This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm
Signed-off-by: irbekrm <irbekrm@gmail.com>
Also modifies the script to run without bazel, and tweaks it so that
it'll detect errors in itself too.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously, we had one .dockerignore that would do its best to only have
the binaries and licenses copied into the Docker (or nerdctl, or
buildah). Unfortunately, that meant it had to copy all of bin/server and
bin/cmctl, which could become quite large (I measured 1.6 GB).
Instead of relying on a single .dockerignore file, we copy the licenses
and binaries into a "scratch context" directory. The downside is that
all the binaries are in two different places (bin/server and
bin/scratch/containers). Note that we can't use symlinks because Docker
won't dereference them.
Signed-off-by: Maël Valais <mael@vls.dev>
These lean heavily on `go test` for everything possible.
Also adds setup for versionchecker test in make, and a script for
extracting CRDs from templated rendered YAML files
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
By default they were writing the generated files to $GOPATH if set.
(which it was on my laptop)
```
$ deepcopy-gen -h 2>&1 | grep output-base
-o, --output-base string Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/home/richard/go/src")
```
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
This slightly modifies our existing helm chart verification script to
accept the location of a tarball containing the chart we're verifying.
That in turn allows us to more generally use the script for both
validating the chart we build using make and the chart we build using
bazel.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
the regex being replaced doesn't match files which only contain go:build
although as of go 1.17 (which we require for cert-manager) that's
totally valid.
this commit updates the regex to match upstream k8s, which is the
original source of the boilerplate verification script in any case
upstream:
47ff335d4c/hack/boilerplate/boilerplate.py (L219-L223)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Includes targets for:
- all "server" binaries, for all arches
- all containers for all server binaries for all arches
- all client binaries (kubectl plugin / cmctl) for all arches
- the cert-manager helm chart + signature
- the cert-manager static manifests + CRDs
- tools which bazel would download, with checksum verification
- (commented out) a signed SHA256SUM file for client binaries
Upgrades from the bazel flow include that:
- we use OS-specific base images rather than just using amd64 everywhere
- we easily add support for signing artifacts at build time
- we add ".exe" to the end of windows executables
- we add a zip file for windows executables, for easier consumption
- we concatenate YAML files more robustly
- staging a full release should be much faster
- hopefully, it's easier to change things!
- licenses are trimmed down to reduce bloat in images (the license
bundle was 1.4MB in size alone)
Changes from the bazel flow include:
- containers no longer have a symlink to the binary at an unusual
path, but instead just have the binary at a more predictable path
(e.g. /app/cmd/webhook/webhook instead of
/app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
hash.sh returns just the sha256sum of its input file
checkhash.sh uses ha.sh to get the sha256sum of its first argument and
then validates that the checksum matches the value provided in its
second argument
hash.sh isn't currently fully portable since sha256sum isn't present
by default on macOS, but it provides a single point around which we can
do hashing to validate checksums
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
* Generate CRDs for the sample API types
* Allow alternative CRDs to be loaded into the envtest API server
* Override the conversion configuration of the CRDs
* Show webhook server logs in tests
* Simplify the loading of the test API CRDs
* Allow the ConversionHandler to be overridden in tests
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
the script will need to be manually updated if we want to add a new
k8s version, but it should be trivial to do that
the actual kind image SHAsums aren't updated, so that the addition of
the script can be separate from the act of updating the images
also adds a make target for creating a kind cluster with CI deps
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Following the release of cert-manager v1.6.0, it was observed that an
update to the keystore-go library was backwards-incompatible; it
introduced a 6-character minimum length on passwords which wasn't
previously in force.
This led to https://github.com/pavel-v-chernykh/keystore-go/issues/30
which in turn led to https://github.com/pavel-v-chernykh/keystore-go/pull/31
This commit bumps to use the new version, which by default doesn't have
a min password length
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
So that we don't pull the same image for each test run.
Also run helm install with --debug so that it outputs more information.
Signed-off-by: irbekrm <irbekrm@gmail.com>
