From 9403d6815080c93fe87cf333573875f20660bfce Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Fri, 21 Apr 2023 10:46:00 +0200 Subject: [PATCH] use Gardener cert-manager instead of jetstack cert-manager (#1076) --- .ci/component_descriptor | 2 + .ci/set_dependency_version | 2 + acre.yaml | 14 +--- components/cert-manager/cert/component.yaml | 1 - components/cert-manager/cert/deployment.yaml | 13 ++-- components/cert-manager/cert/export.yaml | 5 +- components/cert-manager/controller/action | 45 ------------ .../cert-manager/controller/component.yaml | 10 +-- .../cert-manager/controller/deployment.yaml | 69 ++++++++----------- components/cert-manager/solver/component.yaml | 17 ----- .../cert-manager/solver/deployment.yaml | 34 --------- components/cert-manager/solver/export.yaml | 1 - components/dns-controller/deployment.yaml | 1 + dependency-versions.yaml | 4 ++ 14 files changed, 53 insertions(+), 165 deletions(-) delete mode 100644 components/cert-manager/controller/action delete mode 100644 components/cert-manager/solver/component.yaml delete mode 100644 components/cert-manager/solver/deployment.yaml delete mode 100644 components/cert-manager/solver/export.yaml diff --git a/.ci/component_descriptor b/.ci/component_descriptor index 2cf07936..96f91476 100755 --- a/.ci/component_descriptor +++ b/.ci/component_descriptor @@ -38,6 +38,8 @@ ${ADD_DEPENDENCIES_CMD} \ --component-dependencies \ '{"name": "github.com/gardener/external-dns-management", "version": "'$(jq -r ".versions[\"dns-controller-manager\"].version" <<< $DEP_VERSIONS)'"}' \ --component-dependencies \ + '{"name": "github.com/gardener/cert-management", "version": "'$(jq -r ".versions[\"cert-management\"].version" <<< $DEP_VERSIONS)'"}' \ + --component-dependencies \ '{"name": "github.com/gardener/sow", "version": "'$SOW_VERSION'"}' \ --container-image-dependencies \ '{"image_reference": "eu.gcr.io/gardener-project/sow:'$SOW_VERSION'", "version": "'$SOW_VERSION'", "name": "sow"}' 
diff --git a/.ci/set_dependency_version b/.ci/set_dependency_version index 3d5ad53a..27db6703 100755 --- a/.ci/set_dependency_version +++ b/.ci/set_dependency_version @@ -54,6 +54,8 @@ elif dep_name == 'github.com/gardener/terminal-controller-manager': set_dep_version(dep_version, 'versions', 'dashboard', 'terminals', 'terminal-controller-manager', 'version') elif dep_name == 'github.com/gardener/external-dns-management': set_dep_version(dep_version, 'versions', 'dns-controller-manager', 'version') +elif dep_name == 'github.com/gardener/cert-management': + set_dep_version(dep_version, 'versions', 'cert-management', 'version') elif dep_name == 'github.com/gardener/sow': with sow_version_file.open(mode='w') as f: f.write(dep_version) diff --git a/acre.yaml b/acre.yaml index 9e8011dc..4ffba490 100644 --- a/acre.yaml +++ b/acre.yaml @@ -221,20 +221,10 @@ landscape: cert-manager: controller: <<: (( merge )) - tag: (( valid( branch ) -or valid( commit ) ? ~~ :helm_tag )) # only used for CRDs - repo: "https://github.com/jetstack/cert-manager.git" - helm_repo: "https://charts.jetstack.io" - helm_tag: "v1.8.1" - cainjector: - <<: (( merge )) - tag: (( valid( branch ) -or valid( commit ) ? ~~ :cert-manager.controller.helm_tag )) - image_tag: (( valid( tag ) ? tag :~~ )) - image_repo: (( ~~ )) - webhook: - <<: (( merge )) - tag: (( valid( branch ) -or valid( commit ) ? ~~ :cert-manager.controller.helm_tag )) + tag: (( valid( branch ) -or valid( commit ) ? ~~ :.dependency_versions.versions.cert-management.version )) image_tag: (( valid( tag ) ? tag :~~ )) image_repo: (( ~~ )) + repo: (( .dependency_versions.versions.cert-management.repo )) cert-dns-bridge: <<: (( merge )) tag: (( valid( branch ) -or valid( commit ) ? ~~ :"2.1.0" )) diff --git a/components/cert-manager/cert/component.yaml b/components/cert-manager/cert/component.yaml index cdaf9c59..785d2d8e 100644 --- a/components/cert-manager/cert/component.yaml +++ b/components/cert-manager/cert/component.yaml 
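Review bot: The `cert-dns-bridge` block kept at the end of the acre.yaml hunk (`tag: ... :"2.1.0"`) no longer has a consumer, since the only component that read `landscape.versions.cert-manager.cert-dns-bridge`, components/cert-manager/solver, is deleted in this commit; leaving it in acre.yaml invites someone to keep bumping a version that nothing deploys. Remove the `cert-dns-bridge:` entry here, or add a comment such as `# unused since the switch to gardener/cert-management; remove with the next cleanup` if it has to stay for landscape-config compatibility. The `controller:` entry now pins `tag` and `repo` from `.dependency_versions.versions.cert-management`, so the version is only changeable through dependency-versions.yaml; a short comment saying so next to `tag:` would save the next reader a lookup. The landscape `cert-manager:` map continues past the hunk.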
@@ -1,7 +1,6 @@ --- component: imports: - - cert-manager/solver - cert-controller: cert-manager/controller - namespace - ingress-controller diff --git a/components/cert-manager/cert/deployment.yaml b/components/cert-manager/cert/deployment.yaml index c5d336a6..f39982f5 100644 --- a/components/cert-manager/cert/deployment.yaml +++ b/components/cert-manager/cert/deployment.yaml @@ -18,15 +18,18 @@ plugins: cert: kubeconfig: (( .landscape.clusters[0].kubeconfig )) manifests: - - apiVersion: cert-manager.io/v1 + - apiVersion: cert.gardener.cloud/v1alpha1 kind: Certificate metadata: name: (( .settings.certificate.name )) namespace: (( .settings.certificate.namespace )) + annotations: + cert.gardener.cloud/class: (( imports.cert-controller.export.certClass )) spec: - secretName: (( .settings.certificate.secret_name )) - renewBefore: 360h # 15d - dnsNames: (( .settings.certificate.domains )) + commonName: (( .settings.certificate.domains[0] )) + dnsNames: (( .settings.certificate.domains[1..] )) + secretRef: + name: (( .settings.certificate.secret_name )) + namespace: (( .settings.certificate.namespace )) issuerRef: name: (( imports.cert-controller.export.issuerName )) - kind: ClusterIssuer diff --git a/components/cert-manager/cert/export.yaml b/components/cert-manager/cert/export.yaml index 39c8858a..2c34e93d 100644 --- a/components/cert-manager/cert/export.yaml +++ b/components/cert-manager/cert/export.yaml 
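Review bot: `commonName: (( .settings.certificate.domains[0] ))` puts whichever domain is listed first into the certificate's CN, and the X.509 CN is limited to 64 characters, so a long first entry (for example a wildcard under a deep garden domain) would now make the Certificate unissuable where the previous manifest, which only populated `dnsNames`, succeeded. Either keep all domains in `dnsNames: (( .settings.certificate.domains ))` and drop `commonName`, or document the ordering constraint on `settings.certificate.domains` with a comment like `# first entry becomes the CN and must be at most 64 characters`. `renewBefore` was dropped without a replacement; if the Gardener controller's default renewal window is relied on here, a one-line comment stating that would make the intent clear. The `issuerRef` map and the surrounding manifest list may continue past the hunk.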
@@ -12,12 +12,11 @@ wait_for_certificate: - "-n" - (( .settings.certificate.namespace )) - "get" - - "certificate.cert-manager.io" + - "certificates.cert.gardener.cloud" - (( .settings.certificate.name )) - "-o" - "json" - result: (( sync( exec_uncached( check_command ), defined( value.status.conditions[0].status ) -and value.status.conditions[0].status == "True", value, 600 ) )) - b64dall: (( |x|-> sum[x|{}|s,k,v|-> s {k=base64_decode(v)}] )) + result: (( sync( exec_uncached( check_command ), defined( value.status.state ) -and value.status.state == "Ready", value, 600 ) )) export: <<: (( .settings )) \ No newline at end of file diff --git a/components/cert-manager/controller/action b/components/cert-manager/controller/action deleted file mode 100644 index 7f401eeb..00000000 --- a/components/cert-manager/controller/action +++ /dev/null 
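Review bot: The new sync condition only terminates early on `value.status.state == "Ready"`, so a Certificate that the controller has already moved to an error state keeps being polled for the full 600 seconds and then fails without reporting the cause. If the sync helper accepts a failure predicate, also stop on an error state; otherwise at least surface `value.status.message` in the failure so that an issuer or DNS-challenge problem shows up in the log instead of a bare timeout. A brief comment on `result:` noting that `state` is the Gardener CRD's status field (replacing the cert-manager `conditions` array) would help readers who only know the old resource. The `wait_for_certificate:` block starts before the hunk.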
@@ -1,45 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -source "$SOWLIB/k8s" - -webhookready() -{ - if [ "$1" = "deploy" ]; then - PLUGIN_setup "$2" webhookready - K8S_setKubeConfig "$field_path" "$GENDIR/$field_path/kubeconfig" - - getRequiredValue namespace "namespace" PLUGINCONFIGJSON - - local starttime - local endtime - local timeout=600 - starttime=$(date +%s) - endtime=$(( starttime + timeout )) - - if [[ -z "$DRYRUN" ]]; then - debug "webhook replicas: $(kubectl -n "$namespace" get deployment cert-manager-webhook -o jsonpath='{.status.readyReplicas}')" - while [[ $(date +%s) -le $endtime ]]; do - replicas=$(kubectl -n "$namespace" get deployment cert-manager-webhook -o jsonpath='{.status.readyReplicas}') - if [[ ${replicas:-0} -gt 0 ]]; then - return - fi - echo "waiting for cert-manager webhook to be running" - sleep 10 - done - fail "cert-manager-webhook did not become ready within $timeout seconds" - fi - fi -} diff --git a/components/cert-manager/controller/component.yaml b/components/cert-manager/controller/component.yaml index 41ff999e..a170d9c7 100644 --- a/components/cert-manager/controller/component.yaml +++ b/components/cert-manager/controller/component.yaml 
@@ -12,9 +12,9 @@ component: - lib/templates/state.yaml plugins: - - chart-checkout + - git -chart-checkout: - repo: (( landscape.versions.cert-manager.controller.helm_repo )) - name: cert-manager - version: (( landscape.versions.cert-manager.controller.helm_tag )) \ No newline at end of file +git: + <<: (( landscape.versions.cert-manager.controller )) + files: + - charts \ No newline at end of file diff --git a/components/cert-manager/controller/deployment.yaml b/components/cert-manager/controller/deployment.yaml index 8b4f2124..3959616d 100644 --- a/components/cert-manager/controller/deployment.yaml +++ b/components/cert-manager/controller/deployment.yaml @@ -4,14 +4,12 @@ landscape: (( &temporary )) utilities: (( &temporary )) settings: - groupName: cert-bridge.gardener.cloud - solverName: certificate-dns-bridge namespace: cert-manager # will be created - don't choose an existing one! - serviceAccountName: cert-manager self-signed: (( .caSpec.url == "self-signed" )) issuerName: (( .settings.self-signed ? "ca-issuer" :"acme-issuer" )) issuerPrivateKey: (( .settings.self-signed -or (! valid( .landscape.cert-manager.privateKey ) ) ? ~ :.landscape.cert-manager.privateKey )) caSecret: "self-signed-ca" + certClass: "garden-setup" ca: given: (( &temporary ( valid( .caSpec.ca.crt ) -and ( ( ! .settings.self-signed ) -or valid( .caSpec.ca.key ) ) ) )) # a given CA needs crt and key for self-signed mode crt: (( given ? .caSpec.ca.crt :( .state.ca.value.cert || ~~ ) )) @@ -31,9 +29,8 @@ plugins: - helm - template - kubectl: helm - - webhookready - - -echo: (( .settings.self-signed ? ( .settings.ca.given ? "Using provided CA" :"Using self-signed CA" ) :"Using ACME server at " .caSpec.url )) - kubectl: issuer + - -echo: (( .settings.self-signed ? ( .settings.ca.given ? "Using provided CA" :"Using self-signed CA" ) :"Using ACME server at " .caSpec.url )) namespace: name: (( settings.namespace )) 
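Review bot: `certClass: "garden-setup"` in the settings hunk is a hard-coded value that must match the `cert.gardener.cloud/class` annotation written by the cert component and the chart's `certClass` value; a comment on the line, e.g. `# must match the cert.gardener.cloud/class annotation on Certificates managed by garden-setup`, would document that coupling. Removing `groupName`, `solverName` and `serviceAccountName` from `settings` is consistent with the deleted solver, but the controller's export.yaml is not part of this commit; if it exports those keys by name rather than via `<<: (( .settings ))`, it now references missing fields. The `settings:` map continues past the hunk.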
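Review bot: In the plugins hunk the `-echo` step that announces which CA or ACME server is used was moved from before `kubectl: issuer` to after it, so the message now appears once the issuer has already been applied; if the intent is to tell the operator what is about to happen (and to make a failing `kubectl: issuer` easier to attribute), keep the original order by placing `- -echo: (( ... ))` before `- kubectl: issuer`. Dropping `webhookready` looks right since no webhook deployment remains, but a short comment such as `# no admission webhook to wait for with gardener/cert-management` would explain why the readiness gate disappeared.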
@@ -42,14 +39,8 @@ namespace: - apiVersion: v1 kind: Namespace metadata: - labels: - cert-manager.io/disable-validation: "true" name: (( .namespace.name )) -webhookready: - kubeconfig: (( .landscape.clusters.[0].kubeconfig )) - namespace: (( .settings.namespace )) - issuer: (( .settings.self-signed ? *ca_issuer :*acme_issuer )) issuer-secret: @@ -61,32 +52,26 @@ issuer-secret: name: (( settings.issuerName "-secret" )) namespace: (( .settings.namespace )) data: - tls.key: (( base64(settings.issuerPrivateKey) )) + privateKey: (( base64(settings.issuerPrivateKey) )) acme_issuer: <<: (( &template &temporary )) kubeconfig: (( landscape.clusters.[0].kubeconfig )) manifests: - <<: (( valid( .settings.issuerPrivateKey ) ? *issuer-secret :~ )) - - apiVersion: cert-manager.io/v1 - kind: ClusterIssuer + - apiVersion: cert.gardener.cloud/v1alpha1 + kind: Issuer metadata: - name: (( settings.issuerName )) + name: (( .settings.issuerName )) + namespace: (( .settings.namespace )) spec: acme: server: (( .caSpec.url )) email: (( .landscape.cert-manager.email || .landscape.identity.users[0].email )) + autoRegistration: (( ! valid( .settings.issuerPrivateKey ) )) privateKeySecretRef: - name: (( settings.issuerName "-secret" )) - solvers: - - dns01: - webhook: - groupName: (( settings.groupName )) - solverName: (( settings.solverName )) - config: - dns-class: (( .imports.dns-controller.export.dns-class )) - namespace: (( .imports.dns-controller.export.namespace )) - ttl: (( .landscape.defaultTTL )) + name: (( .settings.issuerName "-secret" )) + namespace: (( .settings.namespace )) ca_issuer: <<: (( &template &temporary )) 
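Review bot: In the acme_issuer hunk, when no issuer private key is configured `autoRegistration` evaluates to true while `privateKeySecretRef` still points at `issuerName-secret`, and the template only emits that secret when `valid( .settings.issuerPrivateKey )`; the hunk therefore relies on the controller creating the referenced secret during registration, which should be confirmed against the cert-management version pinned in dependency-versions.yaml and stated in a comment such as `# secret is created by the controller on auto-registration`. The removed dns01 solver config carried `ttl: (( .landscape.defaultTTL ))`, and no replacement appears in the new issuer or in the helm values later in this diff, so challenge records now get the controller's default TTL; if `defaultTTL` is meant to apply, check whether the chart exposes a corresponding setting. The issuer-secret key rename from `tls.key` to `privateKey` also deserves a one-line comment, since it is presumably the key name the Gardener issuer reads rather than a cosmetic change. The `acme_issuer` template ends within the hunk; the `ca_issuer` template that follows continues past it.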
@@ -101,13 +86,16 @@ ca_issuer: data: tls.crt: (( base64( .settings.ca.crt ) )) tls.key: (( base64( .settings.ca.key ) )) - - apiVersion: cert-manager.io/v1 - kind: ClusterIssuer + - apiVersion: cert.gardener.cloud/v1alpha1 + kind: Issuer metadata: - name: (( settings.issuerName )) + name: (( .settings.issuerName )) + namespace: (( .settings.namespace )) spec: ca: - secretName: (( .settings.caSecret )) + privateKeySecretRef: + name: (( .settings.caSecret )) + namespace: (( .settings.namespace )) servers: @@ -123,7 +111,7 @@ helm: kubeconfig: (( landscape.clusters.[0].kubeconfig )) files: - "helm/rendered_charts.yaml" - source: "chart-checkout/charts/cert-manager" + source: "git/repo/charts/cert-management" name: cert-manager namespace: (( .namespace.name )) flags: @@ -132,18 +120,15 @@ helm: image: repository: (( .landscape.versions.cert-manager.controller.image_repo || ~~ )) tag: (( .landscape.versions.cert-manager.controller.image_tag || ~~ )) - cainjector: - image: - repository: (( .landscape.versions.cert-manager.cainjector.image_repo || ~~ )) - tag: (( .landscape.versions.cert-manager.cainjector.image_tag || ~~ )) - webhook: - image: - repository: (( .landscape.versions.cert-manager.webhook.image_repo || ~~ )) - tag: (( .landscape.versions.cert-manager.webhook.image_tag || ~~ )) - serviceAccount: - create: true - name: (( .settings.serviceAccountName )) - installCRDs: true + createCRDs: + issuers: true + certificates: true + configuration: + dnsClass: (( .imports.dns-controller.export.dns-class )) + dnsNamespace: (( .settings.namespace )) + certClass: (( .settings.certClass )) + defaultIssuer: (( .settings.issuerName )) + issuerNamespace: (( .settings.namespace )) state: <<: (( &state(merge none) )) diff --git a/components/cert-manager/solver/component.yaml b/components/cert-manager/solver/component.yaml deleted file mode 100644 index bed6a008..00000000 --- a/components/cert-manager/solver/component.yaml +++ /dev/null 
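Review bot: In the values hunk, `dnsNamespace: (( .settings.namespace ))` has the controller create its DNS challenge entries in the cert-manager namespace, and the companion hunk in components/dns-controller/deployment.yaml adds `disableNamespaceRestriction: true` so the dns-controller picks them up; that flag presumably lifts the controller's restriction to its own namespace for the whole cluster, which is a broader change than the certificate flow needs and enlarges what can be published through the garden DNS provider from other namespaces. The removed solver config targeted `.imports.dns-controller.export.namespace` instead; if keeping the restriction is preferred, `dnsNamespace: (( .imports.dns-controller.export.namespace ))` plus dropping the dns-controller change may suffice, provided the chart's RBAC allows writes there. Either way, add a comment at `dnsNamespace:` pointing at the dns-controller setting it depends on, since the two live in different components. The `image.repository`/`image.tag` keys are carried over from the jetstack chart unchanged; confirm the cert-management chart uses the same keys, otherwise the pinned image tag is silently ignored. The `helm:` values block continues past the hunk.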
@@ -1,17 +0,0 @@ ---- -landscape: (( &temporary )) -component: - imports: - - dns-controller - - cert-controller: cert-manager/controller - - k8sversion - - stubs: [] - - plugins: - - git - -git: - <<: (( landscape.versions.cert-manager.cert-dns-bridge )) - files: - - charts \ No newline at end of file diff --git a/components/cert-manager/solver/deployment.yaml b/components/cert-manager/solver/deployment.yaml deleted file mode 100644 index e2a5a088..00000000 --- a/components/cert-manager/solver/deployment.yaml +++ /dev/null @@ -1,34 +0,0 @@ ---- -imports: (( &temporary )) -landscape: (( &temporary )) - -plugins: (( .imports.cert-controller.export.self-signed ? .plugins_self_signed :plugins_not_self_signed )) - -plugins_self_signed: - - -echo: "Using self-signed certificates, no solver deployment necessary." - -plugins_not_self_signed: - - pinned: - - helm: - - helm - - template - - kubectl: helm - -helm: - kubeconfig: (( landscape.clusters.[0].kubeconfig )) - files: - - "helm/rendered_charts.yaml" - source: "git/repo/charts/certificate-dns-bridge" - name: certificate-dns-bridge - namespace: (( imports.cert-controller.export.namespace )) - flags: - deploy: (( "--kube-version=" .imports.k8sversion.export.k8sVersions.base )) - values: - groupName: (( imports.cert-controller.export.groupName )) - solverName: (( imports.cert-controller.export.solverName )) - certManager: - namespace: (( imports.cert-controller.export.namespace )) - serviceAccountName: (( imports.cert-controller.export.serviceAccountName )) - image: - repository: (( landscape.versions.cert-manager.cert-dns-bridge.image_repo || ~~ )) - tag: (( landscape.versions.cert-manager.cert-dns-bridge.image_tag || ~~ )) diff --git a/components/cert-manager/solver/export.yaml b/components/cert-manager/solver/export.yaml deleted file mode 100644 index ed97d539..00000000 --- a/components/cert-manager/solver/export.yaml +++ /dev/null @@ -1 +0,0 @@ ---- 
diff --git a/components/dns-controller/deployment.yaml b/components/dns-controller/deployment.yaml index 32090a97..7639ca74 100644 --- a/components/dns-controller/deployment.yaml +++ b/components/dns-controller/deployment.yaml @@ -107,3 +107,4 @@ spec: kubeconfigId: (( .landscape.name )) controllers: "dnssources,compound" ttl: (( .landscape.dns.ttl || ~~ )) + disableNamespaceRestriction: true diff --git a/dependency-versions.yaml b/dependency-versions.yaml index 28703e33..9e9be509 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -83,6 +83,10 @@ "dns-controller-manager": { "repo": "https://github.com/gardener/external-dns-management.git", "version": "v0.15.2" + }, + "cert-management": { + "repo": "https://github.com/gardener/cert-management.git", + "version": "v0.10.4" } } } \ No newline at end of file