Update nightly build to cover caBundle setup for webhook
SaschaSchwarze0 committed Sep 21, 2023
1 parent 7efcfbe commit bd3f915
Showing 14 changed files with 117 additions and 43 deletions.
1 change: 0 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -178,7 +178,6 @@ jobs:
version: v0.13.0
- name: Install Shipwright Build
run: |
make prepare-conversion
make install-controller-kind
kubectl -n shipwright-build rollout status deployment shipwright-build-controller --timeout=1m || true
kubectl -n shipwright-build rollout status deployment shipwright-build-webhook --timeout=1m || true
5 changes: 4 additions & 1 deletion .github/workflows/nightly.yaml
Expand Up @@ -29,7 +29,7 @@ jobs:
# Install tools
- uses: ko-build/[email protected]
with:
version: v0.13.0
version: v0.14.1
- uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
- uses: sigstore/cosign-installer@v3

Expand All @@ -55,6 +55,9 @@ jobs:
mv sample-strategies.yaml nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
gh release upload nightly nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
echo ${{ steps.date.outputs.date }} > /tmp/latest.txt
gh release upload nightly /tmp/latest.txt --clobber
- name: Update latest tag of supporting images
working-directory: ./cmd
run: |
4 changes: 3 additions & 1 deletion .github/workflows/release.yaml
Expand Up @@ -37,8 +37,10 @@ jobs:
# Install tools
- uses: ko-build/[email protected]
with:
version: v0.13.0
version: v0.14.1
- uses: sigstore/cosign-installer@v3
- name: Install Spruce
run: make install-spruce

- name: Build Release Changelog
env:
5 changes: 4 additions & 1 deletion .github/workflows/verify.yaml
Expand Up @@ -37,7 +37,10 @@ jobs:
- name: Install Counterfeiter
run: |
make -C go/src/github.com/shipwright-io/build install-counterfeiter
- name: Install Spruce
run: |
make -C go/src/github.com/shipwright-io/build install-spruce
- name: Run verify-generate
run: |
export GOPATH="${GITHUB_WORKSPACE}"/go
make -C $GOPATH/src/github.com/shipwright-io/build verify-generate
make -C "${GOPATH}/src/github.com/shipwright-io/build" verify-generate
6 changes: 1 addition & 5 deletions Makefile
Expand Up @@ -113,11 +113,6 @@ generate:
hack/generate-copyright.sh
hack/install-controller-gen.sh
"$(CONTROLLER_GEN)" crd rbac:roleName=manager-role webhook paths="./..." output:crd:dir=deploy/crds

.PHONY: prepare-conversion
prepare-conversion:
hack/generate-cert.sh
hack/install-spruce.sh
hack/patch-crds-with-conversion.sh

.PHONY: verify-generate
Expand Down Expand Up @@ -261,6 +256,7 @@ install-controller-kind: install-apis
ko apply \
--platform=$(GO_OS)/$(GO_ARCH) \
--filename=deploy
./hack/setup-webhook-cert.sh

.PHONY: install-strategies
install-strategies: install-apis
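Review bot: `./hack/setup-webhook-cert.sh` at the end of install-controller-kind is the only recipe line in view invoked with a `./` prefix; the other hack scripts in this Makefile are called as `hack/generate-copyright.sh` and `hack/install-controller-gen.sh`, so `hack/setup-webhook-cert.sh` would keep the file consistent. The target also now silently depends on jq and openssl and on a kubeconfig that may approve CertificateSigningRequests and patch cluster-scoped CRDs, which nothing in the target name or recipe announces. A one-line comment above the recipe, `# Needs jq/openssl and rights to approve CSRs and patch CRDs: the script installs the webhook serving cert and caBundle`, would turn an obscure mid-install failure into an expected one. The start of the install-controller-kind recipe lies above this hunk.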
14 changes: 14 additions & 0 deletions README.md
Expand Up @@ -43,6 +43,7 @@ Shipwright supports any tool that can build container images in Kubernetes clust
```bash
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.44.0/release.yaml
```

If you are using OpenShift cluster refer [Running on OpenShift](#running-on-openshift) for some more configurations.

- Install the Shipwright deployment. To install the latest version, run:
Expand All @@ -51,12 +52,25 @@ Shipwright supports any tool that can build container images in Kubernetes clust
kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/release.yaml
```

To install the latest nightly release, run:

```bash
kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt).yaml" --server-side
curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh | bash
```

- Install the Shipwright strategies. To install the latest version, run:

```bash
kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/sample-strategies.yaml
```

To install the latest nightly release, run:

```bash
kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt)-sample-strategies.yaml" --server-side
```

- Generate a secret to access your container registry, such as one on [Docker Hub](https://hub.docker.com/) or [Quay.io](https://quay.io/):

```bash
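Review bot: The nightly install instructions pipe `hack/setup-webhook-cert.sh` straight from the `main` branch into `bash`, unpinned and unseen, while the manifests on the line above come from a dated nightly asset; the two can drift apart, and the script goes on to approve a CSR and patch cluster-scoped CRDs with whatever rights the user's kubeconfig holds. Neither `curl` call uses `--fail`, so an HTTP error page would be interpolated into the release URL or fed to bash instead of stopping the install. Downloading the script to a file first, `curl --silent --location --fail --output setup-webhook-cert.sh https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh`, then `bash setup-webhook-cert.sh` after a look at it, and adding `--fail` to the `latest.txt` lookup, keeps the one-liner spirit without executing unreviewed remote content; pinning the raw URL to the commit the nightly was built from would be better still.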
12 changes: 11 additions & 1 deletion deploy/crds/shipwright.io_buildruns.yaml
@@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -7,6 +6,16 @@ metadata:
creationTimestamp: null
name: buildruns.shipwright.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: shp-build-webhook
namespace: shipwright-build
path: /convert
conversionReviewVersions:
- v1
group: shipwright.io
names:
kind: BuildRun
Expand Down Expand Up @@ -12246,3 +12255,4 @@ spec:
storage: false
subresources:
status: {}

12 changes: 11 additions & 1 deletion deploy/crds/shipwright.io_builds.yaml
@@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -7,6 +6,16 @@ metadata:
creationTimestamp: null
name: builds.shipwright.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: shp-build-webhook
namespace: shipwright-build
path: /convert
conversionReviewVersions:
- v1
group: shipwright.io
names:
kind: Build
Expand Down Expand Up @@ -4090,3 +4099,4 @@ spec:
storage: false
subresources:
status: {}

12 changes: 11 additions & 1 deletion deploy/crds/shipwright.io_buildstrategies.yaml
@@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -7,6 +6,16 @@ metadata:
creationTimestamp: null
name: buildstrategies.shipwright.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: shp-build-webhook
namespace: shipwright-build
path: /convert
conversionReviewVersions:
- v1
group: shipwright.io
names:
kind: BuildStrategy
Expand Down Expand Up @@ -4875,3 +4884,4 @@ spec:
storage: false
subresources:
status: {}

12 changes: 11 additions & 1 deletion deploy/crds/shipwright.io_clusterbuildstrategies.yaml
@@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -7,6 +6,16 @@ metadata:
creationTimestamp: null
name: clusterbuildstrategies.shipwright.io
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: shp-build-webhook
namespace: shipwright-build
path: /convert
conversionReviewVersions:
- v1
group: shipwright.io
names:
kind: ClusterBuildStrategy
Expand Down Expand Up @@ -4875,3 +4884,4 @@ spec:
storage: false
subresources:
status: {}

1 change: 0 additions & 1 deletion hack/customization/conversion_webhook_block.yaml
Expand Up @@ -3,7 +3,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: CA_BUNDLE
service:
namespace: shipwright-build
name: shp-build-webhook
Expand Down
19 changes: 9 additions & 10 deletions hack/patch-crds-with-conversion.sh
Expand Up @@ -7,28 +7,27 @@
set -euo pipefail

DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
TARGET_DIR=/tmp/

if ! hash spruce > /dev/null 2>&1 ; then
echo "[ERROR] spruce binary is not installed, see the install-spruce target"
fi

echo "[INFO] Going to patch the Build CRD"
spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_builds.yaml > /tmp/shipwright.io_builds.yaml
mv /tmp/shipwright.io_builds.yaml "${DIR}"/deploy/crds/shipwright.io_builds.yaml
spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_builds.yaml" > /tmp/shipwright.io_builds.yaml
mv /tmp/shipwright.io_builds.yaml "${DIR}/deploy/crds/shipwright.io_builds.yaml"
echo "[INFO] Build CRD successfully patched"

echo "[INFO] Going to patch the BuildRun CRD"
spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildruns.yaml > /tmp/shipwright.io_buildruns.yaml
mv /tmp/shipwright.io_buildruns.yaml "${DIR}"/deploy/crds/shipwright.io_buildruns.yaml
spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" > /tmp/shipwright.io_buildruns.yaml
mv /tmp/shipwright.io_buildruns.yaml "${DIR}/deploy/crds/shipwright.io_buildruns.yaml"
echo "[INFO] BuildRun CRD successfully patched"

echo "[INFO] Going to patch the BuildStrategy CRD"
spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildstrategies.yaml > /tmp/shipwright.io_buildstrategies.yaml
mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_buildstrategies.yaml
spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" > /tmp/shipwright.io_buildstrategies.yaml
mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml"
echo "[INFO] BuildStrategy CRD successfully patched"

echo "[INFO] Going to patch the ClusterBuildStrategy CRD"
spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_clusterbuildstrategies.yaml > /tmp/shipwright.io_clusterbuildstrategies.yaml
mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_clusterbuildstrategies.yaml
echo "[INFO] ClusterBuildStrategy CRD successfully patched"
spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" > /tmp/shipwright.io_clusterbuildstrategies.yaml
mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml"
echo "[INFO] ClusterBuildStrategy CRD successfully patched"
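Review bot: The four `spruce merge` lines still write through fixed names such as `/tmp/shipwright.io_builds.yaml` before `mv`-ing over the tracked CRD, so on a shared /tmp another local user can pre-create or symlink those paths and have their content land in `deploy/crds`; since the commit is already rewriting these lines, a single `tmp="$(mktemp)"` reused for all four merges, or a `"${DIR}/deploy/crds/<name>.yaml.tmp"` beside the target, removes the predictable path. The spruce presence check just above only echoes `[ERROR] spruce binary is not installed` and then falls through to the first merge, which fails with a far less helpful command-not-found under `set -e`; adding `exit 1` after the echo mirrors the jq and openssl checks this same commit adds to hack/setup-webhook-cert.sh. The `TARGET_DIR=/tmp/` assignment near the top appears unused in the shown hunk and could go with the same change.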
15 changes: 12 additions & 3 deletions hack/release.sh
Expand Up @@ -13,19 +13,28 @@ echo "Building container image"

echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}"

PLATFORM="${PLATFORM:-all}"

echo "[INFO] Building images and release.yaml"
KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \
--base-import-paths \
--recursive \
--tags "${TAG}" \
--image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
--platform=all -R -f deploy/ > release.yaml
--platform "${PLATFORM}" \
--filename deploy/ > release.yaml

echo "[INFO] Building debug images and release-debug.yaml"
KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \
--base-import-paths \
--recursive \
--tags "${TAG}-debug" \
--image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
--platform=all -R -f deploy/ > release-debug.yaml
--platform "${PLATFORM}" \
--filename deploy/ > release-debug.yaml

# Bundle the sample cluster build strategies, remove namespace strategies first
echo "[INFO] Bundling sample build strategies"
find samples/buildstrategy -type f -print0 | xargs -0 grep -l "kind: BuildStrategy" | xargs rm -f
ko resolve -R -f samples/buildstrategy/ > sample-strategies.yaml
KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/ > sample-strategies.yaml
git restore samples/buildstrategy
42 changes: 26 additions & 16 deletions hack/generate-cert.sh → hack/setup-webhook-cert.sh
Expand Up @@ -6,9 +6,17 @@

set -euo pipefail

DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
if ! hash jq >/dev/null 2>&1 ; then
echo "[ERROR] jq is not installed"
exit 1
fi

echo "[INFO] Generating key for Shipwright Build Webhook"
if ! hash openssl >/dev/null 2>&1 ; then
echo "[ERROR] openssl is not installed"
exit 1
fi

echo "[INFO] Generating key and signing request for Shipwright Build Webhook"

cat <<EOF >/tmp/csr.conf
[req]
Expand All @@ -28,11 +36,11 @@ DNS.4 = shp-build-webhook.shipwright-build.svc.cluster.local
EOF

openssl genrsa -out /tmp/server-key.pem 2048
openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf
openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf

echo "[INFO] Deleting previous CertificateSigningRequest"
kubectl delete csr shipwright-build-webhook-csr --ignore-not-found


echo "[INFO] Create a CertificateSigningRequest"
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
Expand All @@ -42,7 +50,7 @@ metadata:
spec:
groups:
- system:authenticated
request: $(cat /tmp/server.csr | base64 | tr -d '\n')
request: $(base64 </tmp/server.csr | tr -d '\n')
signerName: kubernetes.io/kubelet-serving
usages:
- digital signature
Expand All @@ -53,7 +61,6 @@ EOF
echo "[INFO] Approve the CertificateSigningRequest"
kubectl certificate approve shipwright-build-webhook-csr


certificate=$(kubectl get csr shipwright-build-webhook-csr -o json | jq -r '.status.certificate')
while [ "${certificate}" == "null" ]; do
echo "[INFO] Waiting for certificate to be ready"
Expand All @@ -66,17 +73,20 @@ openssl base64 -d -A -out /tmp/server-cert.pem <<<"${certificate}"
echo "[INFO] Deleting the CertificateSigningRequest"
kubectl delete csr shipwright-build-webhook-csr --ignore-not-found


echo "[INFO] Creating shipwright-build namespace"
kubectl apply -f $DIR/deploy/100-namespace.yaml

echo "[INFO] Creating Opaque Secret with generated certificates"
kubectl create secret tls shipwright-build-webhook-cert -n shipwright-build --cert /tmp/server-cert.pem --key /tmp/server-key.pem

echo "[INFO] Creating TLS secret shipwright-build-webhook-cert"
kubectl -n shipwright-build delete secret shipwright-build-webhook-cert --ignore-not-found
kubectl -n shipwright-build create secret tls shipwright-build-webhook-cert --cert /tmp/server-cert.pem --key /tmp/server-key.pem
rm -rf /tmp/csr.conf /tmp/server-cert.pem /tmp/server-key.pem

echo "[INFO] Retrieving CABundle"
CA=$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')
CA="$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')"

echo "[INFO] Patching caBundle into CustomResourceDefinitions"
kubectl patch crd clusterbuildstrategies.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
kubectl patch crd buildstrategies.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
kubectl patch crd builds.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
kubectl patch crd buildruns.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"

echo "[INFO] Applying CABundle into customization/conversion_webhook_block.yaml"
sed -i "s/CA_BUNDLE/${CA}/g" $DIR/hack/customization/conversion_webhook_block.yaml
echo "[INFO] Restarting shipwright-build-webhook"
kubectl -n shipwright-build rollout restart deployment shipwright-build-webhook
kubectl -n shipwright-build rollout status deployment shipwright-build-webhook
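Review bot: The webhook's private key is generated at the fixed path `/tmp/server-key.pem` (and the CSR at `/tmp/server.csr`), so on a shared /tmp another local user can pre-create or symlink those names and the key is created with the caller's default umask; the final `rm -rf` also leaves `/tmp/server.csr` behind and, with no `trap` visible in these hunks, leaves the key on disk whenever a `kubectl` step fails under `set -e`. A per-run `mktemp -d` with an `EXIT` trap fixes both, as sketched below. The `while [ "${certificate}" == "null" ]` loop has no upper bound, so a cluster whose controller-manager never signs this `kubernetes.io/kubelet-serving` request (the script presents a node identity, `O=system:nodes/CN=system:node:…`, which managed distributions may reject or sign with a CA other than the `client-ca-file` later used as caBundle — worth confirming outside kind) hangs the installer instead of failing. The `CA=` value is patched into all four CRDs without checking it is non-empty, which would quietly install a conversion webhook the API server can never trust. The body of the wait loop continues outside the shown hunk.

```bash
# … unchanged: jq/openssl presence checks …
WORK_DIR="$(mktemp -d)"
chmod 0700 "${WORK_DIR}"
trap 'rm -rf "${WORK_DIR}"' EXIT

cat <<EOF >"${WORK_DIR}/csr.conf"
# … unchanged: CSR config body …
EOF

openssl genrsa -out "${WORK_DIR}/server-key.pem" 2048
openssl req -new -key "${WORK_DIR}/server-key.pem" -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out "${WORK_DIR}/server.csr" -config "${WORK_DIR}/csr.conf"
# … unchanged: CSR creation (request: $(base64 <"${WORK_DIR}/server.csr" | tr -d '\n')) and approval …

attempts=0
certificate=$(kubectl get csr shipwright-build-webhook-csr -o json | jq -r '.status.certificate')
while [ "${certificate}" == "null" ]; do
  attempts=$((attempts + 1))
  if [ "${attempts}" -gt 30 ]; then
    echo "[ERROR] CertificateSigningRequest was not signed in time"
    exit 1
  fi
  echo "[INFO] Waiting for certificate to be ready"
  # … unchanged: sleep and re-read of the CSR status …
done
openssl base64 -d -A -out "${WORK_DIR}/server-cert.pem" <<<"${certificate}"
# … unchanged: CSR deletion and TLS secret creation, using "${WORK_DIR}/server-cert.pem" and "${WORK_DIR}/server-key.pem" …

echo "[INFO] Retrieving CABundle"
CA="$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')"
if [ -z "${CA}" ]; then
  echo "[ERROR] client-ca-file in kube-system/extension-apiserver-authentication is empty; cannot set caBundle"
  exit 1
fi
# … unchanged: CRD caBundle patches and webhook restart …
```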
