Merge pull request #1 from jakexks/initial-release

Initial Release
cert-manager · May 30, 2022 · 77e962e · 77e962e
2 parents 0fc5110 + f2a5b9d
commit 77e962e
Show file tree

Hide file tree

Showing 17 changed files with 3,202 additions and 2 deletions.
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
@@ -0,0 +1,50 @@
+name: GoReleaser
+
+on:
+  pull_request:
+  push:
+    tags:
+      - "*"
+
+permissions:
+  contents: write # needed to update the data of a release
+  packages: write
+
+jobs:
+  goreleaser:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Fetch all tags
+        run: git fetch --force --tags
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "^1.18"
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run GoReleaser (PR)
+        uses: goreleaser/goreleaser-action@v2
+        if: "!startsWith(github.ref, 'refs/tags')" # runs on a PR
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run GoReleaser (Publish Release)
+        uses: goreleaser/goreleaser-action@v2
+        if: "startsWith(github.ref, 'refs/tags')" # runs on a Tag being pushed
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+dist
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,133 @@
+project_name: cert-manager-openshift-routes
+before:
+  hooks:
+    - go test -v ./...
+    - ./hack/generate-static-manifest.sh {{ .Version }}
+builds:
+  - id: cert-manager-openshift-routes
+    main: ./internal/cmd
+    binary: cert-manager-openshift-routes
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm
+      - arm64
+      - s390x
+      - riscv64
+      - ppc64le
+    goarm:
+      - '6'
+      - '7'
+archives:
+  - format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - LICENSE
+dockers:
+  - id: cert-manager-openshift-routes-amd64
+    goarch: amd64
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-amd64
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-arm64
+    goarch: arm64
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-arm64
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-armv6
+    goarch: arm
+    goarm: "6"
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-armv6
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm/v6"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-armv7
+    goarch: arm
+    goarm: "7"
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-armv7
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm/v7"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-s390x
+    goarch: s390x
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-s390x
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/s390x"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-riscv64
+    goarch: riscv64
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-riscv64
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/riscv64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+  - id: cert-manager-openshift-routes-ppc64le
+    goarch: ppc64le
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-ppc64le
+    use: buildx
+    dockerfile: internal/cmd/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/ppc64le"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+docker_manifests:
+  - name_template: ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}
+    image_templates:
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-amd64
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-arm64
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-armv6
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-armv7
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-s390x
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-riscv64
+      - ghcr.io/cert-manager/cert-manager-openshift-routes:{{ .Version }}-ppc64le
+checksum:
+  name_template: 'checksums.txt'
+release:
+  extra_files:
+    - glob: ./cert-manager-openshift-routes-*.yaml
+      name_template: cert-manager-openshift-routes.yaml
diff --git a/OWNERS b/OWNERS
@@ -0,0 +1,18 @@
+approvers:
+- munnerz
+- joshvanl
+- meyskens
+- wallrj
+- jakexks
+- maelvls
+- irbekrm
+- sgtcodfish
+- jahrlin
+reviewers:
+- joshvanl
+- wallrj
+- jakexks
+- maelvls
+- irbekrm
+- sgtcodfish
+- jahrlin
diff --git a/README.md b/README.md
@@ -1,2 +1,59 @@
-# openshift-routes
-OpenShift Route support for cert-manager
+# OpenShift Route Support for cert-manager
+
+This project supports automatically getting a certificate for
+OpenShift routes from any cert-manager Issuer.
+
+## Usage
+
+Ensure you have [cert-manager](https://github.com/cert-manager/cert-manager) installed
+through the method of your choice.
+
+Install in your cluster using the static manifests:
+
+```shell
+oc apply -f https://github.com/cert-manager/cert-manager-openshift-routes/releases/latest/cert-manager-openshift-routes.yaml
+```
+
+Annotate your routes:
+
+```yaml
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: example-route
+  annotations:
+    cert-manager.io/issuer-name: my-issuer # This is the only required annotation
+    cert-manager.io/issuer-group: cert-manager.io # Optional, defaults to cert-manager.io
+    cert-manager.io/issuer-kind: Issuer # Optional, defaults to Issuer, could be ClusterIssuer or an External Issuer
+    cert-manager.io/duration: 1h # Optional, defaults to 90 days
+    cert-manager.io/renew-before: 30m # Optional, defaults to 1/3 of total certificate duration.
+    cert-manager.io/common-name: "My Certificate" # Optional, no default.
+    cert-manager.io/alt-names: "mycooldomain.com,mysecondarydomain.com" # Optional, no default
+    cert-manager.io/ip-sans: "10.20.30.40,192.168.192.168" # Optional, no default
+    cert-manager.io/uri-sans: "spiffe://trustdomain/workload" # Optional, no default
+spec:
+  host: my-internal-service-host.my-domain # will be added to the Subject Alternative Names of the CertificateRequest
+  port:
+    targetPort: 8080
+  to:
+    kind: Service
+    name: hello-openshift
+```
+
+Observe the `route.Spec.TLS` section of your route being populated automatically by cert-manager.
+
+The route's TLS certificate will be rotated 2/3 of the way through the certificate's lifetime, or 
+`cert-manager.io/renew-before` time before it expires.
+
+# Why is This a Separate Project?
+
+We do not wish to support non Kubernetes (or kubernetes-sigs) APIs in cert-manager core. This adds
+a large maintenance burden, and it's hard for us to e2e test everyone's CRDs. However, OpenShift is
+widely used, so it makes sense to have some support for it in the cert-manager ecosystem.
+
+Ideally we would have contributed this controller to an existing project, e.g.
+https://github.com/redhat-cop/cert-utils-operator. Unfortunately, cert-manager is not really designed
+to be imported as a module. It has a large number of transitive dependencies that would add an unfair
+amount of maintenance to whichever project we submitted it to. In the future, we would like to split
+the cert-manager APIs and typed clients out of the main cert-manager repo, at which point it would be
+easier for other people to consume in their projects.
diff --git a/deploy/static/cert-manager-openshift-routes.yaml b/deploy/static/cert-manager-openshift-routes.yaml
@@ -0,0 +1,120 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-openshift-routes
+rules:
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificaterequests
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - certificaterequests/status
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-openshift-routes
+  namespace: cert-manager
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-openshift-routes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-openshift-routes
+subjects:
+- kind: ServiceAccount
+  name: cert-manager-openshift-routes
+  namespace: cert-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-manager-openshift-routes
+  namespace: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager-openshift-routes
+    app.kubernetes.io/version: "$RELEASED_VERSION"
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/part-of: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cert-manager-openshift-routes
+      app.kubernetes.io/version: "$RELEASED_VERSION"
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/part-of: cert-manager
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: cert-manager-openshift-routes
+        app.kubernetes.io/version: "$RELEASED_VERSION"
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/part-of: cert-manager
+    spec:
+      serviceAccountName: cert-manager-openshift-routes
+      automountServiceAccountToken: true
+      containers:
+        - name: cert-manager-openshift-routes
+          image: "ghcr.io/cert-manager/cert-manager-openshift-routes:$RELEASED_VERSION"
+          args:
+          - -v=5
+          ports:
+          - containerPort: 6060
+            name: readiness
+            protocol: TCP
+          - containerPort: 9042
+            name: metrics
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              port: readiness
+              path: "/readyz"
+            initialDelaySeconds: 3
+            periodSeconds: 5
+            timeoutSeconds: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 65534
+            runAsGroup: 65534