Draft #1
I propose to start this repo "from scratch" instead of starting off the existing click-to-deploy (C2D). Rationale: We realized that click-to-deploy (C2D) somehow creates a single image instead of the 3 we usually have on quay.io. The image marketplace.gcr.io/google/cert-manager0:0.13 contains the webhook, controller, cainjector and acmesolver in /app. We searched everywhere in click-to-deploy and cannot find where the single-image-for-multiple-binaries Dockerfile is. Let's skip trying to retro-engineer this piece of spaghetti Makefile, totally undocumented! And we would get stuck on trying to figure out where the

```
% make app/build
---- REGISTRY = gcr.io/jetstack-mael-valais
---- GCS_URL = gs://jetstack-mael-valais
---- NAMESPACE = default
---- image-cert-manager = Error response from daemon: manifest for marketplace.gcr.io/google/cert-manager0:1.1 not found: manifest unknown: Failed to fetch "1.1" from request "/v2/google/cert-manager0/manifests/1.1".
```

@wallrj I am stuck with one thing we do in the cert-manager helm chart. The webhook's secret name is configured using the chart's name with:

```yaml
kind: Role
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [ '{{ template "webhook.fullname" . }}-ca' ] # ⚠️
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "webhook.fullname" . }}:dynamic-serving
```

The problem with the schema.yaml that the Google Marketplace expects is that:

```yaml
properties:
  cert-manager.webhook.serviceAccount.name:
    type: string
    x-google-marketplace:
      type: SERVICE_ACCOUNT
      serviceAccount:
        roles:
          - type: Role
            rulesType: CUSTOM
            rules:
              - apiGroups: [""]
                resources: ["secrets"]
                resourceNames: ["cert-manager-webhook-ca"] # ❌
                verbs: ["get", "list", "watch", "update"]
              - apiGroups: [""]
                resources: ["secrets"]
                verbs: ["create"]
```

Here is where this secret is used:

```yaml
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from-secret: '{{ template "webhook.caRef" . }}'
spec:
  conversion:
    webhook:
      clientConfig:
        service:
          name: '{{ template "webhook.fullname" . }}'
---
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from-secret: "{{ .Release.Namespace }}/{{ template "webhook.fullname" . }}-ca"
```
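The mismatch above (a Role whose `resourceNames` is a hard-coded `cert-manager-webhook-ca` while the webhook configurations reference a release-dependent `<fullname>-ca` secret) either breaks cainjector or tempts people to drop `resourceNames` and grant read on every secret in the namespace. The check below is an added example, not code from cert-manager, the chart, or the Marketplace tooling: it takes the rendered manifests (constructed inline as the dicts a YAML loader would return) and reports CA secrets referenced by `cert-manager.io/inject-ca-from-secret` annotations that no name-scoped rule covers, rules that read secrets without `resourceNames`, and names in `resourceNames` that nothing references. The rendering of `{{ template "webhook.fullname" . }}` as `<release>-webhook` is an assumption for illustration only.

```python
# Added example: consistency check between the webhook's Role and the CA secret
# its webhook configurations reference. Not cert-manager's or Marketplace code.
# Manifests are constructed inline as dicts; the "webhook.fullname" rendering
# below ("<release>-webhook") is an assumption, not the chart's real template.

INJECT_ANNOTATION = "cert-manager.io/inject-ca-from-secret"


def render_manifests(release, namespace):
    """Fragments of the chart rendered for one release name (constructed)."""
    fullname = f"{release}-webhook"          # assumed rendering of webhook.fullname
    ca_secret = f"{fullname}-ca"
    chart_role = {
        "kind": "Role",
        "metadata": {"name": f"{fullname}:dynamic-serving", "namespace": namespace},
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": [ca_secret],
             "verbs": ["get", "list", "watch", "update"]},
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        ],
    }
    consumers = [
        {"kind": "CustomResourceDefinition",
         "metadata": {"annotations": {INJECT_ANNOTATION: f"{namespace}/{ca_secret}"}}},
        {"kind": "ValidatingWebhookConfiguration",
         "metadata": {"annotations": {INJECT_ANNOTATION: f"{namespace}/{ca_secret}"}}},
    ]
    return chart_role, consumers


def marketplace_role(namespace):
    """The Role a schema.yaml with a hard-coded resourceNames would produce."""
    return {
        "kind": "Role",
        "metadata": {"name": "cert-manager-webhook", "namespace": namespace},
        "rules": [
            {"apiGroups": [""], "resources": ["secrets"],
             "resourceNames": ["cert-manager-webhook-ca"],
             "verbs": ["get", "list", "watch", "update"]},
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        ],
    }


def referenced_ca_secrets(manifests):
    """(namespace, name) pairs from inject-ca-from-secret annotations.
    The annotation value must be "<namespace>/<name>"; anything else is reported."""
    refs, malformed = set(), []
    for m in manifests:
        ref = m.get("metadata", {}).get("annotations", {}).get(INJECT_ANNOTATION)
        if ref is None:
            continue
        if ref.count("/") != 1:
            malformed.append(ref)
            continue
        ns, name = ref.split("/")
        refs.add((ns, name))
    return refs, malformed


def secret_rules(role):
    """Rules of the Role that apply to core/v1 secrets: (verbs, resourceNames or None)."""
    for rule in role.get("rules", []):
        if "" in rule.get("apiGroups", []) and "secrets" in rule.get("resources", []):
            yield set(rule.get("verbs", [])), rule.get("resourceNames")


def audit(role, consumers):
    """Return findings; an empty list means every referenced CA secret is readable
    through a name-scoped rule and no rule reads secrets without resourceNames."""
    findings = []
    role_ns = role["metadata"]["namespace"]
    refs, malformed = referenced_ca_secrets(consumers)
    findings += [f"malformed {INJECT_ANNOTATION} value {r!r}" for r in malformed]

    scoped_names = set()
    for verbs, names in secret_rules(role):
        if verbs & {"get", "list", "watch"}:
            if names is None:
                findings.append(f"rule with verbs {sorted(verbs)} reads every secret in {role_ns}")
            else:
                scoped_names.update(names)

    for ns, name in sorted(refs):
        if ns != role_ns:
            findings.append(f"{ns}/{name} is outside the Role's namespace {role_ns}")
        elif name not in scoped_names:
            findings.append(f"{ns}/{name} is referenced by a webhook but no rule names it")
    for name in sorted(scoped_names - {n for _, n in refs}):
        findings.append(f"rule names secret {name} that nothing references (stale or hard-coded name)")
    return findings


if __name__ == "__main__":
    role, consumers = render_manifests("staging", "cert-manager")
    print("chart role      :", audit(role, consumers) or "ok")
    print("marketplace role:", audit(marketplace_role("cert-manager"), consumers) or "ok")
```

Run against the chart's own Role the audit is clean; against the hard-coded Marketplace Role it reports both that `cert-manager/staging-webhook-ca` has no rule naming it and that `cert-manager-webhook-ca` is named but unreferenced, which is the ❌ above. The same check catches the tempting "fix" of deleting `resourceNames`, since a rule that reads secrets without names is reported as reading every secret in the namespace.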
Oops, wrong button!

I found this in the click-to-deploy repo:

@maelvls I added a cloudbuild.yaml file which almost works. I changed all the version numbers in the repo to 1.1.0 because I saw ImagePull errors when it attempted to pull the wrong image tag, but I think I may have gone too far.

I'm very much struggling with that at the moment, I need to figure out how to fix all these permission/missing RBAC issues... Do you want to pair together on this tomorrow?

I think we just need to copy all the permissions from the click-to-deploy repo: https://github.com/GoogleCloudPlatform/click-to-deploy/blob/a86db3278f8107309c2faaf06c284bce313b8600/k8s/cert-manager/schema.yaml#L187 and probably some extra since we're deploying a much newer version of CM.

Do you think I can try

Yeah, it should work for you too. I documented the command in the README file. You will need to change the cluster name and zone to match your GKE cluster. 🤞

Signed-off-by: Richard Wall <[email protected]>

I keep doing this. Sorry.

Now I can't re-open :-(

The Google Cloud Build now succeeds:

🎉🎉🎉🎉

→ PR recreated in #3 (we closed the PR and could not re-open it)