├── .github └── dependabot.yml ├── .gitignore ├── CONTRIBUTING.md ├── Dockerfile ├── Dockerfile.orig ├── Dockerfile.ppc64le ├── Dockerfile.s390x ├── LICENSE ├── Makefile ├── OWNERS ├── PROJECT ├── README.md ├── RELEASE.md ├── SECURITY_CONTACTS ├── apis ├── acme.cert-manager │ └── v1 │ │ ├── groupversion_info.go │ │ ├── types_issuer.go │ │ └── zz_generated.deepcopy.go ├── cert-manager │ └── v1 │ │ ├── certificate_types.go │ │ ├── doc.go │ │ ├── groupversion_info.go │ │ ├── issuer_types.go │ │ ├── types.go │ │ └── zz_generated.deepcopy.go ├── meta.cert-manager │ └── v1 │ │ ├── doc.go │ │ ├── groupversion_info.go │ │ ├── types.go │ │ └── zz_generated.deepcopy.go └── operator │ └── v1 │ ├── certmanagerconfig_types.go │ ├── groupversion_info.go │ └── zz_generated.deepcopy.go ├── base_images.json ├── bundle.Dockerfile ├── bundle ├── manifests │ ├── acme.cert-manager.io_challenges.yaml │ ├── acme.cert-manager.io_orders.yaml │ ├── cert-manager.io_certificaterequests.yaml │ ├── cert-manager.io_certificates.yaml │ ├── cert-manager.io_clusterissuers.yaml │ ├── cert-manager.io_issuers.yaml │ ├── ibm-cert-manager-manager-config_v1_configmap.yaml │ ├── ibm-cert-manager-operator.clusterserviceversion.yaml │ └── operator.ibm.com_certmanagerconfigs.yaml ├── metadata │ └── annotations.yaml └── tests │ └── scorecard │ └── config.yaml ├── cert-manager-migration ├── Chart.yaml ├── templates │ ├── cert-manager-migration-job.yaml │ └── rbac.yaml └── values.yaml ├── common ├── Makefile.common.mk ├── config │ ├── .golangci.yml │ ├── .hadolint.yml │ ├── .yamllint.yml │ ├── mdl.rb │ ├── sass-lint.yml │ └── tslint.json └── scripts │ ├── config_docker.sh │ ├── delete_v1.sh │ ├── gobuild.sh │ ├── lint_copyright_banner.sh │ ├── lint_go.sh │ ├── patch-csv.sh │ └── patch-metadata.sh ├── config ├── crd │ ├── bases │ │ ├── acme.cert-manager.io_challenges.yaml │ │ ├── acme.cert-manager.io_orders.yaml │ │ ├── cert-manager.io_certificaterequests.yaml │ │ ├── cert-manager.io_certificates.yaml │ │ ├── 
cert-manager.io_clusterissuers.yaml │ │ ├── cert-manager.io_issuers.yaml │ │ └── operator.ibm.com_certmanagerconfigs.yaml │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── patches │ │ ├── cainjection_in_certificaterequests.yaml │ │ ├── cainjection_in_certificates.yaml │ │ ├── cainjection_in_certmanagers.yaml │ │ ├── cainjection_in_challenges.yaml │ │ ├── cainjection_in_issuers.yaml │ │ ├── cainjection_in_orders.yaml │ │ ├── webhook_in_certificaterequests.yaml │ │ ├── webhook_in_certificates.yaml │ │ ├── webhook_in_certmanagers.yaml │ │ ├── webhook_in_challenges.yaml │ │ ├── webhook_in_issuers.yaml │ │ └── webhook_in_orders.yaml ├── default │ ├── kustomization.yaml │ ├── manager_auth_proxy_patch.yaml │ └── manager_config_patch.yaml ├── manager │ ├── controller_manager_config.yaml │ ├── kustomization.yaml │ └── manager.yaml ├── manifests │ ├── bases │ │ └── ibm-cert-manager-operator.clusterserviceversion.yaml │ └── kustomization.yaml ├── prometheus │ ├── kustomization.yaml │ └── monitor.yaml ├── rbac │ ├── auth_proxy_client_clusterrole.yaml │ ├── auth_proxy_role.yaml │ ├── auth_proxy_role_binding.yaml │ ├── auth_proxy_service.yaml │ ├── certificate_editor_role.yaml │ ├── certificate_viewer_role.yaml │ ├── certificaterequest_editor_role.yaml │ ├── certificaterequest_viewer_role.yaml │ ├── certmanager_editor_role.yaml │ ├── certmanager_viewer_role.yaml │ ├── challenge_editor_role.yaml │ ├── challenge_viewer_role.yaml │ ├── issuer_editor_role.yaml │ ├── issuer_viewer_role.yaml │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ ├── order_editor_role.yaml │ ├── order_viewer_role.yaml │ ├── role.yaml │ ├── role_binding.yaml │ └── service_account.yaml ├── samples │ ├── kustomization.yaml │ └── operator_v1_certmanagerconfig.yaml └── scorecard │ ├── bases │ └── config.yaml │ ├── kustomization.yaml │ └── patches │ ├── basic.config.yaml │ └── olm.config.yaml ├── controllers ├── operator │ ├── certmanager_controller.go │ 
├── deploys.go │ ├── prereqs-webhook.go │ ├── prereqs.go │ ├── suite_test.go │ └── util.go └── resources │ ├── certmanager.go │ ├── constants.go │ ├── containers.go │ ├── deployments.go │ ├── pods.go │ ├── rbac.go │ ├── util.go │ └── webhook_resources.go ├── go.mod ├── go.sum ├── hack ├── boilerplate.go.txt ├── fixup-cert-manager-manifests.py └── reduce-bundle-crds.sh ├── helm-cluster-scoped ├── Chart.yaml ├── templates │ ├── acme.cert-manager.io_challenges.yaml │ ├── acme.cert-manager.io_orders.yaml │ ├── cert-manager.io_certificaterequests.yaml │ ├── cert-manager.io_certificates.yaml │ ├── cert-manager.io_clusterissuers.yaml │ ├── cert-manager.io_issuers.yaml │ ├── cluster-rbac.yaml │ └── operator.ibm.com_certmanagerconfigs.yaml └── values.yaml ├── helm ├── Chart.yaml ├── templates │ ├── deployment.yaml │ └── rbac.yaml └── values.yaml └── main.go /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: docker 4 | directory: "/" 5 | schedule: 6 | interval: daily 7 | target-branch: "master" 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | bin 9 | testbin/* 10 | 11 | # Test binary, build with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Kubernetes Generated files - skip generated files, except for vendored files 18 | 19 | !vendor/**/zz_generated.* 20 | 21 | # editor and IDE paraphernalia 22 | .idea 23 | *.swp 24 | *.swo 25 | *~ 26 | 27 | hack/tmp 28 | 29 | cache 30 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* 4 | 5 | - [Contributing guidelines](#contributing-guidelines) 6 | - [Developer Certificate of Origin](#developer-certificate-of-origin) 7 | - [Contributing A Patch](#contributing-a-patch) 8 | - [Issue and Pull Request Management](#issue-and-pull-request-management) 9 | - [Pre-check before submitting a PR](#pre-check-before-submitting-a-pr) 10 | - [Build images](#build-images) 11 | 12 | 13 | 14 | # Contributing guidelines 15 | 16 | ## Developer Certificate of Origin 17 | 18 | This repository built with [probot](https://github.com/probot/probot) that enforces the [Developer Certificate of Origin](https://developercertificate.org/) (DCO) on Pull Requests. It requires all commit messages to contain the `Signed-off-by` line with an email address that matches the commit author. 19 | 20 | ## Contributing A Patch 21 | 22 | 1. Submit an issue describing your proposed change to the repo in question. 23 | 1. The [repo owners](OWNERS) will respond to your issue promptly. 24 | 1. Fork the desired repo, develop and test your code changes. 25 | 1. Commit your changes with DCO 26 | 1. Submit a pull request. 27 | 28 | ## Issue and Pull Request Management 29 | 30 | Anyone may comment on issues and submit reviews for pull requests. However, in 31 | order to be assigned an issue or pull request, you must be a member of the 32 | [IBM](https://github.com/ibm) GitHub organization. 33 | 34 | Repo maintainers can assign you an issue or pull request by leaving a 35 | `/assign ` comment on the issue or pull request. 36 | 37 | ## Developing 38 | 39 | ### Pre-requisite 40 | 41 | 1. [operator-sdk CLI](https://github.com/operator-framework/operator-sdk) v1.23.0 or above 42 | 43 | ### Version bump 44 | 45 | 1. Edit the `PREV_VERSION` and `VERSION` values in the Makefile. 46 | 1. Edit the image tags in [manager.yaml](config/manager/manager.yaml). 47 | 1. 
Edit the image tags in [base csv](config/manifests/bases/ibm-cert-manager-operator.clusterserviceversion.yaml). 48 | 1. Re-generate the bundle. 49 | 50 | ``` 51 | make bundle 52 | ``` 53 | 54 | 1. Verify CSV has all the edits that were made in previous steps. 55 | 56 | ## Testing on Open Shift cluster 57 | 58 | ### Pre-requisites 59 | 60 | 1. [operator-sdk CLI](https://github.com/operator-framework/operator-sdk) v1.23.0 or above 61 | 62 | ### Testing bundle with OLM 63 | 64 | A bundle is a packaging format for the operator, which mainly consists of the CSV and CRDs. Bundles are understood by OLM. The operator-sdk CLI has the capability to create everything necessary to run this bundle on the cluster. 65 | 66 | Running the bundle involves ephemerally creating all the necessary OLM objects to ultimately have the operator's deployment running, such as temporary CatalogSource, OperatorGroup, Subscription, etc. 67 | 68 | This type of testing is as close as possible to how IBM Foundational services installs `ibm-cert-manager-operator` without creating a complete IBM Foundational services' CatalogSource and using ODLM. 69 | 70 | 1. Verify you can build and push the operator's image to a registry. Check the `REGISTRY` variable in Makefile to see what is the default. Recommended to use your own personal registry that your Open Shift cluster has access to. 71 | 72 | ``` 73 | make push-image-amd64 74 | 75 | ``` 76 | 77 | 1. Temporarily edit the `image` field in [manager.yaml](config/manager/manager.yaml) file to be the operator image you pushed in step 1. 78 | 1. Verify you can generate the CSV in `bundle/`. The `image` field in the CSV should be the image you pushed in step 1. 79 | 80 | ``` 81 | make bundle 82 | ``` 83 | 84 | 1. Verify you can build the image for the operator bundle. 85 | 86 | ``` 87 | make bundle-build 88 | ``` 89 | 90 | 1. Push the bundle up to a registry. Check the `REGISTRY` variable in Makefile to see what is the default. 
Recommended to use your own personal registry that your Open Shift cluster has access to. 91 | 92 | ``` 93 | make bundle-push 94 | ``` 95 | 96 | 1. Use the built-in operator-sdk feature to [run the bundle](https://sdk.operatorframework.io/docs/olm-integration/tutorial-bundle/#deploying-an-operator-with-olm) 97 | 98 | ``` 99 | make bundle-run 100 | ``` 101 | 102 | 1. Verify operator is running, and you can create the operands by creating a new CertManagerConfig object 103 | 1. Revert the `image` change in [manager.yaml](config/manager/manager.yaml) file, and re-generate the bundle before opening PR 104 | 105 | ``` 106 | make bundle 107 | ``` 108 | 109 | ## Pre-check before submitting a PR 110 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-local/build-images/ubi9-minimal:latest-amd64 2 | ARG VCS_REF 3 | 4 | ENV OPERATOR=/usr/local/bin/ibm-cert-manager-operator \ 5 | USER_UID=1001 \ 6 | USER_NAME=ibm-cert-manager-operator 7 | 8 | # Add licenses folder 9 | RUN mkdir /licenses 10 | COPY LICENSE /licenses 11 | 12 | # install operator binary 13 | COPY build/_output/bin/ibm-cert-manager-operator ${OPERATOR} 14 | 15 | ENTRYPOINT ["ibm-cert-manager-operator"] 16 | 17 | USER ${USER_UID} 18 | 19 | LABEL name="ibm-cert-manager-operator" 20 | LABEL vendor="IBM" 21 | LABEL version="0.0.1" 22 | LABEL release="0.0.1" 23 | LABEL summary="Operator for the cert-manager microservice" 24 | LABEL description="Operator for the cert-manager-microservice" 25 | LABEL org.label-schema.vcs-ref=$VCS_REF 26 | -------------------------------------------------------------------------------- /Dockerfile.orig: -------------------------------------------------------------------------------- 1 | # Build the manager binary 2 | FROM golang:1.23.5 as builder 3 | 4 | WORKDIR /workspace 5 | # Copy 
the Go Modules manifests 6 | COPY go.mod go.mod 7 | COPY go.sum go.sum 8 | # cache deps before building and copying source so that we don't need to re-download as much 9 | # and so that source changes don't invalidate our downloaded layer 10 | RUN go mod download 11 | 12 | # Copy the go source 13 | COPY main.go main.go 14 | COPY apis/ apis/ 15 | COPY controllers/ controllers/ 16 | 17 | # Build 18 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go 19 | 20 | # Use distroless as minimal base image to package the manager binary 21 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 22 | FROM docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-local/build-images/ubi8-minimal:latest-amd64 23 | WORKDIR / 24 | COPY --from=builder /workspace/manager . 25 | USER 65532:65532 26 | 27 | ENTRYPOINT ["/manager"] 28 | -------------------------------------------------------------------------------- /Dockerfile.ppc64le: -------------------------------------------------------------------------------- 1 | FROM alpine as builder 2 | 3 | RUN wget -O /qemu-ppc64le-static https://github.com/multiarch/qemu-user-static/releases/download/v7.2.0-1/qemu-ppc64le-static 4 | 5 | RUN chmod +x /qemu-ppc64le-static 6 | 7 | FROM docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-local/build-images/ubi9-minimal:latest-ppc64le 8 | ARG VCS_REF 9 | ARG VCS_URL 10 | 11 | LABEL org.label-schema.vendor="IBM" \ 12 | org.label-schema.name="go-repo-template" \ 13 | org.label-schema.description="A github repo with golang" \ 14 | org.label-schema.vcs-ref=$VCS_REF \ 15 | org.label-schema.vcs-url=$VCS_URL \ 16 | org.label-schema.license="Licensed Materials - Property of IBM" \ 17 | org.label-schema.schema-version="1.0" \ 18 | name="go-repo-template" \ 19 | vendor="IBM" \ 20 | description="A github repo with golang" \ 21 | summary="A github repo with golang" 22 | 23 | ENV 
OPERATOR=/usr/local/bin/ibm-cert-manager-operator \ 24 | USER_UID=1001 \ 25 | USER_NAME=ibm-cert-manager-operator 26 | 27 | COPY --from=builder /qemu-ppc64le-static /usr/bin/ 28 | 29 | # install the binary 30 | COPY build/_output/bin/ibm-cert-manager-operator-ppc64le ${OPERATOR} 31 | 32 | # copy licenses 33 | RUN mkdir /licenses 34 | COPY LICENSE /licenses 35 | 36 | ENTRYPOINT ["ibm-cert-manager-operator"] 37 | 38 | USER ${USER_UID} 39 | 40 | LABEL name="ibm-cert-manager-operator" 41 | LABEL vendor="IBM" 42 | LABEL version="0.0.1" 43 | LABEL release="0.0.1" 44 | LABEL summary="Operator for the cert-manager microservice" 45 | LABEL description="Operator for the cert-manager-microservice" 46 | -------------------------------------------------------------------------------- /Dockerfile.s390x: -------------------------------------------------------------------------------- 1 | FROM alpine as builder 2 | 3 | RUN wget -O /qemu-s390x-static https://github.com/multiarch/qemu-user-static/releases/download/v7.2.0-1/qemu-s390x-static 4 | 5 | RUN chmod +x /qemu-s390x-static 6 | 7 | FROM docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-local/build-images/ubi9-minimal:latest-s390x 8 | ARG VCS_REF 9 | ARG VCS_URL 10 | 11 | LABEL org.label-schema.vendor="IBM" \ 12 | org.label-schema.name="go-repo-template" \ 13 | org.label-schema.description="A github repo with golang" \ 14 | org.label-schema.vcs-ref=$VCS_REF \ 15 | org.label-schema.vcs-url=$VCS_URL \ 16 | org.label-schema.license="Licensed Materials - Property of IBM" \ 17 | org.label-schema.schema-version="1.0" \ 18 | name="go-repo-template" \ 19 | vendor="IBM" \ 20 | description="A github repo with golang" \ 21 | summary="A github repo with golang" 22 | 23 | ENV OPERATOR=/usr/local/bin/ibm-cert-manager-operator \ 24 | USER_UID=1001 \ 25 | USER_NAME=ibm-cert-manager-operator 26 | 27 | COPY --from=builder /qemu-s390x-static /usr/bin/ 28 | 29 | # install the binary 30 | COPY 
build/_output/bin/ibm-cert-manager-operator-s390x ${OPERATOR} 31 | 32 | # copy licenses 33 | RUN mkdir /licenses 34 | COPY LICENSE /licenses 35 | 36 | ENTRYPOINT ["ibm-cert-manager-operator"] 37 | 38 | USER ${USER_UID} 39 | 40 | LABEL name="ibm-cert-manager-operator" 41 | LABEL vendor="IBM" 42 | LABEL version="0.0.1" 43 | LABEL release="0.0.1" 44 | LABEL summary="Operator for the cert-manager microservice" 45 | LABEL description="Operator for the cert-manager-microservice" 46 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | reviewers: 2 | - bitscuit 3 | - Daniel-Fan 4 | - yannizhang2019 5 | - qpdpQ 6 | - bluzarraga 7 | - YCShen1010 8 | - Jeremy-Cheng-stack 9 | approvers: 10 | - bitscuit 11 | - Daniel-Fan 12 | - yannizhang2019 13 | - qpdpQ 14 | - bluzarraga 15 | - YCShen1010 16 | - Jeremy-Cheng-stack 17 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | domain: ibm.com 2 | layout: 3 | - go.kubebuilder.io/v3 4 | multigroup: true 5 | plugins: 6 | manifests.sdk.operatorframework.io/v2: {} 7 | scorecard.sdk.operatorframework.io/v2: {} 8 | projectName: ibm-cert-manager-operator 9 | repo: github.com/ibm/ibm-cert-manager-operator 10 | resources: 11 | - api: 12 | crdVersion: v1 13 | namespaced: true 14 | controller: true 15 | domain: ibm.com 16 | group: operator 17 | kind: CertManagerConfig 18 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/operator/v1 19 | version: v1 20 | - api: 21 | crdVersion: v1 22 | namespaced: true 23 | controller: true 24 | domain: k8s.io 25 | group: certmanager 26 | kind: Issuer 27 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/certmanager/v1alpha1 28 | version: v1alpha1 29 | - api: 30 | crdVersion: v1 31 | namespaced: true 32 | controller: true 33 | domain: k8s.io 34 | group: 
certmanager 35 | kind: Certificate 36 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/certmanager/v1alpha1 37 | version: v1alpha1 38 | - api: 39 | crdVersion: v1 40 | namespaced: true 41 | controller: true 42 | domain: k8s.io 43 | group: certmanager 44 | kind: Challenge 45 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/certmanager/v1alpha1 46 | version: v1alpha1 47 | - api: 48 | crdVersion: v1 49 | namespaced: true 50 | controller: true 51 | domain: k8s.io 52 | group: certmanager 53 | kind: Order 54 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/certmanager/v1alpha1 55 | version: v1alpha1 56 | - api: 57 | crdVersion: v1 58 | namespaced: true 59 | controller: true 60 | domain: k8s.io 61 | group: certmanager 62 | kind: CertificateRequest 63 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/certmanager/v1alpha1 64 | version: v1alpha1 65 | - api: 66 | crdVersion: v1 67 | namespaced: true 68 | controller: true 69 | domain: io 70 | group: meta.cert-manager 71 | kind: "" 72 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/meta.cert-manager/v1 73 | version: v1 74 | - api: 75 | crdVersion: v1 76 | namespaced: true 77 | controller: true 78 | domain: io 79 | group: acme.cert-manager 80 | kind: "" 81 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/acme.cert-manager/v1 82 | version: v1 83 | - api: 84 | crdVersion: v1 85 | namespaced: true 86 | controller: true 87 | domain: io 88 | group: cert-manager 89 | kind: Issuer 90 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/cert-manager/v1 91 | version: v1 92 | - api: 93 | crdVersion: v1 94 | namespaced: true 95 | controller: true 96 | domain: io 97 | group: cert-manager 98 | kind: Certificate 99 | path: github.com/ibm/ibm-cert-manager-operator/v4/apis/cert-manager/v1 100 | version: v1 101 | version: "3" 102 | -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # ibm-cert-manager-operator 2 | 3 | You can use IBM Cert Manager Operator to install the IBM certificate manager service. IBM certificate manager service issues and manages x509 certificates from various sources, such as a simple signing key pair, or self-signed. It ensures certificates are valid and up to date and will renew certificates before they expire. If you are using this operator as part of an IBM Cloud Pak, see the documentation for your specific IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see [IBM Cloud Paks that use foundational services](http://ibm.biz/cpcs_cloudpaks). 4 | 5 | ## Supported platforms 6 | 7 | Red Hat OpenShift Container Platform 4.3 or newer installed on one of the following platforms: 8 | 9 | - Linux x86_64 10 | - Linux on Power (ppc64le) 11 | - Linux on IBM Z and LinuxONE 12 | 13 | ## Operator versions 14 | 15 | - 3.5.0 16 | - 3.6.0 17 | - 3.7.1 18 | 19 | ## Prerequisites 20 | 21 | Before you install this operator, you need to first install the operator dependencies and prerequisites: 22 | 23 | - For the list of operator dependencies, see the IBM Knowledge Center [Common Services dependencies documentation](http://ibm.biz/cpcs_opdependencies). 24 | 25 | - For the list of prerequisites for installing the operator, see the IBM Knowledge Center [Preparing to install services documentation](http://ibm.biz/cpcs_opinstprereq). 26 | 27 | ## Documentation 28 | 29 | To install the operator with the IBM Common Services Operator follow the the installation and configuration instructions within the IBM Knowledge Center. 30 | 31 | - If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak. For a list of IBM Cloud Paks, see [IBM Cloud Paks that use Common Services](http://ibm.biz/cpcs_cloudpaks). 
32 | - If you are using the operator with an IBM Containerized Software, see the IBM Cloud Platform Common Services Knowledge Center [Installer documentation](http://ibm.biz/cpcs_opinstall). 33 | 34 | ## SecurityContextConstraints Requirements 35 | 36 | The IBM certificate manager service supports running with the OpenShift Container Platform 4.3 default restricted Security Context Constraints (SCCs). 37 | 38 | For more information about the OpenShift Container Platform Security Context Constraints, see [Managing Security Context Constraints](https://docs.openshift.com/container-platform/4.3/authentication/managing-security-context-constraints.html). 39 | 40 | OCP 4.3 restricted SCC: 41 | 42 | ```yaml 43 | allowHostDirVolumePlugin: false 44 | allowHostIPC: false 45 | allowHostNetwork: false 46 | allowHostPID: false 47 | allowHostPorts: false 48 | allowPrivilegeEscalation: true 49 | allowPrivilegedContainer: false 50 | allowedCapabilities: null 51 | apiVersion: security.openshift.io/v1 52 | defaultAddCapabilities: null 53 | fsGroup: 54 | type: MustRunAs 55 | groups: 56 | - system:authenticated 57 | kind: SecurityContextConstraints 58 | metadata: 59 | annotations: 60 | kubernetes.io/description: restricted denies access to all host features and requires 61 | pods to be run with a UID, and SELinux context that are allocated to the namespace. This 62 | is the most restrictive SCC and it is used by default for authenticated users. 
63 | creationTimestamp: "2020-03-27T15:01:00Z" 64 | generation: 1 65 | name: restricted 66 | resourceVersion: "6365" 67 | selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/restricted 68 | uid: 6a77775c-a6d8-4341-b04c-bd826a67f67e 69 | priority: null 70 | readOnlyRootFilesystem: false 71 | requiredDropCapabilities: 72 | - KILL 73 | - MKNOD 74 | - SETUID 75 | - SETGID 76 | runAsUser: 77 | type: MustRunAsRange 78 | seLinuxContext: 79 | type: MustRunAs 80 | supplementalGroups: 81 | type: RunAsAny 82 | users: [] 83 | volumes: 84 | - configMap 85 | - downwardAPI 86 | - emptyDir 87 | - persistentVolumeClaim 88 | - projected 89 | - secret 90 | ``` 91 | 92 | ### Developer guide 93 | 94 | See [CONTRIBUTING.md](CONTRIBUTING.md) 95 | 96 | ### End-to-End testing 97 | 98 | For more instructions on how to run end-to-end testing with the Operand Deployment Lifecycle Manager, see [IBM Common Services Operator guide](https://github.com/IBM/ibm-common-service-operator/blob/master/docs/install.md). 99 | 100 | -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | **Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* 4 | 5 | - [Release Process](#release-process) 6 | 7 | 8 | 9 | # Release Process 10 | 11 | The XXX is released on an as-needed basis. The process is as follows: 12 | 13 | 1. An issue is proposing a new release with a changelog since the last release 14 | 1. All [OWNERS](OWNERS) must LGTM this release 15 | 1. An OWNER runs `git tag -s $VERSION` and inserts the changelog and pushes the tag with `git push $VERSION` 16 | 1. The release issue is closed 17 | 1. 
An announcement email is sent to `xxx` with the subject `[ANNOUNCE] xxx $VERSION is released` 18 | -------------------------------------------------------------------------------- /SECURITY_CONTACTS: -------------------------------------------------------------------------------- 1 | # Defined below are the security contacts for this repo. 2 | # 3 | # They are the contact point for the Product Security Committee to reach out 4 | # to for triaging and handling of incoming issues. 5 | # 6 | 7 | bitscuit 8 | -------------------------------------------------------------------------------- /apis/acme.cert-manager/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | // Package v1 contains API Schema definitions for the acme.cert-manager v1 API group 18 | //+kubebuilder:object:generate=true 19 | //+groupName=acme.cert-manager.io 20 | package v1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "acme.cert-manager.io", Version: "v1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /apis/cert-manager/v1/doc.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2022 IBM Corporation 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 
15 | // 16 | 17 | // Package v1 contains API Schema definitions for the cert-manager v1 API group 18 | // +k8s:deepcopy-gen=package,register 19 | // +groupName=cert-manager.io 20 | package v1 21 | -------------------------------------------------------------------------------- /apis/cert-manager/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Package v1 contains API Schema definitions for the cert-manager v1 API group 18 | //+kubebuilder:object:generate=true 19 | //+groupName=cert-manager.io 20 | package v1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "cert-manager.io", Version: "v1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 
35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /apis/meta.cert-manager/v1/doc.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2022 IBM Corporation 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | // 16 | 17 | // Package v1 contains API Schema definitions for the meta v1 API group 18 | // +k8s:deepcopy-gen=package,register 19 | // +groupName=meta.cert-manager.io 20 | package v1 21 | -------------------------------------------------------------------------------- /apis/meta.cert-manager/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | // Package v1 contains API Schema definitions for the meta.cert-manager v1 API group 18 | //+kubebuilder:object:generate=true 19 | //+groupName=meta.cert-manager.io 20 | package v1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "meta.cert-manager.io", Version: "v1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /apis/meta.cert-manager/v1/types.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The cert-manager Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1 18 | 19 | // ConditionStatus represents a condition's status. 20 | // +kubebuilder:validation:Enum=True;False;Unknown 21 | type ConditionStatus string 22 | 23 | // These are valid condition statuses. 
"ConditionTrue" means a resource is in 24 | // the condition; "ConditionFalse" means a resource is not in the condition; 25 | // "ConditionUnknown" means kubernetes can't decide if a resource is in the 26 | // condition or not. In the future, we could add other intermediate 27 | // conditions, e.g. ConditionDegraded. 28 | const ( 29 | // ConditionTrue represents the fact that a given condition is true 30 | ConditionTrue ConditionStatus = "True" 31 | 32 | // ConditionFalse represents the fact that a given condition is false 33 | ConditionFalse ConditionStatus = "False" 34 | 35 | // ConditionUnknown represents the fact that a given condition is unknown 36 | ConditionUnknown ConditionStatus = "Unknown" 37 | ) 38 | 39 | // A reference to an object in the same namespace as the referent. 40 | // If the referent is a cluster-scoped resource (e.g. a ClusterIssuer), 41 | // the reference instead refers to the resource with the given name in the 42 | // configured 'cluster resource namespace', which is set as a flag on the 43 | // controller component (and defaults to the namespace that cert-manager 44 | // runs in). 45 | type LocalObjectReference struct { 46 | // Name of the resource being referred to. 47 | // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 48 | Name string `json:"name"` 49 | } 50 | 51 | // ObjectReference is a reference to an object with a given name, kind and group. 52 | type ObjectReference struct { 53 | // Name of the resource being referred to. 54 | Name string `json:"name"` 55 | // Kind of the resource being referred to. 56 | // +optional 57 | Kind string `json:"kind,omitempty"` 58 | // Group of the resource being referred to. 59 | // +optional 60 | Group string `json:"group,omitempty"` 61 | } 62 | 63 | // A reference to a specific 'key' within a Secret resource. 64 | // In some instances, `key` is a required field. 65 | type SecretKeySelector struct { 66 | // The name of the Secret resource being referred to. 
67 | LocalObjectReference `json:",inline"` 68 | 69 | // The key of the entry in the Secret resource's `data` field to be used. 70 | // Some instances of this field may be defaulted, in others it may be 71 | // required. 72 | // +optional 73 | Key string `json:"key,omitempty"` 74 | } 75 | 76 | const ( 77 | // Used as a data key in Secret resources to store a CA certificate. 78 | TLSCAKey = "ca.crt" 79 | ) 80 | -------------------------------------------------------------------------------- /apis/meta.cert-manager/v1/zz_generated.deepcopy.go: -------------------------------------------------------------------------------- 1 | //go:build !ignore_autogenerated 2 | 3 | /* 4 | Copyright 2022. 5 | 6 | Licensed under the Apache License, Version 2.0 (the "License"); 7 | you may not use this file except in compliance with the License. 8 | You may obtain a copy of the License at 9 | 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | 12 | Unless required by applicable law or agreed to in writing, software 13 | distributed under the License is distributed on an "AS IS" BASIS, 14 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | See the License for the specific language governing permissions and 16 | limitations under the License. 17 | */ 18 | 19 | // Code generated by controller-gen. DO NOT EDIT. 20 | 21 | package v1 22 | 23 | import () 24 | 25 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 26 | func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) { 27 | *out = *in 28 | } 29 | 30 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference. 
31 | func (in *LocalObjectReference) DeepCopy() *LocalObjectReference { 32 | if in == nil { 33 | return nil 34 | } 35 | out := new(LocalObjectReference) 36 | in.DeepCopyInto(out) 37 | return out 38 | } 39 | 40 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 41 | func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { 42 | *out = *in 43 | } 44 | 45 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference. 46 | func (in *ObjectReference) DeepCopy() *ObjectReference { 47 | if in == nil { 48 | return nil 49 | } 50 | out := new(ObjectReference) 51 | in.DeepCopyInto(out) 52 | return out 53 | } 54 | 55 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 56 | func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) { 57 | *out = *in 58 | out.LocalObjectReference = in.LocalObjectReference 59 | } 60 | 61 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. 62 | func (in *SecretKeySelector) DeepCopy() *SecretKeySelector { 63 | if in == nil { 64 | return nil 65 | } 66 | out := new(SecretKeySelector) 67 | in.DeepCopyInto(out) 68 | return out 69 | } 70 | -------------------------------------------------------------------------------- /apis/operator/v1/certmanagerconfig_types.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1 18 | 19 | import ( 20 | corev1 "k8s.io/api/core/v1" 21 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 | ) 23 | 24 | //+kubebuilder:validation:XPreserveUnknownFields 25 | 26 | // CertManagerConfigSpec defines the desired state of CertManagerConfig. 27 | type CertManagerConfigSpec struct { 28 | // ImageRegistry describes the image registry for the operands, e.g. 29 | // cert-manager-controller 30 | ImageRegistry string `json:"imageRegistry,omitempty"` 31 | // ImagePostFix describes a string that will be appended to the end of the 32 | // fully qualified image, e.g. imageRegistry/imageName:imageTagAndPostFix 33 | ImagePostFix string `json:"imagePostFix,omitempty"` 34 | // Webhook enables the cert-manager-webhook operand (JSON key: enableWebhook, not webhook) 35 | Webhook bool `json:"enableWebhook,omitempty"` 36 | // ResourceNS describes the cluster-resource-namespace flag for 37 | // cert-manager-controller operand, which is used to configure the namespace 38 | // the operand will use for ClusterIssuer secretReferences 39 | ResourceNS string `json:"resourceNamespace,omitempty"` 40 | // DisableHostNetwork disables host networking for the operands. NOTE(review): the original comment ended at "disables"; the exact effect is not visible in this file, confirm against the controller. 41 | DisableHostNetwork *bool `json:"disableHostNetwork,omitempty"` 42 | // Version describes the version of cert-manager-operator. Changing the value 43 | // does not change the cert-manager-operator version 44 | Version string `json:"version,omitempty"` 45 | // CertManagerController describes the spec for the cert-manager-controller workload 46 | CertManagerController CertManagerContainerSpec `json:"certManagerController,omitempty"` 47 | // CertManagerWebhook describes the spec for the cert-manager-webhook workload 48 | CertManagerWebhook CertManagerContainerSpec `json:"certManagerWebhook,omitempty"` 49 | // CertManagerCAInjector describes the spec for the cert-manager-cainjector workload 50 | CertManagerCAInjector CertManagerContainerSpec `json:"certManagerCAInjector,omitempty"` 51 | // ConfigMapWatcher is not used 52 | ConfigMapWatcher CertManagerContainerSpec `json:"configMapWatcher,omitempty"` 53 | 54 | // EnableCertRefresh enables the refresh of leaf certificates based on a CA 55 | // certificate 56 | EnableCertRefresh *bool `json:"enableCertRefresh,omitempty"` 57 | 58 | // RefreshCertsBasedOnCA is a list of CA certificate names. Leaf 59 | // certificates created from any of the listed CAs will be refreshed when 60 | // the CA is refreshed 61 | RefreshCertsBasedOnCA []CACertificate `json:"refreshCertsBasedOnCA,omitempty"` 62 | 63 | // Labels describes the labels that foundational services will use to 64 | // label their corresponding resources 65 | Labels map[string]string `json:"labels,omitempty"` 66 | // License holds the license acceptance details (see LicenseAcceptance). 67 | // +optional 68 | License LicenseAcceptance `json:"license,omitempty"` 69 | // EnableInstanaMetricCollection turns on Instana metric collection. NOTE(review): the consumer of this flag is not visible in this file; confirm its effect in the controller. 70 | // +optional 71 | EnableInstanaMetricCollection bool `json:"enableInstanaMetricCollection,omitempty"` 72 | } 73 | 74 | // LicenseAcceptance defines the license specification in CSV 75 | type LicenseAcceptance struct { 76 | // Accept records acceptance of the license - URL: https://ibm.biz/integration-licenses 77 | // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:hidden" 78 | // +optional 79 | Accept bool `json:"accept"` 80 | // Use is the type of license being accepted. 81 | // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:hidden" 82 | Use string `json:"use,omitempty"` 83 | // License is the license being accepted where the component has multiple. 84 | // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:hidden" 85 | License string `json:"license,omitempty"` 86 | // Key is the license key for this deployment. 87 | // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors.x-descriptors="urn:alm:descriptor:com.tectonic.ui:hidden" 88 | Key string `json:"key,omitempty"` 89 | } 90 | // CertManagerContainerSpec describes the container-level settings of an operand workload; currently only its resource requirements. 91 | type CertManagerContainerSpec struct { 92 | Resources corev1.ResourceRequirements `json:"resources,omitempty"` 93 | } 94 | 95 | // CACertificate describes a CA Certificate's name and namespace 96 | type CACertificate struct { 97 | CertName string `json:"certName"` // name of the CA certificate 98 | Namespace string `json:"namespace"` // namespace of the CA certificate 99 | } 100 | 101 | // CertManagerConfigStatus defines the observed state of CertManagerConfig 102 | type CertManagerConfigStatus struct { 103 | // OverallStatus describes whether cert-manager operands have been 104 | // successfully deployed or not. 105 | // +operator-sdk:gen-csv:customresourcedefinitions.statusDescriptors=true 106 | // +operator-sdk:gen-csv:customresourcedefinitions.statusDescriptors.displayName="CertManagerConfig Status" 107 | OverallStatus string `json:"certManagerConfigStatus"` 108 | } 109 | 110 | //+kubebuilder:object:root=true 111 | //+kubebuilder:subresource:status 112 | //+kubebuilder:resource:path=certmanagerconfigs,scope=Cluster 113 | 114 | // CertManagerConfig is the Schema for the certmanagerconfigs API. Documentation For additional details regarding install parameters check: https://ibm.biz/icpfs39install. License By installing this product you accept the license terms https://ibm.biz/icpfs39license. 115 | type CertManagerConfig struct { 116 | metav1.TypeMeta `json:",inline"` 117 | metav1.ObjectMeta `json:"metadata,omitempty"` 118 | 119 | Spec CertManagerConfigSpec `json:"spec,omitempty"` 120 | Status CertManagerConfigStatus `json:"status,omitempty"` 121 | } 122 | 123 | //+kubebuilder:object:root=true 124 | 125 | // CertManagerConfigList contains a list of CertManagerConfig 126 | type CertManagerConfigList struct { 127 | metav1.TypeMeta `json:",inline"` 128 | metav1.ListMeta `json:"metadata,omitempty"` 129 | Items []CertManagerConfig `json:"items"` 130 | } 131 | // init registers CertManagerConfig and CertManagerConfigList with the package SchemeBuilder. 132 | func init() { 133 | SchemeBuilder.Register(&CertManagerConfig{}, &CertManagerConfigList{}) 134 | } 135 | -------------------------------------------------------------------------------- /apis/operator/v1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | // Package v1 contains API Schema definitions for the operator v1 API group 18 | //+kubebuilder:object:generate=true 19 | //+groupName=operator.ibm.com 20 | package v1 21 | 22 | import ( 23 | "k8s.io/apimachinery/pkg/runtime/schema" 24 | "sigs.k8s.io/controller-runtime/pkg/scheme" 25 | ) 26 | 27 | var ( 28 | // GroupVersion is group version used to register these objects 29 | GroupVersion = schema.GroupVersion{Group: "operator.ibm.com", Version: "v1"} 30 | 31 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 32 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 33 | 34 | // AddToScheme adds the types in this group-version to the given scheme. 35 | AddToScheme = SchemeBuilder.AddToScheme 36 | ) 37 | -------------------------------------------------------------------------------- /apis/operator/v1/zz_generated.deepcopy.go: -------------------------------------------------------------------------------- 1 | //go:build !ignore_autogenerated 2 | 3 | /* 4 | Copyright 2022. 5 | 6 | Licensed under the Apache License, Version 2.0 (the "License"); 7 | you may not use this file except in compliance with the License. 8 | You may obtain a copy of the License at 9 | 10 | http://www.apache.org/licenses/LICENSE-2.0 11 | 12 | Unless required by applicable law or agreed to in writing, software 13 | distributed under the License is distributed on an "AS IS" BASIS, 14 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | See the License for the specific language governing permissions and 16 | limitations under the License. 17 | */ 18 | 19 | // Code generated by controller-gen. DO NOT EDIT. 20 | 21 | package v1 22 | 23 | import ( 24 | runtime "k8s.io/apimachinery/pkg/runtime" 25 | ) 26 | 27 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
28 | func (in *CACertificate) DeepCopyInto(out *CACertificate) { 29 | *out = *in 30 | } 31 | 32 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CACertificate. 33 | func (in *CACertificate) DeepCopy() *CACertificate { 34 | if in == nil { 35 | return nil 36 | } 37 | out := new(CACertificate) 38 | in.DeepCopyInto(out) 39 | return out 40 | } 41 | 42 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 43 | func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) { 44 | *out = *in 45 | out.TypeMeta = in.TypeMeta 46 | in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) 47 | in.Spec.DeepCopyInto(&out.Spec) 48 | out.Status = in.Status 49 | } 50 | 51 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfig. 52 | func (in *CertManagerConfig) DeepCopy() *CertManagerConfig { 53 | if in == nil { 54 | return nil 55 | } 56 | out := new(CertManagerConfig) 57 | in.DeepCopyInto(out) 58 | return out 59 | } 60 | 61 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 62 | func (in *CertManagerConfig) DeepCopyObject() runtime.Object { 63 | if c := in.DeepCopy(); c != nil { 64 | return c 65 | } 66 | return nil 67 | } 68 | 69 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 70 | func (in *CertManagerConfigList) DeepCopyInto(out *CertManagerConfigList) { 71 | *out = *in 72 | out.TypeMeta = in.TypeMeta 73 | in.ListMeta.DeepCopyInto(&out.ListMeta) 74 | if in.Items != nil { 75 | in, out := &in.Items, &out.Items 76 | *out = make([]CertManagerConfig, len(*in)) 77 | for i := range *in { 78 | (*in)[i].DeepCopyInto(&(*out)[i]) 79 | } 80 | } 81 | } 82 | 83 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfigList. 
84 | func (in *CertManagerConfigList) DeepCopy() *CertManagerConfigList { 85 | if in == nil { 86 | return nil 87 | } 88 | out := new(CertManagerConfigList) 89 | in.DeepCopyInto(out) 90 | return out 91 | } 92 | 93 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 94 | func (in *CertManagerConfigList) DeepCopyObject() runtime.Object { 95 | if c := in.DeepCopy(); c != nil { 96 | return c 97 | } 98 | return nil 99 | } 100 | 101 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 102 | func (in *CertManagerConfigSpec) DeepCopyInto(out *CertManagerConfigSpec) { 103 | *out = *in 104 | if in.DisableHostNetwork != nil { 105 | in, out := &in.DisableHostNetwork, &out.DisableHostNetwork 106 | *out = new(bool) 107 | **out = **in 108 | } 109 | in.CertManagerController.DeepCopyInto(&out.CertManagerController) 110 | in.CertManagerWebhook.DeepCopyInto(&out.CertManagerWebhook) 111 | in.CertManagerCAInjector.DeepCopyInto(&out.CertManagerCAInjector) 112 | in.ConfigMapWatcher.DeepCopyInto(&out.ConfigMapWatcher) 113 | if in.EnableCertRefresh != nil { 114 | in, out := &in.EnableCertRefresh, &out.EnableCertRefresh 115 | *out = new(bool) 116 | **out = **in 117 | } 118 | if in.RefreshCertsBasedOnCA != nil { 119 | in, out := &in.RefreshCertsBasedOnCA, &out.RefreshCertsBasedOnCA 120 | *out = make([]CACertificate, len(*in)) 121 | copy(*out, *in) 122 | } 123 | if in.Labels != nil { 124 | in, out := &in.Labels, &out.Labels 125 | *out = make(map[string]string, len(*in)) 126 | for key, val := range *in { 127 | (*out)[key] = val 128 | } 129 | } 130 | out.License = in.License 131 | } 132 | 133 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfigSpec. 
134 | func (in *CertManagerConfigSpec) DeepCopy() *CertManagerConfigSpec { 135 | if in == nil { 136 | return nil 137 | } 138 | out := new(CertManagerConfigSpec) 139 | in.DeepCopyInto(out) 140 | return out 141 | } 142 | 143 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 144 | func (in *CertManagerConfigStatus) DeepCopyInto(out *CertManagerConfigStatus) { 145 | *out = *in 146 | } 147 | 148 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerConfigStatus. 149 | func (in *CertManagerConfigStatus) DeepCopy() *CertManagerConfigStatus { 150 | if in == nil { 151 | return nil 152 | } 153 | out := new(CertManagerConfigStatus) 154 | in.DeepCopyInto(out) 155 | return out 156 | } 157 | 158 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 159 | func (in *CertManagerContainerSpec) DeepCopyInto(out *CertManagerContainerSpec) { 160 | *out = *in 161 | in.Resources.DeepCopyInto(&out.Resources) 162 | } 163 | 164 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertManagerContainerSpec. 165 | func (in *CertManagerContainerSpec) DeepCopy() *CertManagerContainerSpec { 166 | if in == nil { 167 | return nil 168 | } 169 | out := new(CertManagerContainerSpec) 170 | in.DeepCopyInto(out) 171 | return out 172 | } 173 | 174 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 175 | func (in *LicenseAcceptance) DeepCopyInto(out *LicenseAcceptance) { 176 | *out = *in 177 | } 178 | 179 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LicenseAcceptance. 
180 | func (in *LicenseAcceptance) DeepCopy() *LicenseAcceptance { 181 | if in == nil { 182 | return nil 183 | } 184 | out := new(LicenseAcceptance) 185 | in.DeepCopyInto(out) 186 | return out 187 | } 188 | -------------------------------------------------------------------------------- /base_images.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "imageType": "external", 4 | "sourceRepo": "registry.access.redhat.com", 5 | "sourceNamespace": "ubi9", 6 | "sourceImage": "ubi-minimal", 7 | "destStage": "edge", 8 | "destNamespace": "build-images", 9 | "destImage": "ubi9-minimal", 10 | "tag": "9.6-1747218906", 11 | "updatePackages": [] 12 | }, 13 | { 14 | "imageType": "external", 15 | "sourceRepo": "registry.access.redhat.com", 16 | "sourceNamespace": "ubi9", 17 | "sourceImage": "ubi", 18 | "destStage": "edge", 19 | "destNamespace": "build-images", 20 | "destImage": "ubi9", 21 | "tag": "9.6-1747219013", 22 | "updatePackages": [] 23 | }, 24 | { 25 | "imageType": "external", 26 | "sourceRepo": "registry.access.redhat.com", 27 | "sourceNamespace": "ubi9", 28 | "sourceImage": "ubi-micro", 29 | "destStage": "edge", 30 | "destNamespace": "build-images", 31 | "destImage": "ubi9-micro", 32 | "tag": "9.6-1747318857", 33 | "updatePackages": [] 34 | }, 35 | { 36 | "imageType": "node", 37 | "sourceImage": "ubi9-minimal", 38 | "sourceTag": "9.6-1747218906", 39 | "destImage": "node-v20-ubi9-minimal", 40 | "nodeVersion": "20.19.2" 41 | }, 42 | { 43 | "imageType": "node", 44 | "sourceImage": "ubi9-minimal", 45 | "sourceTag": "9.6-1747218906", 46 | "destImage": "node-v22-ubi9-minimal", 47 | "nodeVersion": "22.16.0" 48 | } 49 | ] 50 | -------------------------------------------------------------------------------- /bundle.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM scratch 2 | 3 | # Core bundle labels. 
4 | LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 5 | LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ 6 | LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ 7 | LABEL operators.operatorframework.io.bundle.package.v1=ibm-cert-manager-operator 8 | LABEL operators.operatorframework.io.bundle.channels.v1=alpha 9 | LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0 10 | LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 11 | LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 12 | 13 | # Labels for testing. 14 | LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 15 | LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ 16 | 17 | # Copy files to locations specified by labels. 18 | COPY bundle/manifests /manifests/ 19 | COPY bundle/metadata /metadata/ 20 | COPY bundle/tests/scorecard /tests/scorecard/ 21 | -------------------------------------------------------------------------------- /bundle/manifests/ibm-cert-manager-manager-config_v1_configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | controller_manager_config.yaml: | 4 | apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 5 | kind: ControllerManagerConfig 6 | health: 7 | healthProbeBindAddress: :8081 8 | metrics: 9 | bindAddress: 127.0.0.1:8080 10 | webhook: 11 | port: 9443 12 | leaderElection: 13 | leaderElect: true 14 | resourceName: 1557e857.ibm.com 15 | kind: ConfigMap 16 | metadata: 17 | name: ibm-cert-manager-manager-config 18 | -------------------------------------------------------------------------------- /bundle/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | # Core bundle annotations. 
3 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: ibm-cert-manager-operator 7 | operators.operatorframework.io.bundle.channels.v1: alpha 8 | operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0 9 | operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 10 | operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 11 | 12 | # Annotations for testing. 13 | operators.operatorframework.io.test.mediatype.v1: scorecard+v1 14 | operators.operatorframework.io.test.config.v1: tests/scorecard/ 15 | -------------------------------------------------------------------------------- /bundle/tests/scorecard/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: 8 | - entrypoint: 9 | - scorecard-test 10 | - basic-check-spec 11 | image: quay.io/operator-framework/scorecard-test:v1.15.0 12 | labels: 13 | suite: basic 14 | test: basic-check-spec-test 15 | storage: 16 | spec: 17 | mountPath: {} 18 | - entrypoint: 19 | - scorecard-test 20 | - olm-bundle-validation 21 | image: quay.io/operator-framework/scorecard-test:v1.15.0 22 | labels: 23 | suite: olm 24 | test: olm-bundle-validation-test 25 | storage: 26 | spec: 27 | mountPath: {} 28 | - entrypoint: 29 | - scorecard-test 30 | - olm-crds-have-validation 31 | image: quay.io/operator-framework/scorecard-test:v1.15.0 32 | labels: 33 | suite: olm 34 | test: olm-crds-have-validation-test 35 | storage: 36 | spec: 37 | mountPath: {} 38 | - entrypoint: 39 | - scorecard-test 40 | - olm-crds-have-resources 41 | image: quay.io/operator-framework/scorecard-test:v1.15.0 42 | labels: 43 | suite: olm 44 | test: 
olm-crds-have-resources-test 45 | storage: 46 | spec: 47 | mountPath: {} 48 | - entrypoint: 49 | - scorecard-test 50 | - olm-spec-descriptors 51 | image: quay.io/operator-framework/scorecard-test:v1.15.0 52 | labels: 53 | suite: olm 54 | test: olm-spec-descriptors-test 55 | storage: 56 | spec: 57 | mountPath: {} 58 | - entrypoint: 59 | - scorecard-test 60 | - olm-status-descriptors 61 | image: quay.io/operator-framework/scorecard-test:v1.15.0 62 | labels: 63 | suite: olm 64 | test: olm-status-descriptors-test 65 | storage: 66 | spec: 67 | mountPath: {} 68 | storage: 69 | spec: 70 | mountPath: {} 71 | -------------------------------------------------------------------------------- /cert-manager-migration/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-mgr-migration 3 | description: A Helm chart for migrating IBM Cert Manager Operator from OLM to No OLM 4 | type: application 5 | version: 0.0.0 6 | appVersion: "0.0.0" -------------------------------------------------------------------------------- /cert-manager-migration/templates/cert-manager-migration-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: cert-mgr-migration-job 5 | namespace: {{ .Values.global.certmgrNamespace }} 6 | annotations: 7 | "helm.sh/hook-delete-policy": before-hook-creation 8 | "helm.sh/hook": pre-install 9 | "helm.sh/hook-weight": "0" 10 | spec: 11 | template: 12 | spec: 13 | containers: 14 | - name: cert-mgr-migration-job 15 | image: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand }}/cpfs-utils:4.6.7 16 | command: 17 | - bash 18 | - -c 19 | - | 20 | echo "Starting cleanup for OLM -> No OLM migration..." 21 | operatorNamespace={{ .Values.global.certmgrNamespace }} 22 | 23 | certSub=$(oc get subscription.operators.coreos.com -n "$operatorNamespace" -o jsonpath="{.items[?(@.spec.name=='ibm-cert-manager-operator')].metadata.name}") # NOTE(review): if several Subscriptions match, this holds space-separated names and the unquoted $certSub below word-splits into multiple arguments 24 | if [[ -z $certSub ]]; then 25 | echo "IBM Cert Manager Subscription not present in namespace $operatorNamespace, aborting." 26 | else 27 | certCSV=$(oc get --ignore-not-found subscription.operators.coreos.com $certSub -n $operatorNamespace -o jsonpath='{.status.currentCSV}') 28 | echo "Deleting IBM Cert Manager CSV and Subscription in namespace $operatorNamespace..." 29 | oc delete --ignore-not-found csv $certCSV -n $operatorNamespace && oc delete --ignore-not-found subscription.operators.coreos.com $certSub -n $operatorNamespace # NOTE(review): $certCSV is empty when the Subscription has no status.currentCSV; quote both variables and skip the csv delete when $certCSV is empty 30 | 31 | #deployments are operands right? Do they need to be deleted? 32 | # echo "Cleaning up IBM Cert Manager deployments" 33 | # oc delete --ignore-not-found deploy cert-manager-cainjector cert-manager-controller cert-manager-webhook -n $operatorNamespace 34 | 35 | echo "Cleaning up IBM Cert Manager RBAC" 36 | roles=$(oc get roles -n $operatorNamespace | grep ibm-cert-manager-op | awk '{print $1}' | tr "\n" " ") # NOTE(review): substring match on the listing output, so any Role whose name merely contains ibm-cert-manager-op is queued for deletion (same for the two lookups below); an exact name list or a label selector would be safer 37 | rolebindings=$(oc get rolebindings -n $operatorNamespace | grep ibm-cert-manager-op | awk '{print $1}' | tr "\n" " ") 38 | secret=$(oc get secret -n $operatorNamespace | grep ibm-cert-manager-op | awk '{print $1}' | tr "\n" " ") 39 | 40 | oc delete --ignore-not-found sa ibm-cert-manager-operator -n $operatorNamespace 41 | oc delete --ignore-not-found roles $roles -n $operatorNamespace # NOTE(review): the script has no set -e, so a failing delete here (e.g. when $roles is empty) is not fatal and the "cleaned up" message below is still printed; confirm that is intended 42 | oc delete --ignore-not-found rolebindings $rolebindings -n $operatorNamespace 43 | oc delete --ignore-not-found secret $secret -n $operatorNamespace 44 | 45 | echo "IBM Cert Manager OLM install cleaned up." 46 | echo "Ready for No OLM install in namespace $operatorNamespace." 47 | fi 48 | restartPolicy: Never # NOTE(review): no backoffLimit is set, so a failed pod is retried with new pods up to the Job default 49 | serviceAccount: cert-mgr-migration-job-sa # NOTE(review): serviceAccount is the deprecated PodSpec field; serviceAccountName is the supported spelling 50 | imagePullSecrets: 51 | - name: {{ .Values.global.imagePullSecret }} -------------------------------------------------------------------------------- /cert-manager-migration/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: cert-mgr-migration-job-sa 5 | namespace: {{ .Values.global.certmgrNamespace }} 6 | annotations: 7 | "helm.sh/hook": pre-install 8 | "helm.sh/hook-weight": "-1" 9 | --- 10 | kind: Role 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | metadata: 13 | name: cert-mgr-migration-job-role-{{ .Values.global.certmgrNamespace }} 14 | namespace: {{ .Values.global.certmgrNamespace }} 15 | annotations: 16 | "helm.sh/hook": pre-install 17 | "helm.sh/hook-weight": "-1" 18 | rules: 19 | - apiGroups: 20 | - operators.coreos.com 21 | resources: 22 | - subscriptions 23 | - clusterserviceversions 24 | verbs: 25 | - list 26 | - get 27 | - delete 28 | - watch 29 | - apiGroups: 30 | - "rbac.authorization.k8s.io" 31 | resources: 32 | - roles 33 | - rolebindings 34 | - clusterroles 35 | - clusterrolebindings # NOTE(review): clusterroles/clusterrolebindings are cluster-scoped and cannot be granted by a namespaced Role, and the migration script does not touch them; these two entries are dead and should be dropped 36 | verbs: 37 | - list 38 | - get 39 | - delete 40 | - watch 41 | - apiGroups: 42 | - "" 43 | resources: 44 | - serviceaccounts 45 | - secrets # NOTE(review): grants list/get/delete over every Secret in the namespace, not only the operator's; resourceNames cannot narrow list, and the SA/Role/RoleBinding carry no helm.sh/hook-delete-policy, so the grant outlives the one-shot job 46 | verbs: 47 | - list 48 | - get 49 | - delete 50 | - watch 51 | --- 52 | kind: RoleBinding 53 | apiVersion: rbac.authorization.k8s.io/v1 54 | metadata: 55 | name: cert-mgr-migration-job-rb-{{ .Values.global.certmgrNamespace }} 56 | namespace: {{ .Values.global.certmgrNamespace }} 57 | annotations: 58 | "helm.sh/hook": pre-install 59 | "helm.sh/hook-weight": "-1" 60 | subjects: 61 | - kind: ServiceAccount 62 | name: cert-mgr-migration-job-sa 63 | namespace: {{ .Values.global.certmgrNamespace }} 64 | roleRef: 65 | apiGroup: rbac.authorization.k8s.io 66 | kind: Role 67 | name: cert-mgr-migration-job-role-{{ 
.Values.global.certmgrNamespace }} -------------------------------------------------------------------------------- /cert-manager-migration/values.yaml: -------------------------------------------------------------------------------- 1 | #stand-in global values for testing 2 | global: 3 | certmgrNamespace: "ibm-cert-manager" 4 | imagePullPrefix: icr.io 5 | imagePullSecret: ibm-entitlement-key 6 | 7 | cpfs: 8 | imageRegistryNamespaceOperand: cpopen/cpfs -------------------------------------------------------------------------------- /common/Makefile.common.mk: -------------------------------------------------------------------------------- 1 | # Copyright 2019 The Kubernetes Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | ############################################################ 16 | # GKE section 17 | ############################################################ 18 | PROJECT ?= oceanic-guard-191815 19 | ZONE ?= us-east5-c 20 | CLUSTER ?= bedrock-prow 21 | 22 | activate-serviceaccount: 23 | ifdef GOOGLE_APPLICATION_CREDENTIALS 24 | gcloud auth activate-service-account --key-file="$(GOOGLE_APPLICATION_CREDENTIALS)" || true 25 | endif 26 | 27 | get-cluster-credentials: activate-serviceaccount 28 | mkdir -p ~/.kube; cp -v /etc/kubeconfig/config ~/.kube; kubectl config use-context default; kubectl get nodes; echo going forward retiring google cloud 29 | 30 | ifdef GOOGLE_APPLICATION_CREDENTIALS 31 | gcloud container clusters get-credentials "$(CLUSTER)" --project="$(PROJECT)" --zone="$(ZONE)" || true 32 | endif 33 | 34 | config-docker: get-cluster-credentials 35 | @common/scripts/config_docker.sh 36 | 37 | ############################################################ 38 | # lint section 39 | ############################################################ 40 | 41 | LOCAL_OS := $(shell uname) 42 | ifeq ($(LOCAL_OS),Linux) 43 | TARGET_OS ?= linux 44 | XARGS_FLAGS="-r" 45 | else ifeq ($(LOCAL_OS),Darwin) 46 | TARGET_OS ?= darwin 47 | XARGS_FLAGS= 48 | else 49 | $(error "This system's OS $(LOCAL_OS) isn't recognized/supported") 50 | endif 51 | 52 | FINDFILES=find . 
\( -path ./.git -o -path ./.github \) -prune -o -type f 53 | XARGS = xargs -0 ${XARGS_FLAGS} 54 | CLEANXARGS = xargs ${XARGS_FLAGS} 55 | 56 | lint-dockerfiles: 57 | @${FINDFILES} -name 'Dockerfile*' -print0 | ${XARGS} hadolint -c ./common/config/.hadolint.yml 58 | 59 | lint-scripts: 60 | @${FINDFILES} -name '*.sh' -print0 | ${XARGS} shellcheck 61 | 62 | lint-yaml: 63 | @${FINDFILES} \( -name '*.yml' -o -name '*.yaml' \) -print0 | { ${XARGS} grep -L -e "{{" || true; } | ${CLEANXARGS} yamllint -c ./common/config/.yamllint.yml 64 | 65 | lint-helm: 66 | @${FINDFILES} -name 'Chart.yaml' -print0 | ${XARGS} -L 1 dirname | ${CLEANXARGS} helm lint 67 | 68 | lint-copyright-banner: 69 | @${FINDFILES} \( -name '*.go' -o -name '*.cc' -o -name '*.h' -o -name '*.proto' -o -name '*.py' -o -name '*.sh' \) \( ! \( -name '*.gen.go' -o -name '*.pb.go' -o -name '*_pb2.py' \) \) -print0 |\ 70 | ${XARGS} common/scripts/lint_copyright_banner.sh 71 | 72 | lint-go: 73 | # @${FINDFILES} -name '*.go' \( ! \( -name '*.gen.go' -o -name '*.pb.go' \) \) -print0 | ${XARGS} common/scripts/lint_go.sh 74 | 75 | lint-python: 76 | # @${FINDFILES} -name '*.py' \( ! 
\( -name '*_pb2.py' \) \) -print0 | ${XARGS} autopep8 --max-line-length 160 --exit-code -d 77 | 78 | lint-markdown: 79 | @${FINDFILES} -name '*.md' -print0 | ${XARGS} mdl --ignore-front-matter --style common/config/mdl.rb 80 | ifdef MARKDOWN_LINT_WHITELIST 81 | @${FINDFILES} -name '*.md' -print0 | ${XARGS} awesome_bot --skip-save-results --allow_ssl --allow-timeout --allow-dupe --allow-redirect --white-list ${MARKDOWN_LINT_WHITELIST} 82 | else 83 | @${FINDFILES} -name '*.md' -print0 | ${XARGS} awesome_bot --skip-save-results --allow_ssl --allow-timeout --allow-dupe --allow-redirect 84 | endif 85 | 86 | lint-sass: 87 | @${FINDFILES} -name '*.scss' -print0 | ${XARGS} sass-lint -c common/config/sass-lint.yml --verbose 88 | 89 | lint-typescript: 90 | @${FINDFILES} -name '*.ts' -print0 | ${XARGS} tslint -c common/config/tslint.json 91 | 92 | lint-protos: 93 | @$(FINDFILES) -name '*.proto' -print0 | $(XARGS) -L 1 prototool lint --protoc-bin-path=/usr/bin/protoc 94 | 95 | lint-all: lint-dockerfiles lint-scripts lint-yaml lint-helm lint-copyright-banner lint-go lint-python lint-markdown lint-sass lint-typescript lint-protos 96 | 97 | format-go: 98 | @${FINDFILES} -name '*.go' \( ! 
\( -name '*.gen.go' -o -name '*.pb.go' \) \) -print0 | ${XARGS} goimports -w -local "github.com/IBM" 99 | 100 | format-python: 101 | @${FINDFILES} -name '*.py' -print0 | ${XARGS} autopep8 --max-line-length 160 --aggressive --aggressive -i 102 | 103 | format-protos: 104 | @$(FINDFILES) -name '*.proto' -print0 | $(XARGS) -L 1 prototool format -w 105 | 106 | .PHONY: lint-dockerfiles lint-scripts lint-yaml lint-copyright-banner lint-go lint-python lint-helm lint-markdown lint-sass lint-typescript lint-protos lint-all format-go format-python format-protos config-docker 107 | -------------------------------------------------------------------------------- /common/config/.golangci.yml: -------------------------------------------------------------------------------- 1 | service: 2 | # When updating this, also update the version stored in docker/build-tools/Dockerfile in the multicloudlab/tools repo. 3 | golangci-lint-version: 1.23.1 # use the fixed version to not introduce new linters unexpectedly 4 | run: 5 | # timeout for analysis, e.g. 30s, 5m, default is 1m 6 | deadline: 20m 7 | 8 | # which dirs to skip: they won't be analyzed; 9 | # can use regexp here: generated.*, regexp is applied on full path; 10 | # default value is empty list, but next dirs are always skipped independently 11 | # from this option's value: 12 | # vendor$, third_party$, testdata$, examples$, Godeps$, builtin$ 13 | skip-dirs: 14 | - genfiles$ 15 | - vendor$ 16 | 17 | # which files to skip: they will be analyzed, but issues from them 18 | # won't be reported. Default value is empty list, but there is 19 | # no need to include all autogenerated files, we confidently recognize 20 | # autogenerated files. If it's not please let us know. 
21 | skip-files: 22 | - ".*\\.pb\\.go" 23 | - ".*\\.gen\\.go" 24 | - apis/certmanager/v1/challenge_types.go 25 | - apis/certmanager/v1/issuer_types.go 26 | - apis/certmanager/v1/order_types.go 27 | 28 | linters: 29 | # please, do not use `enable-all`: it's deprecated and will be removed soon. 30 | # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint 31 | disable-all: true 32 | enable: 33 | - deadcode 34 | - errcheck 35 | - goconst 36 | - gocritic 37 | # - gocyclo 38 | - gofmt 39 | - goimports 40 | - golint 41 | # - gosec 42 | - gosimple 43 | - govet 44 | - ineffassign 45 | - interfacer 46 | # - misspell 47 | - staticcheck 48 | - structcheck 49 | - stylecheck 50 | - typecheck 51 | - unconvert 52 | - unparam 53 | - unused 54 | - varcheck 55 | # don't enable: 56 | # - bodyclose 57 | # - depguard 58 | # - dogsled 59 | # - dupl 60 | # - funlen 61 | # - gochecknoglobals 62 | # - gochecknoinits 63 | # - gocognit 64 | # - godox 65 | # - maligned 66 | # - nakedret 67 | # - prealloc 68 | # - scopelint 69 | # - whitespace 70 | 71 | linters-settings: 72 | errcheck: 73 | # report about not checking of errors in type assetions: `a := b.(MyStruct)`; 74 | # default is false: such cases aren't reported by default. 75 | check-type-assertions: false 76 | 77 | # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`; 78 | # default is false: such cases aren't reported by default. 
79 | check-blank: false 80 | govet: 81 | # report about shadowed variables 82 | check-shadowing: false 83 | golint: 84 | # minimal confidence for issues, default is 0.8 85 | min-confidence: 0.0 86 | gofmt: 87 | # simplify code: gofmt with `-s` option, true by default 88 | simplify: true 89 | goimports: 90 | # put imports beginning with prefix after 3rd-party packages; 91 | # it's a comma-separated list of prefixes 92 | local-prefixes: github.com/IBM/ 93 | maligned: 94 | # print struct with more effective memory layout or not, false by default 95 | suggest-new: true 96 | misspell: 97 | # Correct spellings using locale preferences for US or UK. 98 | # Default is to use a neutral variety of English. 99 | # Setting locale to US will correct the British spelling of 'colour' to 'color'. 100 | locale: US 101 | ignore-words: 102 | - cancelled 103 | lll: 104 | # max line length, lines longer will be reported. Default is 120. 105 | # '\t' is counted as 1 character by default, and can be changed with the tab-width option 106 | line-length: 160 107 | # tab width in spaces. Default to 1. 108 | tab-width: 1 109 | unused: 110 | # treat code as a program (not a library) and report unused exported identifiers; default is false. 111 | # XXX: if you enable this setting, unused will report a lot of false-positives in text editors: 112 | # if it's called for subdir of a project it can't find funcs usages. All text editor integrations 113 | # with golangci-lint call it on a directory with the changed file. 114 | check-exported: false 115 | unparam: 116 | # call graph construction algorithm (cha, rta). In general, use cha for libraries, 117 | # and rta for programs with main packages. Default is cha. 118 | algo: cha 119 | 120 | # Inspect exported functions, default is false. Set to true if no external program/library imports your code. 
121 | # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors: 122 | # if it's called for subdir of a project it can't find external interfaces. All text editor integrations 123 | # with golangci-lint call it on a directory with the changed file. 124 | check-exported: false 125 | gocritic: 126 | enabled-checks: 127 | - appendCombine 128 | - argOrder 129 | - assignOp 130 | - badCond 131 | - boolExprSimplify 132 | - builtinShadow 133 | - captLocal 134 | - caseOrder 135 | - codegenComment 136 | - commentedOutCode 137 | - commentedOutImport 138 | - defaultCaseOrder 139 | - deprecatedComment 140 | - docStub 141 | - dupArg 142 | - dupBranchBody 143 | - dupCase 144 | - dupSubExpr 145 | - elseif 146 | - emptyFallthrough 147 | - equalFold 148 | - flagDeref 149 | - flagName 150 | - hexLiteral 151 | - indexAlloc 152 | - initClause 153 | - methodExprCall 154 | - nilValReturn 155 | - octalLiteral 156 | - offBy1 157 | - rangeExprCopy 158 | - regexpMust 159 | - sloppyLen 160 | - stringXbytes 161 | - switchTrue 162 | - typeAssertChain 163 | - typeSwitchVar 164 | - typeUnparen 165 | - underef 166 | - unlambda 167 | - unnecessaryBlock 168 | - unslice 169 | - valSwap 170 | - weakCond 171 | 172 | # Unused 173 | # - yodaStyleExpr 174 | # - appendAssign 175 | # - commentFormatting 176 | # - emptyStringTest 177 | # - exitAfterDefer 178 | # - ifElseChain 179 | # - hugeParam 180 | # - importShadow 181 | # - nestingReduce 182 | # - paramTypeCombine 183 | # - ptrToRefParam 184 | # - rangeValCopy 185 | # - singleCaseSwitch 186 | # - sloppyReassign 187 | # - unlabelStmt 188 | # - unnamedResult 189 | # - wrapperFunc 190 | 191 | issues: 192 | # List of regexps of issue texts to exclude, empty list by default. 193 | # But independently from this option we use default exclude patterns, 194 | # it can be disabled by `exclude-use-default: false`. 
To list all 195 | # excluded by default patterns execute `golangci-lint run --help` 196 | exclude: 197 | - composite literal uses unkeyed fields 198 | - Potential hardcoded credentials 199 | - is unused 200 | - line is 161 characters 201 | - line is 174 characters 202 | - line is 181 characters 203 | - line is 210 characters 204 | - line is 316 characters 205 | - cyclomatic complexity 97 206 | 207 | exclude-rules: 208 | # Exclude some linters from running on test files. 209 | - path: _test\.go$|^tests/|^samples/ 210 | linters: 211 | - errcheck 212 | - maligned 213 | 214 | # Independently from option `exclude` we use default exclude patterns, 215 | # it can be disabled by this option. To list all 216 | # excluded by default patterns execute `golangci-lint run --help`. 217 | # Default value for this option is true. 218 | exclude-use-default: true 219 | 220 | # Maximum issues count per one linter. Set to 0 to disable. Default is 50. 221 | max-per-linter: 0 222 | 223 | # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. 
224 | max-same-issues: 0 225 | -------------------------------------------------------------------------------- /common/config/.hadolint.yml: -------------------------------------------------------------------------------- 1 | ignored: 2 | - FAKE_DL3003 3 | - DL3006 4 | 5 | trustedRegistries: 6 | - gcr.io 7 | - docker.io 8 | - quay.io 9 | - registry.access.redhat.com 10 | - docker-na-public.artifactory.swg-devops.com 11 | -------------------------------------------------------------------------------- /common/config/.yamllint.yml: -------------------------------------------------------------------------------- 1 | rules: 2 | braces: disable 3 | brackets: disable 4 | colons: enable 5 | commas: disable 6 | comments: disable 7 | comments-indentation: disable 8 | document-end: disable 9 | document-start: disable 10 | empty-lines: disable 11 | empty-values: enable 12 | hyphens: enable 13 | indentation: disable 14 | key-duplicates: enable 15 | key-ordering: disable 16 | line-length: disable 17 | new-line-at-end-of-file: disable 18 | new-lines: enable 19 | octal-values: enable 20 | quoted-strings: disable 21 | trailing-spaces: disable 22 | truthy: disable 23 | -------------------------------------------------------------------------------- /common/config/mdl.rb: -------------------------------------------------------------------------------- 1 | all 2 | rule 'MD002', :level => 1 3 | rule 'MD007', :indent => 4 4 | rule 'MD013', :line_length => 160, :code_blocks => false, :tables => false 5 | rule 'MD024', :allow_different_nesting => true 6 | rule 'MD026', :punctuation => ".,;:!" 
7 | exclude_rule 'MD013' 8 | exclude_rule 'MD014' 9 | exclude_rule 'MD030' 10 | exclude_rule 'MD032' 11 | exclude_rule 'MD033' 12 | exclude_rule 'MD041' 13 | exclude_rule 'MD046' 14 | -------------------------------------------------------------------------------- /common/config/sass-lint.yml: -------------------------------------------------------------------------------- 1 | ######################### 2 | ## Config for sass-lint 3 | ######################### 4 | # Linter Options 5 | options: 6 | # Don't merge default rules 7 | merge-default-rules: false 8 | # Raise an error if more than 50 warnings are generated 9 | max-warnings: 500 10 | # Rule Configuration 11 | rules: 12 | attribute-quotes: 13 | - 2 14 | - 15 | include: false 16 | bem-depth: 2 17 | border-zero: 2 18 | brace-style: 2 19 | class-name-format: 2 20 | clean-import-paths: 2 21 | declarations-before-nesting: 2 22 | empty-args: 2 23 | empty-line-between-blocks: 2 24 | extends-before-declarations: 2 25 | extends-before-mixins: 2 26 | final-newline: 2 27 | force-attribute-nesting: 0 28 | force-element-nesting: 0 29 | force-pseudo-nesting: 0 30 | function-name-format: 2 31 | hex-length: 0 32 | hex-notation: 2 33 | id-name-format: 2 34 | indentation: 35 | - 2 36 | - 37 | size: 4 38 | leading-zero: 39 | - 2 40 | - 41 | include: false 42 | max-file-line-count: 0 43 | max-file-length: 0 44 | mixins-before-declarations: 2 45 | no-attribute-selectors: 0 46 | no-color-hex: 0 47 | no-color-keywords: 0 48 | no-color-literals: 0 49 | no-combinators: 0 50 | no-css-comments: 2 51 | no-debug: 2 52 | no-disallowed-properties: 2 53 | no-duplicate-properties: 2 54 | no-empty-rulesets: 2 55 | no-extends: 2 56 | no-ids: 0 57 | no-invalid-hex: 2 58 | no-important: 0 59 | no-mergeable-selectors: 2 60 | no-misspelled-properties: 2 61 | no-qualifying-elements: 0 62 | no-trailing-whitespace: 2 63 | no-trailing-zero: 2 64 | no-transition-all: 0 65 | no-url-domains: 2 66 | no-url-protocols: 2 67 | no-warn: 2 68 | 
one-declaration-per-line: 2 69 | placeholder-in-extend: 2 70 | placeholder-name-format: 2 71 | property-sort-order: 0 72 | property-units: 2 73 | pseudo-element: 2 74 | quotes: 75 | - 2 76 | - 77 | style: double 78 | shorthand-values: 2 79 | single-line-per-selector: 0 80 | space-after-bang: 2 81 | space-after-colon: 2 82 | space-after-comma: 2 83 | space-around-operator: 2 84 | space-before-bang: 2 85 | space-before-brace: 2 86 | space-before-colon: 2 87 | space-between-parens: 2 88 | trailing-semicolon: 2 89 | url-quotes: 2 90 | variable-for-property: 91 | - 0 92 | - 93 | properties: 94 | - color 95 | - background-color 96 | - fill 97 | variable-name-format: 0 98 | zero-unit: 2 99 | -------------------------------------------------------------------------------- /common/config/tslint.json: -------------------------------------------------------------------------------- 1 | { 2 | "defaultSeverity": "error", 3 | "extends": [ 4 | "tslint:recommended" 5 | ], 6 | "rules": { 7 | "max-line-length": { 8 | "options": [160] 9 | }, 10 | "arrow-parens": false, 11 | "new-parens": true, 12 | "no-arg": true, 13 | "no-bitwise": true, 14 | "no-conditional-assignment": true, 15 | "no-consecutive-blank-lines": true, 16 | "no-console": { 17 | "severity": "warning", 18 | "options": ["debug", "info", "log", "time", "timeEnd", "trace"] 19 | }, 20 | "no-shadowed-variable": false, 21 | "eofline": false 22 | }, 23 | "jsRules": {}, 24 | "rulesDirectory": [] 25 | } 26 | -------------------------------------------------------------------------------- /common/scripts/config_docker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2020 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
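# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Log the local container CLI in to the two IBM Artifactory registries using
# the credentials stored in the `artifactory-cred` secret of the `default`
# namespace. Requires a kubeconfig that can read that secret (set up by
# get-cluster-credentials in common/Makefile.common.mk).

KUBECTL=$(command -v kubectl)
if [[ -z "${KUBECTL}" ]]; then
  echo >&2 "kubectl not found in PATH"
  exit 1
fi

DOCKER_REGISTRY="docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-integration-docker-local"
DOCKER_EDGE_REGISTRY="docker-na-public.artifactory.swg-devops.com/hyc-cloud-private-edge-docker-local"

# Read the registry credentials from the cluster; secret data is base64-encoded
# in the API object, so decode it before use.
DOCKER_USERNAME=$(${KUBECTL} -n default get secret artifactory-cred -o jsonpath='{.data.username}' | base64 --decode)
DOCKER_PASSWORD=$(${KUBECTL} -n default get secret artifactory-cred -o jsonpath='{.data.password}' | base64 --decode)

# Fail early instead of attempting two logins with empty credentials.
if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
  echo >&2 "could not read username/password from secret artifactory-cred in namespace default"
  exit 1
fi

# support other container tools, e.g. podman
CONTAINER_CLI=${CONTAINER_CLI:-docker}

# login the docker registry
# The password is passed on stdin (--password-stdin) rather than with -p so it
# never appears in the process list or shell history; docker and podman both
# accept this flag. As before, a failed login for the first registry does not
# stop the attempt on the second; the script's exit status is that of the last
# login.
for registry in "${DOCKER_REGISTRY}" "${DOCKER_EDGE_REGISTRY}"; do
  printf '%s' "${DOCKER_PASSWORD}" | ${CONTAINER_CLI} login "${registry}" -u "${DOCKER_USERNAME}" --password-stdin
done
--------------------------------------------------------------------------------
/common/scripts/delete_v1.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright 2020 IBM Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.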
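# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Remove the bundled cert-manager Certificate and Issuer CRD files from
# config/crd/bases when they are present. Only regular files are touched
# (`-f` test), so `rm -f` is sufficient and `-r` is not used; absent files are
# skipped silently and each removal is reported on stdout.

for crd in cert-manager.io_certificates.yaml cert-manager.io_issuers.yaml; do
  path="./config/crd/bases/${crd}"
  if [ -f "${path}" ]; then
    rm -f "${path}"
    echo " ${crd} is removed"
  fi
done
--------------------------------------------------------------------------------
/common/scripts/gobuild.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright 2020 IBM Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.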
16 | # 17 | 18 | # This script builds and version stamps the output 19 | 20 | VERBOSE=${VERBOSE:-"0"} 21 | V="" 22 | if [[ "${VERBOSE}" == "1" ]];then 23 | V="-x" 24 | set -x 25 | fi 26 | 27 | OUT=${1:?"output path"} 28 | shift 29 | 30 | set -e 31 | 32 | BUILD_GOOS=${GOOS:-linux} 33 | BUILD_GOARCH=${GOARCH:-amd64} 34 | GOBINARY=${GOBINARY:-go} 35 | BUILDINFO=${BUILDINFO:-""} 36 | STATIC=${STATIC:-1} 37 | GOBUILDFLAGS=${GOBUILDFLAGS:-} 38 | GCFLAGS=${GCFLAGS:-} 39 | LDFLAGS=${LDFLAGS:-"-extldflags -static"} 40 | # Split GOBUILDFLAGS by spaces into an array called GOBUILDFLAGS_ARRAY. 41 | IFS=' ' read -r -a GOBUILDFLAGS_ARRAY <<< "$GOBUILDFLAGS" 42 | 43 | export CGO_ENABLED=0 44 | 45 | if [[ "${STATIC}" != "1" ]];then 46 | LDFLAGS="" 47 | fi 48 | 49 | time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \ 50 | ${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \ 51 | -o "${OUT}" \ 52 | -ldflags "${LDFLAGS}" "${@}" 53 | -------------------------------------------------------------------------------- /common/scripts/lint_copyright_banner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2020 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | set -e 19 | 20 | ec=0 21 | for fn in "$@"; do 22 | if ! 
grep -L -q -e "Apache License, Version 2" "${fn}"; then 23 | echo "Missing license: ${fn}" 24 | ec=1 25 | fi 26 | 27 | if ! grep -L -q -e "Copyright" "${fn}"; then 28 | echo "Missing copyright: ${fn}" 29 | ec=1 30 | fi 31 | done 32 | 33 | exit $ec 34 | -------------------------------------------------------------------------------- /common/scripts/lint_go.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Copyright 2020 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | GOGC=25 golangci-lint run -c ./common/config/.golangci.yml 19 | -------------------------------------------------------------------------------- /common/scripts/patch-csv.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # Copyright 2022 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
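# See the License for the specific language governing permissions and
# limitations under the License.
#

set -o errexit
set -o errtrace
set -o nounset
set -o pipefail

# Rewrite the upgrade-graph fields of the operator ClusterServiceVersion for a
# new release:
#   $1  previous operator version -> `replaces: ibm-cert-manager-operator.<prev>`
#   $2  current operator version  -> `olm.skipRange: <<curr>`
#   $3  CSV path; defaults to the base CSV under config/manifests
# The substitutions rely on GNU sed (`-i` with no suffix argument, `\(...\)`
# groups), so on macOS gnu-sed is required. A single variable holds the sed
# binary for both platforms; previously the Darwin branch assigned `SED` while
# the commands used `${sed}`, so BSD sed was still invoked on macOS.

sed="sed"
unamestr=$(uname)
if [[ "$unamestr" == "Darwin" ]] ; then
  sed=gsed
  type "${sed}" >/dev/null 2>&1 || {
    echo >&2 "${sed} it's not installed. Try: brew install gnu-sed" ;
    exit 1;
  }
fi

# With nounset active a missing argument aborts the script; give the failure a
# readable message instead of "unbound variable".
prev_version=${1:?"previous operator version"}
curr_version=${2:?"current operator version"}
csv=${3:-config/manifests/bases/ibm-cert-manager-operator.clusterserviceversion.yaml}

# patch the CSV in place
"${sed}" -e "s|replaces: ibm-cert-manager-operator\(.*\)|replaces: ibm-cert-manager-operator.${prev_version}|" -i "${csv}"
"${sed}" -e "s|olm.skipRange: <\(.*\)|olm.skipRange: <${curr_version}|" -i "${csv}"
--------------------------------------------------------------------------------
/common/scripts/patch-metadata.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright 2022 IBM Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.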
16 | # 17 | 18 | set -o errexit 19 | set -o errtrace 20 | set -o nounset 21 | set -o pipefail 22 | 23 | yq=${1} 24 | # crdDir=${2:-config/crd/bases} 25 | 26 | # # add unapproved api annotation to v1alpha1 APIs which have domian k8s.io 27 | # for f in "$crdDir"/certmanager.k8s.io_*; do 28 | # "${yq}" eval '.metadata.annotations."api-approved.kubernetes.io" = "unapproved"' "${f}" -i 29 | # done 30 | 31 | # add labels to resources 32 | "${yq}" eval '.metadata.labels."app.kubernetes.io/instance" = "ibm-cert-manager-operator"' config/rbac/role.yaml -i 33 | "${yq}" eval '.metadata.labels."app.kubernetes.io/managed-by" = "ibm-cert-manager-operator"' config/rbac/role.yaml -i 34 | "${yq}" eval '.metadata.labels."app.kubernetes.io/name" = "cert-manager"' config/rbac/role.yaml -i 35 | -------------------------------------------------------------------------------- /config/crd/bases/acme.cert-manager.io_orders.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: orders.acme.cert-manager.io 5 | labels: 6 | app: 'cert-manager' 7 | app.kubernetes.io/name: 'cert-manager' 8 | app.kubernetes.io/instance: 'cert-manager' 9 | # Generated labels 10 | app.kubernetes.io/version: "v1.13.1" 11 | spec: 12 | group: acme.cert-manager.io 13 | names: 14 | kind: Order 15 | listKind: OrderList 16 | plural: orders 17 | singular: order 18 | categories: 19 | - cert-manager 20 | - cert-manager-acme 21 | scope: Namespaced 22 | versions: 23 | - name: v1 24 | subresources: 25 | status: {} 26 | additionalPrinterColumns: 27 | - jsonPath: .status.state 28 | name: State 29 | type: string 30 | - jsonPath: .spec.issuerRef.name 31 | name: Issuer 32 | priority: 1 33 | type: string 34 | - jsonPath: .status.reason 35 | name: Reason 36 | priority: 1 37 | type: string 38 | - jsonPath: .metadata.creationTimestamp 39 | description: CreationTimestamp is a timestamp representing the server 
time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. 40 | name: Age 41 | type: date 42 | schema: 43 | openAPIV3Schema: 44 | description: Order is a type to represent an Order with an ACME server 45 | type: object 46 | required: 47 | - metadata 48 | - spec 49 | properties: 50 | apiVersion: 51 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 52 | type: string 53 | kind: 54 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 55 | type: string 56 | metadata: 57 | type: object 58 | spec: 59 | type: object 60 | required: 61 | - issuerRef 62 | - request 63 | properties: 64 | commonName: 65 | description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. 66 | type: string 67 | dnsNames: 68 | description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 69 | type: array 70 | items: 71 | type: string 72 | duration: 73 | description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. 
74 | type: string 75 | ipAddresses: 76 | description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. 77 | type: array 78 | items: 79 | type: string 80 | issuerRef: 81 | description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. 82 | type: object 83 | required: 84 | - name 85 | properties: 86 | group: 87 | description: Group of the resource being referred to. 88 | type: string 89 | kind: 90 | description: Kind of the resource being referred to. 91 | type: string 92 | name: 93 | description: Name of the resource being referred to. 94 | type: string 95 | request: 96 | description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 97 | type: string 98 | format: byte 99 | status: 100 | type: object 101 | properties: 102 | authorizations: 103 | description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. 104 | type: array 105 | items: 106 | description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. 107 | type: object 108 | required: 109 | - url 110 | properties: 111 | challenges: 112 | description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. 
113 | type: array 114 | items: 115 | description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. 116 | type: object 117 | required: 118 | - token 119 | - type 120 | - url 121 | properties: 122 | token: 123 | description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. 124 | type: string 125 | type: 126 | description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. 127 | type: string 128 | url: 129 | description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. 130 | type: string 131 | identifier: 132 | description: Identifier is the DNS name to be validated as part of this authorization 133 | type: string 134 | initialState: 135 | description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. 136 | type: string 137 | enum: 138 | - valid 139 | - ready 140 | - pending 141 | - processing 142 | - invalid 143 | - expired 144 | - errored 145 | url: 146 | description: URL is the URL of the Authorization that must be completed 147 | type: string 148 | wildcard: 149 | description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. 
For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. 150 | type: boolean 151 | certificate: 152 | description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. 153 | type: string 154 | format: byte 155 | failureTime: 156 | description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. 157 | type: string 158 | format: date-time 159 | finalizeURL: 160 | description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. 161 | type: string 162 | reason: 163 | description: Reason optionally provides more information about why the order is in the current state. 164 | type: string 165 | state: 166 | description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' 167 | type: string 168 | enum: 169 | - valid 170 | - ready 171 | - pending 172 | - processing 173 | - invalid 174 | - expired 175 | - errored 176 | url: 177 | description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. 178 | type: string 179 | served: true 180 | storage: true -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 
3 | # It should be run by config/default 4 | resources: 5 | - bases/operator.ibm.com_certmanagerconfigs.yaml 6 | - bases/cert-manager.io_issuers.yaml 7 | - bases/cert-manager.io_certificates.yaml 8 | - bases/cert-manager.io_clusterissuers.yaml 9 | - bases/cert-manager.io_certificaterequests.yaml 10 | - bases/acme.cert-manager.io_challenges.yaml 11 | - bases/acme.cert-manager.io_orders.yaml 12 | #+kubebuilder:scaffold:crdkustomizeresource 13 | 14 | patchesStrategicMerge: 15 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. 16 | # patches here are for enabling the conversion webhook for each CRD 17 | #- patches/webhook_in_certmanagers.yaml 18 | #- patches/webhook_in_issuers.yaml 19 | #- patches/webhook_in_certificates.yaml 20 | #- patches/webhook_in_challenges.yaml 21 | #- patches/webhook_in_orders.yaml 22 | #- patches/webhook_in_certificaterequests.yaml 23 | #+kubebuilder:scaffold:crdkustomizewebhookpatch 24 | 25 | # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. 26 | # patches here are for enabling the CA injection for each CRD 27 | #- patches/cainjection_in_certmanagers.yaml 28 | #- patches/cainjection_in_issuers.yaml 29 | #- patches/cainjection_in_certificates.yaml 30 | #- patches/cainjection_in_challenges.yaml 31 | #- patches/cainjection_in_orders.yaml 32 | #- patches/cainjection_in_certificaterequests.yaml 33 | #+kubebuilder:scaffold:crdkustomizecainjectionpatch 34 | 35 | # the following config is for teaching kustomize how to do kustomization for CRDs. 
36 | configurations: 37 | - kustomizeconfig.yaml 38 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | version: v1 8 | group: apiextensions.k8s.io 9 | path: spec/conversion/webhook/clientConfig/service/name 10 | 11 | namespace: 12 | - kind: CustomResourceDefinition 13 | version: v1 14 | group: apiextensions.k8s.io 15 | path: spec/conversion/webhook/clientConfig/service/namespace 16 | create: false 17 | 18 | varReference: 19 | - path: metadata/annotations 20 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_certificaterequests.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: certificaterequests.certmanager.k8s.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_certificates.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: certificates.certmanager.k8s.io 8 | -------------------------------------------------------------------------------- 
/config/crd/patches/cainjection_in_certmanagers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: certmanagers.operator.ibm.com 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_challenges.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: challenges.certmanager.k8s.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_issuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: issuers.certmanager.k8s.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_orders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | annotations: 6 | cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) 7 | name: 
orders.certmanager.k8s.io 8 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_certificaterequests.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: certificaterequests.certmanager.k8s.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_certificates.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: certificates.certmanager.k8s.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_certmanagers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: certmanagers.operator.ibm.com 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- 
/config/crd/patches/webhook_in_challenges.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: challenges.certmanager.k8s.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_issuers.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: issuers.certmanager.k8s.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_orders.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables a conversion webhook for the CRD 2 | apiVersion: apiextensions.k8s.io/v1 3 | kind: CustomResourceDefinition 4 | metadata: 5 | name: orders.certmanager.k8s.io 6 | spec: 7 | conversion: 8 | strategy: Webhook 9 | webhook: 10 | clientConfig: 11 | service: 12 | namespace: system 13 | name: webhook-service 14 | path: /convert 15 | conversionReviewVersions: 16 | - v1 17 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 
2 | namespace: ibm-cert-manager-operator-system 3 | 4 | # Value of this field is prepended to the 5 | # names of all resources, e.g. a deployment named 6 | # "wordpress" becomes "alices-wordpress". 7 | # Note that it should also match with the prefix (text before '-') of the namespace 8 | # field above. 9 | namePrefix: ibm-cert-manager- 10 | 11 | # Labels to add to all resources and selectors. 12 | #commonLabels: 13 | # someName: someValue 14 | 15 | bases: 16 | - ../crd 17 | - ../rbac 18 | - ../manager 19 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 20 | # crd/kustomization.yaml 21 | #- ../webhook 22 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. 23 | #- ../certmanager 24 | # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 25 | #- ../prometheus 26 | 27 | patchesStrategicMerge: 28 | # Protect the /metrics endpoint by putting it behind auth. 29 | # If you want your controller-manager to expose the /metrics 30 | # endpoint w/o any authn/z, please comment the following line. 31 | # - manager_auth_proxy_patch.yaml 32 | 33 | # Mount the controller config file for loading manager configurations 34 | # through a ComponentConfig type 35 | #- manager_config_patch.yaml 36 | 37 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in 38 | # crd/kustomization.yaml 39 | #- manager_webhook_patch.yaml 40 | 41 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 42 | # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
43 | # 'CERTMANAGER' needs to be enabled to use ca injection 44 | #- webhookcainjection_patch.yaml 45 | 46 | # the following config is for teaching kustomize how to do var substitution 47 | vars: 48 | # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 49 | #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR 50 | # objref: 51 | # kind: Certificate 52 | # group: cert-manager.io 53 | # version: v1 54 | # name: serving-cert # this name should match the one in certificate.yaml 55 | # fieldref: 56 | # fieldpath: metadata.namespace 57 | #- name: CERTIFICATE_NAME 58 | # objref: 59 | # kind: Certificate 60 | # group: cert-manager.io 61 | # version: v1 62 | # name: serving-cert # this name should match the one in certificate.yaml 63 | #- name: SERVICE_NAMESPACE # namespace of the service 64 | # objref: 65 | # kind: Service 66 | # version: v1 67 | # name: webhook-service 68 | # fieldref: 69 | # fieldpath: metadata.namespace 70 | #- name: SERVICE_NAME 71 | # objref: 72 | # kind: Service 73 | # version: v1 74 | # name: webhook-service 75 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch injects a sidecar container which is an HTTP proxy for the 2 | # controller manager; it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 
3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: system 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 14 | args: 15 | - "--secure-listen-address=0.0.0.0:8443" 16 | - "--upstream=http://127.0.0.1:8080/" 17 | - "--logtostderr=true" 18 | - "--v=10" 19 | ports: 20 | - containerPort: 8443 21 | protocol: TCP 22 | name: https 23 | - name: manager 24 | args: 25 | - "--health-probe-bind-address=:8081" 26 | - "--metrics-bind-address=127.0.0.1:8080" 27 | - "--leader-elect" 28 | -------------------------------------------------------------------------------- /config/default/manager_config_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | args: 12 | - "--config=controller_manager_config.yaml" 13 | volumeMounts: 14 | - name: manager-config 15 | mountPath: /controller_manager_config.yaml 16 | subPath: controller_manager_config.yaml 17 | volumes: 18 | - name: manager-config 19 | configMap: 20 | name: manager-config 21 | -------------------------------------------------------------------------------- /config/manager/controller_manager_config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 2 | kind: ControllerManagerConfig 3 | health: 4 | healthProbeBindAddress: :8081 5 | metrics: 6 | bindAddress: 127.0.0.1:8080 7 | webhook: 8 | port: 9443 9 | leaderElection: 10 | leaderElect: true 11 | resourceName: 1557e857.ibm.com 12 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | 
resources: 2 | - manager.yaml 3 | 4 | generatorOptions: 5 | disableNameSuffixHash: true 6 | 7 | configMapGenerator: 8 | - files: 9 | - controller_manager_config.yaml 10 | name: manager-config 11 | apiVersion: kustomize.config.k8s.io/v1beta1 12 | kind: Kustomization 13 | images: 14 | - name: controller 15 | newName: ibm-cert-manager-operator 16 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: operator 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: operator 12 | labels: 13 | app.kubernetes.io/instance: ibm-cert-manager-operator 14 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 15 | app.kubernetes.io/name: cert-manager 16 | spec: 17 | replicas: 1 18 | selector: 19 | matchLabels: 20 | name: ibm-cert-manager-operator 21 | template: 22 | metadata: 23 | labels: 24 | name: ibm-cert-manager-operator 25 | app.kubernetes.io/instance: ibm-cert-manager-operator 26 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 27 | app.kubernetes.io/name: cert-manager 28 | annotations: 29 | productName: IBM Cloud Platform Common Services 30 | productID: "068a62892a1e4db39641342e592daa25" 31 | productMetric: FREE 32 | spec: 33 | serviceAccountName: operator 34 | affinity: 35 | nodeAffinity: 36 | requiredDuringSchedulingIgnoredDuringExecution: 37 | nodeSelectorTerms: 38 | - matchExpressions: 39 | - key: kubernetes.io/arch 40 | operator: In 41 | values: 42 | - amd64 43 | - ppc64le 44 | - s390x 45 | hostIPC: false 46 | hostNetwork: false 47 | hostPID: false 48 | containers: 49 | - name: manager 50 | image: icr.io/cpopen/ibm-cert-manager-operator:latest 51 | command: 52 | - ibm-cert-manager-operator 53 | imagePullPolicy: IfNotPresent 54 | livenessProbe: 55 | httpGet: 56 | path: /healthz 57 | port: 8081 58 
| initialDelaySeconds: 15 59 | periodSeconds: 20 60 | readinessProbe: 61 | httpGet: 62 | path: /readyz 63 | port: 8081 64 | initialDelaySeconds: 5 65 | periodSeconds: 10 66 | env: 67 | - name: WATCH_NAMESPACE 68 | valueFrom: 69 | fieldRef: 70 | fieldPath: metadata.annotations['olm.targetNamespaces'] 71 | - name: DEPLOYED_NAMESPACE 72 | valueFrom: 73 | fieldRef: 74 | fieldPath: metadata.namespace 75 | - name: POD_NAME 76 | valueFrom: 77 | fieldRef: 78 | fieldPath: metadata.name 79 | - name: OPERATOR_NAME 80 | value: "ibm-cert-manager-operator" 81 | - name: ICP_CERT_MANAGER_CONTROLLER_IMAGE 82 | value: icr.io/cpopen/cpfs/icp-cert-manager-controller:4.2.16-jetstack.1.13.3 83 | - name: ICP_CERT_MANAGER_WEBHOOK_IMAGE 84 | value: icr.io/cpopen/cpfs/icp-cert-manager-webhook:4.2.16-jetstack.1.13.3 85 | - name: ICP_CERT_MANAGER_CAINJECTOR_IMAGE 86 | value: icr.io/cpopen/cpfs/icp-cert-manager-cainjector:4.2.16-jetstack.1.13.3 87 | - name: ICP_CERT_MANAGER_ACMESOLVER_IMAGE 88 | value: icr.io/cpopen/cpfs/icp-cert-manager-acmesolver:4.2.16-jetstack.1.13.3 89 | resources: 90 | limits: 91 | cpu: 100m 92 | memory: 300Mi 93 | requests: 94 | cpu: 10m 95 | memory: 50Mi 96 | ephemeral-storage: 256Mi 97 | securityContext: 98 | seccompProfile: 99 | type: RuntimeDefault 100 | allowPrivilegeEscalation: false 101 | capabilities: 102 | drop: 103 | - ALL 104 | privileged: false 105 | readOnlyRootFilesystem: true 106 | runAsNonRoot: true 107 | -------------------------------------------------------------------------------- /config/manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # These resources constitute the fully configured set of manifests 2 | # used to generate the 'manifests/' directory in a bundle. 3 | resources: 4 | - bases/ibm-cert-manager-operator.clusterserviceversion.yaml 5 | - ../default 6 | - ../samples 7 | - ../scorecard 8 | 9 | # [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. 
10 | # Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. 11 | # These patches remove the unnecessary "cert" volume and its manager container volumeMount. 12 | #patchesJson6902: 13 | #- target: 14 | # group: apps 15 | # version: v1 16 | # kind: Deployment 17 | # name: controller-manager 18 | # namespace: system 19 | # patch: |- 20 | # # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. 21 | # # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. 22 | # - op: remove 23 | # path: /spec/template/spec/containers/1/volumeMounts/0 24 | # # Remove the "cert" volume, since OLM will create and mount a set of certs. 25 | # # Update the indices in this path if adding or removing volumes in the manager's Deployment. 26 | # - op: remove 27 | # path: /spec/template/spec/volumes/0 28 | -------------------------------------------------------------------------------- /config/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - monitor.yaml 3 | -------------------------------------------------------------------------------- /config/prometheus/monitor.yaml: -------------------------------------------------------------------------------- 1 | 2 | # Prometheus Monitor Service (Metrics) 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: ServiceMonitor 5 | metadata: 6 | labels: 7 | control-plane: controller-manager 8 | name: controller-manager-metrics-monitor 9 | namespace: system 10 | spec: 11 | endpoints: 12 | - path: /metrics 13 | port: https 14 | scheme: https 15 | bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 16 | tlsConfig: 17 | insecureSkipVerify: true 18 | selector: 19 | matchLabels: 20 | control-plane: controller-manager 21 | -------------------------------------------------------------------------------- 
/config/rbac/auth_proxy_client_clusterrole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: metrics-reader 5 | rules: 6 | - nonResourceURLs: 7 | - "/metrics" 8 | verbs: 9 | - get 10 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: 7 | - authentication.k8s.io 8 | resources: 9 | - tokenreviews 10 | verbs: 11 | - create 12 | - apiGroups: 13 | - authorization.k8s.io 14 | resources: 15 | - subjectaccessreviews 16 | verbs: 17 | - create 18 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: controller-manager 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: controller-manager-metrics-service 7 | namespace: system 8 | spec: 9 | ports: 10 | - name: https 11 | port: 8443 12 | protocol: TCP 13 | targetPort: https 14 | selector: 15 | control-plane: controller-manager 16 | -------------------------------------------------------------------------------- 
/config/rbac/certificate_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit certificates. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificate-editor-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - certificates 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - certmanager.k8s.io 21 | resources: 22 | - certificates/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/certificate_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view certificates. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificate-viewer-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - certificates 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - certmanager.k8s.io 17 | resources: 18 | - certificates/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/certificaterequest_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit certificaterequests. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificaterequest-editor-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - certificaterequests 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - certmanager.k8s.io 21 | resources: 22 | - certificaterequests/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/certificaterequest_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view certificaterequests. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certificaterequest-viewer-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - certificaterequests 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - certmanager.k8s.io 17 | resources: 18 | - certificaterequests/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/certmanager_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit certmanagers. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certmanager-editor-role 6 | rules: 7 | - apiGroups: 8 | - operator.ibm.com 9 | resources: 10 | - certmanagers 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - operator.ibm.com 21 | resources: 22 | - certmanagers/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/certmanager_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view certmanagers. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: certmanager-viewer-role 6 | rules: 7 | - apiGroups: 8 | - operator.ibm.com 9 | resources: 10 | - certmanagers 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - operator.ibm.com 17 | resources: 18 | - certmanagers/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/challenge_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit challenges. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: challenge-editor-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - challenges 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - certmanager.k8s.io 21 | resources: 22 | - challenges/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/challenge_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view challenges. 
2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: challenge-viewer-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - challenges 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - certmanager.k8s.io 17 | resources: 18 | - challenges/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/issuer_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit issuers. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: issuer-editor-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - issuers 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - certmanager.k8s.io 21 | resources: 22 | - issuers/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/issuer_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view issuers. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: issuer-viewer-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - issuers 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - certmanager.k8s.io 17 | resources: 18 | - issuers/status 19 | verbs: 20 | - get 21 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | # All RBAC will be applied under this service account in 3 | # the deployment namespace. 
You may comment out this resource 4 | # if your manager will use a service account that exists at 5 | # runtime. Be sure to update RoleBinding and ClusterRoleBinding 6 | # subjects if changing service account names. 7 | - service_account.yaml 8 | - role.yaml 9 | - role_binding.yaml 10 | - leader_election_role.yaml 11 | - leader_election_role_binding.yaml 12 | # Comment the following 4 lines if you want to disable 13 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 14 | # which protects your /metrics endpoint. 15 | # - auth_proxy_service.yaml 16 | # - auth_proxy_role.yaml 17 | # - auth_proxy_role_binding.yaml 18 | # - auth_proxy_client_clusterrole.yaml 19 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: operator-leader-election-role 6 | labels: 7 | app.kubernetes.io/instance: ibm-cert-manager-operator 8 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 9 | app.kubernetes.io/name: cert-manager 10 | rules: 11 | - apiGroups: 12 | - "" 13 | resources: 14 | - configmaps 15 | verbs: 16 | - get 17 | - list 18 | - watch 19 | - create 20 | - update 21 | - patch 22 | - delete 23 | - apiGroups: 24 | - coordination.k8s.io 25 | resources: 26 | - leases 27 | verbs: 28 | - get 29 | - list 30 | - watch 31 | - create 32 | - update 33 | - patch 34 | - delete 35 | - apiGroups: 36 | - "" 37 | resources: 38 | - events 39 | verbs: 40 | - create 41 | - patch 42 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: 
operator-leader-election-rolebinding 5 | labels: 6 | app.kubernetes.io/instance: ibm-cert-manager-operator 7 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 8 | app.kubernetes.io/name: cert-manager 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: Role 12 | name: operator-leader-election-role 13 | subjects: 14 | - kind: ServiceAccount 15 | name: operator 16 | -------------------------------------------------------------------------------- /config/rbac/order_editor_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to edit orders. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: order-editor-role 6 | rules: 7 | - apiGroups: 8 | - certmanager.k8s.io 9 | resources: 10 | - orders 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - certmanager.k8s.io 21 | resources: 22 | - orders/status 23 | verbs: 24 | - get 25 | -------------------------------------------------------------------------------- /config/rbac/order_viewer_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions for end users to view orders. 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: order-viewer-role
# NOTE(review): certmanager.k8s.io is the legacy cert-manager API group; role.yaml
# below and the shipped CRDs serve orders under acme.cert-manager.io, so this role
# grants no access to the installed Order resources. Confirm before relying on it.
rules:
- apiGroups:
  - certmanager.k8s.io
  resources:
  - orders
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - certmanager.k8s.io
  resources:
  - orders/status
  verbs:
  - get
# --------------------------------------------------------------------------------
# /config/rbac/role.yaml:
# --------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator
  labels:
    app.kubernetes.io/instance: ibm-cert-manager-operator
    app.kubernetes.io/managed-by: ibm-cert-manager-operator
    app.kubernetes.io/name: cert-manager
# NOTE(review): this ClusterRole is effectively cluster-admin equivalent: cluster-wide
# read/write of Secrets, CustomResourceDefinitions, admission webhook configurations,
# APIServices and RBAC objects, plus CSR signing. Treat the ServiceAccount bound to it
# (role_binding.yaml) as a cluster-admin credential: limit who can read Secrets or exec
# into pods in the operator namespace, and alert on changes to this role or its binding.
# Several rules below target API groups that no longer exist or never served the named
# resource; pruning them is a least-privilege hygiene win (flagged inline).
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - watch
# Cluster-wide Secret access (all namespaces, including ServiceAccount tokens);
# required because cert-manager writes issued certificates into target namespaces.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges
  - orders
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - acme.cert-manager.io
  resources:
  - challenges/finalizers
  - challenges/status
  - orders/finalizers
  - orders/status
  verbs:
  - update
# Write access to admission webhook configurations lets the holder intercept or
# rewrite any API request cluster-wide; keep it, but audit changes to these objects.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - statefulsets
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# NOTE(review): auditregistration.k8s.io (AuditSink) was removed from Kubernetes in
# v1.19; on current clusters this rule grants nothing and can be dropped.
- apiGroups:
  - auditregistration.k8s.io
  resources:
  - auditsinks
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - cert-manager.io
  resources:
  - certificaterequests
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificaterequests/finalizers
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - certificaterequests/status
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificates/finalizers
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - certificates/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers/status
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - issuers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - issuers/finalizers
  verbs:
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - issuers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - cert-manager.io
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/status
  verbs:
  - update
# NOTE(review): unrestricted "sign" on certificates.k8s.io signers covers the
# cluster's built-in signers as well as cert-manager's own. If the operand only
# signs for its issuer signers, scope this rule with resourceNames to those
# signer names (confirm the names the deployed version uses).
- apiGroups:
  - certificates.k8s.io
  resources:
  - signers
  verbs:
  - sign
- apiGroups:
  - ibmcpcs.ibm.com
  resources:
  - secretshares
  verbs:
  - create
  - get
  - list
  - watch
# NOTE(review): httproutes is not a networking.k8s.io resource (Gateway API routes
# live in networking.x-k8s.io / gateway.networking.k8s.io); that entry is
# presumably a no-op here and can be removed once confirmed.
- apiGroups:
  - networking.k8s.io
  resources:
  - httproutes
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/finalizers
  verbs:
  - update
# NOTE(review): networking.x-k8s.io is the pre-release Gateway API group; if the
# target clusters run the gateway.networking.k8s.io API instead, these three rules
# grant nothing. Verify which group the operand actually watches.
- apiGroups:
  - networking.x-k8s.io
  resources:
  - gateways
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.x-k8s.io
  resources:
  - gateways/finalizers
  - httproutes/finalizers
  verbs:
  - update
- apiGroups:
  - networking.x-k8s.io
  resources:
  - httproutes
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - operator.ibm.com
  resources:
  - certmanagerconfigs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - operator.ibm.com
  resources:
  - certmanagerconfigs/finalizers
  verbs:
  - update
- apiGroups:
  - operator.ibm.com
  resources:
  - certmanagerconfigs/status
  verbs:
  - get
  - patch
  - update
# The API server's escalation check only lets this subject grant permissions it
# already holds, but given the rules above that is nearly everything; changes to
# RBAC objects made by this ServiceAccount are worth a dedicated audit alert.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
# OpenShift: allows Routes with arbitrary (non-generated) hostnames to be created.
- apiGroups:
  - route.openshift.io
  resources:
  - routes/custom-host
  verbs:
  - create
# --------------------------------------------------------------------------------
# /config/rbac/role_binding.yaml:
# --------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: operator
  labels:
    app.kubernetes.io/instance: ibm-cert-manager-operator
    app.kubernetes.io/managed-by: ibm-cert-manager-operator
app.kubernetes.io/name: cert-manager 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: operator 13 | subjects: 14 | - kind: ServiceAccount 15 | name: operator 16 | -------------------------------------------------------------------------------- /config/rbac/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: operator 5 | labels: 6 | app.kubernetes.io/instance: ibm-cert-manager-operator 7 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 8 | app.kubernetes.io/name: cert-manager 9 | -------------------------------------------------------------------------------- /config/samples/kustomization.yaml: -------------------------------------------------------------------------------- 1 | ## Append samples you want in your CSV to this file as resources ## 2 | resources: 3 | - operator_v1_certmanagerconfig.yaml 4 | #+kubebuilder:scaffold:manifestskustomizesamples 5 | -------------------------------------------------------------------------------- /config/samples/operator_v1_certmanagerconfig.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.ibm.com/v1 2 | kind: CertManagerConfig 3 | metadata: 4 | name: default 5 | labels: 6 | app.kubernetes.io/instance: ibm-cert-manager-operator 7 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 8 | app.kubernetes.io/name: cert-manager 9 | spec: 10 | disableHostNetwork: true 11 | enableWebhook: true 12 | imageRegistry: icr.io/cpopen/cpfs 13 | version: "4.2.16" 14 | enableCertRefresh: true 15 | status: 16 | certManagerConfigStatus: '' 17 | -------------------------------------------------------------------------------- /config/scorecard/bases/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scorecard.operatorframework.io/v1alpha3 2 | kind: 
Configuration 3 | metadata: 4 | name: config 5 | stages: 6 | - parallel: true 7 | tests: [] 8 | -------------------------------------------------------------------------------- /config/scorecard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - bases/config.yaml 3 | patchesJson6902: 4 | - path: patches/basic.config.yaml 5 | target: 6 | group: scorecard.operatorframework.io 7 | version: v1alpha3 8 | kind: Configuration 9 | name: config 10 | - path: patches/olm.config.yaml 11 | target: 12 | group: scorecard.operatorframework.io 13 | version: v1alpha3 14 | kind: Configuration 15 | name: config 16 | #+kubebuilder:scaffold:patchesJson6902 17 | -------------------------------------------------------------------------------- /config/scorecard/patches/basic.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - basic-check-spec 7 | image: quay.io/operator-framework/scorecard-test:v1.15.0 8 | labels: 9 | suite: basic 10 | test: basic-check-spec-test 11 | -------------------------------------------------------------------------------- /config/scorecard/patches/olm.config.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /stages/0/tests/- 3 | value: 4 | entrypoint: 5 | - scorecard-test 6 | - olm-bundle-validation 7 | image: quay.io/operator-framework/scorecard-test:v1.15.0 8 | labels: 9 | suite: olm 10 | test: olm-bundle-validation-test 11 | - op: add 12 | path: /stages/0/tests/- 13 | value: 14 | entrypoint: 15 | - scorecard-test 16 | - olm-crds-have-validation 17 | image: quay.io/operator-framework/scorecard-test:v1.15.0 18 | labels: 19 | suite: olm 20 | test: olm-crds-have-validation-test 21 | - op: add 22 | path: /stages/0/tests/- 23 | value: 24 | entrypoint: 25 | - scorecard-test 26 | - 
olm-crds-have-resources 27 | image: quay.io/operator-framework/scorecard-test:v1.15.0 28 | labels: 29 | suite: olm 30 | test: olm-crds-have-resources-test 31 | - op: add 32 | path: /stages/0/tests/- 33 | value: 34 | entrypoint: 35 | - scorecard-test 36 | - olm-spec-descriptors 37 | image: quay.io/operator-framework/scorecard-test:v1.15.0 38 | labels: 39 | suite: olm 40 | test: olm-spec-descriptors-test 41 | - op: add 42 | path: /stages/0/tests/- 43 | value: 44 | entrypoint: 45 | - scorecard-test 46 | - olm-status-descriptors 47 | image: quay.io/operator-framework/scorecard-test:v1.15.0 48 | labels: 49 | suite: olm 50 | test: olm-status-descriptors-test 51 | -------------------------------------------------------------------------------- /controllers/operator/prereqs.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2022 IBM Corporation 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 
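//

package operator

import (
	"context"

	rbacv1 "k8s.io/api/rbac/v1"
	"k8s.io/apimachinery/pkg/api/equality"
	apiErrors "k8s.io/apimachinery/pkg/api/errors"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

	operatorv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/operator/v1"
	res "github.com/ibm/ibm-cert-manager-operator/v4/controllers/resources"
)

// checkRbac ensures every RBAC object cert-manager needs exists and matches
// the desired state held in the resources package. ns is the namespace used
// for the namespaced objects (Role, RoleBinding, ServiceAccount). Errors from
// the API calls are returned unchanged.
func checkRbac(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, ns string) error {
	return roles(instance, scheme, client, ns)
}

// roles creates or updates the ClusterRoles, Roles, ClusterRoleBindings,
// RoleBindings and ServiceAccounts, in that order, and stops at the first
// error. Roles are therefore always handled before the bindings that refer
// to them.
func roles(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, ns string) error {
	if err := createClusterRole(instance, scheme, client); err != nil {
		return err
	}
	if err := createRole(instance, scheme, client, ns); err != nil {
		return err
	}
	if err := createClusterRoleBinding(instance, scheme, client, ns); err != nil {
		return err
	}
	if err := createRoleBinding(instance, scheme, client, ns); err != nil {
		return err
	}
	return createServiceAccount(instance, scheme, client, ns)
}

// createRole creates every Role listed in res.RolesToCreate in namespace.
// When a Role already exists only its Rules are compared and, if they differ,
// reset to the desired ones: any out-of-band edit to the rules of a managed
// Role (including extra grants) is reverted on the next reconcile. Other
// fields of an existing Role are left untouched.
func createRole(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, namespace string) error {
	logd.V(0).Info("Creating roles")
	for _, r := range res.RolesToCreate.Items {
		logd.V(0).Info("Creating role " + r.Name)
		role := &rbacv1.Role{}
		err := client.Get(context.Background(), types.NamespacedName{Name: r.Name, Namespace: namespace}, role)
		switch {
		case apiErrors.IsNotFound(err):
			// A ResourceVersion on a create request is rejected by the API server.
			r.ResourceVersion = ""
			r.Namespace = namespace
			// Owner-reference problems are logged, not returned, so they never
			// block RBAC creation.
			if err := controllerutil.SetControllerReference(instance, &r, scheme); err != nil {
				logd.Error(err, "Error setting controller reference on role")
			}
			if err := client.Create(context.Background(), &r); err != nil {
				return err
			}
		case err != nil:
			return err
		default:
			oldRole := role.DeepCopy()
			role.Rules = r.Rules
			// Only write when the rules drifted, to avoid an update per reconcile.
			if !equality.Semantic.DeepEqual(oldRole, role) {
				if err := client.Update(context.Background(), role); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// createClusterRole is the cluster-scoped counterpart of createRole for
// res.ClusterRolesToCreate: missing ClusterRoles are created, existing ones
// have their Rules reset to the desired state when they differ.
func createClusterRole(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client) error {
	logd.V(0).Info("Creating cluster roles")
	for _, r := range res.ClusterRolesToCreate.Items {
		logd.V(0).Info("Creating cluster role " + r.Name)
		clusterRole := &rbacv1.ClusterRole{}
		err := client.Get(context.Background(), types.NamespacedName{Name: r.Name}, clusterRole)
		switch {
		case apiErrors.IsNotFound(err):
			r.ResourceVersion = ""
			// NOTE(review): SetControllerReference refuses a namespace-scoped owner
			// on a cluster-scoped object; if CertManagerConfig is namespaced this
			// logs on every create and the ClusterRole is created without an owner.
			if err := controllerutil.SetControllerReference(instance, &r, scheme); err != nil {
				logd.Error(err, "Error setting controller reference on clusterrole")
			}
			if err := client.Create(context.Background(), &r); err != nil {
				return err
			}
		case err != nil:
			return err
		default:
			oldClusterRole := clusterRole.DeepCopy()
			clusterRole.Rules = r.Rules
			if !equality.Semantic.DeepEqual(oldClusterRole, clusterRole) {
				if err := client.Update(context.Background(), clusterRole); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// createClusterRoleBinding creates or updates every ClusterRoleBinding in
// res.ClusterRoleBindingsToCreate. Subjects are pointed at namespace first;
// an existing binding has its RoleRef and Subjects reset to the desired
// values, so a binding that was re-pointed by hand is reverted.
func createClusterRoleBinding(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, namespace string) error {
	logd.V(0).Info("Creating cluster role binding")
	for _, b := range res.ClusterRoleBindingsToCreate.Items {
		logd.V(0).Info("Creating cluster role binding " + b.Name)
		// b is a copy, but Subjects shares its backing array with the template in
		// the resources package, so this write-through is visible there too.
		for i := range b.Subjects {
			b.Subjects[i].Namespace = namespace
		}
		clusterRoleBinding := &rbacv1.ClusterRoleBinding{}
		err := client.Get(context.Background(), types.NamespacedName{Name: b.Name}, clusterRoleBinding)
		switch {
		case apiErrors.IsNotFound(err):
			b.ResourceVersion = ""
			if err := controllerutil.SetControllerReference(instance, &b, scheme); err != nil {
				logd.Error(err, "Error setting controller reference on clusterrolebinding")
			}
			if err := client.Create(context.Background(), &b); err != nil {
				return err
			}
		case err != nil:
			return err
		default:
			oldClusterRoleBinding := clusterRoleBinding.DeepCopy()
			clusterRoleBinding.RoleRef = b.RoleRef
			clusterRoleBinding.Subjects = b.Subjects
			if !equality.Semantic.DeepEqual(oldClusterRoleBinding, clusterRoleBinding) {
				if err := client.Update(context.Background(), clusterRoleBinding); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// createRoleBinding is the namespaced counterpart of createClusterRoleBinding
// for res.RoleBindingsToCreate. An existing RoleBinding is updated only when
// its RoleRef or Subjects differ from the desired state; the previous
// unconditional second Update, which rewrote the object on every reconcile,
// is gone.
func createRoleBinding(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, namespace string) error {
	logd.V(0).Info("Creating role binding")
	for _, b := range res.RoleBindingsToCreate.Items {
		logd.V(0).Info("Creating role binding " + b.Name)
		// Subjects shares its backing array with the template (see createClusterRoleBinding).
		for i := range b.Subjects {
			b.Subjects[i].Namespace = namespace
		}
		roleBinding := &rbacv1.RoleBinding{}
		err := client.Get(context.Background(), types.NamespacedName{Name: b.Name, Namespace: namespace}, roleBinding)
		switch {
		case apiErrors.IsNotFound(err):
			b.ResourceVersion = ""
			b.Namespace = namespace
			if err := controllerutil.SetControllerReference(instance, &b, scheme); err != nil {
				logd.Error(err, "Error setting controller reference on rolebinding")
			}
			if err := client.Create(context.Background(), &b); err != nil {
				return err
			}
		case err != nil:
			return err
		default:
			oldRoleBinding := roleBinding.DeepCopy()
			roleBinding.RoleRef = b.RoleRef
			roleBinding.Subjects = b.Subjects
			if !equality.Semantic.DeepEqual(oldRoleBinding, roleBinding) {
				if err := client.Update(context.Background(), roleBinding); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// createServiceAccount creates every ServiceAccount in
// res.ServiceAccountsToCreate in namespace. Unlike the roles and bindings, an
// existing ServiceAccount is left exactly as it is (AlreadyExists is not an
// error); any other create failure is returned.
func createServiceAccount(instance *operatorv1.CertManagerConfig, scheme *runtime.Scheme, client client.Client, namespace string) error {
	logd.V(0).Info("Creating service account")
	for _, a := range res.ServiceAccountsToCreate.Items {
		logd.V(0).Info("Creating service account " + a.Name)
		a.ResourceVersion = ""
		a.Namespace = namespace
		// The owner reference must be on the object before Create; setting it
		// afterwards only changes the local copy and is never persisted.
		if err := controllerutil.SetControllerReference(instance, &a, scheme); err != nil {
			logd.Error(err, "Error setting controller reference on service account")
		}
		if err := client.Create(context.Background(), &a); err != nil {
			if apiErrors.IsAlreadyExists(err) {
				continue
			}
			logd.V(2).Info("Error creating the service account, but was not an already exists error", "error message", err)
			return err
		}
	}
	return nil
}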
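// /controllers/operator/suite_test.go:

/*
Copyright 2022.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package operator

import (
	"path/filepath"
	"testing"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"k8s.io/client-go/kubernetes/scheme"
	"k8s.io/client-go/rest"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/envtest"
	logf "sigs.k8s.io/controller-runtime/pkg/log"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"

	operatorv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/operator/v1"
	//+kubebuilder:scaffold:imports
)

// These tests use Ginkgo (BDD-style Go testing framework). Refer to
// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.

// cfg is the REST config of the envtest API server started in BeforeSuite,
// k8sClient is a client built from it, and testEnv owns the API server.
var (
	cfg       *rest.Config
	k8sClient client.Client
	testEnv   *envtest.Environment
)

// TestAPIs is the go test entry point that runs the Ginkgo suite.
func TestAPIs(t *testing.T) {
	RegisterFailHandler(Fail)

	RunSpecs(t, "Controller Suite")
}

var _ = BeforeSuite(func() {
	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))

	By("bootstrapping test environment")
	testEnv = &envtest.Environment{
		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
		ErrorIfCRDPathMissing: true,
	}

	// Assign with "=" so the package-level cfg is populated; ":=" here would
	// declare a new local and leave the package variable nil for other specs.
	var err error
	cfg, err = testEnv.Start()
	Expect(err).NotTo(HaveOccurred())
	Expect(cfg).NotTo(BeNil())

	err = operatorv1.AddToScheme(scheme.Scheme)
	Expect(err).NotTo(HaveOccurred())

	//+kubebuilder:scaffold:scheme

	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
	Expect(err).NotTo(HaveOccurred())
	Expect(k8sClient).NotTo(BeNil())

}, 60)

var _ = AfterSuite(func() {
	By("tearing down the test environment")
	err := testEnv.Stop()
	Expect(err).NotTo(HaveOccurred())
})

// --------------------------------------------------------------------------------
// /controllers/operator/util.go:
// --------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.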
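//

package operator

import (
	"bytes"
	"fmt"
	"io"
	"io/ioutil"
	"reflect"

	utilyaml "github.com/ghodss/yaml"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime/serializer/json"
	"k8s.io/apimachinery/pkg/runtime/serializer/streaming"
	"k8s.io/apimachinery/pkg/runtime/serializer/yaml"
	"k8s.io/klog"
)

// containsString reports whether str is an element of source.
func containsString(source []string, str string) bool {
	for _, s := range source {
		if s == str {
			return true
		}
	}
	return false
}

// removeString returns a new slice with every element of source that is not
// equal to str, in the original order. The result is nil when nothing is
// kept; source itself is never modified.
func removeString(source []string, str string) (result []string) {
	for _, s := range source {
		if s != str {
			result = append(result, s)
		}
	}
	return result
}

// YamlToObjects convert YAML content to unstructured objects
//
// Each document framed by json.YAMLFramer becomes one
// *unstructured.Unstructured. A document that fails to decode is logged and
// skipped, so the result can hold fewer objects than the input has documents;
// a caller that applies the result gets a partial apply on malformed input
// rather than an error. Input larger than 64 KiB is routed through
// YamlToObject instead, which presumably handles a single document only
// (TODO confirm: a multi-document input over that size would lose every
// document but the first).
func YamlToObjects(yamlContent []byte) ([]*unstructured.Unstructured, error) {
	var objects []*unstructured.Unstructured

	// This step is for converting large yaml file, we can remove it after using "apimachinery" v0.19.0
	if len(yamlContent) > 1024*64 {
		object, err := YamlToObject(yamlContent)
		if err != nil {
			return nil, err
		}
		return append(objects, object), nil
	}

	yamlDecoder := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)

	reader := json.YAMLFramer.NewFrameReader(ioutil.NopCloser(bytes.NewReader(yamlContent)))
	decoder := streaming.NewDecoder(reader, yamlDecoder)
	for {
		obj, _, err := decoder.Decode(nil, nil)
		if err == io.EOF {
			break
		}
		if err != nil {
			// Deliberate best effort: an undecodable document is skipped, not fatal.
			klog.Infof("error convert object: %v", err)
			continue
		}

		switch t := obj.(type) {
		case *unstructured.Unstructured:
			objects = append(objects, t)
		default:
			return nil, fmt.Errorf("failed to convert object %s", reflect.TypeOf(obj))
		}
	}

	return objects, nil
}

// YamlToObject converting large yaml file, we can remove it after using "apimachinery" v0.19.0
//
// The YAML is converted to JSON and unmarshalled into a single
// *unstructured.Unstructured. Both failure modes are wrapped with %w so the
// caller can inspect the underlying error with errors.Is / errors.As.
func YamlToObject(yamlContent []byte) (*unstructured.Unstructured, error) {
	jsonSpec, err := utilyaml.YAMLToJSON(yamlContent)
	if err != nil {
		return nil, fmt.Errorf("could not convert yaml to json: %w", err)
	}

	obj := &unstructured.Unstructured{}
	if err := obj.UnmarshalJSON(jsonSpec); err != nil {
		return nil, fmt.Errorf("could not unmarshal resource: %w", err)
	}

	return obj, nil
}

// ClearLabelMap removes every entry from m in place. A nil map is a no-op.
func ClearLabelMap(m map[string]string) {
	for k := range m {
		delete(m, k)
	}
}

// --------------------------------------------------------------------------------
// /controllers/resources/certmanager.go:
// --------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.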
//

package resources

// base on doc https://www.ibm.com/docs/en/cpfs?topic=services-configuring-foundational-by-using-custom-resource#cert_resources
//
// CertManagerConfigCR is the default CertManagerConfig manifest as YAML text.
// Defaults visible in it: webhook and certificate refresh enabled, host
// networking disabled, images pulled from icr.io/cpopen/cpfs at version
// 4.2.16, and license.accept set to false (presumably the operand requires an
// explicit acceptance — confirm against the controller that consumes this).
const CertManagerConfigCR = `
apiVersion: operator.ibm.com/v1
kind: CertManagerConfig
metadata:
  labels:
    app.kubernetes.io/instance: ibm-cert-manager-operator
    app.kubernetes.io/managed-by: ibm-cert-manager-operator
    app.kubernetes.io/name: cert-manager
  name: default
spec:
  certManagerCAInjector:
    resources:
      limits:
        cpu: 100m
        memory: 1000Mi
      requests:
        cpu: 30m
        memory: 500Mi
        ephemeral-storage: 256Mi
  certManagerController:
    resources:
      limits:
        cpu: 80m
        memory: 1010Mi
      requests:
        cpu: 20m
        memory: 230Mi
        ephemeral-storage: 510Mi
  certManagerWebhook:
    resources:
      limits:
        cpu: 60m
        memory: 100Mi
      requests:
        cpu: 30m
        memory: 40Mi
        ephemeral-storage: 256Mi
  disableHostNetwork: true
  enableCertRefresh: true
  enableWebhook: true
  imageRegistry: icr.io/cpopen/cpfs
  license:
    accept: false
  version: 4.2.16
status:
  certManagerConfigStatus: ''
`

// --------------------------------------------------------------------------------
// /controllers/resources/constants.go:
// --------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
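// See the License for the specific language governing permissions and
// limitations under the License.
//

package resources

import (
	"os"

	v1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
)

// TrueVar is the variable representing the boolean value true.
//
// Its address (&TrueVar) is what the SecurityContexts in this package store in
// fields such as ReadOnlyRootFilesystem, so every operand container shares one
// backing boolean. A write through any of those pointers, or to TrueVar itself,
// flips the hardening of every operand at once. Treat it as read-only.
var TrueVar = true

// FalseVar is the variable representing the boolean value false. The same
// aliasing caveat as TrueVar applies: &FalseVar backs AllowPrivilegeEscalation
// and Privileged on every operand container.
var FalseVar = false

// CPU quantities shared by the operand containers.
var cpu100 = resource.NewMilliQuantity(100, resource.DecimalSI) // 100m
var cpu500 = resource.NewMilliQuantity(500, resource.DecimalSI) // 500m

// Memory quantities shared by the operand containers.
var memory256 = resource.NewQuantity(256*1024*1024, resource.BinarySI) // 256Mi (comment previously said 300Mi)
var memory300 = resource.NewQuantity(300*1024*1024, resource.BinarySI) // 300Mi
var memory500 = resource.NewQuantity(500*1024*1024, resource.BinarySI) // 500Mi

// replicaCount is the replica count of every operand Deployment; its address is
// shared by all three Deployment templates.
var replicaCount int32 = 1

// timeoutSecondsWebhook is the admission-review timeout, in seconds, set on both
// the mutating and the validating webhook configuration.
var timeoutSecondsWebhook int32 = 10

const certManagerComponentName = "cert-manager"

// OriginalControllerLabelMap is the canonical set of labels used by
// cert-manager-controller. The controller Deployment's selector is built from
// it, and a Deployment selector is immutable once created, so this map must not
// change for an existing installation.
var OriginalControllerLabelMap = map[string]string{
	"app":                          "ibm-cert-manager-controller",
	"app.kubernetes.io/name":       "ibm-cert-manager-controller",
	"app.kubernetes.io/component":  certManagerComponentName,
	"app.kubernetes.io/managed-by": "operator",
	"app.kubernetes.io/instance":   certManagerComponentName,
	"release":                      certManagerComponentName,
}

// ControllerLabelMap holds the labels actually applied to the controller
// Deployment and its pod template. It is empty at package init; presumably the
// reconciler fills it from OriginalControllerLabelMap before the template is
// applied — confirm in the controller, because the API server rejects a
// Deployment whose selector does not match its template labels.
var ControllerLabelMap = map[string]string{}

// OriginalWebhookLabelMap is the canonical set of labels used by the
// cert-manager-webhook. See OriginalControllerLabelMap for the selector caveat.
var OriginalWebhookLabelMap = map[string]string{
	"app":                          "ibm-cert-manager-webhook",
	"app.kubernetes.io/name":       "ibm-cert-manager-webhook",
	"app.kubernetes.io/component":  certManagerComponentName,
	"app.kubernetes.io/managed-by": "operator",
	"app.kubernetes.io/instance":   certManagerComponentName,
	"release":                      certManagerComponentName,
}

// WebhookLabelMap holds the labels applied to the webhook Deployment, pod
// template and webhook configurations. Empty at package init; see
// ControllerLabelMap.
var WebhookLabelMap = map[string]string{}

// OriginalCainjectorLabelMap is the canonical set of labels used by the
// cert-manager-cainjector. See OriginalControllerLabelMap for the selector caveat.
var OriginalCainjectorLabelMap = map[string]string{
	"app":                          "ibm-cert-manager-cainjector",
	"app.kubernetes.io/name":       "ibm-cert-manager-cainjector",
	"app.kubernetes.io/component":  certManagerComponentName,
	"app.kubernetes.io/managed-by": "operator",
	"app.kubernetes.io/instance":   certManagerComponentName,
	"release":                      certManagerComponentName,
}

// CainjectorLabelMap holds the labels applied to the cainjector Deployment and
// pod template. Empty at package init; see ControllerLabelMap.
var CainjectorLabelMap = map[string]string{}

// PodAnnotations are the annotations required for a pod.
//
// NOTE(review): "openshift.io/scc" is the annotation the OpenShift SCC admission
// plugin writes onto an admitted pod to record which SCC applied; pre-setting it
// in a template does not request or grant an SCC and is overwritten on
// admission. Confirm whether anything reads this value before relying on it.
var PodAnnotations = map[string]string{
	"openshift.io/scc": "restricted",
	"productName":      "IBM Cloud Platform Common Services",
	"productID":        "068a62892a1e4db39641342e592daa25",
	"productMetric":    "FREE",
}

// securityAnnotationWebhook is the annotation set for the webhook pod, which
// runs on the host network (pods.go) and is therefore tagged with the
// "hostnetwork" SCC instead of "restricted". See the NOTE on PodAnnotations.
var securityAnnotationWebhook = map[string]string{
	"openshift.io/scc": "hostnetwork",
	"productName":      "IBM Cloud Platform Common Services",
	"productID":        "068a62892a1e4db39641342e592daa25",
	"productMetric":    "FREE",
}

// ControllerLabels is the label selector string for the cert-manager-controller pods.
const ControllerLabels = "app=ibm-cert-manager-controller"

// WebhookLabels is the label selector string for the cert-manager-webhook pods.
const WebhookLabels = "app=ibm-cert-manager-webhook"

// CainjectorLabels is the label selector string for the cert-manager-cainjector pods.
const CainjectorLabels = "app=ibm-cert-manager-cainjector"

// SecretWatchLabel is the label that marks a Secret as watched by the
// cert-manager operator.
const SecretWatchLabel string = "operator.ibm.com/watched-by-cert-manager"

// DefaultNamespace is the namespace the cert-manager services are deployed in
// when DEPLOYED_NAMESPACE is not set (operator installed in all namespaces or
// locally).
const DefaultNamespace = "ibm-cert-manager"

// PodNamespace is the namespace the operator itself runs in, taken from the
// POD_NAMESPACE environment variable. Empty if the variable is unset.
var PodNamespace = os.Getenv("POD_NAMESPACE")

// DeployNamespace is the namespace the cert-manager services will be deployed
// in; see GetDeployNamespace.
var DeployNamespace = GetDeployNamespace()

// pullPolicy is the image pull policy of every operand container.
//
// Supply-chain note: with PullIfNotPresent and the mutable default tags below,
// a node that already holds an image with that tag keeps running it even after
// the tag is re-pushed. Pinning the *ImageEnvVar values to digest references
// (@sha256:...) in the operator manifest makes the operands immutable.
const pullPolicy = v1.PullIfNotPresent

// CertManagerControllerName is the name of the container/pod/deployment for cert-manager-controller.
const CertManagerControllerName = "cert-manager-controller"

// CertManagerAcmeSolverName is the name of the container/pod/deployment for cert-manager-acmesolver.
const CertManagerAcmeSolverName = "cert-manager-acmesolver"

// CertManagerCainjectorName is the name of the container/pod/deployment for cert-manager-cainjector.
const CertManagerCainjectorName = "cert-manager-cainjector"

// CertManagerWebhookName is the name of the container/pod/deployment for cert-manager-webhook.
const CertManagerWebhookName = "cert-manager-webhook"

// ConfigmapWatcherName is the name of the container/pod/deployment for the configmap-watcher.
const ConfigmapWatcherName = "configmap-watcher"

// ImageRegistry is the default image registry for the operand deployments.
const ImageRegistry = "icr.io/cpopen/cpfs"

// ControllerImageVersion is the default image tag used for the
// cert-manager-controller, acmesolver and cainjector images.
const ControllerImageVersion = "0.12.0"

// WebhookImageVersion is the default image tag used for the cert-manager-webhook.
const WebhookImageVersion = "0.12.0"

// ControllerImageName is the image name of the cert-manager-controller.
const ControllerImageName = "icp-cert-manager-controller"

// AcmesolverImageName is the image name of the cert-manager-acmesolver.
const AcmesolverImageName = "icp-cert-manager-acmesolver"

// CainjectorImageName is the image name of the cert-manager-cainjector.
const CainjectorImageName = "icp-cert-manager-cainjector"

// WebhookImageName is the image name of the cert-manager-webhook.
const WebhookImageName = "icp-cert-manager-webhook"

// ControllerImageEnvVar is the env variable name defined in the operator
// container for the controller image. Check operator.yaml.
const ControllerImageEnvVar = "ICP_CERT_MANAGER_CONTROLLER_IMAGE"

// WebhookImageEnvVar is the env variable name defined in the operator
// container for the webhook image. Check operator.yaml.
const WebhookImageEnvVar = "ICP_CERT_MANAGER_WEBHOOK_IMAGE"

// CaInjectorImageEnvVar is the env variable name defined in the operator
// container for the cainjector image. Check operator.yaml.
const CaInjectorImageEnvVar = "ICP_CERT_MANAGER_CAINJECTOR_IMAGE"

// AcmeSolverImageEnvVar is the env variable name defined in the operator
// container for the acme-solver image. Check operator.yaml.
const AcmeSolverImageEnvVar = "ICP_CERT_MANAGER_ACMESOLVER_IMAGE"

// DefaultImagePostfix is empty. It stands for any platform suffix appended to
// an image tag (never to a digest reference; see GetImageID).
const DefaultImagePostfix = ""

// Resolved operand image references. An environment variable, when set,
// overrides the registry/name/tag default, so whoever controls the operator's
// environment controls which operand images run (see GetImageID).
var controllerImage = GetImageID(ImageRegistry, ControllerImageName, ControllerImageVersion, DefaultImagePostfix, ControllerImageEnvVar)
var acmesolverImage = GetImageID(ImageRegistry, AcmesolverImageName, ControllerImageVersion, DefaultImagePostfix, AcmeSolverImageEnvVar)
var cainjectorImage = GetImageID(ImageRegistry, CainjectorImageName, ControllerImageVersion, DefaultImagePostfix, CaInjectorImageEnvVar)
var webhookImage = GetImageID(ImageRegistry, WebhookImageName, WebhookImageVersion, DefaultImagePostfix, WebhookImageEnvVar)

// ServiceAccount is the name of the default service account for cert-manager
// services.
//
// NOTE(review): the pod templates in pods.go use per-operand service accounts
// (ibm-cert-manager-controller, -webhook, -cainjector), not this value; it is
// presumably legacy — confirm before relying on it.
const ServiceAccount = "cert-manager"

// ClusterRoleName is the default name of the clusterrole and clusterrolebinding
// used by the cert-manager services.
const ClusterRoleName = "cert-manager"

// runAsNonRoot is shared by address with every pod and container security
// context; see the aliasing caveat on TrueVar.
var runAsNonRoot = true

// Liveness probe settings shared by all operands.
//
// The exec actions below only check that a process with the expected name
// exists (pgrep); a hung process still passes. An HTTP health endpoint would be
// a stronger signal if the operand images expose one — confirm before switching.
var initialDelaySecondsLiveness int32 = 60
var timeoutSecondsLiveness int32 = 10
var periodSecondsLiveness int32 = 30
var failureThresholdLiveness int32 = 10
var livenessExecActionController = v1.ExecAction{
	Command: []string{"sh", "-c", "pgrep cert-manager -l"},
}
var livenessExecActionCainjector = v1.ExecAction{
	Command: []string{"sh", "-c", "pgrep cainjector -l"},
}
var livenessExecActionWebhook = v1.ExecAction{
	Command: []string{"sh", "-c", "pgrep webhook -l"},
}

// Readiness probe settings shared by all operands.
//
// NOTE(review): the readiness commands are `exec echo ...`, which always exit 0,
// so a pod is reported Ready once the initial delay elapses whether or not the
// process is serving. For the webhook this matters: its Service endpoint becomes
// routable before the TLS listener is necessarily up, and because the webhook
// configurations use FailurePolicy Fail (webhook_resources.go), admission of
// cert-manager.io resources can fail during that window.
var initialDelaySecondsReadiness int32 = 60
var timeoutSecondsReadiness int32 = 10
var periodSecondsReadiness int32 = 30
var failureThresholdReadiness int32 = 10
var readinessExecActionController = v1.ExecAction{
	Command: []string{"sh", "-c", "exec echo start cert-manager"},
}
var readinessExecActionCainjector = v1.ExecAction{
	Command: []string{"sh", "-c", "exec echo start cert-manager cainjector"},
}
var readinessExecActionWebhook = v1.ExecAction{
	Command: []string{"sh", "-c", "exec echo start cert-manager webhook"},
}

// Cert-manager args

// WebhookServingSecret is the name of the TLS secret used for serving the
// cert-manager-webhook; its CA is what gets injected into the webhook
// configurations' caBundle.
const WebhookServingSecret = "cert-manager-webhook-ca"

// ResourceNS is the cluster-resource-namespace argument for cert-manager-controller,
// derived from DeployNamespace.
var ResourceNS = "--cluster-resource-namespace=" + DeployNamespace

// leaderElectNS pins the controller's leader-election namespace to "cert-manager".
//
// NOTE(review): this is hard-coded while every other namespace-dependent
// argument derives from DeployNamespace (default "ibm-cert-manager"). The
// controller's service account therefore needs leader-election RBAC in a
// namespace it is not deployed to, and that namespace must exist; confirm this
// is intentional rather than a leftover.
const leaderElectNS = "--leader-election-namespace=cert-manager"

// AcmeSolverArg tells cert-manager-controller which acme solver image to use.
var AcmeSolverArg = "--acme-http01-solver-image=" + acmesolverImage

// DefaultArgs are the default arguments used for cert-manager-controller
// (currently none).
var DefaultArgs = []string{}
--------------------------------------------------------------------------------
/controllers/resources/containers.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.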
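//

package resources

import (
	"strconv"
	"strings"

	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
)

// webhookSecurePort is the TLS port the cert-manager-webhook listens on. It is
// the single source of truth for both the --secure-port argument and the
// declared ContainerPort below, which previously carried the number
// independently. WebhookSvc in webhook_resources.go must keep targeting it.
//
// NOTE(review): the webhook pod uses HostNetwork (pods.go), so this port is
// bound in the node's network namespace, and 10250 is also the kubelet's
// default listening port. Verify on every supported platform that the two do
// not collide before changing either side.
const webhookSecurePort int32 = 10250

// hardenedSecurityContext returns the baseline container SecurityContext for
// all operands: non-root, no privilege escalation, read-only root filesystem,
// not privileged, every capability dropped, runtime-default seccomp profile.
// A fresh value is returned per call so the per-operand contexts do not alias.
func hardenedSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		RunAsNonRoot:             &runAsNonRoot,
		AllowPrivilegeEscalation: &FalseVar,
		ReadOnlyRootFilesystem:   &TrueVar,
		Privileged:               &FalseVar,
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	}
}

// containerSecurityGeneral is the SecurityContext of the controller and
// cainjector containers.
var containerSecurityGeneral = hardenedSecurityContext()

// containerSecurityWebhook is the SecurityContext of the webhook container. It
// is identical to containerSecurityGeneral today but kept as a distinct value so
// the webhook (the only operand on the host network) can be tuned separately.
var containerSecurityWebhook = hardenedSecurityContext()

// cpuMemory is the ResourceRequirements shared by all operand containers:
// requests 100m CPU / 300Mi memory / 256Mi ephemeral storage, limits 500m / 500Mi.
var cpuMemory = corev1.ResourceRequirements{
	Limits: map[corev1.ResourceName]resource.Quantity{
		corev1.ResourceCPU:    *cpu500,
		corev1.ResourceMemory: *memory500,
	},
	Requests: map[corev1.ResourceName]resource.Quantity{
		corev1.ResourceCPU:              *cpu100,
		corev1.ResourceMemory:           *memory300,
		corev1.ResourceEphemeralStorage: *memory256,
	},
}

// livenessProbe wraps an exec action in a Probe using the shared liveness
// timing from constants.go. The actions only check that a named process exists
// (pgrep), so a hung process still passes.
func livenessProbe(action *corev1.ExecAction) *corev1.Probe {
	return &corev1.Probe{
		ProbeHandler:        corev1.ProbeHandler{Exec: action},
		InitialDelaySeconds: initialDelaySecondsLiveness,
		TimeoutSeconds:      timeoutSecondsLiveness,
		PeriodSeconds:       periodSecondsLiveness,
		FailureThreshold:    failureThresholdLiveness,
	}
}

// readinessProbe wraps an exec action in a Probe using the shared readiness
// timing from constants.go.
//
// NOTE(review): the readiness actions are `exec echo ...`, which always
// succeed, so a pod is Ready once the initial delay elapses whether or not it
// is serving. For the webhook, whose configurations use FailurePolicy Fail,
// that can surface as admission errors for cert-manager.io resources until the
// TLS listener is actually up.
func readinessProbe(action *corev1.ExecAction) *corev1.Probe {
	return &corev1.Probe{
		ProbeHandler:        corev1.ProbeHandler{Exec: action},
		InitialDelaySeconds: initialDelaySecondsReadiness,
		TimeoutSeconds:      timeoutSecondsReadiness,
		PeriodSeconds:       periodSecondsReadiness,
		FailureThreshold:    failureThresholdReadiness,
	}
}

// podNamespaceEnv exposes the pod's own namespace to the operand through the
// downward API.
func podNamespaceEnv() corev1.EnvVar {
	return corev1.EnvVar{
		Name: "POD_NAMESPACE",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{FieldPath: "metadata.namespace"},
		},
	}
}

// controllerContainer is the cert-manager-controller container.
var controllerContainer = corev1.Container{
	Name:            CertManagerControllerName,
	Image:           controllerImage,
	ImagePullPolicy: pullPolicy,
	Args:            []string{leaderElectNS},
	Env: []corev1.EnvVar{
		podNamespaceEnv(),
		{Name: "POD_RESTART", Value: "true"},
	},
	LivenessProbe:   livenessProbe(&livenessExecActionController),
	ReadinessProbe:  readinessProbe(&readinessExecActionController),
	SecurityContext: containerSecurityGeneral,
	Resources:       cpuMemory,
}

// webhookContainer is the cert-manager-webhook container. It serves TLS on
// webhookSecurePort with the certificate kept in WebhookServingSecret, and
// requests SANs for the Service name in short, namespaced and ".svc" form so
// the API server's connection to <name>.<namespace>.svc verifies.
var webhookContainer = corev1.Container{
	Name:            CertManagerWebhookName,
	Image:           webhookImage,
	ImagePullPolicy: pullPolicy,
	Args: []string{
		"--v=2",
		"--secure-port=" + strconv.Itoa(int(webhookSecurePort)),
		"--dynamic-serving-ca-secret-namespace=" + DeployNamespace,
		"--dynamic-serving-ca-secret-name=" + WebhookServingSecret,
		"--dynamic-serving-dns-names=" + strings.Join([]string{
			CertManagerWebhookName,
			CertManagerWebhookName + "." + DeployNamespace,
			CertManagerWebhookName + "." + DeployNamespace + ".svc",
		}, ","),
	},
	Env: []corev1.EnvVar{podNamespaceEnv()},
	Ports: []corev1.ContainerPort{{
		Name:          "https",
		Protocol:      corev1.ProtocolTCP,
		ContainerPort: webhookSecurePort,
	}},
	LivenessProbe:   livenessProbe(&livenessExecActionWebhook),
	ReadinessProbe:  readinessProbe(&readinessExecActionWebhook),
	SecurityContext: containerSecurityWebhook,
	Resources:       cpuMemory,
}

// cainjectorContainer is the cert-manager-cainjector container.
var cainjectorContainer = corev1.Container{
	Name:            CertManagerCainjectorName,
	Image:           cainjectorImage,
	ImagePullPolicy: pullPolicy,
	Env:             []corev1.EnvVar{podNamespaceEnv()},
	LivenessProbe:   livenessProbe(&livenessExecActionCainjector),
	ReadinessProbe:  readinessProbe(&readinessExecActionCainjector),
	SecurityContext: containerSecurityGeneral,
	Resources:       cpuMemory,
}
--------------------------------------------------------------------------------
/controllers/resources/deployments.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.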
//

package resources

import (
	appsv1 "k8s.io/api/apps/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// operandDeployment assembles a single-replica Deployment template for one
// operand. Namespace is left unset on the returned object; presumably the
// reconciler sets it before creating the object — confirm in the controller.
//
// selector must be a subset of the labels that end up on the pod template and
// is immutable once the Deployment exists, which is why the callers below pass
// the fixed Original*LabelMap (or a single "app" label) as the selector while
// the mutable *LabelMap variables are applied as labels.
func operandDeployment(name string, labels, selector, annotations map[string]string, pod corev1.PodSpec) *appsv1.Deployment {
	return &appsv1.Deployment{
		ObjectMeta: metav1.ObjectMeta{
			Name:   name,
			Labels: labels,
		},
		Spec: appsv1.DeploymentSpec{
			Replicas: &replicaCount,
			Selector: &metav1.LabelSelector{MatchLabels: selector},
			Template: corev1.PodTemplateSpec{
				ObjectMeta: metav1.ObjectMeta{
					Labels:      labels,
					Annotations: annotations,
				},
				Spec: pod,
			},
		},
	}
}

// ControllerDeployment is the deployment template for deploying the cert-manager-controller.
// ControllerLabelMap is empty at package init (constants.go); it must be
// populated so that it covers OriginalControllerLabelMap before this template
// is applied, otherwise the API server rejects the Deployment.
var ControllerDeployment = operandDeployment(
	CertManagerControllerName,
	ControllerLabelMap,
	OriginalControllerLabelMap,
	PodAnnotations,
	certManagerControllerPod,
)

// WebhookDeployment is the deployment template for deploying the cert-manager-webhook.
// Its selector matches only the "app" label, unlike the other two operands;
// changing it would require recreating the Deployment.
var WebhookDeployment = operandDeployment(
	CertManagerWebhookName,
	WebhookLabelMap,
	map[string]string{"app": "ibm-cert-manager-webhook"},
	securityAnnotationWebhook,
	certManagerWebhookPod,
)

// CainjectorDeployment is the deployment template for deploying the cert-manager-cainjector.
var CainjectorDeployment = operandDeployment(
	CertManagerCainjectorName,
	CainjectorLabelMap,
	OriginalCainjectorLabelMap,
	PodAnnotations,
	certManagerCainjectorPod,
)
--------------------------------------------------------------------------------
/controllers/resources/pods.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

package resources

import (
	corev1 "k8s.io/api/core/v1"
)

// podAffinity is a hard node-affinity rule that keeps every operand pod on an
// architecture the operand images are built for: amd64, ppc64le or s390x.
var podAffinity = &corev1.Affinity{
	NodeAffinity: &corev1.NodeAffinity{
		RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{
			NodeSelectorTerms: []corev1.NodeSelectorTerm{{
				MatchExpressions: []corev1.NodeSelectorRequirement{{
					Key:      "kubernetes.io/arch",
					Operator: corev1.NodeSelectorOpIn,
					Values:   []string{"amd64", "ppc64le", "s390x"},
				}},
			}},
		},
	},
}

// seccompProfile selects the container runtime's default seccomp profile.
var seccompProfile = &corev1.SeccompProfile{
	Type: corev1.SeccompProfileTypeRuntimeDefault,
}

// podSecurity is the pod-level security context shared by all operands: the
// kubelet refuses to start a container that would run as UID 0, and the
// runtime-default seccomp profile applies. No RunAsUser/FSGroup is set here, so
// the UID comes from the image or from the platform's admission (SCC/PSA).
var podSecurity = &corev1.PodSecurityContext{
	RunAsNonRoot:   &runAsNonRoot,
	SeccompProfile: seccompProfile,
}

// operandPod builds the PodSpec shared by the three operands: pinned to a
// supported architecture, running as the given service account under
// podSecurity, with a single container.
func operandPod(serviceAccount string, hostNetwork bool, container corev1.Container) corev1.PodSpec {
	return corev1.PodSpec{
		Affinity:           podAffinity,
		HostNetwork:        hostNetwork,
		ServiceAccountName: serviceAccount,
		SecurityContext:    podSecurity,
		Containers:         []corev1.Container{container},
	}
}

// certManagerControllerPod is the pod template body for cert-manager-controller.
var certManagerControllerPod = operandPod("ibm-cert-manager-controller", false, controllerContainer)

// certManagerWebhookPod is the pod template body for cert-manager-webhook.
//
// The webhook runs with HostNetwork, so its listener is bound in the node's
// network namespace (hence the "hostnetwork" SCC annotation in constants.go)
// and the container can reach node-local services directly; the dropped
// capabilities and non-root UID from containers.go are what bound that
// exposure. NOTE(review): no DNSPolicy is set, and for host-network pods the
// default ClusterFirst falls back to the node's resolver, so in-cluster Service
// names are not resolvable from this pod; that is fine as long as the webhook
// reaches the API server only through the kubelet-injected
// KUBERNETES_SERVICE_HOST — confirm.
var certManagerWebhookPod = operandPod("ibm-cert-manager-webhook", TrueVar, webhookContainer)

// certManagerCainjectorPod is the pod template body for cert-manager-cainjector.
var certManagerCainjectorPod = operandPod("ibm-cert-manager-cainjector", false, cainjectorContainer)
--------------------------------------------------------------------------------
/controllers/resources/util.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
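// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

package resources

import (
	"os"
	"strings"

	logf "sigs.k8s.io/controller-runtime/pkg/log"
)

var log = logf.Log.WithName("resource_utils")

// GetImageID constructs the image reference for an operand, either
// "<registry>/<name>:<tag>" or "<registry>/<name>@sha256:<digest>".
//
// If the environment variable envVarName is set, its value is used as the
// reference (surrounding whitespace stripped) and imagePostfix is appended only
// when the value is a tag reference; a digest reference is never modified since
// appending anything to it would make it invalid. Otherwise the default
// "<imageRegistry>/<imageName>:<defaultImageVersion><imagePostfix>" is built.
//
// Supply-chain note: whoever controls the operator's environment controls which
// operand images run. Pin the env vars to digest references (@sha256:...) in
// the operator's own manifest so the operands are immutable; a mutable tag
// combined with the PullIfNotPresent policy in constants.go can leave a stale
// image running on a node indefinitely.
func GetImageID(imageRegistry, imageName, defaultImageVersion, imagePostfix, envVarName string) string {
	// Trim whitespace so a trailing newline copied into the env var (a common
	// ConfigMap/Secret artefact) does not turn into an invalid image reference.
	imageID := strings.TrimSpace(os.Getenv(envVarName))

	if imageID == "" {
		log.V(2).Info("Using default tag value for operand image " + imageName)
		return imageRegistry + "/" + imageName + ":" + defaultImageVersion + imagePostfix
	}

	log.V(2).Info("Using env var for operand image: " + imageName)
	if imagePostfix != "" && !strings.Contains(imageID, "sha256:") {
		imageID += imagePostfix
	}
	return imageID
}

// GetDeployNamespace returns the namespace the cert-manager operands are
// deployed in: the value of DEPLOYED_NAMESPACE (whitespace trimmed, since a
// padded value would not be a valid namespace name), or DefaultNamespace when
// the variable is unset or empty.
func GetDeployNamespace() string {
	if ns := strings.TrimSpace(os.Getenv("DEPLOYED_NAMESPACE")); ns != "" {
		return ns
	}
	return DefaultNamespace
}
--------------------------------------------------------------------------------
/controllers/resources/webhook_resources.go: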
--------------------------------------------------------------------------------
//
// Copyright 2022 IBM Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

package resources

import (
	admRegv1 "k8s.io/api/admissionregistration/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/util/intstr"
	apiRegv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
)

// Shared webhook settings. They are variables (not constants) because the
// configurations below store their addresses.
var (
	valPath      = "/validate"
	mutationPath = "/mutate"
	// failPolicy: a webhook that is unreachable or times out rejects the
	// request, so cert-manager.io resources cannot bypass validation while the
	// webhook is down. Combine with the readiness caveat in constants.go.
	failPolicy = admRegv1.Fail
	// sideEffect None asserts the webhook makes no out-of-band changes, which
	// is what allows the API server to send dry-run requests to it.
	sideEffect = admRegv1.SideEffectClassNone
)

// webhookRules returns a fresh copy of the admission rules shared by the
// mutating and validating webhooks: CREATE and UPDATE of every v1 resource and
// subresource in the cert-manager.io and acme.cert-manager.io groups. A new
// slice is built per call so the two configurations never alias one array.
func webhookRules() []admRegv1.RuleWithOperations {
	return []admRegv1.RuleWithOperations{{
		Operations: []admRegv1.OperationType{admRegv1.Create, admRegv1.Update},
		Rule: admRegv1.Rule{
			APIGroups:   []string{"cert-manager.io", "acme.cert-manager.io"},
			APIVersions: []string{"v1"},
			Resources:   []string{"*/*"},
		},
	}}
}

// caInjectionAnnotations returns the annotation that asks cainjector to copy
// the CA from the webhook's serving secret into the configuration's caBundle,
// which is what lets the API server verify the webhook's TLS certificate.
func caInjectionAnnotations() map[string]string {
	return map[string]string{
		"cert-manager.io/inject-ca-from-secret": DeployNamespace + "/" + WebhookServingSecret,
	}
}

// webhookClientConfig points the API server at the webhook Service in
// DeployNamespace on the given path.
func webhookClientConfig(path *string) admRegv1.WebhookClientConfig {
	return admRegv1.WebhookClientConfig{
		Service: &admRegv1.ServiceReference{
			Namespace: DeployNamespace,
			Name:      CertManagerWebhookName,
			Path:      path,
		},
	}
}

// MutatingWebhook is the mutating webhook definition for cert-manager-webhook.
//
// NOTE(review): unlike ValidatingWebhook it carries no NamespaceSelector, so
// with FailurePolicy Fail even objects in the operator's own namespace depend
// on the webhook being reachable; confirm that nothing in DeployNamespace has
// to be created while the webhook is down.
var MutatingWebhook = &admRegv1.MutatingWebhookConfiguration{
	ObjectMeta: metav1.ObjectMeta{
		Name:        CertManagerWebhookName,
		Labels:      WebhookLabelMap,
		Annotations: caInjectionAnnotations(),
	},
	Webhooks: []admRegv1.MutatingWebhook{{
		Name:                    "webhook.cert-manager.io",
		ClientConfig:            webhookClientConfig(&mutationPath),
		Rules:                   webhookRules(),
		FailurePolicy:           &failPolicy,
		SideEffects:             &sideEffect,
		AdmissionReviewVersions: []string{"v1"},
		TimeoutSeconds:          &timeoutSecondsWebhook,
	}},
}

// APISvcName is the name used for cert-manager-webhooks' apiservice definition.
const APISvcName = "v1beta1.webhook.certmanager.k8s.io"

// APIService is the apiservice for cert-manager-webhook.
//
// NOTE(review): this is the legacy aggregated-API registration. Its
// ServiceReference carries no Namespace and the spec sets neither CABundle nor
// InsecureSkipTLSVerify, so as written the API server has no CA to verify the
// backend with. Confirm whether anything still depends on this object or
// whether it is only retained so older installs can be cleaned up.
var APIService = &apiRegv1.APIService{
	ObjectMeta: metav1.ObjectMeta{
		Name:   APISvcName,
		Labels: map[string]string{"app": "ibm-cert-manager-webhook"},
		// Deliberately empty; the former
		// "certmanager.k8s.io/inject-ca-from-secret" annotation is no longer set.
		Annotations: map[string]string{},
	},
	Spec: apiRegv1.APIServiceSpec{
		Group:                "webhook.certmanager.k8s.io",
		GroupPriorityMinimum: 1000,
		VersionPriority:      15,
		Service: &apiRegv1.ServiceReference{
			Name: CertManagerWebhookName,
		},
		Version: "v1beta1",
	},
}

// WebhookSvc is the ClusterIP Service in front of cert-manager-webhook. It
// exposes 443 and forwards to the container's 10250 listener, which must match
// the --secure-port/ContainerPort configured in containers.go.
var WebhookSvc = &corev1.Service{
	ObjectMeta: metav1.ObjectMeta{
		Name:      CertManagerWebhookName,
		Namespace: DeployNamespace,
		Labels:    map[string]string{"app": "ibm-cert-manager-webhook"},
	},
	Spec: corev1.ServiceSpec{
		Type:     corev1.ServiceTypeClusterIP,
		Selector: map[string]string{"app": "ibm-cert-manager-webhook"},
		Ports: []corev1.ServicePort{{
			Name:       "https",
			Port:       443,
			Protocol:   "TCP",
			TargetPort: intstr.IntOrString{IntVal: 10250},
		}},
	},
}

// ValidatingWebhook is the validating webhook definition for cert-manager-webhook.
//
// Two namespace opt-outs apply: any namespace labelled
// cert-manager.io/disable-validation=true, and the namespace labelled
// name=<DeployNamespace> (the operator's own, to avoid a bootstrap deadlock).
// NOTE(review): both are label-based. The first means anyone who can label a
// namespace can exempt it from validation; the second relies on a "name" label
// being present on the deploy namespace rather than on the API-server-managed
// kubernetes.io/metadata.name label — confirm the label is always set on the
// supported platforms.
var ValidatingWebhook = &admRegv1.ValidatingWebhookConfiguration{
	ObjectMeta: metav1.ObjectMeta{
		Name:        CertManagerWebhookName,
		Labels:      WebhookLabelMap,
		Annotations: caInjectionAnnotations(),
	},
	Webhooks: []admRegv1.ValidatingWebhook{{
		Name:                    "webhook.cert-manager.io",
		ClientConfig:            webhookClientConfig(&valPath),
		Rules:                   webhookRules(),
		FailurePolicy:           &failPolicy,
		SideEffects:             &sideEffect,
		AdmissionReviewVersions: []string{"v1"},
		TimeoutSeconds:          &timeoutSecondsWebhook,
		NamespaceSelector: &metav1.LabelSelector{
			MatchExpressions: []metav1.LabelSelectorRequirement{
				{
					Key:      "cert-manager.io/disable-validation",
					Operator: metav1.LabelSelectorOpNotIn,
					Values:   []string{"true"},
				},
				{
					Key:      "name",
					Operator: metav1.LabelSelectorOpNotIn,
					Values:   []string{DeployNamespace},
				},
			},
		},
	}},
}
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module github.com/ibm/ibm-cert-manager-operator/v4

go 1.23.0

toolchain go1.23.4

require (
	github.com/onsi/ginkgo v1.16.5
	github.com/onsi/gomega v1.27.10
	k8s.io/api v0.28.1
	k8s.io/apiextensions-apiserver v0.28.1
	k8s.io/apimachinery v0.28.1
	k8s.io/client-go v0.28.1
	// NOTE(review): lags the other k8s.io modules (v0.28.1); align on the next bump.
	k8s.io/kube-aggregator v0.25.1
	sigs.k8s.io/controller-runtime v0.16.1
	sigs.k8s.io/gateway-api v0.8.1
)

require (
	github.com/emicklei/go-restful/v3 v3.10.0 // indirect
	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
	github.com/go-openapi/jsonpointer v0.19.6 // indirect
	github.com/go-openapi/jsonreference v0.20.2 // indirect
	github.com/go-openapi/swag v0.22.3 // indirect
	github.com/google/gnostic-models v0.6.8 // indirect
	github.com/josharian/intern v1.0.0 // indirect
	github.com/mailru/easyjson v0.7.7 // indirect
	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
	github.com/pkg/errors v0.9.1 // indirect
	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
	github.com/rogpeppe/go-internal v1.11.0 // indirect
	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
)

require (
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/cespare/xxhash/v2 v2.2.0 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/fsnotify/fsnotify v1.6.0 // indirect
	github.com/ghodss/yaml v1.0.0
	github.com/go-logr/logr v1.2.4 // indirect
	github.com/go-logr/zapr v1.2.4 // indirect
	github.com/gogo/protobuf v1.3.2 // indirect
	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
	github.com/golang/protobuf v1.5.3 // indirect
	github.com/google/go-cmp v0.6.0 // indirect
	github.com/google/gofuzz v1.2.0 // indirect
	github.com/google/uuid v1.3.0 // indirect
	github.com/imdario/mergo v0.3.12 // indirect
	github.com/json-iterator/go v1.1.12 // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
	github.com/modern-go/reflect2 v1.0.2 // indirect
	github.com/nxadm/tail v1.4.8 // indirect
	github.com/prometheus/client_golang v1.16.0 // indirect
	github.com/prometheus/client_model v0.4.0 // indirect
	github.com/prometheus/common v0.44.0 // indirect
	github.com/prometheus/procfs v0.10.1 // indirect
	github.com/spf13/pflag v1.0.5 // indirect
	go.uber.org/multierr v1.11.0 // indirect
	go.uber.org/zap v1.25.0 // indirect
	golang.org/x/net v0.38.0 // indirect
	golang.org/x/oauth2 v0.27.0 // indirect
	golang.org/x/sys v0.31.0 // indirect
	golang.org/x/term v0.30.0 // indirect
	golang.org/x/text v0.23.0 // indirect
	golang.org/x/time v0.3.0 // indirect
	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
	google.golang.org/protobuf v1.33.0 // indirect
	gopkg.in/inf.v0 v0.9.1 // indirect
	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
	gopkg.in/yaml.v2 v2.4.0 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
	k8s.io/component-base v0.28.1 // indirect
	k8s.io/klog v1.0.0
	k8s.io/klog/v2 v2.100.1 // indirect
	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
	sigs.k8s.io/yaml v1.3.0 // indirect
)
--------------------------------------------------------------------------------
/hack/boilerplate.go.txt:
--------------------------------------------------------------------------------
/*
Copyright 2022.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ -------------------------------------------------------------------------------- /hack/fixup-cert-manager-manifests.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright 2022 IBM Corporation 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | """ 19 | Manipulate the upstream cert-manager yaml manifests so that they are more 20 | compatible with OLM. 
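* Reduces the combined size of CRDs to <1MiB (the size limit of a configmap)
This is a workaround for https://github.com/operator-framework/operator-lifecycle-manager/issues/1523
Adapted from
https://raw.githubusercontent.com/kubevirt/hyperconverged-cluster-operator/c6b425961feb0f350655ccfa7401336b30de66ab/hack/strip_old_descriptions.py
in https://github.com/kubevirt/hyperconverged-cluster-operator/pull/1396
Retain only the description fields of the stored API version with the exception of descriptions related to podTemplate,
because those are so verbose and repeated multiple times.
Usage:
hack/fixup-cert-manager-manifests.py < build/cert-manager-1.4.0.upstream.yaml > build/cert-manager-1.4.0.olm.yaml
"""
import sys

import yaml

# Keys that are dropped whenever ``keep`` is falsy.
rubbish = ("description",)


def remove_descriptions(obj, keep=True, context=None):
    """
    Recursively remove any field called "description".

    obj:     a parsed YAML value; dicts and lists are rebuilt, scalars are
             returned unchanged.
    keep:    when truthy, "description" keys are retained at this level and
             below, until a "podTemplate" key is entered.
    context: the key under which ``obj`` sits in its parent dict (None for
             list items and the root); entering "podTemplate" turns ``keep``
             off for the whole subtree.
    Returns the filtered copy of ``obj``.
    """
    if context == "podTemplate":
        keep = False

    if isinstance(obj, dict):
        obj = {
            key: remove_descriptions(value, keep, context=key)
            for key, value in obj.items()
            if keep or key not in rubbish
        }
    elif isinstance(obj, list):
        obj = [remove_descriptions(item, keep, context=None) for item in obj]
    return obj


def remove_descriptions_from_non_storage_versions_in_crd(crd):
    """
    Remove the description fields from the non-stored CRD versions.

    ``crd`` is mutated in place: each entry of ``spec.versions`` is replaced by
    its filtered copy. A version without a ``storage`` key is treated as
    non-stored (``get`` yields None, which is falsy), so its descriptions are
    stripped. Raises KeyError if ``spec.versions`` is absent.
    """
    crd_versions = crd["spec"]["versions"]
    for i, crd_version in enumerate(crd_versions):
        crd_versions[i] = remove_descriptions(crd_version, keep=crd_version.get("storage"))


def main():
    """
    Strip duplicate description fields from all supplied CRD files.

    Reads a multi-document YAML stream from stdin and writes the (possibly
    reduced) documents to stdout, each followed by a "---" separator.
    safe_load_all is used deliberately: the input is treated as data only and
    no object construction is possible.
    """
    for doc in yaml.safe_load_all(sys.stdin):
        # An empty document (for example one left by a trailing "---", which
        # this script itself emits, so re-running over its own output is a
        # normal case) loads as None. Skip it instead of failing on .get or
        # re-emitting it as "null".
        if doc is None:
            continue
        if isinstance(doc, dict) and doc.get("kind", "") == "CustomResourceDefinition":
            remove_descriptions_from_non_storage_versions_in_crd(doc)
        yaml.safe_dump(doc, sys.stdout)
        sys.stdout.write("---\n")


if __name__ == "__main__":
    main()
-------------------------------------------------------------------------------- /hack/reduce-bundle-crds.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Copyright 2022 IBM Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.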
16 | # 17 | 18 | set -o errexit 19 | set -o errtrace 20 | set -o nounset 21 | set -o pipefail 22 | 23 | mkdir -p hack/tmp 24 | 25 | for f in bundle/manifests/cert*.yaml; do 26 | filename="$(basename "$f")" 27 | hack/fixup-cert-manager-manifests.py < "$f" > hack/tmp/"$filename" 28 | cp hack/tmp/"$filename" "$f" 29 | done 30 | -------------------------------------------------------------------------------- /helm-cluster-scoped/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ibm-cert-manager-operator-cluster-scoped 3 | description: A Helm chart for ibm-cert-manager-operator 4 | type: application 5 | version: 4.2.16 6 | appVersion: 4.2.16 -------------------------------------------------------------------------------- /helm-cluster-scoped/templates/cluster-rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: ibm-cert-manager-operator 6 | labels: 7 | app.kubernetes.io/instance: ibm-cert-manager-operator 8 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 9 | app.kubernetes.io/name: cert-manager 10 | component-id: {{ .Chart.Name }} 11 | {{- with .Values.cpfs.labels }} 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | rules: 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - configmaps 19 | verbs: 20 | - get 21 | - list 22 | - apiGroups: 23 | - "" 24 | resources: 25 | - events 26 | verbs: 27 | - create 28 | - get 29 | - patch 30 | - update 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - pods 35 | verbs: 36 | - create 37 | - delete 38 | - get 39 | - list 40 | - watch 41 | - apiGroups: 42 | - "" 43 | resources: 44 | - secrets 45 | verbs: 46 | - create 47 | - delete 48 | - get 49 | - list 50 | - patch 51 | - update 52 | - watch 53 | - apiGroups: 54 | - "" 55 | resources: 56 | - serviceaccounts 57 | verbs: 58 | - create 59 | - delete 60 | - get 61 | - list 62 | - patch 63 | - update 64 | - watch 65 | - apiGroups: 66 | - "" 67 | resources: 68 | - services 69 | verbs: 70 | - create 71 | - delete 72 | - get 73 | - list 74 | - update 75 | - watch 76 | - apiGroups: 77 | - acme.cert-manager.io 78 | resources: 79 | - challenges 80 | - orders 81 | verbs: 82 | - create 83 | - delete 84 | - deletecollection 85 | - get 86 | - list 87 | - patch 88 | - update 89 | - watch 90 | - apiGroups: 91 | - acme.cert-manager.io 92 | resources: 93 | - challenges/finalizers 94 | - challenges/status 95 | - orders/finalizers 96 | - orders/status 97 | verbs: 98 | - update 99 | - apiGroups: 100 | - admissionregistration.k8s.io 101 | resources: 102 | - mutatingwebhookconfigurations 103 | verbs: 104 | - create 105 | - delete 106 | - get 107 | - list 108 | - patch 109 | - update 110 | - watch 111 | - apiGroups: 112 | - admissionregistration.k8s.io 113 | resources: 114 | - validatingwebhookconfigurations 115 | verbs: 116 | - create 117 | - delete 118 | - get 119 | - list 120 | - patch 121 | - update 122 | - watch 123 | - apiGroups: 124 | - apiextensions.k8s.io 125 | resources: 126 | - customresourcedefinitions 127 | verbs: 128 | - create 129 | - delete 130 | - get 131 | - list 132 | - patch 133 | - update 134 | - watch 135 | - apiGroups: 136 | - apiregistration.k8s.io 137 | 
resources: 138 | - apiservices 139 | verbs: 140 | - create 141 | - delete 142 | - get 143 | - list 144 | - patch 145 | - update 146 | - watch 147 | - apiGroups: 148 | - apps 149 | resources: 150 | - daemonsets 151 | - deployments 152 | - statefulsets 153 | verbs: 154 | - create 155 | - get 156 | - list 157 | - patch 158 | - update 159 | - watch 160 | - apiGroups: 161 | - apps 162 | resources: 163 | - deployments 164 | verbs: 165 | - create 166 | - delete 167 | - get 168 | - list 169 | - patch 170 | - update 171 | - watch 172 | - apiGroups: 173 | - auditregistration.k8s.io 174 | resources: 175 | - auditsinks 176 | verbs: 177 | - get 178 | - list 179 | - update 180 | - watch 181 | - apiGroups: 182 | - authorization.k8s.io 183 | resources: 184 | - subjectaccessreviews 185 | verbs: 186 | - create 187 | - apiGroups: 188 | - cert-manager.io 189 | resources: 190 | - certificaterequests 191 | verbs: 192 | - create 193 | - delete 194 | - deletecollection 195 | - get 196 | - list 197 | - patch 198 | - update 199 | - watch 200 | - apiGroups: 201 | - cert-manager.io 202 | resources: 203 | - certificaterequests/finalizers 204 | verbs: 205 | - update 206 | - apiGroups: 207 | - cert-manager.io 208 | resources: 209 | - certificaterequests/status 210 | verbs: 211 | - update 212 | - apiGroups: 213 | - cert-manager.io 214 | resources: 215 | - certificates 216 | verbs: 217 | - create 218 | - delete 219 | - deletecollection 220 | - get 221 | - list 222 | - patch 223 | - update 224 | - watch 225 | - apiGroups: 226 | - cert-manager.io 227 | resources: 228 | - certificates/finalizers 229 | verbs: 230 | - update 231 | - apiGroups: 232 | - cert-manager.io 233 | resources: 234 | - certificates/status 235 | verbs: 236 | - get 237 | - patch 238 | - update 239 | - apiGroups: 240 | - cert-manager.io 241 | resources: 242 | - clusterissuers 243 | verbs: 244 | - get 245 | - list 246 | - update 247 | - watch 248 | - apiGroups: 249 | - cert-manager.io 250 | resources: 251 | - clusterissuers/status 
252 | verbs: 253 | - update 254 | - apiGroups: 255 | - cert-manager.io 256 | resources: 257 | - issuers 258 | verbs: 259 | - create 260 | - delete 261 | - deletecollection 262 | - get 263 | - list 264 | - patch 265 | - update 266 | - watch 267 | - apiGroups: 268 | - cert-manager.io 269 | resources: 270 | - issuers/finalizers 271 | verbs: 272 | - update 273 | - apiGroups: 274 | - cert-manager.io 275 | resources: 276 | - issuers/status 277 | verbs: 278 | - get 279 | - patch 280 | - update 281 | - apiGroups: 282 | - cert-manager.io 283 | resources: 284 | - signers 285 | verbs: 286 | - approve 287 | - apiGroups: 288 | - certificates.k8s.io 289 | resources: 290 | - certificatesigningrequests 291 | verbs: 292 | - get 293 | - list 294 | - update 295 | - watch 296 | - apiGroups: 297 | - certificates.k8s.io 298 | resources: 299 | - certificatesigningrequests/status 300 | verbs: 301 | - update 302 | - apiGroups: 303 | - certificates.k8s.io 304 | resources: 305 | - signers 306 | verbs: 307 | - sign 308 | - apiGroups: 309 | - ibmcpcs.ibm.com 310 | resources: 311 | - secretshares 312 | verbs: 313 | - create 314 | - get 315 | - list 316 | - watch 317 | - apiGroups: 318 | - networking.k8s.io 319 | resources: 320 | - httproutes 321 | - ingresses 322 | verbs: 323 | - create 324 | - delete 325 | - get 326 | - list 327 | - update 328 | - watch 329 | - apiGroups: 330 | - networking.k8s.io 331 | resources: 332 | - ingresses/finalizers 333 | verbs: 334 | - update 335 | - apiGroups: 336 | - networking.x-k8s.io 337 | resources: 338 | - gateways 339 | verbs: 340 | - get 341 | - list 342 | - watch 343 | - apiGroups: 344 | - networking.x-k8s.io 345 | resources: 346 | - gateways/finalizers 347 | - httproutes/finalizers 348 | verbs: 349 | - update 350 | - apiGroups: 351 | - networking.x-k8s.io 352 | resources: 353 | - httproutes 354 | verbs: 355 | - create 356 | - delete 357 | - get 358 | - list 359 | - update 360 | - watch 361 | - apiGroups: 362 | - operator.ibm.com 363 | resources: 364 | - 
certmanagerconfigs 365 | verbs: 366 | - create 367 | - delete 368 | - get 369 | - list 370 | - patch 371 | - update 372 | - watch 373 | - apiGroups: 374 | - operator.ibm.com 375 | resources: 376 | - certmanagerconfigs/finalizers 377 | verbs: 378 | - update 379 | - apiGroups: 380 | - operator.ibm.com 381 | resources: 382 | - certmanagerconfigs/status 383 | verbs: 384 | - get 385 | - patch 386 | - update 387 | - apiGroups: 388 | - rbac.authorization.k8s.io 389 | resources: 390 | - clusterrolebindings 391 | - clusterroles 392 | - rolebindings 393 | - roles 394 | verbs: 395 | - create 396 | - delete 397 | - get 398 | - list 399 | - update 400 | - watch 401 | - apiGroups: 402 | - route.openshift.io 403 | resources: 404 | - routes/custom-host 405 | verbs: 406 | - create 407 | --- 408 | apiVersion: rbac.authorization.k8s.io/v1 409 | kind: ClusterRoleBinding 410 | metadata: 411 | name: ibm-cert-manager-operator 412 | labels: 413 | component-id: {{ .Chart.Name }} 414 | {{- with .Values.cpfs.labels }} 415 | {{- toYaml . 
| nindent 4 }} 416 | {{- end }} 417 | roleRef: 418 | kind: ClusterRole 419 | apiGroup: rbac.authorization.k8s.io 420 | name: ibm-cert-manager-operator 421 | subjects: 422 | - kind: ServiceAccount 423 | name: ibm-cert-manager-operator 424 | namespace: {{ .Values.global.certmgrNamespace }} 425 | 426 | --- 427 | -------------------------------------------------------------------------------- /helm-cluster-scoped/values.yaml: -------------------------------------------------------------------------------- 1 | cpfs: 2 | imageRegistryNamespaceOperator: cpopen 3 | imageRegistryNamespaceOperand: cpopen/cpfs 4 | labels: 5 | 6 | global: 7 | certmgrNamespace: ibm-cert-manager -------------------------------------------------------------------------------- /helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: ibm-cert-manager-operator 3 | description: A Helm chart for ibm-cert-manager-operator 4 | type: application 5 | version: 4.2.16 6 | appVersion: 4.2.16 -------------------------------------------------------------------------------- /helm/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: ibm-cert-manager-operator 5 | namespace: {{ .Values.global.certmgrNamespace }} 6 | labels: 7 | app.kubernetes.io/instance: ibm-cert-manager-operator 8 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 9 | app.kubernetes.io/name: cert-manager 10 | component-id: {{ .Chart.Name }} 11 | {{- with .Values.cpfs.labels }} 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | spec: 15 | replicas: 1 16 | selector: 17 | matchLabels: 18 | name: ibm-cert-manager-operator 19 | strategy: {} 20 | template: 21 | metadata: 22 | labels: 23 | name: ibm-cert-manager-operator 24 | app.kubernetes.io/instance: ibm-cert-manager-operator 25 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 26 | app.kubernetes.io/name: cert-manager 27 | annotations: 28 | productName: IBM Cloud Platform Common Services 29 | productID: "068a62892a1e4db39641342e592daa25" 30 | productMetric: FREE 31 | spec: 32 | serviceAccountName: ibm-cert-manager-operator 33 | imagePullSecrets: 34 | - name: {{ .Values.global.imagePullSecret }} 35 | affinity: 36 | nodeAffinity: 37 | requiredDuringSchedulingIgnoredDuringExecution: 38 | nodeSelectorTerms: 39 | - matchExpressions: 40 | - key: kubernetes.io/arch 41 | operator: In 42 | values: 43 | - amd64 44 | - ppc64le 45 | - s390x 46 | hostIPC: false 47 | hostNetwork: false 48 | hostPID: false 49 | containers: 50 | - name: manager 51 | image: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperator}}/ibm-cert-manager-operator:4.2.16 52 | command: 53 | - ibm-cert-manager-operator 54 | imagePullPolicy: IfNotPresent 55 | livenessProbe: 56 | httpGet: 57 | path: /healthz 58 | port: 8081 59 | initialDelaySeconds: 15 60 | periodSeconds: 20 61 | readinessProbe: 62 | httpGet: 63 | path: /readyz 64 | port: 8081 65 | initialDelaySeconds: 5 66 | periodSeconds: 10 67 | env: 68 | - name: WATCH_NAMESPACE 69 | value: "" 70 | - name: DEPLOYED_NAMESPACE 71 | valueFrom: 72 | fieldRef: 73 | fieldPath: metadata.namespace 74 | - name: POD_NAME 75 | valueFrom: 76 | fieldRef: 77 | fieldPath: metadata.name 78 | - name: OPERATOR_NAME 79 | value: "ibm-cert-manager-operator" 80 | - name: ICP_CERT_MANAGER_CONTROLLER_IMAGE 81 | value: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ 
.Values.cpfs.imageRegistryNamespaceOperand}}/icp-cert-manager-controller:4.2.16-jetstack.1.13.3 82 | - name: ICP_CERT_MANAGER_WEBHOOK_IMAGE 83 | value: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand}}/icp-cert-manager-webhook:4.2.16-jetstack.1.13.3 84 | - name: ICP_CERT_MANAGER_CAINJECTOR_IMAGE 85 | value: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand}}/icp-cert-manager-cainjector:4.2.16-jetstack.1.13.3 86 | - name: ICP_CERT_MANAGER_ACMESOLVER_IMAGE 87 | value: {{ .Values.cpfs.imagePullPrefix | default .Values.global.imagePullPrefix }}/{{ .Values.cpfs.imageRegistryNamespaceOperand}}/icp-cert-manager-acmesolver:4.2.16-jetstack.1.13.3 88 | resources: 89 | limits: 90 | cpu: 100m 91 | memory: 300Mi 92 | requests: 93 | cpu: 10m 94 | memory: 50Mi 95 | ephemeral-storage: 256Mi 96 | securityContext: 97 | seccompProfile: 98 | type: RuntimeDefault 99 | allowPrivilegeEscalation: false 100 | capabilities: 101 | drop: 102 | - ALL 103 | privileged: false 104 | readOnlyRootFilesystem: true 105 | runAsNonRoot: true 106 | -------------------------------------------------------------------------------- /helm/templates/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: ibm-cert-manager-operator 5 | namespace: {{ .Values.global.certmgrNamespace }} 6 | labels: 7 | component-id: {{ .Chart.Name }} 8 | {{- with .Values.cpfs.labels }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | --- 12 | # permissions to do leader election. 
13 | apiVersion: rbac.authorization.k8s.io/v1 14 | kind: Role 15 | metadata: 16 | name: ibm-cert-manager-operator-leader-election-role 17 | namespace: {{ .Values.global.certmgrNamespace }} 18 | labels: 19 | app.kubernetes.io/instance: ibm-cert-manager-operator 20 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 21 | app.kubernetes.io/name: cert-manager 22 | component-id: {{ .Chart.Name }} 23 | {{- with .Values.cpfs.labels }} 24 | {{- toYaml . | nindent 4 }} 25 | {{- end }} 26 | rules: 27 | - apiGroups: 28 | - "" 29 | resources: 30 | - configmaps 31 | verbs: 32 | - get 33 | - list 34 | - watch 35 | - create 36 | - update 37 | - patch 38 | - delete 39 | - apiGroups: 40 | - coordination.k8s.io 41 | resources: 42 | - leases 43 | verbs: 44 | - get 45 | - list 46 | - watch 47 | - create 48 | - update 49 | - patch 50 | - delete 51 | - apiGroups: 52 | - "" 53 | resources: 54 | - events 55 | verbs: 56 | - create 57 | - patch 58 | --- 59 | apiVersion: rbac.authorization.k8s.io/v1 60 | kind: RoleBinding 61 | metadata: 62 | name: ibm-cert-manager-operator-leader-election-rolebinding 63 | namespace: {{ .Values.global.certmgrNamespace }} 64 | labels: 65 | app.kubernetes.io/instance: ibm-cert-manager-operator 66 | app.kubernetes.io/managed-by: ibm-cert-manager-operator 67 | app.kubernetes.io/name: cert-manager 68 | component-id: {{ .Chart.Name }} 69 | {{- with .Values.cpfs.labels }} 70 | {{- toYaml . 
| nindent 4 }} 71 | {{- end }} 72 | roleRef: 73 | apiGroup: rbac.authorization.k8s.io 74 | kind: Role 75 | name: ibm-cert-manager-operator-leader-election-role 76 | subjects: 77 | - kind: ServiceAccount 78 | name: ibm-cert-manager-operator 79 | namespace: {{ .Values.global.certmgrNamespace }} 80 | -------------------------------------------------------------------------------- /helm/values.yaml: -------------------------------------------------------------------------------- 1 | cpfs: 2 | imageRegistryNamespaceOperator: cpopen 3 | imageRegistryNamespaceOperand: cpopen/cpfs 4 | labels: 5 | 6 | global: 7 | imagePullPrefix: icr.io 8 | certmgrNamespace: ibm-cert-manager 9 | imagePullSecret: 10 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2022. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package main 18 | 19 | import ( 20 | "flag" 21 | "os" 22 | 23 | // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) 24 | // to ensure that exec-entrypoint and run can make use of them. 
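// (continuation of the import block opened above)
	"k8s.io/client-go/kubernetes"
	_ "k8s.io/client-go/plugin/pkg/client/auth"

	admRegv1 "k8s.io/api/admissionregistration/v1"
	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
	apiextensionclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
	"k8s.io/apimachinery/pkg/runtime"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
	apiRegv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/cache"
	"sigs.k8s.io/controller-runtime/pkg/healthz"
	logf "sigs.k8s.io/controller-runtime/pkg/log"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"

	res "github.com/ibm/ibm-cert-manager-operator/v4/controllers/resources"

	acmecertmanagerv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/acme.cert-manager/v1"
	certmanagerv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/cert-manager/v1"
	metacertmanagerv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/meta.cert-manager/v1"
	operatorv1 "github.com/ibm/ibm-cert-manager-operator/v4/apis/operator/v1"
	operatorcontrollers "github.com/ibm/ibm-cert-manager-operator/v4/controllers/operator"
	//+kubebuilder:scaffold:imports
)

// log is the logger used for scheme-registration failures during startup.
var log = logf.Log.WithName("cmd")

var (
	// scheme is handed to the manager and is pre-populated by init below.
	scheme = runtime.NewScheme()
	// setupLog is the logger for manager construction and controller wiring.
	setupLog = ctrl.Log.WithName("setup")
)

// init registers the built-in client-go types and this operator's own API
// groups on the package-level scheme. utilruntime.Must panics on failure,
// which is acceptable here: a scheme that cannot be built is a programming
// error, not a runtime condition.
func init() {
	utilruntime.Must(clientgoscheme.AddToScheme(scheme))

	utilruntime.Must(operatorv1.AddToScheme(scheme))
	utilruntime.Must(metacertmanagerv1.AddToScheme(scheme))
	utilruntime.Must(acmecertmanagerv1.AddToScheme(scheme))
	utilruntime.Must(certmanagerv1.AddToScheme(scheme))
	//+kubebuilder:scaffold:scheme
}

// main is the controller-manager entry point: it parses flags, builds the
// manager, registers the extra API types the reconciler needs, constructs the
// typed clientsets, wires the CertManager reconciler and the health/ready
// endpoints, and then runs until a termination signal arrives.
// Every setup failure is logged and terminates the process with exit code 1.
func main() {
	var enableLeaderElection bool
	var probeAddr string
	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
		"Enable leader election for controller manager. "+
			"Enabling this will ensure there is only one active controller manager.")
	opts := zap.Options{
		// Development-mode logging is the compiled-in default; BindFlags below
		// exposes the zap flags (e.g. --zap-devel), so the deployment can
		// override this without a rebuild.
		Development: true,
	}
	opts.BindFlags(flag.CommandLine)
	flag.Parse()

	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
		Scheme: scheme,
		Cache: cache.Options{
			// Reads of a type that has no informer fail instead of silently
			// starting one, so unexpected cache growth surfaces as an error.
			ReaderFailOnMissingInformer: true,
		},
		HealthProbeBindAddress: probeAddr,
		LeaderElection:         enableLeaderElection,
		LeaderElectionID:       "1557e857.ibm.com",
	})
	if err != nil {
		setupLog.Error(err, "unable to start manager")
		os.Exit(1)
	}

	// Setup Scheme for all resources. Each failure names the API group so a
	// startup crash is diagnosable from the log alone.
	if err := clientgoscheme.AddToScheme(mgr.GetScheme()); err != nil {
		log.Error(err, "unable to add client-go types to scheme")
		os.Exit(1)
	}

	if err := apiextensionv1.AddToScheme(mgr.GetScheme()); err != nil {
		log.Error(err, "unable to add apiextensions.k8s.io/v1 types to scheme")
		os.Exit(1)
	}
	if err := apiRegv1.AddToScheme(mgr.GetScheme()); err != nil {
		log.Error(err, "unable to add apiregistration.k8s.io/v1 types to scheme")
		os.Exit(1)
	}

	if err := admRegv1.AddToScheme(mgr.GetScheme()); err != nil {
		log.Error(err, "unable to add admissionregistration.k8s.io/v1 types to scheme")
		os.Exit(1)
	}

	// Build the typed clientsets the reconciler uses alongside the cached
	// client. A construction error must stop startup here: passing a nil
	// clientset on would only fail later, inside a reconcile, with a
	// nil-pointer dereference.
	kubeclient, err := kubernetes.NewForConfig(mgr.GetConfig())
	if err != nil {
		setupLog.Error(err, "unable to create kubernetes clientset")
		os.Exit(1)
	}
	apiextclient, err := apiextensionclientset.NewForConfig(mgr.GetConfig())
	if err != nil {
		setupLog.Error(err, "unable to create apiextensions clientset")
		os.Exit(1)
	}
	if err = (&operatorcontrollers.CertManagerReconciler{
		Client:       mgr.GetClient(),
		Reader:       mgr.GetAPIReader(),
		Kubeclient:   kubeclient,
		APIextclient: apiextclient,
		Scheme:       mgr.GetScheme(),
		Recorder:     mgr.GetEventRecorderFor("ibm-cert-manager-operator"),
		NS:           res.DeployNamespace,
	}).SetupWithManager(mgr); err != nil {
		setupLog.Error(err, "unable to create controller", "controller", "CertManager")
		os.Exit(1)
	}
	//+kubebuilder:scaffold:builder

	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
		setupLog.Error(err, "unable to set up health check")
		os.Exit(1)
	}
	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
		setupLog.Error(err, "unable to set up ready check")
		os.Exit(1)
	}

	setupLog.Info("starting manager")
	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
		setupLog.Error(err, "problem running manager")
		os.Exit(1)
	}
}
--------------------------------------------------------------------------------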