From ef0541a04d5c6fa5730fb8c07a106d3ac837dec3 Mon Sep 17 00:00:00 2001
From: Vibhu Prashar
Date: Thu, 6 Jun 2024 17:52:39 +0530
Subject: [PATCH] fix: make deploy target

This PR address the issue #381 by:
* Enabling cert-manager that is necessary by webhooks during the deployment of Operator on k8s.
* Adding support to deploy cert-manager when running `make deploy` target.
* Including the installation of `cmctl`, a command line tool to manage cert-manager on k8s.

Signed-off-by: Vibhu Prashar
---
 Makefile | 12 +++-
 ...kepler-operator.clusterserviceversion.yaml | 5 ++
 ...stem.sustainable.computing.io_keplers.yaml | 1 +
 config/crd/kustomization.yaml | 2 +-
 config/default/kustomization.yaml | 56 +++++++++----------
 config/default/manager_webhook_patch.yaml | 12 ++--
 hack/cluster.sh | 1 -
 hack/tools.sh | 23 ++++++++
 8 files changed, 74 insertions(+), 38 deletions(-)

diff --git a/Makefile b/Makefile
index 078bc1fb..c33a09e5 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,9 @@ ENABLE_WEBHOOKS ?= true # enable webhooks by default
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
+# Cert manager version
+CERTMANAGER_VERSION ?=1.15.0
+
 # VERSION defines the project version for the bundle.
 # Update this value when you upgrade the version of your project.
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
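Review bot: `CERTMANAGER_VERSION ?=1.15.0` has no space after the operator, unlike `ENABLE_WEBHOOKS ?= true` in the same block; `CERTMANAGER_VERSION ?= 1.15.0`. The comment above it could also say what the value selects, e.g. `# cert-manager release whose manifest 'make deploy' applies; keep in step with CMCTL_VERSION in hack/tools.sh`, because the two pins live in different files (`v2.0.0` there, no `v` prefix here) and nothing in the diff ties them together.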
@@ -245,7 +248,10 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 .PHONY: deploy
-deploy: install ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+deploy: install cmctl ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+ kubectl apply --server-side --force-conflicts -f \
+ https://github.com/jetstack/cert-manager/releases/download/v$(CERTMANAGER_VERSION)/cert-manager.yaml
+ $(CMCTL) check api --wait=5m
 $(KUSTOMIZE) build config/default | \
 sed -e "s||$(OPERATOR_IMG)|g" \
 -e "s||$(KEPLER_IMG)|g" \
@@ -256,6 +262,8 @@ deploy: install ## Deploy controller to the K8s cluster specified in ~/.kube/con
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 $(KUSTOMIZE) build config/default | \
 kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+ kubectl delete --ignore-not-found=true -f \
+ https://github.com/jetstack/cert-manager/releases/download/v${CERTMANAGER_VERSION}/cert-manager.yaml
 ##@ Build Dependencies
@@ -266,9 +274,11 @@ LOCALBIN ?= $(shell pwd)/tmp/bin
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 CRDOC ?= $(LOCALBIN)/crdoc
+CMCTL ?= $(LOCALBIN)/cmctl
 # NOTE: please keep this list sorted so that it can be easily searched
 TOOLS = controller-gen \
+ cmctl \
 crdoc \
 govulncheck \
 jq \
diff --git a/bundle/manifests/kepler-operator.clusterserviceversion.yaml b/bundle/manifests/kepler-operator.clusterserviceversion.yaml
index f24e15fd..0a7f06c1 100644
--- a/bundle/manifests/kepler-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/kepler-operator.clusterserviceversion.yaml
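Review bot: The new `kubectl apply --server-side --force-conflicts -f https://…/cert-manager.yaml` in the deploy recipe runs with the caller's cluster credentials and applies a manifest fetched from GitHub without any probe for an existing installation or any integrity check beyond TLS, so a cert-manager already managed by Helm or OLM is silently overwritten with release 1.15.0, and `--force-conflicts` is what makes that overwrite silent. Gating the apply, for example `kubectl get deploy -n cert-manager cert-manager >/dev/null 2>&1 || kubectl apply --server-side --force-conflicts -f \`, would let the target skip (or warn) instead of clobbering; downloading the pinned release to `$(LOCALBIN)` and comparing it with a digest recorded next to `CERTMANAGER_VERSION` before applying would close the supply-chain gap. The `$(CMCTL) check api --wait=5m` line only verifies that the API is up, not what was installed. The rest of the deploy recipe continues outside the hunk.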
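Review bot: The added undeploy line hard-codes `--ignore-not-found=true` and uses `${CERTMANAGER_VERSION}`, while the line directly above uses `$(ignore-not-found)` and the deploy recipe uses `$(CERTMANAGER_VERSION)`; `kubectl delete --ignore-not-found=$(ignore-not-found) -f \` followed by `https://github.com/jetstack/cert-manager/releases/download/v$(CERTMANAGER_VERSION)/cert-manager.yaml` keeps both consistent. More importantly, deleting the cert-manager manifest removes its CRDs cluster-wide, and with them every Certificate and Issuer object on the cluster, even when cert-manager was pre-existing and shared by other workloads. The `##` help text still only promises to undeploy the controller, so either state that cert-manager is removed too or gate this step behind a variable the caller opts into.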
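Review bot: `cmctl` is inserted after `controller-gen` in `TOOLS`, which breaks the ordering that the `# NOTE: please keep this list sorted` comment asks for (`cm` sorts before `co`); make it `TOOLS = cmctl \` followed by `controller-gen \`. Presumably this list is also what turns `cmctl` into a valid prerequisite of the changed `deploy:` rule, but the rule that generates those tool targets is outside the hunk, so that is worth confirming.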
@@ -310,6 +310,11 @@ spec:
 runAsNonRoot: true
 serviceAccountName: kepler-operator-controller-manager
 terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
 permissions:
 - rules:
 - apiGroups:
diff --git a/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml b/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml
index dbe4039e..56537d52 100644
--- a/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml
+++ b/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml
@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
+ cert-manager.io/inject-ca-from: kepler-operator-system/kepler-operator-serving-cert
 controller-gen.kubebuilder.io/version: v0.12.1
 creationTimestamp: null
 name: keplers.kepler.system.sustainable.computing.io
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 4d4f6536..2297998d 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -14,7 +14,7 @@ patchesStrategicMerge:
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_keplers.yaml
+- patches/cainjection_in_keplers.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 # the following config is for teaching kustomize how to do kustomization for CRDs.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index fa298e61..59af2f39 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
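Review bot: The instruction comment two lines above the enabled patch, `# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.`, is now stale because the section is enabled unconditionally; the same applies to the `[CERTMANAGER]` comments kept in config/default/kustomization.yaml at the `- ../certmanager` hunk and the `- webhookcainjection_patch.yaml` hunk. Reword them to state the new contract, e.g. `# [CERTMANAGER] cert-manager is required by the webhooks; this patch enables CA injection for each CRD`, so the next reader does not assume it is still optional.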
@@ -20,7 +20,7 @@ bases:
 # crd/kustomization.yaml
 - ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
@@ -39,34 +39,34 @@ patchesStrategicMerge:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
+- webhookcainjection_patch.yaml
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-# objref:
-# kind: Certificate
-# group: cert-manager.io
-# version: v1
-# name: serving-cert # this name should match the one in certificate.yaml
-# fieldref:
-# fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-# objref:
-# kind: Certificate
-# group: cert-manager.io
-# version: v1
-# name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-# objref:
-# kind: Service
-# version: v1
-# name: webhook-service
-# fieldref:
-# fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-# objref:
-# kind: Service
-# version: v1
-# name: webhook-service
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert # this name should match the one in certificate.yaml
+ fieldref:
+ fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
+ fieldref:
+ fieldpath: metadata.namespace
+- name: SERVICE_NAME
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
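Review bot: The uncommented `vars:` block relies on kustomize `vars`, which upstream has deprecated in favour of `replacements`; whether the kustomize this repo installs merely warns or rejects it cannot be told from the hunk, since the tool pin is outside the diff. A short comment above `vars:`, such as `# TODO: migrate the CERTIFICATE_*/SERVICE_* vars to 'replacements' (kustomize vars are deprecated)`, would record that the scaffold was enabled as-is rather than reviewed.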
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
index 1c378047..349289c3 100644
--- a/config/default/manager_webhook_patch.yaml
+++ b/config/default/manager_webhook_patch.yaml
@@ -16,10 +16,8 @@ spec:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: cert
 readOnly: true
- # NOTE: this will be removed by the manager kustomization.yaml
- # since OLM will add the volume
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
diff --git a/hack/cluster.sh b/hack/cluster.sh
index 25923187..0ff56187 100755
--- a/hack/cluster.sh
+++ b/hack/cluster.sh
@@ -31,7 +31,6 @@ declare -r PROJECT_ROOT
 declare -r TMP_DIR="$PROJECT_ROOT/tmp"
 declare -r DEV_CLUSTER_DIR="$TMP_DIR/local-dev-cluster"
 declare -r BIN_DIR="$TMP_DIR/bin"
-declare -r OPERATOR_SDK_VERSION=${OPERATOR_SDK_VERSION:-v1.27.0}
 source "$PROJECT_ROOT/hack/utils.bash"
diff --git a/hack/tools.sh b/hack/tools.sh
index 5b5ccbc8..53bd594f 100755
--- a/hack/tools.sh
+++ b/hack/tools.sh
@@ -37,6 +37,7 @@ declare -r OC_VERSION=${OC_VERSION:-4.13.0}
 declare -r KUBECTL_VERSION=${KUBECTL_VERSION:-v1.28.4}
 declare -r SHFMT_VERSION=${SHFMT_VERSION:-v3.7.0}
 declare -r JQ_VERSION=${JQ_VERSION:-1.7}
+declare -r CMCTL_VERSION=${CMCTL_VERSION:-v2.0.0}
 # install
 declare -r KUSTOMIZE_INSTALL_SCRIPT="https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
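Review bot: The removed `# NOTE: this will be removed by the manager kustomization.yaml since OLM will add the volume` was the only record of why the `cert` volume used to be stripped from the bundle, and the bundle CSV hunk in this commit now carries the volume explicitly, so an OLM install presumably needs a `webhook-server-cert` Secret that nothing in the bundle creates — worth confirming against an OLM deploy before merging. If keeping the volume on both paths is intended, a replacement comment stating it, e.g. `# mounted by both the kustomize and the OLM deployments; the Secret is issued by cert-manager from config/certmanager`, keeps the reason visible. `defaultMode: 420` (0644) also makes the serving key readable by every uid in the container; for a single non-root process `256` (0400) is the least-privilege choice, although 420 is what the kubebuilder scaffold emits.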
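Review bot: `CMCTL_VERSION` defaults to `v2.0.0` while the cert-manager release pinned as `CERTMANAGER_VERSION` in the Makefile is `1.15.0`; cmctl has been versioned separately from cert-manager since its 2.0 release, so the pair is not obviously wrong, but neither file says which combination was tested. A trailing comment, `# cmctl is versioned separately from cert-manager; tested against CERTMANAGER_VERSION in the Makefile`, would help whoever bumps one of them next.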
@@ -44,6 +45,7 @@ declare -r OPERATOR_SDK_INSTALL="https://github.com/operator-framework/operator-
 declare -r YQ_INSTALL="https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_${GOOS}_${GOARCH}"
 declare -r OC_URL="https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$OC_VERSION"
 declare -r JQ_INSTALL_URL="https://github.com/jqlang/jq/releases/download/jq-$JQ_VERSION"
+declare -r CMCTL_INSTALL_URL="https://github.com/cert-manager/cmctl/releases/download/$CMCTL_VERSION"
 source "$PROJECT_ROOT/hack/utils.bash"
@@ -225,9 +227,30 @@ install_oc() {
 ok "oc was installed successfully"
 }
+
+version_cmctl() {
+ cmctl version --client
+}
+
+install_cmctl() {
+ validate_version cmctl "version --client" "$CMCTL_VERSION" && return 0
+
+ info "installing cmctl version: $CMCTL_VERSION"
+ local os="$GOOS"
+ [[ $os == "darwin" ]] && os="mac"
+
+ local install="$CMCTL_INSTALL_URL/cmctl_${os}_$GOARCH"
+ curl -sSLo "$LOCAL_BIN/cmctl" "$install" || {
+ fail "failed to install cmctl"
+ }
+ chmod +x "$LOCAL_BIN/cmctl"
+ ok "cmctl was installed successfully"
+}
+
 version_jq() {
 jq --version
 }
+
 install_jq() {
 validate_version jq --version "$JQ_VERSION" && {
 return 0
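Review bot: `curl -sSLo "$LOCAL_BIN/cmctl" "$install"` in `install_cmctl` has no `--fail`, so an HTTP error (a wrong asset name, a removed release) stores the error body as `$LOCAL_BIN/cmctl`, curl still exits 0, and the function reports success after `chmod +x`; use `curl -fsSLo "$LOCAL_BIN/cmctl" "$install" || {`. The downloaded binary is then made executable and later run against the cluster with no digest check, so verifying it against a pinned per-platform digest before the `chmod +x` would close the same supply-chain gap that the manifest fetched by `make deploy` has. The `darwin` to `mac` rename should be checked against the actual v2.0.0 asset names, because with the current flags a wrong name fails silently as described. `validate_version cmctl "version --client"` passes the subcommand as one word while `install_jq` passes a single flag; whether the helper splits that word is decided in utils.bash, outside the diff.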