- runs "make update-codegen"
- adds codegen verification to make tests
- changes hack/(update|verify)-codegen.sh to just call make
- removes bazel codegen test so it's not automatically run in CI
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This could pick up files from vendored go and include them in bazel
We can't (easily) ignore "bin" also since we have other dirs called
"bin" which we don't want to ignore.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This is needed because go and other tools will ignore directories
starting with "_" or "." but would treat a dir called "bin" as a regular
directory.
This in turn meant that when we vendored Go in bin, these tools would by
default scan the whole stdlib included with the bundled vendored go.
See https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns for details
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This removes the update functionality from make/cluster.sh in favour of
the simpler logic in hack/latest-kind-images.sh.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
These scripts would choke in various ways on a vendored copy of go.
Ignoring `bin` is the correct behaviour anyway, and should speed up
running the scripts.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
If we're in the middle of a cert-manager release we'll have a git tag
created for that release, but won't have a GitHub release created yet.
That means that an attempt to download old CRDs for our versionchecker
test will fail for that version, with a 404 error.
An alternative approach would be to use the GitHub API to query for
existing non-draft releases - but that introduces a new point of failure
whereby we can easily hit a rate limit, or else introduces the need for
a GitHub API token.
The GitHub API also has the issue that it doesn't present every release
in one API call, which complicates fetching releases using curl and uses
even more rate-limit capacity.
The approach here is simple; we ignore tags for which the release 404s,
download manifests for which the release gives a 200, and bubble up any
other errors.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
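The download logic described above, as an added example that is not cert-manager's own script: tags whose release returns 404 are skipped, a 200 keeps the manifest, and any other status or curl failure is an error. The release URL layout is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not cert-manager's versionchecker script): download the
# CRD manifest for a git tag, skipping tags that have no GitHub release yet.
# Assumption: release assets live under the "releases/download" URL below.
set -eu

RELEASE_BASE="${RELEASE_BASE:-https://github.com/jetstack/cert-manager/releases/download}"

# fetch_url URL DEST: write the response body to DEST and print the HTTP
# status code. Returns non-zero only when curl itself fails (DNS, TLS, ...);
# a 404 still returns 0 because --fail is deliberately not used here.
fetch_url() {
  curl -sSL -o "$2" -w '%{http_code}' "$1"
}

# fetch_manifest_for_tag TAG OUTDIR: prints "downloaded" or "skipped",
# or returns 1 with a message on stderr for any other outcome.
fetch_manifest_for_tag() {
  tag="$1"
  outdir="$2"
  dest="${outdir}/cert-manager-${tag}.yaml"
  url="${RELEASE_BASE}/${tag}/cert-manager.yaml"
  code="$(fetch_url "$url" "$dest")" || { echo "fetch failed for ${tag}" >&2; return 1; }
  case "$code" in
    200) echo "downloaded" ;;
    # Tag exists but the release has not been published: not an error.
    404) rm -f "$dest"; echo "skipped" ;;
    # Rate limits, outages, redirects gone wrong: bubble these up.
    *) rm -f "$dest"; echo "unexpected HTTP ${code} for ${tag}" >&2; return 1 ;;
  esac
}
```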
To allow us to both upgrade the upstream library and keep supporting HMACMD5 as an RFC2136 TSIG algorithm, although it was deprecated in the upstream library.
Signed-off-by: irbekrm <irbekrm@gmail.com>
This is so as to avoid dropping support for the HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm.
Signed-off-by: irbekrm <irbekrm@gmail.com>
Also modifies the script to run without bazel, and tweaks it so that
it'll detect errors in itself too.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously, we had one .dockerignore that would do its best to only have
the binaries and licenses copied into the Docker (or nerdctl, or
buildah). Unfortunately, that meant it had to copy all of bin/server and
bin/cmctl, which could become quite large (I measured 1.6 GB).
Instead of relying on a single .dockerignore file, we copy the licenses
and binaries into a "scratch context" directory. The downside is that
all the binaries are in two different places (bin/server and
bin/scratch/containers). Note that we can't use symlinks because Docker
won't dereference them.
Signed-off-by: Maël Valais <mael@vls.dev>
These lean heavily on `go test` for everything possible.
Also adds setup for versionchecker test in make, and a script for
extracting CRDs from templated rendered YAML files
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
By default they were writing the generated files to $GOPATH if set.
(which it was on my laptop)
```
$ deepcopy-gen -h 2>&1 | grep output-base
-o, --output-base string Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/home/richard/go/src")
```
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
This slightly modifies our existing helm chart verification script to
accept the location of a tarball containing the chart we're verifying.
That in turn allows us to more generally use the script for both
validating the chart we build using make and the chart we build using
bazel.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
`securityContext.enabled` was deprecated and has already been replaced by
`securityContext` which supports arbitrary yaml.
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
The regex being replaced doesn't match files which only contain go:build,
although as of go 1.17 (which we require for cert-manager) that's
totally valid.
This commit updates the regex to match upstream k8s, which is the
original source of the boilerplate verification script in any case.
upstream:
47ff335d4c/hack/boilerplate/boilerplate.py (L219-L223)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Includes targets for:
- all "server" binaries, for all arches
- all containers for all server binaries for all arches
- all client binaries (kubectl plugin / cmctl) for all arches
- the cert-manager helm chart + signature
- the cert-manager static manifests + CRDs
- tools which bazel would download, with checksum verification
- (commented out) a signed SHA256SUM file for client binaries
Upgrades from the bazel flow include that:
- we use OS-specific base images rather than just using amd64 everywhere
- we easily add support for signing artifacts at build time
- we add ".exe" to the end of windows executables
- we add a zip file for windows executables, for easier consumption
- we concatenate YAML files more robustly
- staging a full release should be much faster
- hopefully, it's easier to change things!
- licenses are trimmed down to reduce bloat in images (the license
bundle was 1.4MB in size alone)
Changes from the bazel flow include:
- containers no longer have a symlink to the binary at an unusual
path, but instead just have the binary at a more predictable path
(e.g. /app/cmd/webhook/webhook instead of
/app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
hash.sh returns just the sha256sum of its input file.
checkhash.sh uses hash.sh to get the sha256sum of its first argument and
then validates that the checksum matches the value provided in its
second argument.
hash.sh isn't currently fully portable since sha256sum isn't present
by default on macOS, but it provides a single point around which we can
do hashing to validate checksums.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
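The hash-and-verify pair described above, as an added example rather than the repository's own hash.sh / checkhash.sh. It goes one step further than the commit by falling back to `shasum -a 256` where `sha256sum` is missing, which covers the macOS gap the message mentions; function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not cert-manager's hash.sh / checkhash.sh): portable SHA-256
# hashing plus checksum verification for downloaded tools.
set -eu

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses sha256sum (coreutils) when present, else shasum (default on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f 1
  else
    echo "no sha256 tool found (need sha256sum or shasum)" >&2
    return 1
  fi
}

# check_sha256 FILE EXPECTED: return 0 if FILE hashes to EXPECTED, else 1.
# The comparison is case-insensitive so a checksum pasted from release
# notes in upper case still verifies; the digest length is checked so a
# truncated "expected" value can never pass.
check_sha256() {
  actual="$(sha256_of "$1")" || return 1
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  if [ "${#expected}" -ne 64 ]; then
    echo "expected checksum for $1 is not a 64-hex-char SHA-256" >&2
    return 1
  fi
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected ${expected}, got ${actual}" >&2
  return 1
}
```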
* Generate CRDs for the sample API types
* Allow alternative CRDs to be loaded into the envtest API server
* Override the conversion configuration of the CRDs
* Show webhook server logs in tests
* Simplify the loading of the test API CRDs
* Allow the ConversionHandler to be overridden in tests
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
The script will need to be manually updated if we want to add a new
k8s version, but it should be trivial to do that.
The actual kind image SHAsums aren't updated, so that the addition of
the script can be separate from the act of updating the images.
Also adds a make target for creating a kind cluster with CI deps.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Following the release of cert-manager v1.6.0, it was observed that an
update to the keystore-go library was backwards-incompatible; it
introduced a 6-character minimum length on passwords which wasn't
previously in force.
This led to https://github.com/pavel-v-chernykh/keystore-go/issues/30
which in turn led to https://github.com/pavel-v-chernykh/keystore-go/pull/31
This commit bumps to use the new version, which by default doesn't have
a min password length
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
So that we don't pull the same image for each test run.
Also run helm install with --debug so that it outputs more information.
Signed-off-by: irbekrm <irbekrm@gmail.com>
This is necessary because some CD tools don't accept resource configs with predefined status fields, but controllergen currently adds this field when a CRD yaml is generated
Signed-off-by: irbekrm <irbekrm@gmail.com>
There seems to be justification for setting GOSUMDB to a universal value
here, but setting GOPROXY doesn't seem to provide value here.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>