From 918a13cb640ef8ba2d44305df82532a2c72ac633 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Tue, 23 May 2023 19:37:19 +0200
Subject: [PATCH] move e2e-setup feature gate splitting into Helm chart
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
.../cert-manager/templates/_helpers.tpl | 35 +++++++++++++++++++
.../templates/cainjector-deployment.yaml | 3 ++
.../cert-manager/templates/deployment.yaml | 4 +--
.../templates/webhook-deployment.yaml | 4 +--
deploy/charts/cert-manager/values.yaml | 6 +---
make/e2e-setup.mk | 15 ++------
6 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/deploy/charts/cert-manager/templates/_helpers.tpl b/deploy/charts/cert-manager/templates/_helpers.tpl
index 90db4af2681..68778dad79a 100644
--- a/deploy/charts/cert-manager/templates/_helpers.tpl
+++ b/deploy/charts/cert-manager/templates/_helpers.tpl
@@ -172,3 +172,38 @@ https://github.com/helm/helm/issues/5358 {{- define "cert-manager.namespace" -}} {{ .Values.namespace | default .Release.Namespace }} {{- end -}} + +{{- define "featureGatesController" -}} +{{- $featureGatesController := list "AllAlpha" "AllBeta" "AdditionalCertificateOutputFormats" "ValidateCAA" "ExperimentalCertificateSigningRequestControllers" "ExperimentalGatewayAPISupport" "ServerSideApply" "LiteralCertificateSubject" "UseCertificateRequestBasicConstraints" "SecretsFilteredCaching" -}} +{{- include "featureGates" (list $.Values.featureGates $featureGatesController) -}} +{{- end -}} + +{{- define "featureGatesWebhook" -}} +{{- $featureGatesWebhook := list "AllAlpha" "AllBeta" "AdditionalCertificateOutputFormats" "LiteralCertificateSubject" -}} +{{- include "featureGates" (list $.Values.featureGates $featureGatesWebhook) -}} +{{- end -}} + +{{- define "featureGatesCAInjector" -}} +{{- $featureGatesCAInjector := list "AllAlpha" "AllBeta" "ServerSideApply" -}} +{{- include "featureGates" (list $.Values.featureGates $featureGatesCAInjector) -}} +{{- end -}} + +{{- define "featureGates" -}} +{{- $featureGatesString := index . 0 -}} +{{- $featureGates := index . 1 -}} +{{- $featureGatesAll := list "AllAlpha" "AllBeta" "AdditionalCertificateOutputFormats" "ValidateCAA" "ExperimentalCertificateSigningRequestControllers" "ExperimentalGatewayAPISupport" "ServerSideApply" "LiteralCertificateSubject" "UseCertificateRequestBasicConstraints" "SecretsFilteredCaching" -}} +{{- /**/ -}} +{{- $flags := list -}} +{{- range $gate := split "," $featureGatesString -}} +{{- $gateName := (split "=" $gate)._0 -}} +{{- $gateValue := (split "=" $gate)._1 -}} +{{- if not (has $gateName $featureGatesAll) -}} +{{- fail (printf "The featureGate %s is unknown." 
$gateName) -}} +{{- end -}} +{{- if has $gateName $featureGates -}} +{{- $flags = append $flags (printf "%s=%s" $gateName $gateValue) -}} +{{- end -}} +{{- end -}} +{{- /**/ -}} +{{- $flags | join "," -}} +{{- end -}} diff --git a/deploy/charts/cert-manager/templates/cainjector-deployment.yaml b/deploy/charts/cert-manager/templates/cainjector-deployment.yaml index 122017374af..1026bca5ce2 100644 --- a/deploy/charts/cert-manager/templates/cainjector-deployment.yaml +++ b/deploy/charts/cert-manager/templates/cainjector-deployment.yaml @@ -74,6 +74,9 @@ spec: - --leader-election-retry-period={{ .retryPeriod }} {{- end }} {{- end }} + {{- with (include "featureGatesCAInjector" $) }} + - --feature-gates={{ . }} + {{- end }} {{- with .Values.cainjector.extraArgs }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml index aea5736c0c8..6c9c6e794e1 100644 --- a/deploy/charts/cert-manager/templates/deployment.yaml +++ b/deploy/charts/cert-manager/templates/deployment.yaml @@ -107,8 +107,8 @@ spec: - --default-issuer-group={{ .defaultIssuerGroup }} {{- end }} {{- end }} - {{- if .Values.featureGates }} - - --feature-gates={{ .Values.featureGates }} + {{- with (include "featureGatesController" $) }} + - --feature-gates={{ . }} {{- end }} {{- if .Values.maxConcurrentChallenges }} - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }} diff --git a/deploy/charts/cert-manager/templates/webhook-deployment.yaml b/deploy/charts/cert-manager/templates/webhook-deployment.yaml index db85b947a58..4e2a1fe225a 100644 --- a/deploy/charts/cert-manager/templates/webhook-deployment.yaml +++ b/deploy/charts/cert-manager/templates/webhook-deployment.yaml 
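Review bot: The `featureGates` helper has no guard for an empty string, yet `values.yaml` keeps `featureGates: ""` as the default. As far as I can tell Sprig's `split "," ""` yields one empty element, so `$gateName` is empty and the `fail` call aborts rendering of a default install; wrapping the `range` in `{{- if $featureGatesString -}}` … `{{- end -}}` would avoid that. An entry without `=` passes the name check and appears to be emitted as `Name=` with an empty value, so a second `fail` on an empty `$gateValue` would reject it at render time rather than at pod start-up. `$featureGatesAll` repeats the controller list verbatim; a template comment saying that these lists must be kept in step with the gates the binaries define would help the next editor.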
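Review bot: In the cainjector-deployment.yaml hunk the new `--feature-gates` argument is emitted before the `cainjector.extraArgs` block, so an install that already passes `--feature-gates=…` through `cainjector.extraArgs` (as the e2e makefile did before this commit) ends up with the flag twice. Which occurrence the binary honours is not visible here, so the effective gate set may differ from what `featureGates` says. A comment on `cainjector.extraArgs` in `values.yaml` stating that feature gates belong in `featureGates`, or a `fail` when an extra arg starts with `--feature-gates`, would make the precedence explicit.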
@@ -71,8 +71,8 @@ spec: {{ if not $config.securePort -}} - --secure-port={{ .Values.webhook.securePort }} {{- end }} - {{- if .Values.featureGates }} - - --feature-gates={{ .Values.webhook.featureGates }} + {{- with (include "featureGatesWebhook" $) }} + - --feature-gates={{ . }} {{- end }} {{- $tlsConfig := default $config.tlsConfig "" }} {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}} diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index 109c0ebbe86..c6d2ac74f07 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -70,7 +70,7 @@ podDisruptionBudget: # or a percentage value (e.g. 25%) # Comma separated list of feature gates that should be enabled on the -# controller pod. +# controller pod, webhook pod and/ or cainjector pod. featureGates: "" # The maximum number of challenges that can be scheduled as 'processing' at once @@ -341,10 +341,6 @@ webhook: # Path to a file containing a WebhookConfiguration object used to configure the webhook # - --config= - # Comma separated list of feature gates that should be enabled on the - # webhok pod. - featureGates: "" - resources: {} # requests: # cpu: 10m diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk index 09b3126aadf..073722fbe8c 100644 --- a/make/e2e-setup.mk +++ b/make/e2e-setup.mk 
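Review bot: In the webhook-deployment.yaml hunk the webhook now takes its gates from the shared `featureGates` value, so `AllAlpha=true` or `AllBeta=true` set by an operator for the controller is also passed to the webhook, and to cainjector through the matching helper. That enables alpha or beta code paths on components where the operator may not have asked for them. If per-component control is not meant to be supported any more, the `featureGates` comment in `values.yaml` and the upgrade notes should say that `AllAlpha` and `AllBeta` apply to every component.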
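Review bot: Removing `webhook.featureGates` (second values.yaml hunk) leaves existing installs that set it with a value Helm silently ignores, unless the chart ships a values schema, which is not visible here. A guard in the webhook template such as `{{- if .Values.webhook.featureGates }}{{ fail "webhook.featureGates was removed; use featureGates" }}{{- end }}` would surface this at upgrade time. The rewritten comment in the first hunk could also state the new behaviour, for example `# Gates are passed only to the components that support them; unknown gate names fail rendering.`, and `and/ or` should read `and/or`.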
@@ -227,17 +227,10 @@ $(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE): | $(BINDIR)/scratch # supplied E2E_SETUP_OPTION_ variables. E2E_SETUP_OPTION_DEPENDENCIES := $(if $(E2E_SETUP_OPTION_BESTPRACTICE),e2e-setup-kyverno $(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE)) -# In make, there is no way to escape commas or spaces. So we use the -# variables $(space) and $(comma) instead. -null = -space = $(null) # -comma = , - # Helm's "--set" interprets commas, which means we want to escape commas # for "--set featureGates". That's why we have "\$(comma)". -feature_gates_controller := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% ValidateCAA=% ExperimentalCertificateSigningRequestControllers=% ExperimentalGatewayAPISupport=% ServerSideApply=% LiteralCertificateSubject=% UseCertificateRequestBasicConstraints=% SecretsFilteredCaching=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) -feature_gates_webhook := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% LiteralCertificateSubject=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) -feature_gates_cainjector := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% ServerSideApply=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) +comma = , +feature_gates := $(subst $(comma),\$(comma),$(FEATURE_GATES)) # Install cert-manager with E2E specific images and deployment settings. # The values.best-practice.yaml file is applied for compliance with the 
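Review bot: `feature_gates` now forwards `$(FEATURE_GATES)` without the earlier `$(filter …)` pass, so stray whitespace in the variable is no longer dropped and reaches the chart, where the name check in `_helpers.tpl` would treat ` Name` as an unknown gate. `feature_gates := $(subst $(comma),\$(comma),$(strip $(FEATURE_GATES)))` at least removes leading and trailing blanks. `comma` never needs late expansion, so `comma := ,` would be the more predictable form.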
@@ -268,10 +261,8 @@ e2e-setup-certmanager: $(BINDIR)/cert-manager.tgz $(foreach binaryname,controlle --set acmesolver.image.tag="$(TAG)" \ --set startupapicheck.image.tag="$(TAG)" \ --set installCRDs=true \ - --set featureGates="$(feature_gates_controller)" \ + --set featureGates="$(feature_gates)" \ --set "extraArgs={--kube-api-qps=9000,--kube-api-burst=9000,--concurrent-workers=200}" \ - --set webhook.featureGates="$(feature_gates_webhook)" \ - --set "cainjector.extraArgs={--feature-gates=$(feature_gates_cainjector)}" \ --set "dns01RecursiveNameservers=$(SERVICE_IP_PREFIX).16:53" \ --set "dns01RecursiveNameserversOnly=true" \ $(if $(E2E_SETUP_OPTION_BESTPRACTICE),--values=$(E2E_SETUP_OPTION_BESTPRACTICE_HELM_VALUES_FILE)) \