cert-manager: fast-forward to upstream 3945595b

[munnerz]

What this PR does / why we need it:

This PR should not be merged yet

This is a draft PR to update the Helm chart for the v0.5 cert-manager release.

I am opening it now ahead of time, as it involves a few larger changes than usual and I'd like to get review feedback ahead of cutting a release to ensure the PR can be accepted in its current form.

A breakdown of what is is included and corresponding PRs:

• added affinity and tolerations (added affinity and tolerations cert-manager/cert-manager#869)
• Add validating webhook and webhook tls autoconfiguration (Add validating webhook and webhook tls autoconfiguration cert-manager/cert-manager#478)
• chart: annotate all CRDs with "crd-install" hook (chart: annotate all CRDs with "crd-install" hook cert-manager/cert-manager#823)
• helm chart: remove endpoints from rbac resources (helm chart: remove endpoints from rbac resources cert-manager/cert-manager#769)

/hold
/cc @unguiculus

[munnerz]

Added a few comments to help with review!

[munnerz]

These will both be bumped to v0.5

[munnerz]

This change will be reverted and updated to v0.5.0 accordingly

[munnerz]

This file is only created when generating static deployment manifests, and the updates here are to keep it in line with default Helm 2.10 behaviour (and the second one is to help with the webhook deployment, and is effectively a no-op as we also match on the 'name' label)

[munnerz]

I noticed issues when adding the helm.sh/hook: crd-install hook with versions of Tiller that do not support the hook.

[munnerz]

This means we drop support for cert-manager v0.2.0-v0.2.2 (iirc). In general, our rule is v0.4.x of the chart is compatible with v0.4.y of cert-manager (i.e. we do not pin the patch version of appVersion and version, but we do pin minor versions).

[munnerz]

Will be updated to v0.5.0 and IfNotPresent

[munnerz]

We disable the new webhook chart by default

[cpanato]

can you add a test to validate when the webhook is true?

[cpanato]

@munnerz please sign the DCO and

• since you are introducing some new things please bump the minor version or move to 1.0.0, since this chart is in the stable folder and was discussed in the helm chart meeting last week that all charts in stable should be at least 1.0.0 and not 0.x.y

side question: why use a dev image?

[munnerz]

Hey @cpanato,

re: DCO - will do. I am just putting a few changes together for this PR (i.e. the image tags). As I say, still WIP 😄

... in the helm chart meeting last week that all charts in stable should be at least 1.0.0 and not 0.x.y

This goes against our own versioning strategy - as explained here #7644 (comment), to make user's lives easier, we pin our minor versions to each other so they can be sure that v0.4.x of the Helm chart works with (and deploys) v0.4.y of cert-manager. This makes users rolling back/forward far easier, and helps when users understand when they can and cannot use a simple helm upgrade cert-manager ... --set image.tag=v0.4.y.

We'd really like to not have to modify this behaviour, as I think it hurts usability and will generally just not help users at all.

As such, I'd like to request we can continue to use a v0.x.y format until cert-manager itself reaches (v1.0.0) (which will hopefully be within the next few months).

edit:

if not, I think it's best this chart is moved to incubator, or otherwise removed from stable so we can host it ourselves until cert-manager does reach 1.0

[cpanato]

thanks so much for the clarification.

Can you set the title if the PR to say that is in WIP? like [WIP] cert-manager: fast-forward to upstream 3945595b

[munnerz]

I've updated the version numbers as mentioned in my above comments.

It'd be great if someone can verify the use of a subchart here is correct 😄

[munnerz]

Removed the WIP designation - if someone could take a look, I can then go ahead and release v0.5 on our end 😄

[cpanato]

maybe add a better description of what that is.

[cpanato]

Is this image correct?

[munnerz]

Updating to v0.1.0

[munnerz]

Addressed comments @cpanato

[cpanato]

@munnerz test failed because the image does not exist in quay

[munnerz]

I've now cut the v0.5.0 release, so docker images should be available now!

This should be good to go 😄

/retest
/hold cancel

[munnerz]

@mattfarina looks like the dco-labeler is not working - could you give it a kick? I am not too sure what events you have configured the labeler bot to listen for so not sure how to trigger it myself!

[cpanato]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• stable/cert-manager/OWNERS [munnerz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cpanato]

/check-cla

[cpanato]

/check-dco

[munnerz]

Thanks @cpanato! I will remember the incantation for next time 😄

[cpanato]

/retest

[cpanato]

saw this error

Error: customresourcedefinitions.apiextensions.k8s.io "certificates.certmanager.k8s.io" already exists

should we provide a test input to change that? how was it done in the past?

@mattfarina

[cpanato]

@munnerz maybe you can add a test values.yaml to set the createCustomResource: true to false

[munnerz]

I think that'd work in this instance, but is surely a temporary workaround?

I see two reasons for that error:

1. cert-manager is being used in the test cluster for some other purpose already, meaning the CRD exists (seems unlikely)
2. a previous helm install half succeeded (i.e. created the CRD resource), but eventually failed, meaning helm delete was not run (thus leaving the CRD installed).

Perhaps I am wrong 😄 setting createCustomResource: false would work, until that test cluster is rebuilt and the CRD is removed.

I've not run into this problem before, which leads me to think this is caused by (2) 😄

[cpanato]

lets try a retest again 😄

/retest

[cpanato]

Then if the delete failed or did not run for any reason, we will need someone from the inside to make some cleanup

[mattfarina]

/retest

[mattfarina]

The issue is that the CRDs were not cleaned up, for some reason, in the test cluster on a previous run.

[cpanato]

@mattfarina thanks for fixing/cleaning

[Antiarchitect]

I have an issue that CRD's are not created at all.
Upgrading from 0.3.1 to 0.5.0 and having latest Tiller:

Client: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}

I have this while deploying:

Error: UPGRADE FAILED: unable to recognize "": no matches for kind "ClusterIssuer" in version "certmanager.k8s.io/v1alpha1"

@munnerz

[eldondevat]

@Antiarchitect are you still encountering this bug, I believe I am, too. Did you ever find a workaround?