fix: generate certificates with cert-manager (#267)

Skarlso · web-flow · commit c9cbb9618bcf · 2023-10-11T15:45:44.000+02:00
* fix: change generating certificates with cert-manager

* add mkcert and missing ci certificate extension

* changed the key algo

* fixed option for base64

* remove cert-manager manfiest and download it instead

* added release docs
diff --git a/.gitignore b/.gitignore
@@ -43,6 +43,7 @@ e2e/testdata/testSignedOCIRegistryComponents/podinfo/frontend/manifests/*
 e2e/testdata/testSignedOCIRegistryComponents/podinfo/redis/manifests/*
 
 # ignore generated certificates
-hack/certs
+hack/rootCA.pem
+hack/cert-manager.yaml
 
 transport-archive
diff --git a/Makefile b/Makefile
@@ -80,16 +80,16 @@ test: manifests generate fmt vet build-wasm-testdata envtest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
 
 .PHONY: e2e
-e2e: generate-developer-certs test-summary-tool ## Runs e2e tests
+e2e: prime-test-cluster test-summary-tool ## Runs e2e tests
 	$(GOTESTSUM) --format testname -- -count=1 -tags=e2e ./e2e
 
 .PHONY: e2e-verbose
-e2e-verbose: generate-developer-certs test-summary-tool ## Runs e2e tests in verbose
+e2e-verbose: prime-test-cluster test-summary-tool ## Runs e2e tests in verbose
 	$(GOTESTSUM) --format standard-verbose -- -count=1 -tags=e2e ./e2e
 
-.PHONY: generate-developer-certs
-generate-developer-certs: mkcert
-	./hack/create_developer_certificate_secrets.sh
+.PHONY: prime-test-cluster
+prime-test-cluster: mkcert
+	./hack/prime_test_cluster.sh
 
 .PHONY: build-wasm-testdata
 build-wasm-testdata:
diff --git a/Tiltfile b/Tiltfile
@@ -81,9 +81,8 @@ def create_verification_keys():
 # check if flux is needed
 bootstrap_or_install_flux()
 
-# https registry
-print('applying generated secrets')
-k8s_yaml('./hack/certs/registry_certs_secret.yaml', allow_duplicates = True)
+print('install certificate bootstrap')
+k8s_yaml(read_file('e2e/certmanager/bootstrap.yaml'), allow_duplicates = True)
 
 # Use kustomize to build the install yaml files
 install = kustomize('config/default')
diff --git a/docs/release_notes/v0.14.0.md b/docs/release_notes/v0.14.0.md
@@ -0,0 +1,5 @@
+# Release 0.14.0
+
+- fix: generate certificates with cert-manager (#267)
+- New PR Template (#264)
+- Implement ResourcePipeline  (#236)
diff --git a/e2e/certmanager/bootstrap.yaml b/e2e/certmanager/bootstrap.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ocm-registry-tls-certs
+  namespace: ocm-system
+spec:
+  secretName: ocm-registry-tls-certs
+  dnsNames:
+    - registry.ocm-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: mpas-certificate-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/e2e/suite_test.go b/e2e/suite_test.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"testing"
 
+	"sigs.k8s.io/e2e-framework/klient/conf"
 	"sigs.k8s.io/e2e-framework/pkg/env"
 	"sigs.k8s.io/e2e-framework/pkg/envconf"
 	"sigs.k8s.io/e2e-framework/pkg/envfuncs"
@@ -32,7 +33,8 @@ var (
 func TestMain(m *testing.M) {
 	setupLog("starting e2e test suite")
 
-	cfg, _ := envconf.NewFromFlags()
+	path := conf.ResolveKubeConfigFile()
+	cfg := envconf.NewWithKubeConfig(path)
 	testEnv = env.NewWithConfig(cfg)
 	kindClusterName = envconf.RandomName("ocm-ctrl-e2e", 32)
 	ocmNamespace = "ocm-system"
@@ -41,7 +43,7 @@ func TestMain(m *testing.M) {
 	stopChannelGitea := make(chan struct{}, 1)
 
 	testEnv.Setup(
-		envfuncs.CreateKindCluster(kindClusterName),
+		//envfuncs.CreateKindCluster(kindClusterName),
 		envfuncs.CreateNamespace(ocmNamespace),
 		shared.StartGitServer(ocmNamespace),
 		shared.InstallFlux("latest"),
@@ -55,8 +57,8 @@ func TestMain(m *testing.M) {
 		shared.ShutdownPortForward(stopChannelRegistry),
 		shared.ShutdownPortForward(stopChannelGitea),
 		envfuncs.DeleteNamespace(ocmNamespace),
-		envfuncs.DestroyKindCluster(kindClusterName),
+		//envfuncs.DestroyKindCluster(kindClusterName),
 	)
 
 	os.Exit(testEnv.Run(m))
-}
+}
diff --git a/hack/certs/README.md b/hack/certs/README.md
diff --git a/hack/cluster_issuer.yaml b/hack/cluster_issuer.yaml
@@ -0,0 +1,42 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: mpas-bootstrap-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mpas-bootstrap-certificate
+  namespace: cert-manager
+spec:
+  # this is discouraged but required by ios
+  commonName: cert-manager-ocm-tls
+  isCA: true
+  secretName: ocm-registry-tls-certs
+  subject:
+    organizations:
+      - ocm.software
+  dnsNames:
+    - registry.ocm-system.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: mpas-bootstrap-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: mpas-certificate-issuer
+spec:
+  ca:
+    secretName: ocm-registry-tls-certs
diff --git a/hack/create_developer_certificate_secrets.sh b/hack/create_developer_certificate_secrets.sh
diff --git a/hack/prime_test_cluster.sh b/hack/prime_test_cluster.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# cleanup
+rm -fr hack/rootCA.pem
+
+CERT_MANAGER_VERSION=${CERT_MANAGER_VERSION:-v1.13.1}
+
+if [ ! -e 'hack/cert-manager.yaml' ]; then
+  echo "fetching cert-manager manifest for version ${CERT_MANAGER_VERSION}"
+  curl -L https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml -o hack/cert-manager.yaml
+fi
+
+kind create cluster --name=e2e-test-cluster
+
+echo -n 'installing cert-manager'
+kubectl apply -f hack/cert-manager.yaml
+kubectl wait --for=condition=Available=True Deployment/cert-manager -n cert-manager --timeout=60s
+kubectl wait --for=condition=Available=True Deployment/cert-manager-webhook -n cert-manager --timeout=60s
+kubectl wait --for=condition=Available=True Deployment/cert-manager-cainjector -n cert-manager --timeout=60s
+echo 'done'
+
+echo -n 'applying root certificate issuer'
+kubectl apply -f hack/cluster_issuer.yaml
+echo 'done'
+
+echo -n 'waiting for root certificate to be generated...'
+kubectl wait --for=condition=Ready=true Certificate/mpas-bootstrap-certificate -n cert-manager --timeout=60s
+echo 'done'
+
+kubectl get secret ocm-registry-tls-certs -n cert-manager -o jsonpath="{.data['tls\.crt']}" | base64 -d > hack/rootCA.pem
+echo -n 'installing root certificate into local trust store...'
+CAROOT=hack ./bin/mkcert -install
+rootCAPath="./hack/rootCA.pem"
+
+if [ -e '/etc/ssl/certs/ca-certificates.crt' ]; then
+  echo "updating root certificate"
+  sudo cat "${rootCAPath}" | sudo tee -a /etc/ssl/certs/ca-certificates.crt || echo "failed to append to ca-certificates. Ignoring the failure"
+fi
+
+echo 'done'
diff --git a/pkg/version/release.go b/pkg/version/release.go
@@ -5,7 +5,7 @@
 package version
 
 // ReleaseVersion is the version number in semver format "vX.Y.Z", prefixed with "v".
-var ReleaseVersion = "v0.13.0"
+var ReleaseVersion = "v0.14.0"
 
 // ReleaseCandidate is the release candidate ID in format "rc.X", which will be appended to the release version.
 var ReleaseCandidate = "rc.1"
