Add the google-cas-issuer to the Google Marketplace release #4
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
af34d73 to c0b7fe5
Yay! I finally managed to manually test google-cas-issuer when deployed with Proof:
% kubectl describe cert demo-certificate
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 20s cert-manager Issuing certificate as Secret was previously issued by GoogleCASIssuer.cas-issuer.jetstack.io/googlecasissuer-sample
Normal Reused 20s cert-manager Reusing private key stored in existing Secret resource "demo-cert-tls"
Normal Requested 20s cert-manager Created new CertificateRequest resource "demo-certificate-v2rwr"
Normal Issuing 20s cert-manager The certificate has been successfully issued
As detailed in [1], CRDs that are applied through the CRD pre-install hook will not ever be updated or upgraded. The Helm documentation reads [4]:

On top of that, it seems to be not possible (after multiple trials) to manage CRDs using Helm 3's crd-install hook using the crds/ folder [2]. It seems like the only way would be to bundle crds inside the templates/ like cert-manager has been doing for a while. Note that installing CRDs using the templates/ way also causes trouble. Rob Percival mentions in [1] that Helm has a problem with the CRD ordering [3] and that the issue has not been fixed yet, which means installing operators like google-cas-issuer breaks when the CRDs are inside templates/.

Final notes:

cc @jakexks
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
As detailed in [1], CRDs that are applied through the CRD pre-install hook will not ever be updated or upgraded. The Helm documentation reads [4]:

> The resources that a hook creates are not tracked or managed as part of
> the release. Once Tiller verifies that the hook has reached its ready
> state, it will leave the hook resource alone.
>
> Practically speaking, this means that if you create resources in a hook,
> you cannot rely upon helm delete to remove the resources. To destroy such
> resources, you need to either write code to perform this operation in a
> pre-delete or post-delete hook or add "helm.sh/hook-delete-policy"
> annotation to the hook template file.

On top of that, it seems to be not possible (after multiple trials) to manage CRDs using Helm 3's crd-install hook using the crds/ folder [2]. It seems like the only way would be to bundle crds inside the templates/ like cert-manager has been doing for a while.

Note that installing CRDs using the templates/ way also causes trouble. Rob Percival mentions in [1] that Helm has a problem with the CRD ordering [3] and that the issue has not been fixed yet, which means installing operators like google-cas-issuer breaks when the CRDs are inside templates/.

[1]: GoogleCloudPlatform/marketplace-k8s-app-tools#303
[2]: https://helm.sh/docs/developing_charts/#defining-a-crd-with-the-crd-install-hook
[3]: helm/helm#2994
[4]: https://v2.helm.sh/docs/developing_charts/#hook-resources-are-not-managed-with-corresponding-releases

Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Maël Valais <[email protected]>
5143586 to ad77ba6
| @@ -0,0 +1,246 @@ | |||
| {{ if .Values.installCRDs }} | |||
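Review bot: the `{{ if .Values.installCRDs }}` guard on line 1 of this new 246-line template makes everything up to its matching end conditional on a value that the hunk does not document; give `installCRDs` an entry with its default in the chart's values file and a sentence in the README saying how the resources get installed when it is left off. Consider `{{- if .Values.installCRDs }}` as well, so the rendered manifest does not begin with an empty line.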
That commit message is great. Worth pasting here for the benefit of future maintainers.
README.md
Outdated
|
|
||
| This will also verify the application using the [Google Cloud Marketplace verification tool](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/c5899a928a2ac8d5022463c82823284a9e63b177/scripts/verify). | ||
|
|
||
| [workload-identity]: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity |
I guess this goes further up the file where the missing link is?
chart/jetstacksecure-mp/charts/google-cas-issuer/templates/crds.yaml
Outdated
Only saw some minor text changes
Signed-off-by: Maël Valais <[email protected]> Co-authored-by: Jake Sanders <[email protected]>
Signed-off-by: Maël Valais <[email protected]> Co-authored-by: Jake Sanders <[email protected]>
/unassign

/assign @jakexks

/lgtm tentative LGTM 😅
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Richard Wall <[email protected]>
Signed-off-by: Richard Wall <[email protected]>
Signed-off-by: Richard Wall <[email protected]>
Signed-off-by: Maël Valais <[email protected]> Co-authored-by: Richard Wall <[email protected]>
Signed-off-by: Maël Valais <[email protected]> Co-authored-by: Richard Wall <[email protected]>
Signed-off-by: Maël Valais <[email protected]> Co-authored-by: Richard Wall <[email protected]>
Signed-off-by: Richard Wall <[email protected]>
Signed-off-by: Richard Wall <[email protected]>
wallrj
left a comment
Fixed a couple of cloud-build issues with @maelvls and successfully ran the cloud-build verify process.
/lgtm
|
|
||
| > Note: although cert-manager's tags are of the form "v1.1.0", we chose to | ||
| > use tags of the form "1.1.0" for the Google Marketplace for the sake of | ||
| > consistency. |
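Review bot: "for the sake of consistency" in this note does not say what the "1.1.0" form is being kept consistent with; name the thing it has to match, and if the unprefixed form is a requirement rather than a preference, replace "we chose to" with the requirement and where it comes from.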
I don't think it's a choice. I think GCM enforces that the version be a semver without any prefix.
| cat /scripts/dev > "/workspace/cmpt" | ||
| chmod +x /workspace/cmpt | ||
| cat /scripts/dev > "/workspace/mpdev" | ||
| chmod +x /workspace/mpdev |
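Review bot: the copy to `/workspace/mpdev` is written as `cat` plus a separate `chmod +x`, with the target path quoted on the `cat` line but not on the `chmod` line; a single `install -m 0755 /scripts/dev /workspace/mpdev` does both and removes the inconsistency. The same `/scripts/dev` is the source for both `/workspace/cmpt` and `/workspace/mpdev`, so if only one of the two names is meant to remain, check every later step for calls to the other.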
This breaks the following steps which still refer to cmpt
This PR is an attempt at adding https://github.com/jetstack/google-cas-issuer to the Google Marketplace release.