows executables, for easier consumption
- we concatenate YAML files more robustly
- staging a full release should be much faster
- hopefully, it's easier to change things!
- licenses are trimmed down to reduce bloat in images (the license
  bundle was 1.4MB in size alone)

Changes from the bazel flow include:

- containers no longer have a symlink to the binary at an unusual
  path, but instead just have the binary at a more predictable path
  (e.g. /app/cmd/webhook/webhook instead of
  /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook)

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-12-15 09:54:15 +00:00
Ashley Davis
6734e9b746
add scripts for sha256 sum calculations
hash.sh returns just the sha256sum of its input file

checkhash.sh uses hash.sh to get the sha256sum of its first argument and
then validates that the checksum matches the value provided in its
second argument

hash.sh isn't currently fully portable since sha256sum isn't present
by default on macOS, but it provides a single point around which we can
do hashing to validate checksums

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-12-15 09:54:15 +00:00
Ashley Davis
7a99e7c834
add script for writing make variables for base images
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-12-15 09:54:12 +00:00
Richard Wall
4eedf4fcfd Test conversion code using sample CRDs and remove conversion configuration from cert-manager CRDs
* Generate CRDs for the sample API types
* Allow alternative CRDs to be loaded into the envtest API server
* Override the conversion configuration of the CRDs
* Show webhook server logs in tests
* Simplify the loading of the test API CRDs
* Allow the ConversionHandler to be overridden in tests

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-12-14 17:33:22 +00:00
James Munnelly
1a96d9f32d config.cert-manager.io -> webhook.config.cert-manager.io
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-12-01 12:57:08 +00:00
James Munnelly
fb81666e56 Add config.cert-manager.io API group
Signed-off-by: James Munnelly <jmunnelly@apple.com>
2021-11-26 14:12:54 +00:00
Jake Sanders
43583e13b3
Update bazel repos
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
2021-11-23 16:58:59 +00:00
Ashley Davis
6f8ef26c07
add a script + flow for getting latest kind images
the script will need to be manually updated if we want to add a new
k8s version, but it should be trivial to do that

the actual kind image SHAsums aren't updated, so that the addition of
the script can be separate from the act of updating the images

also adds a make target for creating a kind cluster with CI deps

Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
2021-11-08 16:58:16 +00:00
irbekrm
edd7304c6c Bumps timeout to wait for cm api in upgrade test
Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-11-02 11:19:05 +02:00