From fb9348629feedd8fff3c1a4ecdbddd90e4cb32e0 Mon Sep 17 00:00:00 2001 From: Sascha Schwarze Date: Sun, 17 Sep 2023 21:52:39 +0200 Subject: [PATCH 1/2] Update nightly build to cover caBundle setup for webhook --- .github/workflows/ci.yml | 5 +-- .github/workflows/nightly.yaml | 5 ++- .github/workflows/release.yaml | 2 +- .github/workflows/verify.yaml | 5 ++- Makefile | 6 +-- README.md | 14 +++++++ deploy/crds/shipwright.io_buildruns.yaml | 12 +++++- deploy/crds/shipwright.io_builds.yaml | 12 +++++- .../crds/shipwright.io_buildstrategies.yaml | 12 +++++- .../shipwright.io_clusterbuildstrategies.yaml | 12 +++++- .../conversion_webhook_block.yaml | 1 - hack/patch-crds-with-conversion.sh | 19 ++++----- hack/release.sh | 15 +++++-- ...generate-cert.sh => setup-webhook-cert.sh} | 42 ++++++++++++------- 14 files changed, 117 insertions(+), 45 deletions(-) rename hack/{generate-cert.sh => setup-webhook-cert.sh} (51%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be2ededd0..b609386ef 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,7 +73,7 @@ jobs: - name: Install Ko uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - name: Install kubectl uses: azure/setup-kubectl@v3 with: @@ -175,10 +175,9 @@ jobs: - name: Install Ko uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - name: Install Shipwright Build run: | - make prepare-conversion make install-controller-kind kubectl -n shipwright-build rollout status deployment shipwright-build-controller --timeout=1m || true kubectl -n shipwright-build rollout status deployment shipwright-build-webhook --timeout=1m || true diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 017e74ef6..e1ba4e607 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml 
@@ -29,7 +29,7 @@ jobs: # Install tools - uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 - uses: sigstore/cosign-installer@v3 @@ -55,6 +55,9 @@ jobs: mv sample-strategies.yaml nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml gh release upload nightly nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml + echo ${{ steps.date.outputs.date }} > /tmp/latest.txt + gh release upload nightly /tmp/latest.txt --clobber + - name: Update latest tag of supporting images working-directory: ./cmd run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f54c13569..8836d8c98 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -37,7 +37,7 @@ jobs: # Install tools - uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - uses: sigstore/cosign-installer@v3 - name: Build Release Changelog diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml index 8463222f6..b9c25dbd2 100644 --- a/.github/workflows/verify.yaml +++ b/.github/workflows/verify.yaml @@ -37,7 +37,10 @@ jobs: - name: Install Counterfeiter run: | make -C go/src/github.com/shipwright-io/build install-counterfeiter + - name: Install Spruce + run: | + make -C go/src/github.com/shipwright-io/build install-spruce - name: Run verify-generate run: | export GOPATH="${GITHUB_WORKSPACE}"/go - make -C $GOPATH/src/github.com/shipwright-io/build verify-generate + make -C go/src/github.com/shipwright-io/build verify-generate diff --git a/Makefile b/Makefile index a6af76d75..057e50032 100644 --- a/Makefile +++ b/Makefile 
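Review bot: `echo ${{ steps.date.outputs.date }} > /tmp/latest.txt` in the nightly.yaml `@@ -55` hunk interpolates a step output into the shell line unquoted; the value comes from the workflow's own `date` step, so this is not an injection path today, but quoting it (`printf '%s\n' '${{ steps.date.outputs.date }}' > /tmp/latest.txt`) is the usual hygiene for `${{ }}` inside `run:` and keeps a later change to that step from turning into word splitting. The uploaded `latest.txt` is the pointer the README in this same patch resolves with a plain `curl` and feeds straight into `kubectl apply`, so consumers get no integrity check beyond TLS on the `nightly` release assets; a checksum or signature asset is outside this patch, but the upload step is where it would belong.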
@@ -113,11 +113,6 @@ generate: hack/generate-copyright.sh hack/install-controller-gen.sh "$(CONTROLLER_GEN)" crd rbac:roleName=manager-role webhook paths="./..." output:crd:dir=deploy/crds - -.PHONY: prepare-conversion -prepare-conversion: - hack/generate-cert.sh - hack/install-spruce.sh hack/patch-crds-with-conversion.sh .PHONY: verify-generate @@ -261,6 +256,7 @@ install-controller-kind: install-apis ko apply \ --platform=$(GO_OS)/$(GO_ARCH) \ --filename=deploy + ./hack/setup-webhook-cert.sh .PHONY: install-strategies install-strategies: install-apis diff --git a/README.md b/README.md index d12ed8cb5..203a9dd65 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ Shipwright supports any tool that can build container images in Kubernetes clust ```bash kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.44.0/release.yaml ``` + If you are using OpenShift cluster refer [Running on OpenShift](#running-on-openshift) for some more configurations. - Install the Shipwright deployment. To install the latest version, run: 
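Review bot: The new recipe line `./hack/setup-webhook-cert.sh` in the `@@ -261` hunk uses a `./` prefix while the neighbouring recipes visible in the `@@ -113` hunk call `hack/generate-copyright.sh`, `hack/install-spruce.sh` and `hack/patch-crds-with-conversion.sh` without it; `hack/setup-webhook-cert.sh` keeps the style uniform. Since that script deletes and re-creates the `shipwright-build-webhook-csr` CSR and generates a fresh serving key on every run (visible in the script's own hunk further down, not here), a one-line comment on `install-controller-kind` stating that the target is re-runnable but rotates the webhook certificate each time would spare the next reader the surprise.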
@@ -51,12 +52,25 @@ Shipwright supports any tool that can build container images in Kubernetes clust kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/release.yaml ``` + To install the latest nightly release, run: + + ```bash + kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt).yaml" --server-side + curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh | bash + ``` + - Install the Shipwright strategies. To install the latest version, run: ```bash kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/sample-strategies.yaml ``` + To install the latest nightly release, run: + + ```bash + kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt)-sample-strategies.yaml" --server-side + ``` + - Generate a secret to access your container registry, such as one on [Docker Hub](https://hub.docker.com/) or [Quay.io](https://quay.io/): ```bash diff --git a/deploy/crds/shipwright.io_buildruns.yaml b/deploy/crds/shipwright.io_buildruns.yaml index d29e03082..7c20b5388 100644 --- a/deploy/crds/shipwright.io_buildruns.yaml +++ b/deploy/crds/shipwright.io_buildruns.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: buildruns.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: BuildRun @@ -12246,3 +12255,4 @@ spec: storage: false subresources: status: {} + 
diff --git a/deploy/crds/shipwright.io_builds.yaml b/deploy/crds/shipwright.io_builds.yaml index bfa8e8c74..a467b4b33 100644 --- a/deploy/crds/shipwright.io_builds.yaml +++ b/deploy/crds/shipwright.io_builds.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: builds.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: Build @@ -4090,3 +4099,4 @@ spec: storage: false subresources: status: {} + diff --git a/deploy/crds/shipwright.io_buildstrategies.yaml b/deploy/crds/shipwright.io_buildstrategies.yaml index e557e5282..b86d99df1 100644 --- a/deploy/crds/shipwright.io_buildstrategies.yaml +++ b/deploy/crds/shipwright.io_buildstrategies.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: buildstrategies.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: BuildStrategy @@ -4875,3 +4884,4 @@ spec: storage: false subresources: status: {} + diff --git a/deploy/crds/shipwright.io_clusterbuildstrategies.yaml b/deploy/crds/shipwright.io_clusterbuildstrategies.yaml index 226681ead..ddc3944fc 100644 --- a/deploy/crds/shipwright.io_clusterbuildstrategies.yaml +++ b/deploy/crds/shipwright.io_clusterbuildstrategies.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: clusterbuildstrategies.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: ClusterBuildStrategy @@ -4875,3 +4884,4 @@ spec: storage: false subresources: status: {} + diff --git a/hack/customization/conversion_webhook_block.yaml b/hack/customization/conversion_webhook_block.yaml index bc522af26..0b6828b52 100644 --- a/hack/customization/conversion_webhook_block.yaml +++ b/hack/customization/conversion_webhook_block.yaml @@ -3,7 +3,6 @@ spec: strategy: Webhook webhook: clientConfig: - caBundle: CA_BUNDLE service: namespace: shipwright-build name: shp-build-webhook diff --git a/hack/patch-crds-with-conversion.sh b/hack/patch-crds-with-conversion.sh index b1487b503..3f551e21c 100755 --- a/hack/patch-crds-with-conversion.sh +++ b/hack/patch-crds-with-conversion.sh 
@@ -7,28 +7,27 @@ set -euo pipefail DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)" -TARGET_DIR=/tmp/ if ! hash spruce > /dev/null 2>&1 ; then echo "[ERROR] spruce binary is not installed, see the install-spruce target" fi echo "[INFO] Going to patch the Build CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_builds.yaml > /tmp/shipwright.io_builds.yaml -mv /tmp/shipwright.io_builds.yaml "${DIR}"/deploy/crds/shipwright.io_builds.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_builds.yaml" > /tmp/shipwright.io_builds.yaml +mv /tmp/shipwright.io_builds.yaml "${DIR}/deploy/crds/shipwright.io_builds.yaml" echo "[INFO] Build CRD successfully patched" echo "[INFO] Going to patch the BuildRun CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildruns.yaml > /tmp/shipwright.io_buildruns.yaml -mv /tmp/shipwright.io_buildruns.yaml "${DIR}"/deploy/crds/shipwright.io_buildruns.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" > /tmp/shipwright.io_buildruns.yaml +mv /tmp/shipwright.io_buildruns.yaml "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" echo "[INFO] BuildRun CRD successfully patched" echo "[INFO] Going to patch the BuildStrategy CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildstrategies.yaml > /tmp/shipwright.io_buildstrategies.yaml -mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_buildstrategies.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" > /tmp/shipwright.io_buildstrategies.yaml +mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" echo "[INFO] BuildStrategy CRD successfully patched" echo 
"[INFO] Going to patch the ClusterBuildStrategy CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_clusterbuildstrategies.yaml > /tmp/shipwright.io_clusterbuildstrategies.yaml -mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_clusterbuildstrategies.yaml -echo "[INFO] ClusterBuildStrategy CRD successfully patched" \ No newline at end of file +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" > /tmp/shipwright.io_clusterbuildstrategies.yaml +mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" +echo "[INFO] ClusterBuildStrategy CRD successfully patched" diff --git a/hack/release.sh b/hack/release.sh index 9f388265e..3e6ca638b 100755 --- a/hack/release.sh +++ b/hack/release.sh 
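Review bot: The rewritten `spruce merge` lines still stage each merged CRD at a fixed, predictable path in the shared `/tmp` directory (`/tmp/shipwright.io_builds.yaml` and its three siblings), which another local user can pre-create or symlink; the commit removed the unused `TARGET_DIR` but kept the hard-coded names. Because the result is moved back into `${DIR}/deploy/crds` anyway, a private `mktemp -d` staging directory removed by an EXIT trap closes the gap, and the four near-identical stanzas collapse into one loop. The `hash spruce` check above only echoes and carries on, so under `set -e` the first `spruce` call dies with a less helpful "command not found"; the check should `exit 1` and report on stderr. The hunk begins on the previous line of this excerpt.
```shell
if ! hash spruce > /dev/null 2>&1 ; then
  echo "[ERROR] spruce binary is not installed, see the install-spruce target" >&2
  exit 1
fi

tmpdir="$(mktemp -d)"
trap 'rm -rf -- "${tmpdir}"' EXIT

for crd in builds buildruns buildstrategies clusterbuildstrategies; do
  echo "[INFO] Going to patch the ${crd} CRD"
  spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_${crd}.yaml" > "${tmpdir}/shipwright.io_${crd}.yaml"
  mv "${tmpdir}/shipwright.io_${crd}.yaml" "${DIR}/deploy/crds/shipwright.io_${crd}.yaml"
  echo "[INFO] ${crd} CRD successfully patched"
done
```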
@@ -13,19 +13,28 @@ echo "Building container image" echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}" +PLATFORM="${PLATFORM:-all}" + +echo "[INFO] Building images and release.yaml" KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \ --base-import-paths \ + --recursive \ --tags "${TAG}" \ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \ - --platform=all -R -f deploy/ > release.yaml + --platform "${PLATFORM}" \ + --filename deploy/ > release.yaml +echo "[INFO] Building debug images and release-debug.yaml" KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \ --base-import-paths \ + --recursive \ --tags "${TAG}-debug" \ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \ - --platform=all -R -f deploy/ > release-debug.yaml + --platform "${PLATFORM}" \ + --filename deploy/ > release-debug.yaml # Bundle the sample cluster build strategies, remove namespace strategies first +echo "[INFO] Bundling sample build strategies" find samples/buildstrategy -type f -print0 | xargs -0 grep -l "kind: BuildStrategy" | xargs rm -f -ko resolve -R -f samples/buildstrategy/ > sample-strategies.yaml +KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/ > sample-strategies.yaml git restore samples/buildstrategy diff --git a/hack/generate-cert.sh b/hack/setup-webhook-cert.sh similarity index 51% rename from hack/generate-cert.sh rename to hack/setup-webhook-cert.sh index 5023293c7..84dfc65c1 100755 --- a/hack/generate-cert.sh +++ b/hack/setup-webhook-cert.sh 
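Review bot: `KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/` needs a comment saying why a placeholder repository is acceptable here; presumably the sample strategies contain no `ko://` references so nothing is built or pushed, but a reader will otherwise take `dummy` for a leftover, e.g. `# the samples reference no ko:// images, but ko resolve still requires KO_DOCKER_REPO to be set`. The new `PLATFORM="${PLATFORM:-all}"` default is likewise undocumented; a one-line comment on who overrides it (I cannot see the callers from this hunk) would help, since an unintended value in the release environment now yields a single-platform `release.yaml`. The two `ko resolve` stanzas differ only in `GOFLAGS`, the tag suffix and the output file, so a small helper taking those three as arguments would keep them from drifting apart.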
@@ -6,9 +6,17 @@ set -euo pipefail -DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)" +if ! hash jq >/dev/null 2>&1 ; then + echo "[ERROR] jq is not installed" + exit 1 +fi -echo "[INFO] Generating key for Shipwright Build Webhook" +if ! hash openssl >/dev/null 2>&1 ; then + echo "[ERROR] openssl is not installed" + exit 1 +fi + +echo "[INFO] Generating key and signing request for Shipwright Build Webhook" cat </tmp/csr.conf [req] @@ -28,11 +36,11 @@ DNS.4 = shp-build-webhook.shipwright-build.svc.cluster.local EOF openssl genrsa -out /tmp/server-key.pem 2048 -openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf +openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf + echo "[INFO] Deleting previous CertificateSigningRequest" kubectl delete csr shipwright-build-webhook-csr --ignore-not-found - echo "[INFO] Create a CertificateSigningRequest" cat < Date: Fri, 22 Sep 2023 23:03:41 +0200 Subject: [PATCH 2/2] Setup webhook in integration test --- .github/workflows/ci.yml | 5 + Makefile | 16 ++- hack/setup-webhook-cert-integration-test.sh | 81 ++++++++++++++ test/integration/integration_suite_test.go | 16 ++- test/utils/environment.go | 7 +- test/utils/namespaces.go | 3 +- test/utils/webhook.go | 110 ++++++++++++++++++++ 7 files changed, 228 insertions(+), 10 deletions(-) create mode 100755 hack/setup-webhook-cert-integration-test.sh create mode 100644 test/utils/webhook.go diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b609386ef..43a4894bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
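Review bot: The new `jq` and `openssl` presence checks print their `[ERROR]` line to stdout; diagnostics belong on stderr (`echo "[ERROR] jq is not installed" >&2`), and this matters here because the README in the same patch tells users to run the script as `curl ... | bash`, where stdout may be captured or discarded. `command -v jq >/dev/null 2>&1` is the conventional spelling of the check, though `hash` works. Separately, the script stages its material at fixed names in the shared `/tmp` directory (`/tmp/csr.conf` in this hunk, the `/tmp/server-key.pem` private key in the next one); a `mktemp -d` directory with a cleanup trap and a restrictive umask is the usual fix for key material. Pinning the README's `curl` URL to a tag or commit rather than `main` would make the piped install reproducible; the second hunk of this file ends outside the excerpt.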
@@ -111,7 +111,12 @@ jobs: kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-webhook --timeout=1m - name: Test run: | + # host.docker.internal does not work in a GitHub action + docker exec kind-control-plane bash -c "echo '172.17.0.1 host.docker.internal' >>/etc/hosts" + + # Build and load the Git image export GIT_CONTAINER_IMAGE="$(KO_DOCKER_REPO=kind.local ko publish ./cmd/git)" + make test-integration e2e: diff --git a/Makefile b/Makefile index 057e50032..f87c79e71 100644 --- a/Makefile +++ b/Makefile @@ -39,7 +39,7 @@ TEST_NAMESPACE ?= default TEKTON_VERSION ?= v0.44.0 # E2E test flags -TEST_E2E_FLAGS ?= --fail-fast -p --randomize-all -timeout=1h -trace -vv +TEST_E2E_FLAGS ?= -p --randomize-all -timeout=1h -trace -v # E2E test service account name to be used for the build runs, can be set to generated to use the generated service account feature TEST_E2E_SERVICEACCOUNT_NAME ?= pipeline @@ -204,6 +204,7 @@ test-unit-ginkgo: ginkgo # Based on https://github.com/kubernetes/community/blob/master/contributors/devel/sig-testing/integration-tests.md .PHONY: test-integration test-integration: install-apis ginkgo + ./hack/setup-webhook-cert-integration-test.sh $(GINKGO) \ --randomize-all \ --randomize-suites \ @@ -211,7 +212,6 @@ test-integration: install-apis ginkgo -trace \ test/integration/... - .PHONY: test-e2e test-e2e: install-strategies test-e2e-plain 
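Review bot: The `/etc/hosts` entry written into the kind control-plane hard-codes `172.17.0.1` as the host address; that is the default docker bridge gateway on today's runners, but it breaks silently if the bridge subnet ever differs, and the failure would surface later as a webhook timeout rather than here. Deriving it from docker, e.g. `gw="$(docker network inspect bridge --format '{{(index .IPAM.Config 0).Gateway}}')"` followed by echoing `"${gw} host.docker.internal"`, keeps the step self-describing (if the node sits on kind's own network, inspect that network instead — I cannot tell from the hunk). The existing comment could also say why the host must be reachable at all, i.e. that the integration suite serves the webhook from the runner rather than from a pod.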
@@ -237,7 +237,17 @@ install-with-pprof: GOOS=$(GO_OS) GOARCH=$(GO_ARCH) GOFLAGS="$(GO_FLAGS) -tags=pprof_enabled" ko apply -R -f deploy/ -- --server-side install-apis: - kubectl apply -f deploy/crds/ --server-side + for resource in buildruns builds buildstrategies clusterbuildstrategies ; do \ + if kubectl get crd "$${resource}.shipwright.io" >/dev/null 2>&1 ; then \ + if [ "$$(kubectl get crd "$${resource}.shipwright.io" -o go-template='{{.spec.conversion.webhook.clientConfig.caBundle}}')" == "" ] ; then \ + kubectl replace -f "deploy/crds/shipwright.io_$${resource}.yaml" ; \ + else \ + kubectl apply -f "deploy/crds/shipwright.io_$${resource}.yaml" --server-side ; \ + fi ; \ + else \ + kubectl create -f "deploy/crds/shipwright.io_$${resource}.yaml" ; \ + fi ; \ + done for i in 1 2 3 ; do \ kubectl wait --timeout=$(TIMEOUT) --for="condition=Established" crd/clusterbuildstrategies.shipwright.io && \ break ; \ diff --git a/hack/setup-webhook-cert-integration-test.sh b/hack/setup-webhook-cert-integration-test.sh new file mode 100755 index 000000000..fa795d5b0 --- /dev/null +++ b/hack/setup-webhook-cert-integration-test.sh 
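Review bot: The `install-apis` loop chooses between `kubectl replace` and `kubectl apply --server-side` by comparing a go-template read of `.spec.conversion.webhook.clientConfig.caBundle` with `""`, but as far as I recall kubectl's go-template renders a missing field as `<no value>` rather than an empty string, so a CRD that exists without a caBundle — the case `replace` is meant for — would fall into the apply branch; `-o jsonpath='{.spec.conversion.webhook.clientConfig.caBundle}'` does yield an empty string for an absent field, so this is worth confirming on a kind cluster. The recipe also uses `[ ... == "" ]`, a bash extension; unless the Makefile sets `SHELL` to bash elsewhere, `/bin/sh` on Debian-based runners rejects `==` with "unexpected operator", and `=` is the portable spelling. A recipe comment describing the three-way branch (create when absent, replace while no caBundle is set, server-side apply so the bundle patched in by the cert script survives) would save the next reader the inference — that intent is my reading of the loop, not stated in the hunk.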
@@ -0,0 +1,81 @@ +#!/bin/bash + +# Copyright The Shipwright Contributors +# +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail + +if ! hash jq >/dev/null 2>&1 ; then + echo "[ERROR] jq is not installed" + exit 1 +fi + +if ! hash openssl >/dev/null 2>&1 ; then + echo "[ERROR] openssl is not installed" + exit 1 +fi + +echo "[INFO] Generating key and signing request for Shipwright Build Webhook" + +cat </tmp/csr.conf +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = host.docker.internal +EOF + +openssl genrsa -out /tmp/server-key.pem 2048 +openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:host.docker.internal" -out /tmp/server.csr -config /tmp/csr.conf + +echo "[INFO] Deleting previous CertificateSigningRequest" +kubectl delete csr shipwright-build-webhook-csr --ignore-not-found + +echo "[INFO] Create a CertificateSigningRequest" +cat <