Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add v1beta1 API with Conversion Webhook and Cert-Manager #140

Merged
merged 1 commit into from
Sep 25, 2023
Merged

Add v1beta1 API with Conversion Webhook and Cert-Manager #140

merged 1 commit into from
Sep 25, 2023

Conversation

jkhelil
Copy link
Contributor

@jkhelil jkhelil commented Sep 5, 2023
edited by adambkaplan
Loading

Changes

  • update release.yaml kodata file with v1beta1 apis and conversion sec
  • update release.yaml kodata file with webhook deployment, service, and serviceaccount
  • Add new env var USE_MANAGED_WEBHOOK_CERTS that controls whether the operator installs and managed tls for the webhook
  • ReconcileCertManager installs a secret with public/private key pair for the webhook ssl function
  • Add cert-manager as dependency on the bundle used by the ci
  • update doc

Fixes #142

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Note

- Upgrade Shipwright Build with v1beta1 support (v0.12 release candidate)
- Automatic deployment of cert-manager through OLM API dependency resolution.
- Use cert-manager to manage CA certificates for the new conversion webhook. This can be disabled by setting the `USE_MANAGED_WEBHOOK_CERTS` environment variable to `false` in the operator's subscription.

ACTION REQUIRED: automatic deployment of cert-manager requires an operator in the catalog that provides cert-manager APIs. This may not be guaranteed.

@pull-request-size pull-request-size bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 5, 2023
@jkhelil jkhelil changed the title add support for builds v1beta1 api WIP add support for builds v1beta1 api Sep 5, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 5, 2023
adambkaplan
adambkaplan reviewed Sep 5, 2023
View reviewed changes
kodata/release.yaml Outdated Show resolved Hide resolved
config/manifests/bases/shipwright-operator.clusterserviceversion.yaml Outdated Show resolved Hide resolved
docs/shipwrightbuild.md Outdated Show resolved Hide resolved
@jkhelil jkhelil changed the title WIP add support for builds v1beta1 api Add Conversion Webhook with CA Manager Strategies Sep 12, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 12, 2023
@jkhelil jkhelil force-pushed the support_v1beta1 branch 8 times, most recently from 2d76647 to badfce7 Compare September 17, 2023 08:21
@jkhelil
Copy link
Contributor Author

jkhelil commented Sep 17, 2023

/assign @adambkaplan
/assign @coreydaley
@adambkaplan @coreydaley can you review please ?

adambkaplan
adambkaplan reviewed Sep 18, 2023
View reviewed changes
Copy link
Member

@adambkaplan adambkaplan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

This is a good first step at getting the operator to support the beta API and associated conversion webhook. There are a few things that I would like to see before merging:

  1. Squashed commits, with a detailed commit message explaining what was added here.
  2. Add a similarly robust release note in the PR description. This is a significant change and probably needs an "ACTION REQUIRED" note due to the added cert-manager dependency.
  3. Update the README to clarify any prerequisites needed if the operator is installed/managed via OLM. For example, does the admin need to separately install the Tekton and Cert-manager operators?

One other thing I noticed that is a bit outside the scope is that our e2e test only checks that the operator installs the component. It doesn't, say, do a smoke test of running a Shipwright build and making sure it works fully end to end. This should be taken up as a separate item.

README.md Outdated Show resolved Hide resolved
bundle/manifests/shipwright-operator.clusterserviceversion.yaml
Comment on lines +43 to +45
- kind: Certificate
name: certificates.cert-manager.io
version: v1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Does this mean that a cluster admin also needs to install cert-manager?
  2. Does OLM do this automatically, or will an admin need to do this separately? See https://olm.operatorframework.io/docs/concepts/olm-architecture/dependency-resolution/#declaring-dependencies

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Via the bundle we provide, OLM installs automatically the dependencies, tekton and cert-manager

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should release the operator to provide the olm bundle in the operatorhubio

controllers/shipwrightbuild_controller.go Show resolved Hide resolved
pkg/certmanager/cert_manager.go
}
}

manifest, err := common.SetupManifestival(client, "certificates.yaml", logger)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not blocking - noticing that this setup code is being run through every reconcile loop. Follow up PRs can refactor things a bit so we only do this setup once. Perhaps use a separate controller?

pkg/tekton/tekton.go Show resolved Hide resolved
test/catalog/operatorhubio/shipwright-operator-bundle.json Show resolved Hide resolved
README.md
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to update the README to also recommend Tekton and Cert-Manager be installed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

README updated

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 18, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 18, 2023
@qu1queee qu1queee mentioned this pull request Sep 20, 2023
Closed
1 task
@jkhelil jkhelil mentioned this pull request Sep 21, 2023
Closed
@adambkaplan adambkaplan added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 21, 2023
adambkaplan
adambkaplan approved these changes Sep 21, 2023
View reviewed changes
Copy link
Member

@adambkaplan adambkaplan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One final nit on the README, otherwise looks good.

@shipwright-io/operator-reviewers ptal for lgtm.

README.md
Comment on lines +16 to +20
## OLM Dependencies
When installed via OLM using the provided SHipwright Operator Bundle, the Shipwright operator has two dependencies to:
- The Tekton operator needed by the Shipright Build Controller
- The Cert-Manager operator needed in case you delegate to the Shipwright operator the ssl certificates management of the Shipwright Conversion webhook
The two operators are then installed automatically by OLM.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit to clean up some of the grammar:

Suggested change
## OLM Dependencies
When installed via OLM using the provided SHipwright Operator Bundle, the Shipwright operator has two dependencies to:
- The Tekton operator needed by the Shipright Build Controller
- The Cert-Manager operator needed in case you delegate to the Shipwright operator the ssl certificates management of the Shipwright Conversion webhook
The two operators are then installed automatically by OLM.
## OLM Dependencies
When installed via OLM using the provided Shipwright Operator Bundle, the Shipwright operator will ask OLM to deploy the following operators:
- The [Tekton operator](https://tekton.dev/docs/operator/) to deploy and manage Tekton Pipelines.
- The [Cert-Manager operator](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) to provision certificates for admission/conversion webhooks.
For this to work, the Shipwright operator must be included in a catalog that includes these other operators.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@adambkaplan adambkaplan changed the title Add Conversion Webhook with CA Manager Strategies Add v1beta1 API with Conversion Webhook and Cert-Manager Sep 21, 2023
@jkhelil
Add support for builds v1beta1 api and conversion webhook
30d77ba 
- Update release.yaml with nightly release
- Add cert-manager as shipwright operator dependency
- ReconcileCertManager to generate ssl key pair for the webhook
- Generate rbac, manifests and bundle
- update doc
@jkhelil
Copy link
Contributor Author

jkhelil commented Sep 22, 2023

@shipwright-io/operator-reviewers for lgtm

@qu1queee qu1queee self-requested a review September 25, 2023 13:13
qu1queee
qu1queee approved these changes Sep 25, 2023
View reviewed changes
Copy link

@qu1queee qu1queee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023
@openshift-merge-robot openshift-merge-robot merged commit f244a06 into shipwright-io:main Sep 25, 2023
3 checks passed
@adambkaplan adambkaplan mentioned this pull request Sep 27, 2023
Closed
@SaschaSchwarze0 SaschaSchwarze0 added this to the release-v0.12.0 milestone Nov 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qu1queee qu1queee qu1queee approved these changes

@adambkaplan adambkaplan adambkaplan approved these changes

@HeavyWombat HeavyWombat Awaiting requested review from HeavyWombat

@SaschaSchwarze0 SaschaSchwarze0 Awaiting requested review from SaschaSchwarze0

Assignees

@adambkaplan adambkaplan

@qu1queee qu1queee

@coreydaley coreydaley

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note-action-required size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
Shipwright Overview
Archived in project
Milestone
release-v0.12.0
Development

Successfully merging this pull request may close these issues.

[FEATURE] Deploy Beta API with Conversion Webhook
6 participants
@jkhelil @adambkaplan @qu1queee @coreydaley @openshift-merge-robot @SaschaSchwarze0