Deploy the preflight agent

README.md

@@ -18,6 +18,14 @@ gcloud container clusters create foo --region us-east1 --num-nodes=1 --preemptib
   --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog
 ```
 
+This application re-tags the various images (cert-manager, cas-issuer, ubbagent, preflight-agent) using
+a unified tag that we call "application version". Although it does not appear to be a requirement for
+releasing to the Google Marketplace, we were not able to set "default" tags for each image and thus
+resolved to just having a unified tag; this means that we will have to keep this difference in tags when
+supporting [jetstack-secure-for-cert-manager][].
+
+[jetstack-secure-for-cert-manager]: https://console.cloud.google.com/partner/editor/jetstack-public/jetstack-secure-for-cert-manager?project=jetstack-public
+
 Re-publish the images to the project:
 
 ```sh
@@ -27,19 +35,22 @@ docker pull quay.io/jetstack/cert-manager-controller:v1.1.0
 docker pull quay.io/jetstack/cert-manager-cainjector:v1.1.0
 docker pull quay.io/jetstack/cert-manager-webhook:v1.1.0
 docker pull quay.io/jetstack/cert-manager-google-cas-issuer:0.1.0
-docker tag quay.io/jetstack/cert-manager-controller:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-controller:1.1.0
-docker tag quay.io/jetstack/cert-manager-cainjector:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-cainjector:1.1.0
-docker tag quay.io/jetstack/cert-manager-webhook:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-webhook:1.1.0
-docker tag quay.io/jetstack/cert-manager-google-cas-issuer:latest $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:0.1.0
-docker push $REGISTRY/$APP_NAME/cert-manager-controller:1.1.0
-docker push $REGISTRY/$APP_NAME/cert-manager-cainjector:1.1.0
-docker push $REGISTRY/$APP_NAME/cert-manager-webhook:1.1.0
-docker push $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:0.1.0
+docker pull quay.io/jetstack/preflight:0.1.27
+docker tag quay.io/jetstack/cert-manager-controller:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-controller:1.0.0
+docker tag quay.io/jetstack/cert-manager-cainjector:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-cainjector:1.0.0
+docker tag quay.io/jetstack/cert-manager-webhook:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-webhook:1.0.0
+docker tag quay.io/jetstack/cert-manager-google-cas-issuer:latest $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:1.0.0
+docker tag quay.io/jetstack/preflight:latest $REGISTRY/$APP_NAME/cert-manager-preflight:1.0.0
+docker push $REGISTRY/$APP_NAME/cert-manager-controller:1.0.0
+docker push $REGISTRY/$APP_NAME/cert-manager-cainjector:1.0.0
+docker push $REGISTRY/$APP_NAME/cert-manager-webhook:1.0.0
+docker push $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:1.0.0
+docker push $REGISTRY/$APP_NAME/cert-manager-preflight:1.0.0
 ```
 
-> Note: although cert-manager's tags are of the form "v1.1.0", we chose to
-> use tags of the form "1.1.0" for the Google Marketplace for the sake of
-> consistency.
+> Note: although cert-manager's tags are of the form "v1.1.0", we 
+> use the same JSP version tag for all the Google Marketplace images, 
+> for consistency with other marketplace packages.
 
 Then, build and push the deployer image:
 

chart/jetstacksecure-mp/Chart.yaml

@@ -1,3 +1,8 @@
+# The appVersion below are overridden by the `publishedVersion` that is set in
+# `schema.yaml`. Changing the below version will not change the actual versions
+# being pulled when the application is deployed from the Google Marketplace.
+# Instead, you should update the image tags that are being re-tagged in
+# `cloudbuild.yml`.
 apiVersion: v2
 engine: gotpl
 name: jetstacksecure-mp
@@ -10,3 +15,7 @@ dependencies:
   - name: google-cas-issuer
     appVersion: 0.1.0
     repository: ./charts/google-cas-issuer
+  - name: preflight
+    version: 0.1.0
+    appVersion: 0.1.27
+    repository: ./charts/preflight

chart/jetstacksecure-mp/charts/preflight/templates/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: agent
+  name: {{ include "preflight.fullname" . }}
   labels:
     {{- include "preflight.labels" . | nindent 4 }}
 spec:
@@ -28,7 +28,7 @@ spec:
         secret:
           secretName: agent-credentials
       containers:
-      - name: agent
+      - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:v{{ .Chart.AppVersion }}"
         args:
         - "agent"

chart/jetstacksecure-mp/values.yaml

@@ -22,3 +22,9 @@ google-cas-issuer:
   installCRDs: true
   serviceAccount:
     create: false # see note (1)
+
+preflight:
+  serviceAccount:
+    create: false # see note (1)
+  rbac:
+    create: false # see note (1)

cloudbuild.yaml

@@ -6,7 +6,32 @@ substitutions:
   _APP_VERSION: 1.0.0
   _CERT_MANAGER_VERSION: 1.1.0
   _CAS_ISSUER_VERSION: 0.1.0
+  _PREFLIGHT_VERSION: 0.1.27
 steps:
+  - id: pull-preflight
+    name: gcr.io/cloud-builders/docker
+    args:
+      - pull
+      - quay.io/jetstack/preflight:v${_PREFLIGHT_VERSION}
+    waitFor: ["-"]
+
+  - id: tag-preflight
+    name: gcr.io/cloud-builders/docker
+    args:
+      - tag
+      - quay.io/jetstack/preflight:v${_PREFLIGHT_VERSION}
+      - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-preflight:${_APP_VERSION}
+    waitFor:
+      - pull-preflight
+
+  - id: push-preflight
+    name: gcr.io/cloud-builders/docker
+    args:
+      - push
+      - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-preflight:${_APP_VERSION}
+    waitFor:
+      - tag-preflight
+
   - id: pull-cas-issuer
     name: gcr.io/cloud-builders/docker
     args:
@@ -217,6 +242,7 @@ steps:
       - push-cainjector
       - push-webhook
       - push-cas-issuer
+      - push-preflight
       - push-ubbagent
 
   - id: publish
@@ -238,5 +264,6 @@ images:
   - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_APP_VERSION}
   - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_APP_VERSION}
   - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-google-cas-issuer:${_APP_VERSION}
+  - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-preflight:${_APP_VERSION}
   - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_APP_VERSION}
   - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/ubbagent:${_APP_VERSION}

schema.yaml

@@ -50,6 +50,12 @@ x-google-marketplace:
           type: REPO_WITH_REGISTRY
         google-cas-issuer.image.tag:
           type: TAG
+    cert-manager-preflight:
+      properties:
+        preflight.image.repository:
+          type: REPO_WITH_REGISTRY
+        preflight.image.tag:
+          type: TAG
 
   # Allow the deployer to create CRDs and webhook configurations
   # See https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/schema.md#deployerserviceaccount
@@ -302,6 +308,52 @@ properties:
                 resources: [certificaterequests/status]
                 verbs: [get, patch, update]
 
+  preflight.serviceAccount.name:
+    type: string
+    x-google-marketplace:
+      type: SERVICE_ACCOUNT
+      serviceAccount:
+        description: Service account used by preflight
+        roles:
+          - type: ClusterRole
+            rulesType: CUSTOM
+            rules:
+              - apiGroups: [""]
+                resources: ["nodes"]
+                verbs: ["get", "list"]
+          - type: ClusterRole
+            rulesType: CUSTOM
+            rules:
+              - apiGroups: [""]
+                resources: ["secrets"]
+                verbs: ["get", "list"]
+          - type: ClusterRole
+            rulesType: CUSTOM
+            rules:
+              - apiGroups: ["cert-manager.io"]
+                resources:
+                - certificates
+                - certificaterequests
+                - issuers
+                - clusterissuers
+                verbs: ["get", "list"]
+          - type: ClusterRole
+            rulesType: CUSTOM
+            rules:
+              - apiGroups: ["cas-issuer.jetstack.io"]
+                resources:
+                - googlecasissuers
+                - googlecasclusterissuers
+                verbs: ["get", "list"]
+          - type: ClusterRole
+            rulesType: CUSTOM
+            rules:
+              - apiGroups: ["admissionregistration.k8s.io"]
+                resources:
+                - validatingwebhookconfigurations
+                - mutatingwebhookconfigurations
+                verbs: ["get", "list"]
+
 required:
   - name
   - namespace