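# The version which will be reported by the --version argument of each binary
# and which will be used as the Docker image tag.
#
# Derived at parse time from the tags of the upstream repository: a temporary
# remote is added, its tags are fetched over the network, and `git describe`
# output such as v1.2.3-4-gabcdef is cut back to v1.2.3 by awk.  This runs on
# EVERY make invocation (including targets that need no version) and needs
# network and git access.  The temporary remote is removed again whether or
# not the fetch/describe succeeded, and a leftover remote from an interrupted
# run is cleared first — previously a stale `mainRepo` made `git remote add`
# fail and VERSION silently expand to empty.  Can be overridden from the
# command line: make VERSION=v1.2.3 <target>
VERSION := $(shell \
  git remote remove mainRepo >/dev/null 2>&1; \
  git remote add mainRepo https://github.com/cert-manager/aws-privateca-issuer.git \
  && git fetch mainRepo --tags \
  && git describe --tags | awk -F"-" '{print $$1}'; \
  git remote remove mainRepo >/dev/null 2>&1)
# Default bundle image tag
BUNDLE_IMG ?= controller-bundle:$(VERSION)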
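# Options for 'bundle-build'.
# $(origin) rather than ifdef so that an explicitly empty CHANNELS= still counts
# as "set".  Both result variables are always defined (possibly empty) so that
# expanding BUNDLE_METADATA_OPTS never trips --warn-undefined-variables.
ifneq ($(origin CHANNELS), undefined)
BUNDLE_CHANNELS := --channels=$(CHANNELS)
else
BUNDLE_CHANNELS :=
endif
ifneq ($(origin DEFAULT_CHANNEL), undefined)
BUNDLE_DEFAULT_CHANNEL := --default-channel=$(DEFAULT_CHANNEL)
else
BUNDLE_DEFAULT_CHANNEL :=
endif
BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)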
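# ---- GNU make hygiene -------------------------------------------------------
# Warn on misspelled variables, run recipes under bash, drop half-written
# targets when a recipe fails, disable legacy suffix rules and run each recipe
# in ONE shell (the multi-line if/fi blocks further down rely on this).
MAKEFLAGS += --warn-undefined-variables
SHELL := bash
# With .ONESHELL a recipe would otherwise report only the exit status of its
# LAST line, so a failing curl/kubectl in the middle went unnoticed.  -e aborts
# on the first failing command; pipefail makes a failing producer in the
# `kustomize build ... | kubectl apply ...` pipelines fail the recipe too.
# -u is deliberately NOT set: recipes probe optional env vars with [[ -z "$VAR" ]].
.SHELLFLAGS := -e -o pipefail -c
.DELETE_ON_ERROR:
.SUFFIXES:
.ONESHELL: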
# The Docker repository name, overridden in CI.
DOCKER_REGISTRY ?= ghcr.io
DOCKER_IMAGE_NAME ?= cert-manager/aws-privateca-issuer/controller
# Image URL to use all building/pushing image targets.
# NOTE(review): VERSION comes from `git describe` at parse time; when that
# fails the tag is empty and this reference ends in ":" — worth checking before
# a push.
IMG ?= ${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${VERSION}
# Produce CRDs that work back to Kubernetes 1.11 (no version conversion).
# The double quotes are part of the value; the recipe shell strips them.
CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
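# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set).
# Simply-expanded: the previous recursive assignment re-ran `go env` on every
# reference.  NOTE(review): no recipe in this file reads GOBIN (go-install-tool
# sets its own); kept in case something outside the Makefile relies on it.
GOBIN := $(or $(shell go env GOBIN),$(shell go env GOPATH)/bin)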
# BIN is the directory where tools will be installed; exported into the
# environment of the recipes' child processes.
export BIN ?= ${CURDIR}/bin
# Host platform as reported by the Go toolchain; selects the kind release asset.
OS := $(shell go env GOOS)
ARCH := $(shell go env GOARCH)
# Kind — pinned version.  The binary lives at a version-suffixed path, so a
# version bump naturally triggers a fresh download.
KIND_VERSION := 0.11.1
KIND := ${BIN}/kind-${KIND_VERSION}
K8S_CLUSTER_NAME := pca-external-issuer
# cert-manager release applied by deploy-cert-manager.
CERT_MANAGER_VERSION ?= v1.11.0
# Controller tools.  NOTE(review): CONTROLLER_GEN is assigned again further down
# (next to the controller-gen target) as an unversioned bin/controller-gen, and
# that later assignment is the one the recipes see.
CONTROLLER_GEN_VERSION := 0.5.0
CONTROLLER_GEN := ${BIN}/controller-gen-${CONTROLLER_GEN_VERSION}
# Output path of the generated all-in-one install manifest.
INSTALL_YAML ?= build/install.yaml
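# Default goal: build the controller binary.
.PHONY: all
all: manager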
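# ---- Tests ------------------------------------------------------------------
ENVTEST_ASSETS_DIR := $(CURDIR)/testbin
ENVTEST_SETUP_SCRIPT := ${ENVTEST_ASSETS_DIR}/setup-envtest.sh
# The helper script is fetched from a release TAG of controller-runtime and
# then `source`d, i.e. executed with the caller's privileges.  A tag can be
# moved; pinning a commit SHA in the URL, or checking the file against a known
# checksum before sourcing it, would turn this into a real pin.
ENVTEST_SETUP_URL := https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.7.0/hack/setup-envtest.sh
# Downloaded once (the file itself is the cache, as the old `test -f ||` did).
# --fail keeps an HTTP error page from being saved and later sourced; the
# temp-file + mv keeps a partial download from looking complete.
${ENVTEST_SETUP_SCRIPT}:
	mkdir -p $(@D)
	curl -fsSL -o $@.tmp ${ENVTEST_SETUP_URL}
	mv -f $@.tmp $@
# Unit tests (./pkg/...) under envtest; coverage goes to cover.out.
.PHONY: test
test: generate fmt vet lint manifests ${ENVTEST_SETUP_SCRIPT}
	source ${ENVTEST_SETUP_SCRIPT}; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); go test -v ./pkg/... -coverprofile cover.out
# End-to-end tests (./e2e/...); run after the unit tests and overwrite cover.out.
.PHONY: e2etest
e2etest: test ${ENVTEST_SETUP_SCRIPT}
	source ${ENVTEST_SETUP_SCRIPT}; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); go test -v ./e2e/... -coverprofile cover.out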
# Run the Helm chart E2E script; needs the built binary and a kind cluster.
# $$SHELL is the caller's login shell taken from the environment — not the
# bash that make uses for recipes.  NOTE(review): if the scripts rely on bash
# features, invoke them with bash explicitly.
helm-test: manager kind-cluster
	$$SHELL e2e/helm_test.sh
# Run e2e/blog_test.sh; unlike helm-test it declares no cluster prerequisite.
blog-test:
	$$SHELL e2e/blog_test.sh
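# Build manager binary into bin/manager, stamping VERSION into the variable
# that the binary's --version flag reports.
.PHONY: manager
manager: generate fmt vet lint
	go build \
		-ldflags="-X github.com/cert-manager/aws-privateca-issuer/pkg/api/injections.PlugInVersion=${VERSION}" \
		-o bin/manager main.go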
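# Run the controller locally from source against the configured Kubernetes
# cluster in ~/.kube/config (no --kubeconfig is passed here, unlike the E2E
# targets below).
.PHONY: run
run: generate fmt vet lint manifests
	go run ./main.go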
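# Install CRDs into the E2E cluster (kubeconfig at TEST_KUBECONFIG_LOCATION).
.PHONY: install uninstall
install: manifests kustomize
	$(KUSTOMIZE) build config/crd | kubectl apply -f - --kubeconfig=${TEST_KUBECONFIG_LOCATION}
# Uninstall CRDs from the E2E cluster.
uninstall: manifests kustomize
	$(KUSTOMIZE) build config/crd | kubectl delete -f - --kubeconfig=${TEST_KUBECONFIG_LOCATION}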
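# Render ./config/default into a single manifest with the controller image set
# to ${IMG}.  Deliberately .PHONY so it is regenerated on every run.  kustomize
# create/edit write a kustomization.yaml into the repository root; it is removed
# first and is left behind afterwards.  The output is written to a temp file and
# moved into place so an aborted build never leaves a truncated manifest.
.PHONY: ${INSTALL_YAML} kustomize
${INSTALL_YAML}: kustomize
	mkdir -p $(@D)
	rm -f kustomization.yaml
	$(KUSTOMIZE) create --resources ./config/default
	$(KUSTOMIZE) edit set image controller=${IMG}
	$(KUSTOMIZE) build . > $@.tmp && mv -f $@.tmp $@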
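# Deploy the controller into the E2E cluster (kubeconfig at
# TEST_KUBECONFIG_LOCATION) from the generated install manifest.
.PHONY: deploy undeploy
deploy: ${INSTALL_YAML}
	kubectl apply -f ${INSTALL_YAML} --kubeconfig=${TEST_KUBECONFIG_LOCATION}
# Undeploy the controller from the E2E cluster.  Depends on kustomize so the
# binary is fetched when missing, as install/uninstall already do.  Note that
# it deletes what config/default renders, not the edited install manifest.
undeploy: kustomize
	$(KUSTOMIZE) build config/default | kubectl delete -f - --kubeconfig=${TEST_KUBECONFIG_LOCATION}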
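# Generate manifests e.g. CRD, RBAC etc. with controller-gen; CRDs land in
# config/crd/bases, the RBAC role is named manager-role.
.PHONY: manifests
manifests: controller-gen
	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases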
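.PHONY: fmt vet lint
# Run go fmt against code
fmt:
	go fmt ./...
# Run go vet against code
vet:
	go vet ./...
# Placeholder kept so targets that list `lint` as a prerequisite still resolve.
# The golangci-lint/golint invocations that used to live here were disabled
# ("deprecated with go1.18"); re-enable by depending on golangci-lint and
# running $(GOLANGCILINT) run --timeout 10m.
lint:
	echo "Linter is deprecated with go1.18!"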
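# Generate code: run controller-gen's `object` generator over ./... with the
# license header from hack/boilerplate.go.txt.
.PHONY: generate
generate: controller-gen
	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."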
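# Build the docker image (tests run first).  VERSION is passed as the
# pkg_version build arg; the build context is the repository root.
.PHONY: docker-build docker-push
docker-build: test
	docker build \
		--build-arg pkg_version=${VERSION} \
		--tag ${IMG} \
		--file Dockerfile \
		${CURDIR}
# Push the docker image
docker-push:
	docker push ${IMG}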
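# Tool binaries under <cwd>/bin.  Simply-expanded: the previous recursive
# `$(shell pwd)` assignments spawned a shell on every reference.
# NOTE(review): this CONTROLLER_GEN assignment supersedes the versioned path
# set near the top of the file — the later assignment wins.
# NOTE(review): the module@version arguments below were mangled in this copy
# of the file (rendered as `[email protected]`); restore the exact
# `<module>@v<version>` strings from the original file.  The explicit @version
# is what makes go-install-tool reproducible, so do not drop it.
CONTROLLER_GEN := $(CURDIR)/bin/controller-gen
.PHONY: controller-gen kustomize golint golangci-lint
controller-gen:
	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/[email protected])
# Download kustomize locally if necessary
KUSTOMIZE := $(CURDIR)/bin/kustomize
kustomize:
	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/[email protected])
# golint is no longer installed; the target is kept for callers that list it.
GOLINT := $(CURDIR)/bin/golint
golint:
	echo "golint is deprecated, skipping"
GOLANGCILINT := $(CURDIR)/bin/golangci-lint
golangci-lint:
	$(call go-install-tool,$(GOLANGCILINT),github.com/golangci/golangci-lint/cmd/[email protected])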
# go-install-tool will 'go get' any package $2 and install it to $1.
# $(1): absolute path of the binary; the whole install is skipped when the
#       file already exists.
# $(2): module path passed to `go install` (with its @version suffix).
# Runs from a throw-away module in a temp directory so the project's go.mod is
# not modified, and forces GOBIN to <project>/bin so the result lands where
# CONTROLLER_GEN, KUSTOMIZE, GOLINT and GOLANGCILINT point.  PROJECT_DIR is the
# directory of this Makefile, which equals the `$(shell pwd)/bin` used by those
# variables only when make runs from the repository root.
# NOTE(review): with an explicit @version, `go install` verifies the module as
# configured by GOPROXY/GOSUMDB in the environment; leave those at their
# defaults so the checksum-database check stays in effect.
PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
define go-install-tool
@[ -f $(1) ] || { \
set -e ;\
TMP_DIR=$$(mktemp -d) ;\
cd $$TMP_DIR ;\
go mod init tmp ;\
echo "Downloading $(2)" ;\
GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
rm -rf $$TMP_DIR ;\
}
endef
# Operator bundle: regenerate the kustomize manifests, point the manager
# kustomization at ${IMG}, emit the bundle for ${VERSION} and validate it.
.PHONY: bundle bundle-build
bundle: manifests kustomize
	operator-sdk generate kustomize manifests -q
	cd config/manager && ${KUSTOMIZE} edit set image controller=${IMG}
	${KUSTOMIZE} build config/manifests | operator-sdk generate bundle -q --overwrite --version ${VERSION} ${BUNDLE_METADATA_OPTS}
	operator-sdk bundle validate ./bundle
# Build the bundle image from bundle.Dockerfile, tagged ${BUNDLE_IMG}.
bundle-build:
	docker build -f bundle.Dockerfile -t ${BUNDLE_IMG} .
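# ==================================
# E2E testing
# ==================================
# The double quotes are part of the next two values; the recipe shell removes
# them, so the quoted form is only safe inside recipes.
REGISTRY_NAME := "kind-registry"
REGISTRY_PORT := 5000
LOCAL_IMAGE := "localhost:${REGISTRY_PORT}/aws-privateca-issuer"
NAMESPACE := aws-privateca-issuer
SERVICE_ACCOUNT := ${NAMESPACE}-sa
# kind-cluster writes the cluster's admin kubeconfig here and the kubectl
# recipes read it.  Overridable (?=) so CI or a multi-user host can point it at
# a private directory instead of a fixed, predictable path in the shared /tmp.
TEST_KUBECONFIG_LOCATION ?= /tmp/pca_kubeconfig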
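# Start a local registry:2 container bound to the loopback interface only (no
# remote host can push into it); reuse the container when it is already
# running.  Instead of a fixed 15 s sleep, poll the registry API and fail if it
# never answers — the later docker-push-local would fail anyway.
.PHONY: create-local-registry
create-local-registry:
	RUNNING=$$(docker inspect -f '{{.State.Running}}' ${REGISTRY_NAME} 2>/dev/null || true)
	if [ "$$RUNNING" != 'true' ]; then
		docker run -d --restart=always -p "127.0.0.1:${REGISTRY_PORT}:5000" --name ${REGISTRY_NAME} registry:2
	fi
	for _ in $$(seq 1 30); do
		curl -fs http://127.0.0.1:${REGISTRY_PORT}/v2/ >/dev/null && exit 0
		sleep 1
	done
	echo "local registry ${REGISTRY_NAME} did not become ready on port ${REGISTRY_PORT}" >&2
	exit 1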
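# Retag the built image for the local kind registry and push it (LOCAL_IMAGE
# carries no tag, so this is the :latest tag that install-local deploys).
.PHONY: docker-push-local
docker-push-local:
	docker tag ${IMG} ${LOCAL_IMAGE}
	docker push ${LOCAL_IMAGE}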
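.PHONY: kind-cluster
kind-cluster: ## Use Kind to create a Kubernetes cluster for E2E tests
# The rendered kind config is kept under ${BIN} (created by the ${KIND}
# prerequisite) instead of a fixed path in the shared /tmp.
KIND_CONFIG := ${BIN}/kind-config.yaml
# Creates the cluster if it does not exist, writes its admin kubeconfig to
# TEST_KUBECONFIG_LOCATION with mode 0600 (it carries cluster credentials),
# attaches the local registry to the kind network and creates the issuer's
# namespace and service account.  With OIDC_S3_BUCKET_NAME set, the bucket
# name is substituted into the kind config so the cluster can be used with
# IRSA (see setup-eks-webhook).
kind-cluster: ${KIND}
	if [[ -z "$$OIDC_S3_BUCKET_NAME" ]]; then \
		echo "OIDC_S3_BUCKET_NAME env var is not set, the cluster will not be enabled for IRSA"; \
		echo "If you wish to have IRSA enabled, recreate the cluster with OIDC_S3_BUCKET_NAME set"; \
		cp e2e/kind_config/config.yaml ${KIND_CONFIG}; \
	else \
		sed "s/S3_BUCKET_NAME_PLACEHOLDER/$$OIDC_S3_BUCKET_NAME/g" e2e/kind_config/config.yaml > ${KIND_CONFIG}; \
	fi
# -qx: exact line match, so a cluster whose name merely contains ours does not count.
	${KIND} get clusters | grep -qx ${K8S_CLUSTER_NAME} || \
		${KIND} create cluster --name ${K8S_CLUSTER_NAME} --config=${KIND_CONFIG}
# umask in a subshell so only the kubeconfig is created 0600; mv replaces any
# older, more permissive file.
	(umask 077; ${KIND} get kubeconfig --name ${K8S_CLUSTER_NAME} > ${TEST_KUBECONFIG_LOCATION}.tmp) \
		&& mv -f ${TEST_KUBECONFIG_LOCATION}.tmp ${TEST_KUBECONFIG_LOCATION}
# Best effort: the registry may already be attached, or may not exist (cluster-beta).
	docker network connect "kind" ${REGISTRY_NAME} || true
	kubectl apply -f e2e/kind_config/registry_configmap.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
# Create namespace and service account
	kubectl get namespace ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION} || \
		kubectl create namespace ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION}
	kubectl get serviceaccount ${SERVICE_ACCOUNT} -n ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION} || \
		kubectl create serviceaccount ${SERVICE_ACCOUNT} -n ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION}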
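.PHONY: setup-eks-webhook
# Publish this cluster's OIDC discovery documents to S3 and install the EKS
# pod-identity webhook so the issuer's service account can assume
# OIDC_IAM_ROLE through IRSA.  OIDC_S3_BUCKET_NAME and OIDC_IAM_ROLE must be
# set.  The cluster should have been created by kind-cluster with
# OIDC_S3_BUCKET_NAME set — presumably the fixed S3 key prefix below has to
# match the issuer URL substituted into the kind config; TODO confirm.
setup-eks-webhook:
	if [[ -z "$$OIDC_S3_BUCKET_NAME" || -z "$$OIDC_IAM_ROLE" ]]; then \
		echo "Please set OIDC_S3_BUCKET_NAME and OIDC_IAM_ROLE to use IRSA"; \
		exit 1; \
	fi
# Apply whatever access e2e/kind_config/unauth_role.yaml grants (kept as before).
	kubectl apply -f e2e/kind_config/unauth_role.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
# Read the discovery documents through the API server using the kubeconfig's
# own credentials and CA bundle.  This replaces extracting the default
# service-account token — whose inner $(kubectl ...) was a single-$ expansion
# that make resolved to an empty variable, so the token was always empty — and
# two `curl --insecure` calls that bypassed TLS verification.
	kubectl get --raw /.well-known/openid-configuration --kubeconfig=${TEST_KUBECONFIG_LOCATION} > openid-configuration
	kubectl get --raw /openid/v1/jwks --kubeconfig=${TEST_KUBECONFIG_LOCATION} > jwks
# Intentionally public: AWS STS must be able to fetch the discovery documents
# to validate the projected service-account tokens.  Only these two documents
# are published; nothing else from the cluster goes to the bucket.
	aws s3 cp --acl public-read jwks s3://$$OIDC_S3_BUCKET_NAME/cluster/my-oidc-cluster/openid/v1/jwks
	aws s3 cp --acl public-read openid-configuration s3://$$OIDC_S3_BUCKET_NAME/cluster/my-oidc-cluster/.well-known/openid-configuration
# Presumably gives the S3 objects time to become readable before the webhook is
# first exercised — TODO confirm why a fixed 60 s.
	sleep 60
	kubectl apply -f e2e/kind_config/install_eks.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
	kubectl wait --for=condition=Available --timeout 300s deployment pod-identity-webhook --kubeconfig=${TEST_KUBECONFIG_LOCATION}
	kubectl annotate serviceaccount ${SERVICE_ACCOUNT} -n ${NAMESPACE} eks.amazonaws.com/role-arn=$$OIDC_IAM_ROLE --kubeconfig=${TEST_KUBECONFIG_LOCATION}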
# Enable IRSA on an existing cluster, then reinstall the chart so the
# controller picks up the annotated service account.
.PHONY: install-eks-webhook
install-eks-webhook: setup-eks-webhook upgrade-local
# Tear down the E2E cluster.  Does not remove the kubeconfig file or the
# local registry container.
.PHONY: kind-cluster-delete
kind-cluster-delete:
	${KIND} delete cluster --name ${K8S_CLUSTER_NAME}
# Export cluster logs for CI artifacts.  E2E_ARTIFACTS_DIRECTORY is not
# defined in this file — presumably supplied by the CI environment; when it is
# unset the argument expands to nothing and --warn-undefined-variables warns.
.PHONY: kind-export-logs
kind-export-logs:
	${KIND} export logs --name ${K8S_CLUSTER_NAME} ${E2E_ARTIFACTS_DIRECTORY}
.PHONY: deploy-cert-manager
deploy-cert-manager: ## Deploy cert-manager in the configured Kubernetes cluster in ~/.kube/config
# Applies the upstream release manifest for CERT_MANAGER_VERSION straight from
# the GitHub release URL into the E2E cluster (TEST_KUBECONFIG_LOCATION, not
# ~/.kube/config as the help text says).  The version is pinned but the
# manifest's integrity is not otherwise checked; then waits up to 300 s for
# the cert-manager API service to become available.
	kubectl apply --filename=https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml --kubeconfig=${TEST_KUBECONFIG_LOCATION}
	kubectl wait --for=condition=Available --timeout=300s apiservice v1.cert-manager.io --kubeconfig=${TEST_KUBECONFIG_LOCATION}
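# Helm flags shared by the two local installs: target the E2E cluster
# explicitly (previously helm used the ambient kubeconfig while every kubectl
# recipe used TEST_KUBECONFIG_LOCATION), reuse the service account created by
# kind-cluster, and always pull the floating "latest" tag.
HELM_ISSUER_FLAGS := -n ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION} \
  --set serviceAccount.create=false --set serviceAccount.name=${SERVICE_ACCOUNT} \
  --set image.tag=latest --set image.pullPolicy=Always
# Install the chart with the image just pushed to the local kind registry.
# The fixed 15 s sleep predates this rewrite — TODO confirm what it waits for.
.PHONY: install-local
install-local: docker-build docker-push-local
	sleep 15
	helm install issuer ./charts/aws-pca-issuer ${HELM_ISSUER_FLAGS} --set image.repository=${LOCAL_IMAGE}
# Install the chart with the public test image.  NOTE(review): this pulls a
# mutable :latest tag from a public registry on every run; pinning a digest
# would make the E2E run reproducible.
.PHONY: install-beta-ecr
install-beta-ecr:
	sleep 15
	helm install issuer ./charts/aws-pca-issuer ${HELM_ISSUER_FLAGS} \
		--set image.repository=public.ecr.aws/cert-manager-aws-privateca-issuer/cert-manager-aws-privateca-issuer-test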
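# Remove the chart release from the E2E cluster.  --kubeconfig is passed so
# helm targets the same cluster as the kubectl recipes rather than the
# ambient kubeconfig.  Fails when no release is installed (unchanged), which
# also makes upgrade-local fail on a fresh cluster.
.PHONY: uninstall-local
uninstall-local:
	helm uninstall issuer -n ${NAMESPACE} --kubeconfig=${TEST_KUBECONFIG_LOCATION}
# Reinstall from scratch: uninstall, then rebuild, push and install.
.PHONY: upgrade-local
upgrade-local: uninstall-local install-local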
# Sets up a kind cluster using the latest commit on the current branch:
# build, start the local registry, create the cluster, install cert-manager,
# then install the chart from the locally pushed image.
.PHONY: cluster
cluster: manager create-local-registry kind-cluster deploy-cert-manager install-local
# Same, but installs the public test image instead of a local build, so no
# local registry is started (kind-cluster tolerates the missing container).
.PHONY: cluster-beta
cluster-beta: manager kind-cluster deploy-cert-manager install-beta-ecr
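# ==================================
# Download: tools in ${BIN}
# ==================================
${BIN}:
	mkdir -p $@
# Order-only prerequisite (after |): the directory must exist, but its mtime
# must not trigger a re-download every time another tool lands in it.
# --fail keeps an HTTP error page from being chmod'ed into an "executable";
# the temp-file + mv keeps an interrupted download from looking complete.
# No checksum is verified: verifying the asset against a pinned digest would
# be the next hardening step for this download.
${KIND}: | ${BIN}
	curl -fsSL -o $@.tmp https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-${OS}-${ARCH}
	chmod +x $@.tmp
	mv -f $@.tmp $@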