

Merge pull request dana-team#198 from dvirgilad/feat/cert-external-is…
…suer

feat: replace certificate-operator with cert-external-issuer
dana-prow-ci[bot] authored Aug 17, 2024
2 parents 9b045f0 + cd39b4d commit 7d5ecc2
Showing 17 changed files with 169 additions and 131 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ The `container-app-operator` project can work as a standalone solution, but is m

4. The `provider-dns` is a `Crossplane Provider` which reconciles the DNS Record CRs in the cluster and creates DNS Records in the pre-configured DNS provider (bring your own DNS provider).

5. The `certificate-operator` reconciles `Certificate` CRs in the cluster and creates certificates using the Cert API.
5. The `cert-external-issuer` reconciles `Certificate` CRs in the cluster and creates certificates using the Cert API.

6. The `logging-operator controller` reconciles the `Flow` and `Output` CRs in the cluster and collects logs from the pods' `stdout` and sends them to a pre-existing `Elasticsearch` index (bring your own indexes).

Expand Down Expand Up @@ -51,7 +51,7 @@ The `container-app-operator` project can work as a standalone solution, but is m

4. `provider-dns` and `Crossplane` installed on the cluster (you can [follow the instructions](https://github.com/dana-team/provider-dns) for the provider and [for Crossplane](https://docs.crossplane.io/latest/software/install/)).

5. `certificate-operator` installed on the cluster (you can [use the `install.yaml`](https://github.com/dana-team/certificate-operator/releases)).
5. `certificate-external-issuer` installed on the cluster (you can [use the `install.yaml`](https://github.com/dana-team/cert-external-issuer/releases)).

6. `logging-operator` installed on the cluster (you can [use the Helm Chart](https://kube-logging.dev/docs/install/#deploy-logging-operator-with-helm)).

Expand Down
4 changes: 2 additions & 2 deletions api/v1alpha1/capp_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ limitations under the License.
package v1alpha1

import (
certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1"
dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1"
loggingv1beta1 "github.com/kube-logging/logging-operator/pkg/sdk/logging/api/v1beta1"
Expand Down Expand Up @@ -187,7 +187,7 @@ type RouteStatus struct {

// CertificateObjectStatus is the status of the underlying Certificate object
// +optional
CertificateObjectStatus certv1alpha1.CertificateStatus `json:"certificateObjectStatus,omitempty"`
CertificateObjectStatus cmapi.CertificateStatus `json:"certificateObjectStatus,omitempty"`
}

type DNSRecordObjectStatus struct {
Expand Down
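Review bot: The type swap at line 54 changes every field under `status...certificateObjectStatus` while the JSON key and the `v1alpha1` version stay the same — judging by the CRD diff, the old `guid`, `issuer`, `secretName`, `validFrom` and `validTo` keys give way to cert-manager's `conditions`, `notAfter`, `notBefore`, `renewalTime` and `revision` — so any consumer reading the old keys silently gets empty values instead of an error. That is acceptable for an alpha API but should be called out in the release notes as a breaking status change. The doc comment should also name what the field now mirrors, e.g. `// CertificateObjectStatus mirrors the status of the underlying cert-manager.io/v1 Certificate object.`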
12 changes: 7 additions & 5 deletions charts/capp-prereq-helmfile.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -64,10 +64,12 @@ releases:
needs:
- cert-manager/cert-manager

- name: certificate-operator
namespace: certificate-operator-system
- name: cert-external-issuer
namespace: cert-external-issuer-system
createNamespace: true
chart: oci://ghcr.io/dana-team/helm-charts/certificate-operator
version: v0.1.3
chart: oci://ghcr.io/dana-team/helm-charts/cert-external-issuer
version: v0.1.0
wait: true
disableValidationOnInstall: true
disableValidationOnInstall: true
needs:
- cert-manager/cert-manager
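Review bot: The new release at lines 67–73 installs `oci://ghcr.io/dana-team/helm-charts/cert-external-issuer` by the mutable tag `v0.1.0` and with `disableValidationOnInstall: true`, so nothing in this file pins what actually gets applied to the cluster; a re-pushed tag would be picked up silently. Record the chart digest next to the pin (the digest printed by `helm pull oci://ghcr.io/dana-team/helm-charts/cert-external-issuer --version v0.1.0`) or, if the chart is signed, enable provenance verification, and treat `disableValidationOnInstall` as a known trade-off for CRD ordering rather than a default. If both `disableValidationOnInstall: true` lines at 75–76 land on the new side, the key is duplicated in the release map and one should be dropped. The `needs: cert-manager/cert-manager` dependency is correct here since an external issuer only works once cert-manager's CRDs exist.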
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ rules:
- list
- watch
- apiGroups:
- cert.dana.io
- cert-manager.io
resources:
- certificates
verbs:
Expand Down
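Review bot: Swapping only the apiGroup at line 85 carries the existing verb list (below this hunk) over to `cert-manager.io` Certificates unchanged, and that list should be re-checked against what the controller actually does with `cmapi.Certificate`: write verbs on Certificates let the holder point `spec.secretName` at any Secret name in the namespace and pick the issuer, so keep them to what the Capp controller really needs and keep the namespace scoping of the old rule. Also confirm no other rule in this file still references `cert.dana.io` now that the old operator is gone; `config/rbac/role.yaml` is changed the same way at line 309 and is generated from kubebuilder markers, so the marker in the controller is the place to fix both. This file's header lost its path in the rendering, so the note applies to whichever chart RBAC template the hunk belongs to.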
6 changes: 3 additions & 3 deletions cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ import (
"flag"
"os"

dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"

certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1"
dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1"

cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1"
cappcontroller "github.com/dana-team/container-app-operator/internal/kinds/capp/controllers"
Expand Down Expand Up @@ -60,7 +60,7 @@ func init() {
utilruntime.Must(knativev1beta1.AddToScheme(scheme))
utilruntime.Must(cappv1alpha1.AddToScheme(scheme))
utilruntime.Must(nfspvcv1alpha1.AddToScheme(scheme))
utilruntime.Must(certv1alpha1.AddToScheme(scheme))
utilruntime.Must(cmapi.AddToScheme(scheme))
utilruntime.Must(dnsrecordv1alpha1.AddToScheme(scheme))

//+kubebuilder:scaffold:scheme
Expand Down
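Review bot: Line 109 registers only cert-manager's `cmapi` types in the scheme, while go.mod at line 324 adds `github.com/dana-team/cert-external-issuer v0.1.0` as a direct requirement; if the controller reads or creates that module's own API types (its issuer kinds, for instance) they need an `AddToScheme` call here too, otherwise the typed client fails at runtime with an unregistered-kind error, and if it does not use them the direct dependency is dead weight that widens the supply-chain surface. As a point of style, lines 97–102 now keep `cmapi` and `dnsrecordv1alpha1` in separate import groups; `goimports` would merge them into one third-party group.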
142 changes: 81 additions & 61 deletions config/crd/bases/rcs.dana.io_capps.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8699,103 +8699,123 @@ spec:
Certificate object
properties:
conditions:
description: Conditions represent the current conditions of
the Certificate.
description: |-
List of status conditions to indicate the status of certificates.
Known condition types are `Ready` and `Issuing`.
items:
description: "Condition contains details for one aspect
of the current state of this API Resource.\n---\nThis
struct is intended for direct use as an array at the field
path .status.conditions. For example,\n\n\n\ttype FooStatus
struct{\n\t // Represents the observations of a foo's
current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t
\ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t
\ // +listType=map\n\t // +listMapKey=type\n\t Conditions
[]metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\"
patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
description: CertificateCondition contains condition information
for an Certificate.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
LastTransitionTime is the timestamp corresponding to the last status
change of this condition.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
Message is a human readable description of the details of the last
transition, complementing reason.
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
If set, this represents the .metadata.generation that the condition was
set based upon.
For instance, if .metadata.generation is currently 12, but the
.status.condition[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the Certificate.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
Reason is a brief machine readable explanation for the condition's last
transition.
type: string
status:
description: status of the condition, one of True, False,
Unknown.
description: Status of the condition, one of (`True`,
`False`, `Unknown`).
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
description: Type of the condition, known values are
(`Ready`, `Issuing`).
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
guid:
description: Guid is a unique identifier for the certificate.
type: string
issuer:
description: Issuer is the entity that issued the certificate.
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
failedIssuanceAttempts:
description: |-
The number of continuous failed issuance attempts up till now. This
field gets removed (if set) on a successful issuance and gets set to
1 if unset and an issuance has failed. If an issuance has failed, the
delay till the next issuance will be calculated using formula
time.Hour * 2 ^ (failedIssuanceAttempts - 1).
type: integer
lastFailureTime:
description: |-
LastFailureTime is set only if the lastest issuance for this
Certificate failed and contains the time of the failure. If an
issuance has failed, the delay till the next issuance will be
calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
1). If the latest issuance has succeeded this field will be unset.
format: date-time
type: string
secretName:
description: SecretName is the name of the Kubernetes Secret
where the extracted certificate is stored.
nextPrivateKeySecretName:
description: |-
The name of the Secret resource containing the private key to be used
for the next certificate iteration.
The keymanager controller will automatically set this field if the
`Issuing` condition is set to `True`.
It will automatically unset this field when the Issuing condition is
not set or False.
type: string
signatureHashAlgorithm:
description: SignatureHashAlgorithm is the algorithm used
to sign the certificate.
notAfter:
description: |-
The expiration time of the certificate stored in the secret named
by this resource in `spec.secretName`.
format: date-time
type: string
validFrom:
description: ValidFrom represents the time when the certificate
becomes valid.
notBefore:
description: |-
The time after which the certificate stored in the secret named
by this resource in `spec.secretName` is valid.
format: date-time
type: string
validTo:
description: ValidTo represents the time when the certificate
expires.
renewalTime:
description: |-
RenewalTime is the time at which the certificate will be next
renewed.
If not set, no upcoming renewal is scheduled.
format: date-time
type: string
revision:
description: |-
The current 'revision' of the certificate as issued.


When a CertificateRequest resource is created, it will have the
`cert-manager.io/certificate-revision` set to one greater than the
current value of this field.


Upon issuance, this field will be set to the value of the annotation
on the CertificateRequest resource used to issue the certificate.


Persisting the value on the CertificateRequest resource allows the
certificates controller to know whether a request is part of an old
issuance or if it is part of the ongoing revision's issuance by
checking if the revision value in the annotation is greater than this
field.
type: integer
type: object
dnsRecordObjectStatus:
description: ARecordSetObjectStatus is the status of the underlying
Expand Down
2 changes: 1 addition & 1 deletion config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ rules:
- list
- watch
- apiGroups:
- cert.dana.io
- cert-manager.io
resources:
- certificates
verbs:
Expand Down
6 changes: 4 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,10 @@ module github.com/dana-team/container-app-operator
go 1.22.2

require (
github.com/cert-manager/cert-manager v1.15.3
github.com/cisco-open/operator-tools v0.36.0
github.com/crossplane/crossplane-runtime v1.16.0
github.com/dana-team/certificate-operator v0.1.2
github.com/dana-team/cert-external-issuer v0.1.0
github.com/dana-team/nfspvc-operator v0.3.0
github.com/dana-team/provider-dns v0.1.0
github.com/go-logr/logr v1.4.2
Expand Down Expand Up @@ -93,7 +94,7 @@ require (
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.54.0 // indirect
github.com/prometheus/procfs v0.14.0 // indirect
github.com/prometheus/procfs v0.15.0 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.6.0 // indirect
Expand Down Expand Up @@ -125,6 +126,7 @@ require (
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
knative.dev/networking v0.0.0-20240716111826-bab7f2a3e556 // indirect
sigs.k8s.io/gateway-api v1.1.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
Expand Down
