This repository was archived by the owner on Jul 30, 2021. It is now read-only.

upstream-community-operators [N] [CI] cert-manager (1.4.0)#4103

Merged
framework-automation merged 1 commit into operator-framework:master from wallrj:cert-manager-1.4.0, Jun 22, 2021

Conversation

@wallrj
Contributor

@wallrj wallrj commented Jun 16, 2021

Thanks for submitting your Operator. Please check the list below before you create your Pull Request.

New Submissions

Updates to existing Operators

  • Did you create a ci.yaml file according to the update instructions?
  • Is your new CSV pointing to the previous version with the replaces property if you chose replaces-mode via the updateGraph property in ci.yaml?
  • Is your new CSV referenced in the appropriate channel defined in the package.yaml or annotations.yaml ?
  • Have you tested an update to your Operator when deployed via OLM?
  • Is your submission signed?

Your submission should not

  • Modify more than one operator
  • Modify an Operator you don't own
  • Rename an operator - please remove and add with a different name instead
  • Submit operators to both upstream-community-operators and community-operators at once
  • Modify any files outside the above mentioned folders
  • Contain more than one commit. Please squash your commits.

Operator Description must contain (in order)

  1. Description about the managed Application and where to find more information
  2. Features and capabilities of your Operator and how to use it
  3. Any manual steps about potential pre-requisites for using your Operator

Operator Metadata should contain

  • Human readable name and 1-liner description about your Operator
  • Valid category name [1]
  • One of the pre-defined capability levels [2]
  • Links to the maintainer, source code and documentation
  • Example templates for all Custom Resource Definitions intended to be used
  • A quadratic logo

Remember that you can preview your CSV here.

--

[1] If you feel your Operator does not fit any of the pre-defined categories, file an issue against this repo and explain your need

[2] For more information see here

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2021
@openshift-ci openshift-ci Bot requested review from J0zi and mvalarh June 16, 2021 17:03
@openshift-ci openshift-ci Bot added kubernetes-operator An Operator targeting OperatorHub.io needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 16, 2021
@openshift-ci

openshift-ci Bot commented Jun 16, 2021

Hi @wallrj. Thanks for your PR.

I'm waiting for a operator-framework member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wallrj
Contributor Author

wallrj commented Jun 16, 2021

Not ready for review. This is a draft PR. I'm still working through the PR checklist and attempting to test locally.

@wallrj
Contributor Author

wallrj commented Jun 17, 2021

While testing on a local Kind cluster I see an error during the bundle unpacking:

kubectl -n olm  logs 69eb921e5868a606ccbf4c588b0af829f838c007446ae623e255748bdb77h5h
time="2021-06-17T10:19:02Z" level=info msg="Using in-cluster kube client config"
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/acme.cert-manager.io_challenges.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/acme.cert-manager.io_orders.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager-cainjector_v1_serviceaccount.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager-view_rbac.authorization.k8s.io_v1_clusterrole.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager-webhook_v1_service.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager-webhook_v1_serviceaccount.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager.clusterserviceversion.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager.io_certificaterequests.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager.io_certificates.yaml
time="2021-06-17T10:19:02Z" level=info msg="Reading file" file=/bundle/manifests/cert-manager.io_clusterissuers.yaml
time="2021-06-17T10:19:02Z" level=error msg="File with size 692874 exceeded 1048576 limit, aboring" file=/bundle/manifests/cert-manager.io_clusterissuers.yaml
Error: error loading manifests from directory: file cert-manager.io_clusterissuers.yaml bigger than total allowed limit
Usage:
  opm alpha bundle extract [flags]

Flags:
  -c, --configmapname string   name of configmap to write bundle data
  -l, --datalimit uint         maximum limit in bytes for total bundle data (default 1048576)
      --debug                  enable debug logging
  -h, --help                   help for extract
  -k, --kubeconfig string      absolute path to kubeconfig file
  -m, --manifestsdir string    path to directory containing manifests (default "/")
  -n, --namespace string       namespace to write configmap data (default "openshift-operator-lifecycle-manager")

Global Flags:
      --skip-tls   skip TLS certificate verification for container image registries while pulling bundles or index

The same problem is described in operator-framework/operator-lifecycle-manager#1523 and a solution is described in operator-framework/enhancements#40.
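
The log above reports a 692874-byte file as exceeding the 1048576 limit because, per the `--datalimit` help text, the limit applies to the total bundle data. The following Go pre-flight check is an added example, not code from opm or from this PR; it assumes the limit is compared against the running sum of file sizes in name order, and the `bundle/manifests` default path is hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// defaultDataLimit is the --datalimit default shown in the usage text above.
const defaultDataLimit = 1048576

// firstOverLimit adds up regular-file sizes in dir in name order and returns
// the file whose bytes push the running total past limit ("" if none), plus
// the total for the whole directory. Assumption: the limit covers the sum of
// all files, as the flag help states; this is not opm's own code.
func firstOverLimit(dir string, limit int64) (string, int64, error) {
	entries, err := os.ReadDir(dir) // ReadDir returns entries sorted by name
	if err != nil {
		return "", 0, err
	}
	var total int64
	offender := ""
	for _, e := range entries {
		info, err := e.Info()
		if err != nil {
			return "", 0, err
		}
		if !info.Mode().IsRegular() {
			continue // skip subdirectories, symlinks, etc.
		}
		total += info.Size()
		if offender == "" && total > limit {
			offender = e.Name()
		}
	}
	return offender, total, nil
}

func main() {
	dir := filepath.Join("bundle", "manifests") // hypothetical local bundle path
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	name, total, err := firstOverLimit(dir, defaultDataLimit)
	fmt.Printf("first file over limit: %q, total bytes: %d, err: %v\n", name, total, err)
}
```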

@wallrj
Contributor Author

wallrj commented Jun 21, 2021

I've worked around the bundle size issue and moved all the make scripts into our own repo in cert-manager/cert-manager-olm#26, but I'm now trying to work around some problems:

  • with the -service suffix that OLM adds to the DNS name of the cert-manager webhook service OR
  • trying to get the cert-manager webhook to use the OLM supplied serving TLS certificate rather than the one it uses by default.

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
@wallrj
Contributor Author

wallrj commented Jun 21, 2021

richard   release-1.5  ~  projects  cert-manager  cert-manager  1   ./devel/run-e2e.sh --ginkgo.focus '[Conformance].*SelfSigned Issuer'
...
        Internal error occurred: failed calling webhook "mutate.webhooks.cert-manager.io": Post "https://cert-manager-webhook-service.operators.svc:443/mutate?timeout=10s": x509: certificate is valid for cert-manager-webhook, cert-manager-webhook.cert-manager, cert-manager-webhook.cert-manager.svc, not cert-manager-webhook-service.operators.svc
    occurred

    test/e2e/suite/conformance/certificates/selfsigned/selfsigned.go:54
------------------------------
STEP: Retrieving logs for global addons
STEP: Cleaning up the provisioned globals
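
The x509 failure in the output above can be reproduced offline with Go's standard hostname check. This is an added example, not code from cert-manager, OLM or this PR; it builds a throwaway self-signed certificate carrying the DNS names listed in the error and verifies it against the `-service` name the API server dialled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DNS names copied from the x509 error quoted in the comment above.
var servingCertNames = []string{
	"cert-manager-webhook",
	"cert-manager-webhook.cert-manager",
	"cert-manager-webhook.cert-manager.svc",
}

// checkHost builds a throwaway self-signed certificate (constructed sample, not
// the real webhook certificate) with the given DNS SANs and verifies host.
func checkHost(dnsNames []string, host string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-sample"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // nil only if a SAN matches host
}

func main() {
	olmHost := "cert-manager-webhook-service.operators.svc" // host from the error
	fmt.Println("default names:", checkHost(servingCertNames, olmHost))
	fmt.Println("with OLM name:", checkHost(append(servingCertNames, olmHost), olmHost))
}
```

The first call fails with a hostname error; the second passes once the OLM-assigned service name is among the certificate's SANs.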

@wallrj
Contributor Author

wallrj commented Jun 21, 2021

I fixed the webhook problem in https://github.com/operator-framework/community-operators/compare/d3ff3db4bacdeae7cefd17b74001c6bd074cd1ec..f72a400c50d09cc4e38cc93359e846f336b1758e and am now able to run a selection of the cert-manager conformance tests after installing it with OLM.

I've also tested an upgrade from a 1.3.1 bundle which I generated locally in cert-manager/cert-manager-olm#26

$ kubectl operator install cert-manager -c stable -v 1.3.1 --create-operator-group -n operators
subscription "cert-manager" created
operator "cert-manager" installed; installed csv is "cert-manager.v1.3.1"
kubectl operator upgrade  cert-manager  -n operators
operator "cert-manager" upgraded; installed csv is "cert-manager.v1.4.0"

kubectl get csv
NAME                  DISPLAY        VERSION   REPLACES              PHASE
cert-manager.v1.4.0   cert-manager   1.4.0     cert-manager.v1.3.1   Succeeded

@wallrj wallrj marked this pull request as ready for review June 21, 2021 18:51
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 21, 2021
@github-actions github-actions Bot added kubernetes-operator An Operator targeting OperatorHub.io and removed kubernetes-operator An Operator targeting OperatorHub.io labels Jun 21, 2021
@github-actions
Contributor

Dockerfile or bundle.Dockerfile is added/changed. Note that for security reasons none of these files are going to be used when building bundle. Docker file will be generated and all label information is taken from annotations.yaml.

@github-actions github-actions Bot changed the title cert-manager 1.4.0 upstream-community-operators [N] [CI] cert-manager (1.4.0) Jun 21, 2021
@github-actions github-actions Bot added new-operator Indicates that this is new operator allow/operator-recreate User allows to recreate operator labels Jun 21, 2021
@github-actions
Contributor

Dockerfile or bundle.Dockerfile is added/changed. Note that for security reasons none of these files are going to be used when building bundle. Docker file will be generated and all label information is taken from annotations.yaml.

@github-actions github-actions Bot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 21, 2021
@mvalarh mvalarh self-assigned this Jun 22, 2021
Comment thread upstream-community-operators/cert-manager/ci.yaml
@github-actions github-actions Bot added the package-validated Package is validated label Jun 22, 2021
@framework-automation
Collaborator

/merge possible

@github-actions github-actions Bot added the installation-validated Indicates that operator installation was successfull label Jun 22, 2021
@framework-automation
Collaborator

/merge possible

@mvalarh mvalarh added the authorized-changes Authorized changes label Jun 22, 2021
@framework-automation
Collaborator

/merge possible

@framework-automation framework-automation merged commit 5baeb7e into operator-framework:master Jun 22, 2021
@mvalarh
Collaborator

mvalarh commented Jun 22, 2021

@wallrj since addReviewers: true is not critical, I am merging it. You can fix it in the next PR.
