From 827710dc642f357b9f3d2cfea86d8944ba16c4fc Mon Sep 17 00:00:00 2001 From: Sascha Schwarze Date: Sun, 17 Sep 2023 21:52:39 +0200 Subject: [PATCH] Update nightly build to cover caBundle setup for webhook --- .github/workflows/ci.yml | 1 - .github/workflows/nightly.yaml | 7 +++- .github/workflows/release.yaml | 4 +- Makefile | 6 +-- README.md | 14 +++++++ deploy/crds/shipwright.io_buildruns.yaml | 12 +++++- deploy/crds/shipwright.io_builds.yaml | 12 +++++- .../crds/shipwright.io_buildstrategies.yaml | 12 +++++- .../shipwright.io_clusterbuildstrategies.yaml | 12 +++++- .../conversion_webhook_block.yaml | 1 - hack/patch-crds-with-conversion.sh | 19 ++++----- hack/release.sh | 15 +++++-- ...generate-cert.sh => setup-webhook-cert.sh} | 42 ++++++++++++------- 13 files changed, 115 insertions(+), 42 deletions(-) rename hack/{generate-cert.sh => setup-webhook-cert.sh} (51%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index be2ededd0c..9de48fec6d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -178,7 +178,6 @@ jobs: version: v0.13.0 - name: Install Shipwright Build run: | - make prepare-conversion make install-controller-kind kubectl -n shipwright-build rollout status deployment shipwright-build-controller --timeout=1m || true kubectl -n shipwright-build rollout status deployment shipwright-build-webhook --timeout=1m || true diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 017e74ef6d..821f8e670a 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -29,9 +29,11 @@ jobs: # Install tools - uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 - uses: sigstore/cosign-installer@v3 + - name: Install Spruce + run: make install-spruce - name: Get current date id: date 
@@ -55,6 +57,9 @@ jobs: mv sample-strategies.yaml nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml gh release upload nightly nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml + echo ${{ steps.date.outputs.date }} > /tmp/latest.txt + gh release upload nightly /tmp/latest.txt --clobber + - name: Update latest tag of supporting images working-directory: ./cmd run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f54c13569a..c22e19162b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -37,8 +37,10 @@ jobs: # Install tools - uses: ko-build/setup-ko@v0.6 with: - version: v0.13.0 + version: v0.14.1 - uses: sigstore/cosign-installer@v3 + - name: Install Spruce + run: make install-spruce - name: Build Release Changelog env: diff --git a/Makefile b/Makefile index a6af76d754..057e50032c 100644 --- a/Makefile +++ b/Makefile @@ -113,11 +113,6 @@ generate: hack/generate-copyright.sh hack/install-controller-gen.sh "$(CONTROLLER_GEN)" crd rbac:roleName=manager-role webhook paths="./..." output:crd:dir=deploy/crds - -.PHONY: prepare-conversion -prepare-conversion: - hack/generate-cert.sh - hack/install-spruce.sh hack/patch-crds-with-conversion.sh .PHONY: verify-generate @@ -261,6 +256,7 @@ install-controller-kind: install-apis ko apply \ --platform=$(GO_OS)/$(GO_ARCH) \ --filename=deploy + ./hack/setup-webhook-cert.sh .PHONY: install-strategies install-strategies: install-apis diff --git a/README.md b/README.md index d12ed8cb5b..203a9dd65f 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ Shipwright supports any tool that can build container images in Kubernetes clust ```bash kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.44.0/release.yaml ``` + If you are using OpenShift cluster refer [Running on OpenShift](#running-on-openshift) for some more configurations. - Install the Shipwright deployment. To install the latest version, run: 
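Review bot: In the nightly.yaml hunk at `@@ -55,6 +57,9 @@`, the added `echo ${{ steps.date.outputs.date }} > /tmp/latest.txt` splices a workflow expression unquoted into the shell script and writes to a fixed path under /tmp. The value comes from the earlier date step, so the exposure is small, but passing it through `env:` (the variable name here is only an example) and writing `echo "${NIGHTLY_DATE}" > "${RUNNER_TEMP}/latest.txt"` keeps template expansion out of the script body. The README lines added in this same patch read this asset with `curl --silent` and no `--location` or `--fail`; release download URLs are normally answered with a redirect, so it is worth confirming that the command substitution does not come back empty. The step this line belongs to starts outside the hunk.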
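Review bot: In the Makefile hunk at `@@ -113,11 +113,6 @@`, removing the `prepare-conversion` target leaves `hack/patch-crds-with-conversion.sh` as the last recipe line of `generate`, but the `hack/install-spruce.sh` call that used to precede it is gone, so `make generate` now needs spruce already on PATH. The workflows in this patch run `make install-spruce` first; a local run has no such step, and the spruce check visible in the patch-crds-with-conversion.sh hunk only prints an error without exiting. Declaring the prerequisite on the rule (`generate: install-spruce`, if that target is cheap to re-run) or adding a comment above the recipe line such as `# requires spruce on PATH, see the install-spruce target` would make the dependency visible. The `generate` rule header itself is outside the hunk.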
@@ -51,12 +52,25 @@ Shipwright supports any tool that can build container images in Kubernetes clust kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/release.yaml ``` + To install the latest nightly release, run: + + ```bash + kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt).yaml" --server-side + curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh | bash + ``` + - Install the Shipwright strategies. To install the latest version, run: ```bash kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/sample-strategies.yaml ``` + To install the latest nightly release, run: + + ```bash + kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt)-sample-strategies.yaml" --server-side + ``` + - Generate a secret to access your container registry, such as one on [Docker Hub](https://hub.docker.com/) or [Quay.io](https://quay.io/): ```bash diff --git a/deploy/crds/shipwright.io_buildruns.yaml b/deploy/crds/shipwright.io_buildruns.yaml index d29e03082e..7c20b53880 100644 --- a/deploy/crds/shipwright.io_buildruns.yaml +++ b/deploy/crds/shipwright.io_buildruns.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: buildruns.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: BuildRun @@ -12246,3 +12255,4 @@ spec: storage: false subresources: status: {} + 
diff --git a/deploy/crds/shipwright.io_builds.yaml b/deploy/crds/shipwright.io_builds.yaml index bfa8e8c74e..a467b4b339 100644 --- a/deploy/crds/shipwright.io_builds.yaml +++ b/deploy/crds/shipwright.io_builds.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: builds.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: Build @@ -4090,3 +4099,4 @@ spec: storage: false subresources: status: {} + diff --git a/deploy/crds/shipwright.io_buildstrategies.yaml b/deploy/crds/shipwright.io_buildstrategies.yaml index e557e5282b..b86d99df10 100644 --- a/deploy/crds/shipwright.io_buildstrategies.yaml +++ b/deploy/crds/shipwright.io_buildstrategies.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: buildstrategies.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: BuildStrategy @@ -4875,3 +4884,4 @@ spec: storage: false subresources: status: {} + diff --git a/deploy/crds/shipwright.io_clusterbuildstrategies.yaml b/deploy/crds/shipwright.io_clusterbuildstrategies.yaml index 226681eadc..ddc3944fc0 100644 --- a/deploy/crds/shipwright.io_clusterbuildstrategies.yaml +++ b/deploy/crds/shipwright.io_clusterbuildstrategies.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -7,6 +6,16 @@ metadata: creationTimestamp: null name: clusterbuildstrategies.shipwright.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: shp-build-webhook + namespace: shipwright-build + path: /convert + conversionReviewVersions: + - v1 group: shipwright.io names: kind: ClusterBuildStrategy @@ -4875,3 +4884,4 @@ spec: storage: false subresources: status: {} + diff --git a/hack/customization/conversion_webhook_block.yaml b/hack/customization/conversion_webhook_block.yaml index bc522af260..0b6828b527 100644 --- a/hack/customization/conversion_webhook_block.yaml +++ b/hack/customization/conversion_webhook_block.yaml @@ -3,7 +3,6 @@ spec: strategy: Webhook webhook: clientConfig: - caBundle: CA_BUNDLE service: namespace: shipwright-build name: shp-build-webhook diff --git a/hack/patch-crds-with-conversion.sh b/hack/patch-crds-with-conversion.sh index b1487b503e..3f551e21c7 100755 --- a/hack/patch-crds-with-conversion.sh +++ b/hack/patch-crds-with-conversion.sh 
@@ -7,28 +7,27 @@ set -euo pipefail DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)" -TARGET_DIR=/tmp/ if ! hash spruce > /dev/null 2>&1 ; then echo "[ERROR] spruce binary is not installed, see the install-spruce target" fi echo "[INFO] Going to patch the Build CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_builds.yaml > /tmp/shipwright.io_builds.yaml -mv /tmp/shipwright.io_builds.yaml "${DIR}"/deploy/crds/shipwright.io_builds.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_builds.yaml" > /tmp/shipwright.io_builds.yaml +mv /tmp/shipwright.io_builds.yaml "${DIR}/deploy/crds/shipwright.io_builds.yaml" echo "[INFO] Build CRD successfully patched" echo "[INFO] Going to patch the BuildRun CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildruns.yaml > /tmp/shipwright.io_buildruns.yaml -mv /tmp/shipwright.io_buildruns.yaml "${DIR}"/deploy/crds/shipwright.io_buildruns.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" > /tmp/shipwright.io_buildruns.yaml +mv /tmp/shipwright.io_buildruns.yaml "${DIR}/deploy/crds/shipwright.io_buildruns.yaml" echo "[INFO] BuildRun CRD successfully patched" echo "[INFO] Going to patch the BuildStrategy CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_buildstrategies.yaml > /tmp/shipwright.io_buildstrategies.yaml -mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_buildstrategies.yaml +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" > /tmp/shipwright.io_buildstrategies.yaml +mv /tmp/shipwright.io_buildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_buildstrategies.yaml" echo "[INFO] BuildStrategy CRD successfully patched" echo 
"[INFO] Going to patch the ClusterBuildStrategy CRD" -spruce merge $DIR/hack/customization/conversion_webhook_block.yaml $DIR/deploy/crds/shipwright.io_clusterbuildstrategies.yaml > /tmp/shipwright.io_clusterbuildstrategies.yaml -mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}"/deploy/crds/shipwright.io_clusterbuildstrategies.yaml -echo "[INFO] ClusterBuildStrategy CRD successfully patched" \ No newline at end of file +spruce merge "${DIR}/hack/customization/conversion_webhook_block.yaml" "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" > /tmp/shipwright.io_clusterbuildstrategies.yaml +mv /tmp/shipwright.io_clusterbuildstrategies.yaml "${DIR}/deploy/crds/shipwright.io_clusterbuildstrategies.yaml" +echo "[INFO] ClusterBuildStrategy CRD successfully patched" diff --git a/hack/release.sh b/hack/release.sh index 9f388265ed..3e6ca638bc 100755 --- a/hack/release.sh +++ b/hack/release.sh 
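Review bot: The spruce check kept at the top of this hunk echoes `[ERROR] spruce binary is not installed ...` but has no `exit 1`, so the script carries on to the first `spruce merge` and only stops there through `set -e`, after the redirect has already created the output file. The preflight checks added to setup-webhook-cert.sh in this patch do exit, and this one should match. Each merge also writes to a fixed name such as `/tmp/shipwright.io_builds.yaml`; on a shared machine a predictable path in /tmp can be pre-created or symlinked by another user, so `tmp="$(mktemp)"` followed by `spruce merge ... > "${tmp}"` and `mv "${tmp}" ...` is the safer form. The four near-identical merge/mv pairs could be folded into one loop over the CRD file names at the same time.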
@@ -13,19 +13,28 @@ echo "Building container image" echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}" +PLATFORM="${PLATFORM:-all}" + +echo "[INFO] Building images and release.yaml" KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \ --base-import-paths \ + --recursive \ --tags "${TAG}" \ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \ - --platform=all -R -f deploy/ > release.yaml + --platform "${PLATFORM}" \ + --filename deploy/ > release.yaml +echo "[INFO] Building debug images and release-debug.yaml" KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \ --base-import-paths \ + --recursive \ --tags "${TAG}-debug" \ --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \ - --platform=all -R -f deploy/ > release-debug.yaml + --platform "${PLATFORM}" \ + --filename deploy/ > release-debug.yaml # Bundle the sample cluster build strategies, remove namespace strategies first +echo "[INFO] Bundling sample build strategies" find samples/buildstrategy -type f -print0 | xargs -0 grep -l "kind: BuildStrategy" | xargs rm -f -ko resolve -R -f samples/buildstrategy/ > sample-strategies.yaml +KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/ > sample-strategies.yaml git restore samples/buildstrategy diff --git a/hack/generate-cert.sh b/hack/setup-webhook-cert.sh similarity index 51% rename from hack/generate-cert.sh rename to hack/setup-webhook-cert.sh index 5023293c73..84dfc65c17 100755 --- a/hack/generate-cert.sh +++ b/hack/setup-webhook-cert.sh 
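Review bot: `KO_DOCKER_REPO=dummy` on the sample-strategies `ko resolve` line is unexplained. Presumably ko refuses to run without the variable even when no `ko://` reference needs building; a comment such as `# KO_DOCKER_REPO must be set for ko to run; nothing is built or pushed from the samples` would record that. If an image reference ever does appear under samples/buildstrategy, ko would try to publish to a repository literally named `dummy`, so a placeholder that cannot resolve to a real registry namespace, for example `ko.local`, may be the safer choice.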
@@ -6,9 +6,17 @@ set -euo pipefail -DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)" +if ! hash jq >/dev/null 2>&1 ; then + echo "[ERROR] jq is not installed" + exit 1 +fi -echo "[INFO] Generating key for Shipwright Build Webhook" +if ! hash openssl >/dev/null 2>&1 ; then + echo "[ERROR] openssl is not installed" + exit 1 +fi + +echo "[INFO] Generating key and signing request for Shipwright Build Webhook" cat </tmp/csr.conf [req] @@ -28,11 +36,11 @@ DNS.4 = shp-build-webhook.shipwright-build.svc.cluster.local EOF openssl genrsa -out /tmp/server-key.pem 2048 -openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf +openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf + echo "[INFO] Deleting previous CertificateSigningRequest" kubectl delete csr shipwright-build-webhook-csr --ignore-not-found - echo "[INFO] Create a CertificateSigningRequest" cat <
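Review bot: The new preflight checks in the `@@ -6,9 +6,17 @@` hunk cover `jq` and `openssl` but not `kubectl`, which the script calls a few lines later (`kubectl delete csr ...` in the next hunk), and the error text goes to stdout; add `if ! hash kubectl >/dev/null 2>&1 ; then echo "[ERROR] kubectl is not installed" >&2; exit 1; fi`. As far as the visible part of the following hunk shows, the private key and request are still written to fixed paths (`/tmp/server-key.pem`, `/tmp/server.csr`, `/tmp/csr.conf`); a private `mktemp -d` directory with a cleanup `trap` would avoid predictable paths in a shared /tmp and leftover key material after the run. The README added in this patch has users pipe this script from the `main` branch straight into bash, so pinning that URL to the tag or commit being installed would keep the script and the manifests in step.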