diff --git a/README.md b/README.md index 3892a03c..4df14a4e 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ The `container-app-operator` project can work as a standalone solution, but is m 4. The `provider-dns` is a `Crossplane Provider` which reconciles the DNS Record CRs in the cluster and creates DNS Records in the pre-configured DNS provider (bring your own DNS provider). -5. The `certificate-operator` reconciles `Certificate` CRs in the cluster and creates certificates using the Cert API. +5. The `cert-external-issuer` reconciles `Certificate` CRs in the cluster and creates certificates using the Cert API. 6. The `logging-operator controller` reconciles the `Flow` and `Output` CRs in the cluster and collects logs from the pods' `stdout` and sends them to a pre-existing `Elasticsearch` index (bring your own indexes). @@ -51,7 +51,7 @@ The `container-app-operator` project can work as a standalone solution, but is m 4. `provider-dns` and `Crossplane` installed on the cluster (you can [follow the instructions](https://github.com/dana-team/provider-dns) for the provider and [for Crossplane](https://docs.crossplane.io/latest/software/install/)). -5. `certificate-operator` installed on the cluster (you can [use the `install.yaml`](https://github.com/dana-team/certificate-operator/releases)). +5. `certificate-external-issuer` installed on the cluster (you can [use the `install.yaml`](https://github.com/dana-team/cert-external-issuer/releases)). 6. `logging-operator` installed on the cluster (you can [use the Helm Chart](https://kube-logging.dev/docs/install/#deploy-logging-operator-with-helm)). diff --git a/api/v1alpha1/capp_types.go b/api/v1alpha1/capp_types.go index 3af7fbce..7eab2cb6 100755 --- a/api/v1alpha1/capp_types.go +++ b/api/v1alpha1/capp_types.go 
@@ -17,7 +17,7 @@ limitations under the License. package v1alpha1 import ( - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1" dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" loggingv1beta1 "github.com/kube-logging/logging-operator/pkg/sdk/logging/api/v1beta1" @@ -187,7 +187,7 @@ type RouteStatus struct { // CertificateObjectStatus is the status of the underlying Certificate object // +optional - CertificateObjectStatus certv1alpha1.CertificateStatus `json:"certificateObjectStatus,omitempty"` + CertificateObjectStatus cmapi.CertificateStatus `json:"certificateObjectStatus,omitempty"` } type DNSRecordObjectStatus struct { diff --git a/charts/capp-prereq-helmfile.yaml b/charts/capp-prereq-helmfile.yaml index dec72018..23a8acf2 100644 --- a/charts/capp-prereq-helmfile.yaml +++ b/charts/capp-prereq-helmfile.yaml @@ -64,10 +64,12 @@ releases: needs: - cert-manager/cert-manager - - name: certificate-operator - namespace: certificate-operator-system + - name: cert-external-issuer + namespace: cert-external-issuer-system createNamespace: true - chart: oci://ghcr.io/dana-team/helm-charts/certificate-operator - version: v0.1.3 + chart: oci://ghcr.io/dana-team/helm-charts/cert-external-issuer + version: v0.1.0 wait: true - disableValidationOnInstall: true \ No newline at end of file + disableValidationOnInstall: true + needs: + - cert-manager/cert-manager \ No newline at end of file diff --git a/charts/container-app-operator/templates/manager-rbac-cluster-role.yaml b/charts/container-app-operator/templates/manager-rbac-cluster-role.yaml index 747c71c1..968e89db 100644 --- a/charts/container-app-operator/templates/manager-rbac-cluster-role.yaml +++ b/charts/container-app-operator/templates/manager-rbac-cluster-role.yaml 
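Review bot: Changing `CertificateObjectStatus` to `cmapi.CertificateStatus` alters the Capp status schema while the API stays at `v1alpha1`; the regenerated `rcs.dana.io_capps.yaml` hunk shows `guid`, `issuer`, `secretName`, `validFrom` and `validTo` disappearing and cert-manager fields such as `revision`, `renewalTime` and `nextPrivateKeySecretName` appearing, so any consumer that reads the old fields breaks without a version bump or a migration note. At minimum the field comment should say which object's status is mirrored now, e.g. `// CertificateObjectStatus is the status of the underlying cert-manager Certificate object`. `RouteStatus` begins outside the hunk.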
@@ -41,7 +41,7 @@ rules: - list - watch - apiGroups: - - cert.dana.io + - cert-manager.io resources: - certificates verbs: diff --git a/cmd/main.go b/cmd/main.go index 708a4182..01b25c26 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -20,9 +20,9 @@ import ( "flag" "os" - dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1" cappcontroller "github.com/dana-team/container-app-operator/internal/kinds/capp/controllers" @@ -60,7 +60,7 @@ func init() { utilruntime.Must(knativev1beta1.AddToScheme(scheme)) utilruntime.Must(cappv1alpha1.AddToScheme(scheme)) utilruntime.Must(nfspvcv1alpha1.AddToScheme(scheme)) - utilruntime.Must(certv1alpha1.AddToScheme(scheme)) + utilruntime.Must(cmapi.AddToScheme(scheme)) utilruntime.Must(dnsrecordv1alpha1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme diff --git a/config/crd/bases/rcs.dana.io_capps.yaml b/config/crd/bases/rcs.dana.io_capps.yaml index 87d67b43..70201095 100644 --- a/config/crd/bases/rcs.dana.io_capps.yaml +++ b/config/crd/bases/rcs.dana.io_capps.yaml 
@@ -8699,103 +8699,123 @@ spec: Certificate object properties: conditions: - description: Conditions represent the current conditions of - the Certificate. + description: |- + List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. items: - description: "Condition contains details for one aspect - of the current state of this API Resource.\n---\nThis - struct is intended for direct use as an array at the field - path .status.conditions. For example,\n\n\n\ttype FooStatus - struct{\n\t // Represents the observations of a foo's - current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t - \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t - \ // +listType=map\n\t // +listMapKey=type\n\t Conditions - []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" - patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: CertificateCondition contains condition information + for an Certificate. properties: lastTransitionTime: description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. format: date-time type: string message: description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 + Message is a human readable description of the details of the last + transition, complementing reason. type: string observedGeneration: description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Certificate. format: int64 - minimum: 0 type: integer reason: description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + Reason is a brief machine readable explanation for the condition's last + transition. type: string status: - description: status of the condition, one of True, False, - Unknown. + description: Status of the condition, one of (`True`, + `False`, `Unknown`). enum: - "True" - "False" - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + description: Type of the condition, known values are + (`Ready`, `Issuing`). 
type: string required: - - lastTransitionTime - - message - - reason - status - type type: object type: array - guid: - description: Guid is a unique identifier for the certificate. - type: string - issuer: - description: Issuer is the entity that issued the certificate. + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: |- + The number of continuous failed issuance attempts up till now. This + field gets removed (if set) on a successful issuance and gets set to + 1 if unset and an issuance has failed. If an issuance has failed, the + delay till the next issuance will be calculated using formula + time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: |- + LastFailureTime is set only if the lastest issuance for this + Certificate failed and contains the time of the failure. If an + issuance has failed, the delay till the next issuance will be + calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - + 1). If the latest issuance has succeeded this field will be unset. + format: date-time type: string - secretName: - description: SecretName is the name of the Kubernetes Secret - where the extracted certificate is stored. + nextPrivateKeySecretName: + description: |- + The name of the Secret resource containing the private key to be used + for the next certificate iteration. + The keymanager controller will automatically set this field if the + `Issuing` condition is set to `True`. + It will automatically unset this field when the Issuing condition is + not set or False. type: string - signatureHashAlgorithm: - description: SignatureHashAlgorithm is the algorithm used - to sign the certificate. + notAfter: + description: |- + The expiration time of the certificate stored in the secret named + by this resource in `spec.secretName`. + format: date-time type: string - validFrom: - description: ValidFrom represents the time when the certificate - becomes valid. 
+ notBefore: + description: |- + The time after which the certificate stored in the secret named + by this resource in `spec.secretName` is valid. format: date-time type: string - validTo: - description: ValidTo represents the time when the certificate - expires. + renewalTime: + description: |- + RenewalTime is the time at which the certificate will be next + renewed. + If not set, no upcoming renewal is scheduled. format: date-time type: string + revision: + description: |- + The current 'revision' of the certificate as issued. + + + When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. + + + Upon issuance, this field will be set to the value of the annotation + on the CertificateRequest resource used to issue the certificate. + + + Persisting the value on the CertificateRequest resource allows the + certificates controller to know whether a request is part of an old + issuance or if it is part of the ongoing revision's issuance by + checking if the revision value in the annotation is greater than this + field. + type: integer type: object dnsRecordObjectStatus: description: ARecordSetObjectStatus is the status of the underlying diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index a01e9311..481bf597 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -40,7 +40,7 @@ rules: - list - watch - apiGroups: - - cert.dana.io + - cert-manager.io resources: - certificates verbs: diff --git a/go.mod b/go.mod index 3a4c5377..9e008c15 100644 --- a/go.mod +++ b/go.mod 
@@ -3,9 +3,10 @@ module github.com/dana-team/container-app-operator go 1.22.2 require ( + github.com/cert-manager/cert-manager v1.15.3 github.com/cisco-open/operator-tools v0.36.0 github.com/crossplane/crossplane-runtime v1.16.0 - github.com/dana-team/certificate-operator v0.1.2 + github.com/dana-team/cert-external-issuer v0.1.0 github.com/dana-team/nfspvc-operator v0.3.0 github.com/dana-team/provider-dns v0.1.0 github.com/go-logr/logr v1.4.2 @@ -93,7 +94,7 @@ require ( github.com/prometheus/client_golang v1.19.1 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.54.0 // indirect - github.com/prometheus/procfs v0.14.0 // indirect + github.com/prometheus/procfs v0.15.0 // indirect github.com/sergi/go-diff v1.2.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect @@ -125,6 +126,7 @@ require ( k8s.io/klog/v2 v2.120.1 // indirect k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect knative.dev/networking v0.0.0-20240716111826-bab7f2a3e556 // indirect + sigs.k8s.io/gateway-api v1.1.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/go.sum b/go.sum index cbf106f4..a017dc0f 100644 --- a/go.sum +++ b/go.sum 
@@ -29,6 +29,8 @@ github.com/blendle/zapdriver v1.3.1 h1:C3dydBOWYRiOk+B8X9IVZ5IOe+7cl+tGOexN4QqHf
 github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc=
 github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
+github.com/cert-manager/cert-manager v1.15.3 h1:/u9T0griwd5MegPfWbB7v0KcVcT9OJrEvPNhc9tl7xQ=
+github.com/cert-manager/cert-manager v1.15.3/go.mod h1:stBge/DTvrhfQMB/93+Y62s+gQgZBsfL1o0C/4AL/mI=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cisco-open/operator-tools v0.36.0 h1:CHh7OCq0NaBBRZ81K7LZZXqRLQmHpUIOIEaIcvhvlp8=
@@ -38,8 +40,10 @@ github.com/crossplane/crossplane-runtime v1.16.0 h1:lz+l0wEB3qowdTmN7t0PZkfuNSvf
 github.com/crossplane/crossplane-runtime v1.16.0/go.mod h1:Pz2tdGVMF6KDGzHZOkvKro0nKc8EzK0sb/nSA7pH4Dc=
 github.com/crossplane/upjet v1.3.0 h1:qRgcfqLz4M2v7enUku3xEriY5poc5XVbRl98nbvvu+E=
 github.com/crossplane/upjet v1.3.0/go.mod h1:3pDVtCgyBc5f2Zx4K5HEPxxhjndmOc5CHCJNpIivK/g=
-github.com/dana-team/certificate-operator v0.1.2 h1:X2Purs96Ae/HOjcK1WHxZ3+rpPmautnE7xhelpn4Ews=
-github.com/dana-team/certificate-operator v0.1.2/go.mod h1:gY9hjV3gk3LTBxi2UbkmdXlKF3eI8kr5+XxSzMgp6hU=
+github.com/dana-team/cert-external-issuer v0.0.0-20240812103756-3404b13d86da h1:DX1Qdv1bxgyk+HGSR3ssZVDww5bLvQNEQTdWgjYjLSQ=
+github.com/dana-team/cert-external-issuer v0.0.0-20240812103756-3404b13d86da/go.mod h1:LYZ8pCQZFmfot0+SwIh1OxyGZelMZjKuJM1W5JUxBIY=
+github.com/dana-team/cert-external-issuer v0.1.0 h1:ObSY+ioxhEqwsLVnfqNznpHKH0CDJbYL8UcGVT44MuM=
+github.com/dana-team/cert-external-issuer v0.1.0/go.mod h1:LYZ8pCQZFmfot0+SwIh1OxyGZelMZjKuJM1W5JUxBIY=
 github.com/dana-team/nfspvc-operator v0.3.0 h1:K8++dWanaDGLxm5kqLUG6fqeaW/nLR+hrSr04MKC2d0=
 github.com/dana-team/nfspvc-operator v0.3.0/go.mod h1:E32D1+U6DX/ZlVKprdYMOV2wV5E3TOS2jqRCEu/umHI=
 github.com/dana-team/provider-dns v0.1.0 h1:lp3KsHg51P+phQdKAFR3Grx/O1azOnGumTfJhZGoGcU=
@@ -116,8 +120,8 @@ github.com/google/pprof v0.0.0-20240508145209-1db217f89380/go.mod h1:kf6iHlnVGwg
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 h1:1/D3zfFHttUKaCaGKZ/dR2roBXv0vKbSCnssIldfQdI=
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBMaudVLy8fmjf9Npq1dq9RalhveqZG5w/yz3mHWs=
 github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I=
@@ -221,12 +225,12 @@ github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM1D8=
 github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=
-github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s=
-github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ=
+github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek=
+github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk=
 github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT1pX2CziuyQR0=
 github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@@ -364,7 +368,7 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= +google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 h1:+rdxYoE3E5htTEWIe15GlN6IfvbURM//Jt0mmkmm6ZU= google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo= google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8= @@ -415,6 +419,8 @@ knative.dev/serving v0.42.1 h1:iDx0eYAFRcWYPZ0gizu5lqXDAZ+hSGrUXHrFGiop1KM= knative.dev/serving v0.42.1/go.mod h1:3cgU8/864RcqA0ZPrc3jFcmS3uJL/mOlUZiYsXonwaE= sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= +sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/internal/kinds/capp/controllers/controller.go b/internal/kinds/capp/controllers/controller.go index 1f6f95f7..8de3a5b7 100644 --- a/internal/kinds/capp/controllers/controller.go 
+++ b/internal/kinds/capp/controllers/controller.go @@ -5,12 +5,12 @@ import ( "fmt" "time" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + "github.com/dana-team/container-app-operator/internal/kinds/capp/utils" dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" - loggingv1beta1 "github.com/kube-logging/logging-operator/pkg/sdk/logging/api/v1beta1" "k8s.io/apimachinery/pkg/types" @@ -64,7 +64,7 @@ type CappReconciler struct { // +kubebuilder:rbac:groups="events.k8s.io",resources=events,verbs=get;list;watch;update;create;patch // +kubebuilder:rbac:groups="nfspvc.dana.io",resources=nfspvcs,verbs=get;list;watch;update;create;delete // +kubebuilder:rbac:groups="record.dns.crossplane.io",resources=cnamerecords,verbs=get;list;watch;update;create;delete -// +kubebuilder:rbac:groups="cert.dana.io",resources=certificates,verbs=get;list;watch;update;create;delete +// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;update;create;delete // SetupWithManager sets up the controller with the Manager. func (r *CappReconciler) SetupWithManager(mgr ctrl.Manager) error { @@ -81,7 +81,7 @@ func (r *CappReconciler) SetupWithManager(mgr ctrl.Manager) error { builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}), ). Watches( - &certv1alpha1.Certificate{}, + &cmapi.Certificate{}, handler.EnqueueRequestsFromMapFunc(r.findCappFromHostname), builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}), ). diff --git a/internal/kinds/capp/resourceclient/resourcepreparers.go b/internal/kinds/capp/resourceclient/resourcepreparers.go index 01f5ed3d..2a70a8bd 100644 --- a/internal/kinds/capp/resourceclient/resourcepreparers.go +++ b/internal/kinds/capp/resourceclient/resourcepreparers.go 
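Review bot: `Watches(&cmapi.Certificate{}, ...)` now subscribes to every cert-manager Certificate in the cluster, not only the ones this operator creates, and `predicate.ResourceVersionChangedPredicate{}` does nothing to narrow that, so every unrelated Certificate update is pushed through `findCappFromHostname` and the informer cache holds all of them. The Certificates built by `prepareResource` carry the `utils.ManagedByLabelKey: utils.CappKey` label, so unless `findCappFromHostname` already rejects unlabelled objects (its body is not in this hunk), a label predicate beside the existing one would bound the fan-out, e.g. `predicate.NewPredicateFuncs(func(o client.Object) bool { return o.GetLabels()[utils.ManagedByLabelKey] == utils.CappKey })` — assuming `client` is imported here, which the hunk does not show. The RBAC marker in the earlier hunk is consistent with the new `cert-manager.io` group. `SetupWithManager` continues outside the hunk.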
@@ -1,7 +1,7 @@ package resourceclient import ( - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1" dnsvrecord1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" loggingv1beta1 "github.com/kube-logging/logging-operator/pkg/sdk/logging/api/v1beta1" @@ -31,8 +31,8 @@ func GetBareDomainMapping(name, namespace string) knativev1beta1.DomainMapping { } // GetBareCertificate returns a Certificate object with only ObjectMeta set. -func GetBareCertificate(name, namespace string) certv1alpha1.Certificate { - return certv1alpha1.Certificate{ +func GetBareCertificate(name, namespace string) cmapi.Certificate { + return cmapi.Certificate{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: namespace, diff --git a/internal/kinds/capp/resourcemanagers/certificate.go b/internal/kinds/capp/resourcemanagers/certificate.go index 00f9a402..2e41f751 100644 --- a/internal/kinds/capp/resourcemanagers/certificate.go +++ b/internal/kinds/capp/resourcemanagers/certificate.go @@ -2,9 +2,13 @@ package resourcemanagers import ( "context" + "fmt" - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + certv1alpha1 "github.com/dana-team/cert-external-issuer/api/v1alpha1" + + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1" "github.com/dana-team/container-app-operator/internal/kinds/capp/utils" corev1 "k8s.io/api/core/v1" 
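Review bot: In the certificate.go import hunk the alias `certv1alpha1` is kept but now points at `github.com/dana-team/cert-external-issuer/api/v1alpha1`, while every other file in this change removes that alias in favour of `cmapi`; a reader who meets `certv1alpha1.GroupVersion.Group` in `prepareResource` will assume the old certificate-operator API is still in use. Renaming it to something like `externalissuerv1alpha1` makes clear that the only thing taken from that module is the issuer's API group for `IssuerRef.Group`. If the group string is all that is needed, a short comment on the import saying so (`// imported only for the issuer API group used in IssuerRef`) helps justify pulling in the whole module.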
@@ -23,8 +27,9 @@ const (
 Certificate = "certificate"
 eventCappCertificateCreationFailed = "CertificateCreationFailed"
 eventCappCertificateCreated = "CertificateCreated"
- certificateForm = "pfx"
- certificateConfig = "certificateconfig-capp"
+ PrivateKeySize = 4096
+ clusterIssuerName = "cert-external-issuer-clusterissuer"
+ clusterIssuerKind = "ClusterIssuer"
 )
 
 type CertificateManager struct {
@@ -35,21 +40,21 @@ type CertificateManager struct {
 }
 
 // prepareResource prepares a Certificate resource based on the provided Capp.
-func (c CertificateManager) prepareResource(capp cappv1alpha1.Capp) (certv1alpha1.Certificate, error) {
+func (c CertificateManager) prepareResource(capp cappv1alpha1.Capp) (cmapi.Certificate, error) {
 dnsConfig, err := utils.GetDNSConfig(c.Ctx, c.K8sclient)
 if err != nil {
- return certv1alpha1.Certificate{}, err
+ return cmapi.Certificate{}, err
 }
 
 zone, err := utils.GetZoneFromConfig(dnsConfig)
 if err != nil {
- return certv1alpha1.Certificate{}, err
+ return cmapi.Certificate{}, err
 }
 
 resourceName := utils.GenerateResourceName(capp.Spec.RouteSpec.Hostname, zone)
 secretName := utils.GenerateSecretName(capp)
 
- certificate := certv1alpha1.Certificate{
+ certificate := cmapi.Certificate{
 TypeMeta: metav1.TypeMeta{},
 ObjectMeta: metav1.ObjectMeta{
 Name: resourceName,
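Review bot: `clusterIssuerName = "cert-external-issuer-clusterissuer"` hard-codes the name of a cluster-scoped issuer that has to exist out-of-band, so the operator cannot be pointed at a differently named issuer without a rebuild, and a missing issuer only shows up as a Certificate that never becomes Ready. The same function already reads deployment-specific values from a config object (`utils.GetDNSConfig` / `utils.GetZoneFromConfig` in the next hunk), so the issuer name would fit that pattern. Separately, `PrivateKeySize` is the only exported name in this const block; if nothing outside the package uses it, make it `privateKeySize` like its siblings, and give the three new constants a comment, e.g. `// clusterIssuerName is the cert-manager ClusterIssuer every Capp Certificate is issued from; it is expected to be created by the cert-external-issuer deployment.`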
@@ -59,20 +64,21 @@ func (c CertificateManager) prepareResource(capp cappv1alpha1.Capp) (certv1alpha
 utils.ManagedByLabelKey: utils.CappKey,
 },
 },
- Spec: certv1alpha1.CertificateSpec{
- CertificateData: certv1alpha1.CertificateData{
- Subject: certv1alpha1.Subject{
- CommonName: resourceName,
- },
- San: certv1alpha1.San{
- DNS: []string{resourceName},
- },
- Form: certificateForm,
+ Spec: cmapi.CertificateSpec{
+ CommonName: resourceName,
+ DNSNames: []string{resourceName},
+ PrivateKey: &cmapi.CertificatePrivateKey{
+ Algorithm: cmapi.RSAKeyAlgorithm,
+ Encoding: cmapi.PKCS1,
+ Size: PrivateKeySize,
 },
- SecretName: secretName,
- ConfigRef: certv1alpha1.ConfigReference{
- Name: certificateConfig,
+ IsCA: false,
+ IssuerRef: cmmeta.ObjectReference{
+ Name: clusterIssuerName,
+ Kind: clusterIssuerKind,
+ Group: certv1alpha1.GroupVersion.Group,
 },
+ SecretName: secretName,
 },
 }
 
@@ -117,7 +123,7 @@ func (c CertificateManager) create(capp cappv1alpha1.Capp) error {
 return fmt.Errorf("failed to prepare Certificate: %w", err)
 }
 
- certificate := certv1alpha1.Certificate{}
+ certificate := cmapi.Certificate{}
 resourceManager := rclient.ResourceManagerClient{Ctx: c.Ctx, K8sclient: c.K8sclient, Log: c.Log}
 
 if err := c.K8sclient.Get(c.Ctx, types.NamespacedName{Namespace: capp.Namespace, Name: certificateFromCapp.Name}, &certificate); err != nil {
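Review bot: The `PrivateKey` block sets algorithm, encoding and size but not `RotationPolicy`, and in the cert-manager release pinned here the default for that field is `Never`, so the RSA key stored in `secretName` is reused unchanged across every renewal for the lifetime of the Capp; add `RotationPolicy: cmapi.RotationPolicyAlways,` beside `Size: PrivateKeySize,` so a renewal also rolls the key. `IsCA: false` is the zero value and could be dropped, though spelling it out is defensible for a leaf certificate. Note that `Form: certificateForm` (`pfx`) is removed and cert-manager writes its own key layout into the Secret, so anything that read that Secret directly needs checking — the consumer is not in this hunk. `prepareResource` begins and ends outside the hunk.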
@@ -140,7 +146,7 @@ func (c CertificateManager) create(capp cappv1alpha1.Capp) error { } // createCertificate creates a new Certificate and emits an event. -func (c CertificateManager) createCertificate(capp cappv1alpha1.Capp, certificateFromCapp certv1alpha1.Certificate, resourceManager rclient.ResourceManagerClient) error { +func (c CertificateManager) createCertificate(capp cappv1alpha1.Capp, certificateFromCapp cmapi.Certificate, resourceManager rclient.ResourceManagerClient) error { if err := resourceManager.CreateResource(&certificateFromCapp); err != nil { c.EventRecorder.Event(&capp, corev1.EventTypeWarning, eventCappCertificateCreationFailed, fmt.Sprintf("Failed to create Certificate %s", certificateFromCapp.Name)) @@ -179,8 +185,8 @@ func (c CertificateManager) handlePreviousCertificates(capp cappv1alpha1.Capp, r } // getPreviousCertificates returns a list of all Certificate objects that are related to the given Capp. -func (c CertificateManager) getPreviousCertificates(capp cappv1alpha1.Capp) (certv1alpha1.CertificateList, error) { - certificates := certv1alpha1.CertificateList{} +func (c CertificateManager) getPreviousCertificates(capp cappv1alpha1.Capp) (cmapi.CertificateList, error) { + certificates := cmapi.CertificateList{} set := labels.Set{ utils.CappResourceKey: capp.Name, @@ -195,7 +201,7 @@ func (c CertificateManager) getPreviousCertificates(capp cappv1alpha1.Capp) (cer } // deletePreviousCertificates deletes all previous Certificates associated with a Capp. -func (c CertificateManager) deletePreviousCertificates(certificates certv1alpha1.CertificateList, resourceManager rclient.ResourceManagerClient, hostname string) error { +func (c CertificateManager) deletePreviousCertificates(certificates cmapi.CertificateList, resourceManager rclient.ResourceManagerClient, hostname string) error { for _, certificate := range certificates.Items { if certificate.Name != hostname { cert := rclient.GetBareCertificate(certificate.Name, certificate.Namespace) 
diff --git a/internal/kinds/capp/status/route.go b/internal/kinds/capp/status/route.go index 7918a1e1..25fe1278 100644 --- a/internal/kinds/capp/status/route.go +++ b/internal/kinds/capp/status/route.go @@ -3,11 +3,12 @@ package status import ( "context" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + rmanagers "github.com/dana-team/container-app-operator/internal/kinds/capp/resourcemanagers" "github.com/dana-team/container-app-operator/internal/kinds/capp/utils" dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1" "k8s.io/apimachinery/pkg/types" knativev1beta1 "knative.dev/serving/pkg/apis/serving/v1beta1" @@ -69,15 +70,15 @@ func buildDomainMappingStatus(ctx context.Context, kubeClient client.Client, cap // buildCertificateStatus partly constructs the Route Status of the Capp object in accordance to the // status of the corresponding Certificate object. -func buildCertificateStatus(ctx context.Context, kubeClient client.Client, capp cappv1alpha1.Capp, isRequired bool, zone string) (certv1alpha1.CertificateStatus, error) { +func buildCertificateStatus(ctx context.Context, kubeClient client.Client, capp cappv1alpha1.Capp, isRequired bool, zone string) (cmapi.CertificateStatus, error) { if !isRequired { - return certv1alpha1.CertificateStatus{}, nil + return cmapi.CertificateStatus{}, nil } - certificate := &certv1alpha1.Certificate{} + certificate := &cmapi.Certificate{} certificateName := utils.GenerateResourceName(capp.Spec.RouteSpec.Hostname, zone) if err := kubeClient.Get(ctx, types.NamespacedName{Namespace: capp.Namespace, Name: certificateName}, certificate); err != nil { - return certv1alpha1.CertificateStatus{}, err + return cmapi.CertificateStatus{}, err } return certificate.Status, nil 
diff --git a/test/e2e_tests/certificate_e2e_test.go b/test/e2e_tests/certificate_e2e_test.go index 2ce4f173..614b8853 100644 --- a/test/e2e_tests/certificate_e2e_test.go +++ b/test/e2e_tests/certificate_e2e_test.go @@ -47,7 +47,7 @@ var _ = Describe("Validate Certificate functionality", func() { Eventually(func() []string { updatedCertificateObject = utilst.GetCertificate(k8sClient, updatedRouteHostname, toBeUpdatedCapp.Namespace) - return updatedCertificateObject.Spec.CertificateData.San.DNS + return updatedCertificateObject.Spec.DNSNames }, testconsts.Timeout, testconsts.Interval).Should(Equal([]string{updatedRouteHostname})) By("Deleting the Capp instance and checking if the Certificate was deleted successfully") diff --git a/test/e2e_tests/helper.go b/test/e2e_tests/helper.go index b538b64e..2b5414be 100644 --- a/test/e2e_tests/helper.go +++ b/test/e2e_tests/helper.go @@ -1,7 +1,7 @@ package e2e_tests import ( - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1" nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1" dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" @@ -29,7 +29,7 @@ func newScheme() *runtime.Scheme { utilruntime.Must(knativev1beta1.AddToScheme(scheme)) utilruntime.Must(cappv1alpha1.AddToScheme(scheme)) utilruntime.Must(nfspvcv1alpha1.AddToScheme(scheme)) - utilruntime.Must(certv1alpha1.AddToScheme(scheme)) + utilruntime.Must(cmapi.AddToScheme(scheme)) utilruntime.Must(dnsrecordv1alpha1.AddToScheme(scheme)) return scheme diff --git a/test/e2e_tests/mocks/route.go b/test/e2e_tests/mocks/route.go index d427a6d6..c2975fd0 100644 --- a/test/e2e_tests/mocks/route.go +++ b/test/e2e_tests/mocks/route.go 
@@ -1,7 +1,7 @@ package mocks import ( - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" knativev1beta1 "knative.dev/serving/pkg/apis/serving/v1beta1" @@ -18,8 +18,8 @@ func CreateDomainMappingObject(name string) *knativev1beta1.DomainMapping { } // CreateCertificateObject returns an empty DomainMapping object. -func CreateCertificateObject(name string) *certv1alpha1.Certificate { - return &certv1alpha1.Certificate{ +func CreateCertificateObject(name string) *cmapi.Certificate { + return &cmapi.Certificate{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: NSName, diff --git a/test/e2e_tests/utils/route_adapter.go b/test/e2e_tests/utils/route_adapter.go index 3d6e8adc..84556bde 100644 --- a/test/e2e_tests/utils/route_adapter.go +++ b/test/e2e_tests/utils/route_adapter.go @@ -3,9 +3,10 @@ package utils import ( "strings" + cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + dnsrecordv1alpha1 "github.com/dana-team/provider-dns/apis/record/v1alpha1" - certv1alpha1 "github.com/dana-team/certificate-operator/api/v1alpha1" cappv1alpha1 "github.com/dana-team/container-app-operator/api/v1alpha1" mock "github.com/dana-team/container-app-operator/test/e2e_tests/mocks" knativev1beta1 "knative.dev/serving/pkg/apis/serving/v1beta1" 
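Review bot: The doc comment above `CreateCertificateObject` still says it returns an empty DomainMapping object, and since this hunk rewrites the function's signature to return `*cmapi.Certificate` it is the natural place to correct it: `// CreateCertificateObject returns a Certificate object with only ObjectMeta set.` The function body is cut off at the end of the hunk.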
@@ -50,8 +51,8 @@ func GetDNSRecord(k8sClient client.Client, name string) *dnsrecordv1alpha1.CNAME
 }
 
 // GetCertificate fetches and returns an existing instance of a Certificate.
-func GetCertificate(k8sClient client.Client, name string, namespace string) *certv1alpha1.Certificate {
- certificate := &certv1alpha1.Certificate{}
+func GetCertificate(k8sClient client.Client, name string, namespace string) *cmapi.Certificate {
+ certificate := &cmapi.Certificate{}
 GetResource(k8sClient, certificate, name, namespace)
 return certificate
 }