Merge pull request #1384 from SaschaSchwarze0/sascha-cabundle

Update release process for webhook certificate

.github/workflows/ci.yml

@@ -73,7 +73,7 @@ jobs:
       - name: Install Ko
         uses: ko-build/[email protected]
         with:
-          version: v0.13.0
+          version: v0.14.1
       - name: Install kubectl
         uses: azure/setup-kubectl@v3
         with:
@@ -111,7 +111,12 @@ jobs:
           kubectl -n tekton-pipelines rollout status deployment tekton-pipelines-webhook --timeout=1m
       - name: Test
         run: |
+          # host.docker.internal does not work in a GitHub action
+          docker exec kind-control-plane bash -c "echo '172.17.0.1 host.docker.internal' >>/etc/hosts"
+
+          # Build and load the Git image
           export GIT_CONTAINER_IMAGE="$(KO_DOCKER_REPO=kind.local ko publish ./cmd/git)"
+
           make test-integration
 
   e2e:
@@ -175,10 +180,9 @@ jobs:
       - name: Install Ko
         uses: ko-build/[email protected]
         with:
-          version: v0.13.0
+          version: v0.14.1
       - name: Install Shipwright Build
         run: |
-          make prepare-conversion
           make install-controller-kind
           kubectl -n shipwright-build rollout status deployment shipwright-build-controller --timeout=1m || true
           kubectl -n shipwright-build rollout status deployment shipwright-build-webhook --timeout=1m || true

.github/workflows/nightly.yaml

@@ -29,7 +29,7 @@ jobs:
     # Install tools
     - uses: ko-build/[email protected]
       with:
-        version: v0.13.0
+        version: v0.14.1
     - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
     - uses: sigstore/cosign-installer@v3
 
@@ -55,6 +55,9 @@ jobs:
         mv sample-strategies.yaml nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
         gh release upload nightly nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
 
+        echo ${{ steps.date.outputs.date }} > /tmp/latest.txt
+        gh release upload nightly /tmp/latest.txt --clobber
+
     - name: Update latest tag of supporting images
       working-directory: ./cmd
       run: |

.github/workflows/release.yaml

@@ -37,7 +37,7 @@ jobs:
     # Install tools
     - uses: ko-build/[email protected]
       with:
-        version: v0.13.0
+        version: v0.14.1
     - uses: sigstore/cosign-installer@v3
 
     - name: Build Release Changelog

.github/workflows/verify.yaml

@@ -37,7 +37,10 @@ jobs:
     - name: Install Counterfeiter
       run: |
         make -C go/src/github.com/shipwright-io/build install-counterfeiter
+    - name: Install Spruce
+      run: |
+        make -C go/src/github.com/shipwright-io/build install-spruce
     - name: Run verify-generate
       run: |
         export GOPATH="${GITHUB_WORKSPACE}"/go
-        make -C $GOPATH/src/github.com/shipwright-io/build verify-generate
+        make -C go/src/github.com/shipwright-io/build verify-generate

Makefile

@@ -39,7 +39,7 @@ TEST_NAMESPACE ?= default
 TEKTON_VERSION ?= v0.44.0
 
 # E2E test flags
-TEST_E2E_FLAGS ?= --fail-fast -p --randomize-all -timeout=1h -trace -vv
+TEST_E2E_FLAGS ?= -p --randomize-all -timeout=1h -trace -v
 
 # E2E test service account name to be used for the build runs, can be set to generated to use the generated service account feature
 TEST_E2E_SERVICEACCOUNT_NAME ?= pipeline
@@ -113,11 +113,6 @@ generate:
 	hack/generate-copyright.sh
 	hack/install-controller-gen.sh
 	"$(CONTROLLER_GEN)" crd rbac:roleName=manager-role webhook paths="./..." output:crd:dir=deploy/crds
-
-.PHONY: prepare-conversion
-prepare-conversion:
-	hack/generate-cert.sh
-	hack/install-spruce.sh
 	hack/patch-crds-with-conversion.sh
 
 .PHONY: verify-generate
@@ -209,14 +204,14 @@ test-unit-ginkgo: ginkgo
 # Based on https://github.com/kubernetes/community/blob/master/contributors/devel/sig-testing/integration-tests.md
 .PHONY: test-integration
 test-integration: install-apis ginkgo
+	./hack/setup-webhook-cert-integration-test.sh
 	$(GINKGO) \
 		--randomize-all \
 		--randomize-suites \
 		--fail-on-pending \
 		-trace \
 		test/integration/...
 
-
 .PHONY: test-e2e
 test-e2e: install-strategies test-e2e-plain
 
@@ -242,7 +237,17 @@ install-with-pprof:
 	GOOS=$(GO_OS) GOARCH=$(GO_ARCH) GOFLAGS="$(GO_FLAGS) -tags=pprof_enabled" ko apply -R -f deploy/ -- --server-side
 
 install-apis:
-	kubectl apply -f deploy/crds/ --server-side
+	for resource in buildruns builds buildstrategies clusterbuildstrategies ; do \
+		if kubectl get crd "$${resource}.shipwright.io" >/dev/null 2>&1 ; then \
+			if [ "$$(kubectl get crd "$${resource}.shipwright.io" -o go-template='{{.spec.conversion.webhook.clientConfig.caBundle}}')" == "<no value>" ] ; then \
+				kubectl replace -f "deploy/crds/shipwright.io_$${resource}.yaml" ; \
+			else \
+				kubectl apply -f "deploy/crds/shipwright.io_$${resource}.yaml" --server-side ; \
+			fi ; \
+		else \
+			kubectl create -f "deploy/crds/shipwright.io_$${resource}.yaml" ; \
+		fi ; \
+	done
 	for i in 1 2 3 ; do \
 		kubectl wait --timeout=$(TIMEOUT) --for="condition=Established" crd/clusterbuildstrategies.shipwright.io && \
 		break ; \
@@ -261,6 +266,7 @@ install-controller-kind: install-apis
 	ko apply \
 	  --platform=$(GO_OS)/$(GO_ARCH) \
 	  --filename=deploy
+	./hack/setup-webhook-cert.sh
 
 .PHONY: install-strategies
 install-strategies: install-apis

README.md

@@ -43,6 +43,7 @@ Shipwright supports any tool that can build container images in Kubernetes clust
   ```bash
   kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.44.0/release.yaml
   ```
+
   If you are using OpenShift cluster refer [Running on OpenShift](#running-on-openshift) for some more configurations.
 
 - Install the Shipwright deployment. To install the latest version, run:
@@ -51,12 +52,25 @@ Shipwright supports any tool that can build container images in Kubernetes clust
   kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/release.yaml
   ```
 
+  To install the latest nightly release, run:
+
+  ```bash
+  kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt).yaml" --server-side
+  curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh | bash
+  ```
+
 - Install the Shipwright strategies. To install the latest version, run:
 
   ```bash
   kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/sample-strategies.yaml
   ```
 
+  To install the latest nightly release, run:
+
+  ```bash
+  kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt)-sample-strategies.yaml" --server-side
+  ```
+
 - Generate a secret to access your container registry, such as one on [Docker Hub](https://hub.docker.com/) or [Quay.io](https://quay.io/):
 
   ```bash

deploy/crds/shipwright.io_buildruns.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -7,6 +6,16 @@ metadata:
   creationTimestamp: null
   name: buildruns.shipwright.io
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: shp-build-webhook
+          namespace: shipwright-build
+          path: /convert
+      conversionReviewVersions:
+      - v1
   group: shipwright.io
   names:
     kind: BuildRun
@@ -12246,3 +12255,4 @@ spec:
     storage: false
     subresources:
       status: {}
+

deploy/crds/shipwright.io_builds.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -7,6 +6,16 @@ metadata:
   creationTimestamp: null
   name: builds.shipwright.io
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: shp-build-webhook
+          namespace: shipwright-build
+          path: /convert
+      conversionReviewVersions:
+      - v1
   group: shipwright.io
   names:
     kind: Build
@@ -4090,3 +4099,4 @@ spec:
     storage: false
     subresources:
       status: {}
+

deploy/crds/shipwright.io_buildstrategies.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -7,6 +6,16 @@ metadata:
   creationTimestamp: null
   name: buildstrategies.shipwright.io
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: shp-build-webhook
+          namespace: shipwright-build
+          path: /convert
+      conversionReviewVersions:
+      - v1
   group: shipwright.io
   names:
     kind: BuildStrategy
@@ -4875,3 +4884,4 @@ spec:
     storage: false
     subresources:
       status: {}
+

deploy/crds/shipwright.io_clusterbuildstrategies.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -7,6 +6,16 @@ metadata:
   creationTimestamp: null
   name: clusterbuildstrategies.shipwright.io
 spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: shp-build-webhook
+          namespace: shipwright-build
+          path: /convert
+      conversionReviewVersions:
+      - v1
   group: shipwright.io
   names:
     kind: ClusterBuildStrategy
@@ -4875,3 +4884,4 @@ spec:
     storage: false
     subresources:
       status: {}
+

hack/customization/conversion_webhook_block.yaml

@@ -3,7 +3,6 @@ spec:
     strategy: Webhook
     webhook:
       clientConfig:
-        caBundle: CA_BUNDLE
         service:
           namespace: shipwright-build
           name: shp-build-webhook

hack/patch-crds-with-conversion.sh

@@ -7,28 +7,27 @@
 set -euo pipefail
 
 DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
-TARGET_DIR=/tmp/
 
 if ! hash spruce > /dev/null 2>&1 ; then
     echo "[ERROR] spruce binary is not installed, see the install-spruce target"
 fi
 
 echo "[INFO] Going to patch the Build CRD"
-spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_builds.yaml > /tmp/shipwright.io_builds.yaml
-mv /tmp/shipwright.io_builds.yaml "${DIR}"/deploy/crds/shipwright.io_builds.yaml
+spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_builds.yaml" > /tmp/shipwright.io_builds.yaml
+mv /tmp/shipwright.io_builds.yaml "${DIR}/deploy/crds/shipwright.io_builds.yaml"
 echo "[INFO] Build CRD successfully patched"
 
 echo "[INFO] Going to patch the BuildRun CRD"
-spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildruns.yaml > /tmp/shipwright.io_buildruns.yaml
-mv /tmp/shipwright.io_buildruns.yaml "${DIR}"/deploy/crds/shipwright.io_buildruns.yaml
+spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" > /tmp/shipwright.io_buildruns.yaml
+mv /tmp/shipwright.io_buildruns.yaml "${DIR}/deploy/crds/shipwright.io_buildruns.yaml"
 echo "[INFO] BuildRun CRD successfully patched"
 
 echo "[INFO] Going to patch the BuildStrategy CRD"
-spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildstrategies.yaml > /tmp/shipwright.io_buildstrategies.yaml
-mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_buildstrategies.yaml
+spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" > /tmp/shipwright.io_buildstrategies.yaml
+mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml"
 echo "[INFO] BuildStrategy CRD successfully patched"
 
 echo "[INFO] Going to patch the ClusterBuildStrategy CRD"
-spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_clusterbuildstrategies.yaml > /tmp/shipwright.io_clusterbuildstrategies.yaml
-mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_clusterbuildstrategies.yaml
-echo "[INFO] ClusterBuildStrategy CRD successfully patched"
+spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" > /tmp/shipwright.io_clusterbuildstrategies.yaml
+mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml"
+echo "[INFO] ClusterBuildStrategy CRD successfully patched"

hack/release.sh

@@ -13,19 +13,28 @@ echo "Building container image"
 
 echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}"
 
+PLATFORM="${PLATFORM:-all}"
+
+echo "[INFO] Building images and release.yaml"
 KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \
   --base-import-paths \
+  --recursive \
   --tags "${TAG}" \
   --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
-  --platform=all -R -f deploy/ > release.yaml
+  --platform "${PLATFORM}" \
+  --filename deploy/ > release.yaml
 
+echo "[INFO] Building debug images and release-debug.yaml"
 KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \
   --base-import-paths \
+  --recursive \
   --tags "${TAG}-debug" \
   --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
-  --platform=all -R -f deploy/ > release-debug.yaml
+  --platform "${PLATFORM}" \
+  --filename deploy/ > release-debug.yaml
 
 # Bundle the sample cluster build strategies, remove namespace strategies first
+echo "[INFO] Bundling sample build strategies"
 find samples/buildstrategy -type f -print0 | xargs -0 grep -l "kind: BuildStrategy" | xargs rm -f
-ko resolve -R -f samples/buildstrategy/ > sample-strategies.yaml
+KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/ > sample-strategies.yaml
 git restore samples/buildstrategy