fix: make deploy target

This PR address the issue sustainable-computing-io#381 by: * Enabling cert-manager that is necessary by webhooks during the deployment of Operator on k8s. * Adding support to deploy cert-manager when running `make deploy` target. * Including the installation of `cmctl`, a command line tool to manage cert-manager on k8s. Signed-off-by: Vibhu Prashar <[email protected]>
vprashar2929 · Jun 6, 2024 · ef0541a · ef0541a
1 parent 6f5762c
commit ef0541a
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 38 deletions.
diff --git a/Makefile b/Makefile
@@ -19,6 +19,9 @@ ENABLE_WEBHOOKS ?= true # enable webhooks by default
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
 
+# Cert manager version
+CERTMANAGER_VERSION ?=1.15.0
+
 # VERSION defines the project version for the bundle.
 # Update this value when you upgrade the version of your project.
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
@@ -245,7 +248,10 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified
 		kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
 .PHONY: deploy
-deploy: install ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+deploy: install cmctl ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	kubectl apply --server-side --force-conflicts -f \
+		https://github.com/jetstack/cert-manager/releases/download/v$(CERTMANAGER_VERSION)/cert-manager.yaml
+	$(CMCTL) check api --wait=5m
 	$(KUSTOMIZE) build config/default | \
 		sed  -e "s|<OPERATOR_IMG>|$(OPERATOR_IMG)|g" \
 		     -e "s|<KEPLER_IMG>|$(KEPLER_IMG)|g" \
@@ -256,6 +262,8 @@ deploy: install ## Deploy controller to the K8s cluster specified in ~/.kube/con
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | \
 		kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+	kubectl delete --ignore-not-found=true -f \
+		https://github.com/jetstack/cert-manager/releases/download/v${CERTMANAGER_VERSION}/cert-manager.yaml
 
 ##@ Build Dependencies
 
@@ -266,9 +274,11 @@ LOCALBIN ?= $(shell pwd)/tmp/bin
 KUSTOMIZE ?= $(LOCALBIN)/kustomize
 CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 CRDOC ?= $(LOCALBIN)/crdoc
+CMCTL ?= $(LOCALBIN)/cmctl
 
 # NOTE: please keep this list sorted so that it can be easily searched
 TOOLS = controller-gen \
+		cmctl \
 		crdoc \
 		govulncheck \
 		jq \

diff --git a/bundle/manifests/kepler-operator.clusterserviceversion.yaml b/bundle/manifests/kepler-operator.clusterserviceversion.yaml
@@ -310,6 +310,11 @@ spec:
                 runAsNonRoot: true
               serviceAccountName: kepler-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - name: cert
+                secret:
+                  defaultMode: 420
+                  secretName: webhook-server-cert
       permissions:
       - rules:
         - apiGroups:

diff --git a/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml b/bundle/manifests/kepler.system.sustainable.computing.io_keplers.yaml
@@ -2,6 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
+    cert-manager.io/inject-ca-from: kepler-operator-system/kepler-operator-serving-cert
     controller-gen.kubebuilder.io/version: v0.12.1
   creationTimestamp: null
   name: keplers.kepler.system.sustainable.computing.io

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -14,7 +14,7 @@ patchesStrategicMerge:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_keplers.yaml
+- patches/cainjection_in_keplers.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -20,7 +20,7 @@ bases:
 # crd/kustomization.yaml
 - ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 - ../prometheus
 
@@ -39,34 +39,34 @@ patchesStrategicMerge:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
+- webhookcainjection_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
@@ -16,10 +16,8 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
-  # NOTE: this will be removed by the manager kustomization.yaml
-  # since OLM will add the volume
-  volumes:
-  - name: cert
-    secret:
-      defaultMode: 420
-      secretName: webhook-server-cert
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
diff --git a/hack/cluster.sh b/hack/cluster.sh
@@ -31,7 +31,6 @@ declare -r PROJECT_ROOT
 declare -r TMP_DIR="$PROJECT_ROOT/tmp"
 declare -r DEV_CLUSTER_DIR="$TMP_DIR/local-dev-cluster"
 declare -r BIN_DIR="$TMP_DIR/bin"
-declare -r OPERATOR_SDK_VERSION=${OPERATOR_SDK_VERSION:-v1.27.0}
 
 source "$PROJECT_ROOT/hack/utils.bash"
 

diff --git a/hack/tools.sh b/hack/tools.sh
@@ -37,13 +37,15 @@ declare -r OC_VERSION=${OC_VERSION:-4.13.0}
 declare -r KUBECTL_VERSION=${KUBECTL_VERSION:-v1.28.4}
 declare -r SHFMT_VERSION=${SHFMT_VERSION:-v3.7.0}
 declare -r JQ_VERSION=${JQ_VERSION:-1.7}
+declare -r CMCTL_VERSION=${CMCTL_VERSION:-v2.0.0}
 
 # install
 declare -r KUSTOMIZE_INSTALL_SCRIPT="https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 declare -r OPERATOR_SDK_INSTALL="https://github.com/operator-framework/operator-sdk/releases/download/$OPERATOR_SDK_VERSION/operator-sdk_${GOOS}_${GOARCH}"
 declare -r YQ_INSTALL="https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_${GOOS}_${GOARCH}"
 declare -r OC_URL="https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$OC_VERSION"
 declare -r JQ_INSTALL_URL="https://github.com/jqlang/jq/releases/download/jq-$JQ_VERSION"
+declare -r CMCTL_INSTALL_URL="https://github.com/cert-manager/cmctl/releases/download/$CMCTL_VERSION"
 
 source "$PROJECT_ROOT/hack/utils.bash"
 
@@ -225,9 +227,30 @@ install_oc() {
 	ok "oc was installed successfully"
 
 }
+
+version_cmctl() {
+	cmctl version --client
+}
+
+install_cmctl() {
+	validate_version cmctl "version --client" "$CMCTL_VERSION" && return 0
+
+	info "installing cmctl version: $CMCTL_VERSION"
+	local os="$GOOS"
+	[[ $os == "darwin" ]] && os="mac"
+
+	local install="$CMCTL_INSTALL_URL/cmctl_${os}_$GOARCH"
+	curl -sSLo "$LOCAL_BIN/cmctl" "$install" || {
+		fail "failed to install cmctl"
+	}
+	chmod +x "$LOCAL_BIN/cmctl"
+	ok "cmctl was installed successfully"
+}
+
 version_jq() {
 	jq --version
 }
+
 install_jq() {
 	validate_version jq --version "$JQ_VERSION" && {
 		return 0