WIP: Bundles with a sidecar container
WIP: This is a proof of concept and is not ready for prime-time. In any case it's blocked behind #47.
This is a proof-of-concept demo of the design in #43 and an alternative implementation of #36 which had been discussed in a biweekly meeting.
There's a bunch of stuff here which is obviously just for the demo; this is intended as a POC. Importantly, the rootcerts dependency should be in its own go.mod - it's in the main go.mod here to make it easier to develop with pkg/sidecar.
(The first two commits might want to be separated into their own PR, but they were helpful as part of making this PR)
Example file which uses the bundle:
```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trust-bundle
  namespace: default
spec:
  sources:
  - packagedBundle: "cert-manager"
  target:
    configMap:
      key: trust.pem
```
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: SgtCoDFish
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [SgtCoDFish]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
(Tests are broken by this, but that doesn't really matter because I've not written any new ones! Obviously an actual implementation would be more careful and would include a bunch of new tests.)
@SgtCoDFish: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-cert-manager-trust-verify | fb23c724a9b92fb42a986ba71973db66fe7995f4 | link | true | /test pull-cert-manager-trust-verify |
| pull-cert-manager-trust-smoke | fb23c724a9b92fb42a986ba71973db66fe7995f4 | link | true | /test pull-cert-manager-trust-smoke |
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@SgtCoDFish: PR needs rebase.
Tasks:
- [x] rename field in CRD to reflect above discussion
- [x] nit
Tests will fail until I sort out the automation again for pushing package images, which was blocked behind the now-merged #80.
/test pull-trust-manager-smoke
/retest
/test pull-trust-manager-verify
/test pull-trust-manager-smoke
After discussing with @inteon this morning, we agreed to remove the Type field from fspkg, which I'll do now.
@SgtCoDFish Thank you for the change, this small new feature will bring a lot of value to our trust-manager users.
It is a very minimal solution that should cover most use cases.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: inteon, SgtCoDFish
Thank you so much @inteon and others for the reviews!
NB: We shouldn't release a new version of trust-manager until I've made a few more changes. I want to ensure that trust-package containers we release are tested more carefully, and I want to remove the type field from https://quay.io/repository/jetstack/cert-manager-package-debian?tab=tags&tag=latest before anyone starts using it!