This uses cmctl instead of kubectl_cert-manager, uses make instead of
bazel and fixes an incorrect container name in
test/fixtures/upgrade/overlay/cainjector-ops.yaml
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
this allows us to maintain the bazel build files until they're removed,
but tries to avoid accidentally encouraging their use
`make update-all` implementes a non-bazel version of
`hack/update-all.sh`, with `hack/update-all.sh` now calling make but
also doing the bazel stuff it used to.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Uses go-licenses to create a CSV file which replaces LICENSES.
The replacement is much smaller and easier to parse for both humans
and for machines.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
- includes a run of make update-crds which causes some trivial changes
- updates version of YQ to latest
- makes hack/update-crds.sh just call make
- makes hack/verify-crds.sh just call make
- moves functionality of hack/verify-crds.sh to hack/check-crds.sh,
using the makefile for generating alternative CRDs for comparison
- removes the bazel test associated with CRDs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
- runs "make update-codegen"
- adds codegen verification to make tests
- changes hack/(update|verify)-codegen.sh to just call make
- removes bazel codegen test so it's not automatically run in CI
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This could pick up files from vendored go and include them in bazel
We can't (easily) ignore "bin" also since we have other dirs called
"bin" which we don't want to ignore.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
This is needed because go and other tools will ignore directories
starting with "_" or "." but would treat a dir called "bin" as a regular
directory.
This in turn meant that when we vendored Go in bin, these tools would by
default scan the whole stdlib included with the bundled vendored go.
See https://pkg.go.dev/cmd/go#hdr-Package_lists_and_patterns for details
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
this removes the update functionality from make/cluster.sh in favour of
the simpler logic in hack/latest-kind-images.sh
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
these scripts would choke in various ways on a vendored copy of go
ignoring `bin` is the correct behaviour anyway, and should speed up
running the scripts
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
If we're in the middle of a cert-manager release we'll have a git tag
created for that release, but won't have a GitHub release created yet.
That means that an attempt to download old CRDs for our versionchecker
test will fail for that version, with a 404 error.
An alternative approach would be to use the GitHub API to query for
existing non-draft releases - but that introduces a new point of failure
whereby we can easily hit a rate limit, or else introduces the need for
a GitHub API token.
The GitHub API also has the issue that it doesn't present every release
in one API call, which complicates fetching releases using curl and uses
even more rate-limit capacity.
The approach here is simple; we ignore tags for which the release 404s,
download manifests for which the release gives a 200, and bubble up any
other errors.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
To allow us to both upgrade the upstream library and keep supporting HMACMD5 as RFC2136 TSIG algorithm although it was deprecated in the upstream library
Signed-off-by: irbekrm <irbekrm@gmail.com>
This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm
Signed-off-by: irbekrm <irbekrm@gmail.com>
Also modifies the script to run without bazel, and tweaks it so that
it'll detect errors in itself too.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Previously, we had one .dockerignore that would do its best to only have
the binaries and licenses copied into the Docker (or nerdctl, or
buildah). Unfortunately, that meant it had to copy all of bin/server and
bin/cmctl, which could become quite large (I measured 1.6 GB).
Instead of relying on a single .dockerignore file, we copy the licenses
and binaries into a "scratch context" directory. The downside is that
all the binaries are in two different places (bin/server and
bin/scratch/containers). Note that we can't use symlinks because Docker
won't dereference them.
Signed-off-by: Maël Valais <mael@vls.dev>
These lean heavily on `go test` for everything possible.
Also adds setup for versionchecker test in make, and a script for
extracting CRDs from templated rendered YAML files
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
By default they were writing the generated files to $GOPATH if set.
(which it was on my laptop)
```
$ deepcopy-gen -h 2>&1 | grep output-base
-o, --output-base string Output base; defaults to $GOPATH/src/ or ./ if $GOPATH is not set. (default "/home/richard/go/src")
```
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
This slightly modifies our existing helm chart verification script to
accept the location of a tarball containing the chart we're verifying.
That in turn allows us to more generally use the script for both
validating the chart we build using make and the chart we build using
bazel.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
`securityContext.enabled` was deprecated and has already been replaced by
`securityContext` which supports arbitrary yaml.
Signed-off-by: Dean Coakley <dean.s.coakley@gmail.com>
the regex being replaced doesn't match files which only contain go:build
although as of go 1.17 (which we require for cert-manager) that's
totally valid.
this commit updates the regex to match upstream k8s, which is the
original source of the boilerplate verification script in any case
upstream:
47ff335d4c/hack/boilerplate/boilerplate.py (L219-L223)
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
