Improve issuers configuration (#2)

ThomasVitale · Jun 4, 2023 · 45f10eb · 45f10eb
1 parent 7a6db75
commit 45f10eb
Show file tree

Hide file tree

Showing 14 changed files with 72 additions and 33 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,10 +14,10 @@ jobs:
     uses: kadras-io/github-reusable-workflows/.github/workflows/package-release.yml@main
     with:
       package-name-slug: cert-manager-issuers
-      package-name-display: Cert Manager Issuers
+      package-name-display: cert-manager-issuers
       registry-server: ghcr.io
       registry-username: ${{ github.actor }}
       image: ${{ github.repository }}
-      version: 0.1.0
+      version: 0.2.0
     secrets:
       pull-request-token: ${{ secrets.GH_ORG_PAT }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
     name: Integration Tests
     strategy:
       matrix:
-        k8s_version: [v1.24, v1.25, v1.26]
+        k8s_version: [v1.25, v1.26, v1.27]
     permissions:
       contents: read
     uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-K8S_VERSION=v1.26
+K8S_VERSION=v1.27
 
 # Build package configuration
 build: package
@@ -26,6 +26,10 @@ ytt:
 schema:
 	ytt -f package/config/values-schema.yml --data-values-schema-inspect -o openapi-v3 > schema-openapi.yml
 
+# Use kbld to resolve the OCI images referenced within the manifests
+kbld:
+	rm -f package/.imgpkg/images.yml && kbld --file package/config --imgpkg-lock-output package/.imgpkg/images.yml 1>> /dev/null
+
 # Check the ytt-annotated Kubernetes configuration and its validation
 test-config:
 	ytt -f package/config | kubeconform -ignore-missing-schemas -summary

diff --git a/README.md b/README.md
@@ -1,12 +1,12 @@
-# Cert Manager Issuers
+# cert-manager-issuers
 
 ![Test Workflow](https://github.com/kadras-io/cert-manager-issuers/actions/workflows/test.yml/badge.svg)
 ![Release Workflow](https://github.com/kadras-io/cert-manager-issuers/actions/workflows/release.yml/badge.svg)
 [![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v0.1/levels)
 [![The Apache 2.0 license badge](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Follow us on Twitter](https://img.shields.io/static/v1?label=Twitter&message=Follow&color=1DA1F2)](https://twitter.com/kadrasIO)
 
-A Carvel package providing a collection of issuers for Cert Manager, used by the Kadras platform to support TLS via a private CA or Let's Encrypt.
+A Carvel package providing a collection of issuers for cert-manager, used by the Kadras platform to support TLS via a private CA or Let's Encrypt.
 
 ## 🚀&nbsp; Getting Started
 
@@ -23,7 +23,7 @@ A Carvel package providing a collection of issuers for Cert Manager, used by the
 
 ### Dependencies
 
-Cert Manager Issuers requires the [Cert Manager](https://github.com/kadras-io/package-for-cert-manager) package. You can install it from the [Kadras package repository](https://github.com/kadras-io/kadras-packages).
+cert-manager-issuers requires the [cert-manager](https://github.com/kadras-io/package-for-cert-manager) package. You can install it from the [Kadras package repository](https://github.com/kadras-io/kadras-packages).
 
 ### Installation
 
@@ -37,7 +37,7 @@ Add the Kadras [package repository](https://github.com/kadras-io/kadras-packages
   ```
 
 <details><summary>Installation without package repository</summary>
-The recommended way of installing the Cert Manager Issuers package is via the Kadras <a href="https://github.com/kadras-io/kadras-packages">package repository</a>. If you prefer not using the repository, you can add the package definition directly using <a href="https://carvel.dev/kapp/docs/latest/install"><code>kapp</code></a> or <code>kubectl</code>.
+The recommended way of installing the cert-manager-issuers package is via the Kadras <a href="https://github.com/kadras-io/kadras-packages">package repository</a>. If you prefer not using the repository, you can add the package definition directly using <a href="https://carvel.dev/kapp/docs/latest/install"><code>kapp</code></a> or <code>kubectl</code>.
 
   ```shell
   kubectl create namespace kadras-packages
@@ -47,7 +47,7 @@ The recommended way of installing the Cert Manager Issuers package is via the Ka
   ```
 </details>
 
-Install the Cert Manager Issuers package:
+Install the cert-manager-issuers package:
 
   ```shell
   kctrl package install -i cert-manager-issuers \
@@ -72,11 +72,11 @@ Verify the installed packages and their status:
 ## 📙&nbsp; Documentation
 
 Documentation, tutorials and examples for this package are available in the [docs](docs) folder.
-For documentation specific to Cert Manager, check out [cert-manager.io](https://cert-manager.io).
+For documentation specific to cert-manager, check out [cert-manager.io](https://cert-manager.io).
 
 ## 🎯&nbsp; Configuration
 
-The Cert Manager Issuers package can be customized via a `values.yml` file.
+The cert-manager-issuers package can be customized via a `values.yml` file.
 
   ```yaml
   letsencrypt:
@@ -95,13 +95,13 @@ Reference the `values.yml` file from the `kctrl` command when installing or upgr
 
 ### Values
 
-The Cert Manager Issuers package has the following configurable properties.
+The cert-manager-issuers package has the following configurable properties.
 
 <details><summary>Configurable properties</summary>
 
 | Config | Default | Description |
 |-------|-------------------|-------------|
-| `namespace` | `cert-manager` | The namespace where Cert Manager is deployed. |
+| `namespace` | `cert-manager` | The namespace where cert-manager is deployed. |
 | `letsencrypt.include` | `false` | Whether to include a ClusterIssuer for Let's Encrypt. |
 | `letsencrypt.staging` | `true` | Whether to use Let's Encrypt staging, recommended for non-production environments. |
 

diff --git a/package/config/letsencrypt.yml → package/config/issuers/letsencrypt.yml b/package/config/letsencrypt.yml → package/config/issuers/letsencrypt.yml
@@ -8,13 +8,14 @@ metadata:
   name: letsencrypt-staging-http01-issuer
 spec:
   acme:
+    email: #@ data.values.letsencrypt.email
     privateKeySecretRef:
       name: letsencrypt-staging
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     solvers:
     - http01:
         ingress:
-          class: contour
+          ingressClassName: contour
 
 #@ if/end data.values.letsencrypt.include and not data.values.letsencrypt.staging:
 ---
@@ -24,10 +25,11 @@ metadata:
   name: letsencrypt-http01-issuer
 spec:
   acme:
+    email: #@ data.values.letsencrypt.email
     privateKeySecretRef:
       name: letsencrypt
     server: https://acme-v02.api.letsencrypt.org/directory
     solvers:
     - http01:
         ingress:
-          class: contour
+          ingressClassName: contour
diff --git a/package/config/private-ca.yml → package/config/issuers/private-ca.yml b/package/config/private-ca.yml → package/config/issuers/private-ca.yml
@@ -16,13 +16,13 @@ metadata:
   namespace: #@ data.values.namespace
 spec:
   isCA: true
-  commonName: Kadras CA
+  commonName: kadras
   secretName: kadras-root-ca
   duration: 8760h #! 365 days
   renewBefore: 360h #! 15 days
   subject:
     organizations:
-    - Kadras
+    - kadras
   privateKey:
     algorithm: Ed25519
     encoding: PKCS8

diff --git a/package/config/kapp-config.yml b/package/config/kapp-config.yml
@@ -0,0 +1,18 @@
+---
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+
+minimumRequiredVersion: 0.50.0
+
+#! Wait rules specify how to wait for resources that kapp does not wait for by default.
+#! See more about the wait rules: https://carvel.dev/kapp/docs/latest/config/#waitrules.
+waitRules:
+
+- supportsObservedGeneration: false
+  conditionMatchers:
+  - type: Ready
+    status: "True"
+    success: true
+  resourceMatchers:
+  - apiVersionKindMatcher: {apiVersion: cert-manager.io/v1, kind: Certificate}
+  - apiVersionKindMatcher: {apiVersion: cert-manager.io/v1, kind: ClusterIssuer}
diff --git a/package/config/values-schema.yml b/package/config/values-schema.yml
@@ -1,7 +1,7 @@
 #@data/values-schema
 ---
 
-#@schema/desc "The namespace where Cert Manager is deployed."
+#@schema/desc "The namespace where cert-manager is deployed."
 #@schema/validation min_len=1
 namespace: cert-manager
 
@@ -11,3 +11,6 @@ letsencrypt:
   include: false
   #@schema/desc "Whether to use Let's Encrypt staging, recommended for non-production environments."
   staging: true
+  #@schema/desc "The email address that Let's Encrypt will use to send info on expiring certificates or issues."
+  #@schema/validation min_len=5, when=lambda _, ctx: ctx.parent["include"]
+  email: ""
diff --git a/test/integration/kuttl-test.yml b/test/integration/kuttl-test.yml
@@ -17,8 +17,8 @@ commands:
   - script: |
       kubectl config set-context --current --namespace=tests && \
       kapp deploy -a cert-manager-package -y \
-        -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.11.1%2Bkadras.1/package.yml \
-        -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.11.1%2Bkadras.1/metadata.yml
+        -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.12.1/package.yml \
+        -f https://github.com/kadras-io/package-for-cert-manager/releases/download/v1.12.1/metadata.yml
   - script: |
       kubectl config set-context --current --namespace=tests && \
       kapp deploy -a dependencies -y -f ./test/setup/dependencies
diff --git a/test/setup/dependencies/cert-manager.yml b/test/setup/dependencies/cert-manager.yml
@@ -12,4 +12,4 @@ spec:
   packageRef:
     refName: cert-manager.packages.kadras.io
     versionSelection:
-      constraints: 1.11.1+kadras.1
+      constraints: 1.12.1
diff --git a/test/setup/kind/v1.24/kind-config.yml b/test/setup/kind/v1.24/kind-config.yml
diff --git a/test/setup/kind/v1.25/kind-config.yml b/test/setup/kind/v1.25/kind-config.yml
@@ -3,6 +3,10 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  image: kindest/node:v1.25.8
+  image: kindest/node:v1.25.9
 - role: worker
-  image: kindest/node:v1.25.8
+  image: kindest/node:v1.25.9
+- role: worker
+  image: kindest/node:v1.25.9
+- role: worker
+  image: kindest/node:v1.25.9
diff --git a/test/setup/kind/v1.26/kind-config.yml b/test/setup/kind/v1.26/kind-config.yml
@@ -3,6 +3,10 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
-  image: kindest/node:v1.26.3
+  image: kindest/node:v1.26.4
 - role: worker
-  image: kindest/node:v1.26.3
+  image: kindest/node:v1.26.4
+- role: worker
+  image: kindest/node:v1.26.4
+- role: worker
+  image: kindest/node:v1.26.4
diff --git a/test/setup/kind/v1.27/kind-config.yml b/test/setup/kind/v1.27/kind-config.yml
@@ -0,0 +1,12 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  image: kindest/node:v1.27.2
+- role: worker
+  image: kindest/node:v1.27.2
+- role: worker
+  image: kindest/node:v1.27.2
+- role: worker
+  image: kindest/node:v1.27.2