updated controller-runtime (#373)
* updated controller-runtime
- removed controller-filtered cache

fixed make bundle not generating alm-examples because the sample did not
match the apiVersion

needed to comment out the removing secret and apiservice temporarily to
avoid caching those resources

Signed-off-by: Henry H Li <henry.h.li@ibm.com>

* removed removeAPIService because unlikely to exist
- APIService was something created before the cert-manager v1 migration
- will never exist in fresh install
- in upgrade scenarios, users must be running at least 3.19.9, which
  means APIService would have been removed already

Signed-off-by: Henry H Li <henry.h.li@ibm.com>

* changed removeOldSecret to be more robust
- because the old code was only concerned about checking if the pre v1
  cert-manager annotation was there, but what actually matters is if the
  v1 annotation exists or not
- by deleting the old webhook secret if it does not contain the correct
  annotation (cert-manager.io/allow-direct-injection)
- also not setting up the cache for secrets at all to avoid overhead and
  directly reading from API server since this is infrequently invoked
  code

Signed-off-by: Henry H Li <henry.h.li@ibm.com>

* removed APIService from cache

Signed-off-by: Henry H Li <henry.h.li@ibm.com>

* removed unused secretshare-operator code

Signed-off-by: Henry H Li <henry.h.li@ibm.com>

---------

Signed-off-by: Henry H Li <henry.h.li@ibm.com>
bitscuit committed Oct 13, 2023
1 parent dcaa8a7 commit 687fe08
Showing 16 changed files with 428 additions and 1,209 deletions.
14 changes: 14 additions & 0 deletions Makefile
@@ -12,6 +12,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.

KUSTOMIZE_VERSION=v4.5.6

ARCH := $(shell uname -m)
LOCAL_ARCH := "amd64"
ifeq ($(ARCH),x86_64)
LOCAL_ARCH="amd64"
else ifeq ($(ARCH),ppc64le)
LOCAL_ARCH="ppc64le"
else ifeq ($(ARCH),s390x)
LOCAL_ARCH="s390x"
else
$(error "This system's ARCH $(ARCH) isn't recognized/supported")
endif

# This repo is build locally for dev/test by default;
# Override this variable in CI env.
BUILD_LOCALLY ?= 1
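Review bot: the `LOCAL_ARCH := "amd64"` assignments at the top of this hunk keep the double quotes as part of the value, because make performs no quote removal; `$(LOCAL_ARCH)` expands to `"amd64"` quote characters included, which a shell recipe strips but a make-level `ifeq` or a string spliced into an image tag or download path will not. Drop the quotes (`LOCAL_ARCH := amd64`, and likewise in the branches). The `$(error ...)` fallback for unrecognised architectures is the right default; `aarch64`/`arm64` hosts will hit it, so state that in the README if it is intentional. Pinning `KUSTOMIZE_VERSION=v4.5.6` is the right supply-chain move; wherever that version is fetched, verify the release checksum too, since a pinned tag alone does not protect against a replaced artifact.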
2 changes: 1 addition & 1 deletion bundle.Dockerfile
@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
LABEL operators.operatorframework.io.bundle.package.v1=ibm-cert-manager-operator
LABEL operators.operatorframework.io.bundle.channels.v1=alpha
LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0
LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.31.0
LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3

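Review bot: the builder label moves to operator-sdk-v1.31.0 here and, consistently, in the CSV and in bundle/metadata/annotations.yaml later in this commit, so the three stay in sync. Nothing in the diff pins the SDK version the way the Makefile hunk now pins KUSTOMIZE_VERSION, so the next `make bundle` on a machine with a different operator-sdk will churn these labels again; consider a pinned OPERATOR_SDK_VERSION variable next to KUSTOMIZE_VERSION.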
@@ -31,13 +31,13 @@ metadata:
categories: Security
certified: "false"
containerImage: icr.io/cpopen/ibm-cert-manager-operator:latest
createdAt: "2023-04-25T19:31:21Z"
createdAt: "2023-10-05T20:07:25Z"
description: Operator for managing deployment of cert-manager service.
olm.skipRange: <4.2.1
operatorframework.io/suggested-namespace: ibm-cert-manager
operators.operatorframework.io/builder: operator-sdk-v1.28.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
operators.openshift.io/infrastructure-features: '["disconnected"]'
operators.operatorframework.io/builder: operator-sdk-v1.31.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
support: IBM
labels:
operatorframework.io/arch.amd64: supported
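Review bot: `createdAt` and the reordered builder and project_layout annotations are regenerated output and fine as they are. The unchanged `containerImage: icr.io/cpopen/ibm-cert-manager-operator:latest` in this block is a floating tag; for a published bundle a digest reference makes the CSV reproducible and lets a reviewer match what was scanned against what actually runs. Pre-existing, but this hunk already touches the metadata block, so it is the natural place to pin it.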
@@ -541,7 +541,7 @@ spec:
- name: ICP_CERT_MANAGER_ACMESOLVER_IMAGE
value: icr.io/cpopen/cpfs/icp-cert-manager-acmesolver:1.11.0-jetstack.1.10.1
image: icr.io/cpopen/ibm-cert-manager-operator:latest
imagePullPolicy: IfNotPresent
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
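Review bot: switching imagePullPolicy to Always on an image referenced as `icr.io/cpopen/ibm-cert-manager-operator:latest` (three lines above) means every operator pod start pulls whatever `latest` resolves to at that moment, so two restarts of the same bundle can run different operator builds and a retag upstream silently changes what runs in the cluster. If Always is meant for dev iteration, keep IfNotPresent in the release bundle and pin a tag or digest the way the ICP_CERT_MANAGER_ACMESOLVER_IMAGE env var already pins `1.11.0-jetstack.1.10.1`; if Always is intended for releases, the reason belongs in the commit message.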
@@ -561,8 +561,8 @@ spec:
memory: 300Mi
requests:
cpu: 10m
memory: 50Mi
ephemeral-storage: 256Mi
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
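Review bot: `ephemeral-storage: 256Mi` is added under requests, but no matching ephemeral-storage entry is visible in the limits block above it (only `memory: 300Mi` is shown). A request alone only influences scheduling; without a limit the container can grow its writable layer until the kubelet evicts the pod. If a limit exists in the collapsed lines, fine; otherwise add `ephemeral-storage` under limits as well, and make sure the change lands in the source manifests the bundle is generated from rather than only in the generated CSV.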
134 changes: 119 additions & 15 deletions bundle/manifests/operator.ibm.com_certmanagerconfigs.yaml
@@ -38,13 +38,35 @@ spec:
description: CertManagerConfigSpec defines the desired state of CertManager
properties:
certManagerCAInjector:
description: CertManagerCAInjector includes spec for cert-manager-cainjector
description: CertManagerCAInjector describes spec for cert-manager-cainjector
workload
properties:
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry in
pod.spec.resourceClaims of the Pod where this field
is used. It makes that resource available inside a
container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
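Review bot: the `claims` block (from `claims:` through `x-kubernetes-list-type: map`) comes from regenerating against the newer k8s.io/api ResourceRequirements type, not from any feature of this operator, and its own description says it is alpha and requires the DynamicResourceAllocation feature gate. It now appears under every operand's `resources`. If the operator copies `resources` verbatim into operand pod specs, a user who sets `claims` on a cluster without that gate gets the rejection from the pod rather than from the CertManagerConfig; either validate or strip the field at the CR, or document that it is passthrough and unsupported.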
@@ -65,18 +87,41 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
certManagerController:
description: CertManagerController includes spec for cert-manager-controller
description: CertManagerController describes spec for cert-manager-controller
workload
properties:
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry in
pod.spec.resourceClaims of the Pod where this field
is used. It makes that resource available inside a
container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
@@ -97,18 +142,41 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
certManagerWebhook:
description: CertManagerWebhook includes spec for cert-manager-webhook
description: CertManagerWebhook describes spec for cert-manager-webhook
workload
properties:
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry in
pod.spec.resourceClaims of the Pod where this field
is used. It makes that resource available inside a
container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
@@ -129,18 +197,40 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
configMapWatcher:
description: ConfigMapWatcher includes spec for icp-configmap-watcher
workload
description: ConfigMapWatcher is not used
properties:
resources:
description: ResourceRequirements describes the compute resource
requirements.
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry in
pod.spec.resourceClaims of the Pod where this field
is used. It makes that resource available inside a
container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
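Review bot: `configMapWatcher` is now described as "ConfigMapWatcher is not used" yet keeps a full ResourceRequirements schema, including the new alpha `claims` list, so it still shows up in `kubectl explain` and users may keep configuring it. Because the CRD sets `x-kubernetes-preserve-unknown-fields: true` at the end of the spec, existing CRs that set the field would still be accepted if it were removed from the schema; consider dropping it from the Go type, or at least marking it deprecated in the description with a note on what, if anything, still reads it.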
@@ -161,21 +251,28 @@ spec:
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
type: object
disableHostNetwork:
description: DisableHostNetwork disables
type: boolean
enableCertRefresh:
description: EnableCertRefresh is a flag that can be set to enable
the refresh of leaf certificates based on a root CA
description: EnableCertRefresh enables the refresh of leaf certificates
based on a CA certificate
type: boolean
enableWebhook:
description: Webhook enables the cert-manager-webhook operand
type: boolean
imagePostFix:
description: ImagePostFix describes a string that will be appended
to the end of the fully qualified image, e.g. imageRegistry/imageName:imageTagAndPostFix
type: string
imageRegistry:
description: ImageRegistry describes the image registry for the operands,
e.g. cert-manager-controller
type: string
license:
description: LicenseAcceptance defines the license specification in
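Review bot: the `disableHostNetwork` description is truncated ("DisableHostNetwork disables" and nothing further). Host networking removes the pod's network-namespace isolation, so the doc comment should say which operand it applies to and what the default is. Two smaller doc mismatches in the same hunk: `enableWebhook` is described as "Webhook enables ...", and `imageRegistry` gives "cert-manager-controller" as its example, which is an image name rather than a registry; the `imageRegistry/imageName:imageTagAndPostFix` form under `imagePostFix` is the one to echo.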
@@ -197,9 +294,11 @@ spec:
type: object
refreshCertsBasedOnCA:
description: RefreshCertsBasedOnCA is a list of CA certificate names.
Leaf certificates created from the CA will be refreshed when the
CA is refreshed.
Leaf certificates created from any of the listed CA will be refreshed
when the CA is refreshed
items:
description: CACertificate describes a CA Certfiicate's name and
namespace
properties:
certName:
type: string
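Review bot: "Certfiicate" in the CACertificate item description is a typo. It is generated from the Go doc comment on the CACertificate type, so fix it there and re-run `make bundle` rather than editing this YAML, or the next regeneration reintroduces it.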
@@ -211,17 +310,22 @@ spec:
type: object
type: array
resourceNamespace:
description: ResourceNS describes the cluster-resource-namespace flag
for cert-manager-controller operand, which is used to configure
the namespace the operand will use for ClusterIssuer secretReferences
type: string
version:
description: Version descibes the version of cert-manager-operator.
Changing the value does not change the cert-manager-operator version
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
status:
description: CertManagerConfigStatus defines the observed state of CertManagerConfig
properties:
certManagerConfigStatus:
description: 'It will be as "OK when all objects are created successfully
TODO: convert these markers for spec descriptor'
description: OverallStatus describes whether cert-manager operands
have been successfully deployed or not.
type: string
required:
- certManagerConfigStatus
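Review bot: "descibes" in the `version` description is a typo, and `resourceNamespace` is still described as "ResourceNS", which no longer matches the field name; both come from Go doc comments and should be fixed at the source. Worth adding to the `resourceNamespace` description: since it is the namespace cert-manager-controller reads ClusterIssuer secretReferences from, anyone with write access to Secrets in that namespace can supply issuer credentials, so it should be a namespace with tight RBAC rather than a shared one.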
2 changes: 1 addition & 1 deletion bundle/metadata/annotations.yaml
@@ -5,7 +5,7 @@ annotations:
operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.package.v1: ibm-cert-manager-operator
operators.operatorframework.io.bundle.channels.v1: alpha
operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0
operators.operatorframework.io.metrics.builder: operator-sdk-v1.31.0
operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3

