bumps Go version to 1.17, updates deps and kube libraries

[irbekrm]

What this PR does / why we need it:

• Bumps Go 1.16 -> 1.17
• Bumps kube libraries v0.22.0 -> v0.22.2
• Bumps controller runtime v0.9.6 -> v0.10.1
• Bumps some Bazel deps, nginx-ingress images for e2e tests and a few more things
• Enforces minimum Bazel version of v4.0.0
• Uses Bazel to load Kyverno images- this should allow for the images to be cached and hopefully for there to be less timeouts like this

Special notes for your reviewer:

• Minimum required Bazel version is now v4.0.0 because this is the minimum version required by rules_go v0.28.0. I've updated the CI test images with Bazel in Bazel version bump testing#585 and website#708 updates supported Bazel versions in documentation. I've added some code borrowed from pixie to enforce the minimum version upfront as I think this is preferable as it'd be easier to debug than mystery errors because of version incompatibility

• controller runtime v0.10.0 fixes a number of bugs that may or may not caused some of our test flakiness

Go 1.17:

• I've regenerated the go.mod file with go mod tidy -go=1.17 and it is now in the new form required for module graph pruning in 1.17
• go:build form of Go build tags has been automatically added to all files that previously only had // +build form of build tags, see https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md
• Binary size seems to have shrunk slightly due to compiler improvements:

irbe@cert-manager$ ls -lha bazel-out/k8-fastbuild/bin/cmd/controller/controller_/controller
-r-xr-xr-x 1 irbe irbe 60M Sep 27 15:53 bazel-out/k8-fastbuild/bin/cmd/controller/controller_/controller <- from current master

irbe@cert-manager$ ls -lha bazel-out/k8-fastbuild/bin/cmd/controller/controller_/controller
-r-xr-xr-x 1 irbe irbe 58M Sep 27 15:57 bazel-out/k8-fastbuild/bin/cmd/controller/controller_/controller <- this branch

• Various improvements to core crypto libraries might make us faster and safer 🚀 https://golang.org/doc/go1.17#minor_library_changes, but don't appear breaking

• e2e tests where run in CI for all kube versions + the upgrade test & all passed

cert-manager now uses Go 1.17.

[irbekrm]

/kind cleanup

[irbekrm]

This is so that we can source the functions that remove/replace the autogen build tags from another file (using the rlocation function that is being sourced here- I wanted to do that, to make this file shorter as I had to add some extra functionality to replacing/removing.
Arguably, this adds complexity, but is also an example of how bash libraries can be imported if that was ever useful.

This appears to be a standard way of doing it, see i.e https://github.com/pixie-io/pixie/blob/main/src/e2e_test/px_cluster/test_px_on_gke.sh#L33-L45

[wallrj]

It's pretty unreadable, but also quite interesting to look at.
It seems to be attempting to load bazel_tools/tools/bash/runfiles/runfiles.bash from various directories, which may be derived from the name of the current script $0, right?

Thanks for the explanatory comment.

[irbekrm]

Yes, it is interesting to look at!

It seems to be attempting to load bazel_tools/tools/bash/runfiles/runfiles.bash from various directories, which may be derived from the name of the current script $0, right?

Yes, my understanding of this is that since bazel_tools/tools/bash/runfiles is declared as a dependency of the update-codegen Bazel target (here), it will get added to the 'runfiles' when we bazel run this target- see a limited description of that mechanism here and here. These lines then attempt to source the runfiles.bash script from one of the known locations of these Bazel runfiles.

Perhaps I should add a comment about this.

[irbekrm]

This is because this PR bumps Ingress-NGINX controller's version to v1.0.2 when running on kube 1.22. v1.X Ingress-NGINX requires for ingress class name to be defined on Ingress resources (docs).

cert-manager ingress-shim creates Ingresses with our without class name depending on how the users have configured the HTTP-01 solver on the issuer, see the code. Our e2e tests create some Ingresses without the class name (and we probably want to keep doing that, at least for as long as we support Ingress-NGINX versions where the class name is not mandatory) so the tests break with v1 Ingress-NGINX as the Ingresses without class name are ignored by the controller. Adding this flag makes the controller watch Ingresses without class.

I think we should eventually test with a standard v1 ingress controller configuration (that only wathces Ingresses with class name), but I think we don't want to deploy two ingress controllers, so might need to allow for different test configurations for v1 and pre-v1 ingress controllers.
We may also want to make the field descriptions on the solver spec more clear as to when the class name is required.

[wallrj]

Ok. I think I get it. Thanks for the explanatory comment.
It might be worth summarizing that explanation as a comment in the code, for the benefit of others who might be tempted to change the versions etc.

[wallrj]

Thanks @irbekrm

That's a lot of work and some impressive hacking to work around the problems with the upgrade.

Some parts I didn't understand, and some things I'd like to see explained as comments in the code rather than as PR comments, but also happy to merge this as-is and improve later.

Unhold when you're happy with it.

/lgtm
/hold

[wallrj]

Ok. I think I get it. Thanks for the explanatory comment.
It might be worth summarizing that explanation as a comment in the code, for the benefit of others who might be tempted to change the versions etc.

[wallrj]

We're importing this twice with different aliases.

[wallrj]

Wait a minute... I only added this yesterday!

Is it really not needed? If not, then remove the function definition too.

[irbekrm]

Apologies, I was rebasing this morning and did not realize this was recently added.

I think it may not be needed- I see that served is set to true for all versions in patchCRDConversion function (which was called on the line above) here. I will remove this now, but it would be good if you could double check?

[wallrj]

OMG, that's my fault. I originally added it to patchCRDConversion then thought it would be clearer as a separate function and forgot to remove the original place. Sorry about that.

Why does patchCRDConversion now return a new slice of CRDs?
It seems superficial because inside the function we're still mutating the original CRD objects.

If these functions are called patchXYZ then I think it makes sense if they clearly modify the supplied slice of CRDs.

[irbekrm]

yeah it's a good point about the name and I didn't somehow didn't realize it was modifying those CRDs I think- I will change it back

[wallrj]

I guess native is builtin. I don't see it imported anywhere.

[irbekrm]

native is a built-in module and bazel_version appears to be an undocumented method within it :) bazelbuild/bazel#8305

[wallrj]

BTW I also confirmed that I was able to run all the E2E tests locally with Bazel 4

./devel/cluster/install.sh
./devel/setup-e2e-deps.sh
./devel/run-e2e.sh

Ran 468 of 789 Specs in 1059.924 seconds
SUCCESS! -- 468 Passed | 0 Failed | 0 Pending | 321 Skipped


Ginkgo ran 1 suite in 17m40.508821255s
Test Suite Passed

[irbekrm]

Thanks for the review, all the great comments and verifying that the setup works @wallrj !

I think I've addressed all the comments now.

[wallrj]

/lgtm

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [irbekrm,wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[irbekrm]

/hold cancel