Merge pull request #93 from JoshVanL/image-tags-v0.2.1

Adds support for making multi-arch images. Updates tags

Author: jetstack-bot

Dockerfile

@@ -12,11 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/distroless/static@sha256:aadea1b1f16af043a34491eec481d0132479382096ea34f608087b4bef3634be
+# Build the istio-csr binary
+FROM docker.io/library/golang:1.17 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Copy the go source files
+COPY Makefile Makefile
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+
+# Build
+RUN make build
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4
 LABEL description="istio certificate agent to serve certificate signing requests via cert-manager"
 
+WORKDIR /
 USER 1001
-
-COPY ./bin/cert-manager-istio-csr-linux /usr/bin/cert-manager-istio-csr
+COPY --from=builder /workspace/bin/cert-manager-istio-csr /usr/bin/cert-manager-istio-csr
 
 ENTRYPOINT ["/usr/bin/cert-manager-istio-csr"]

Makefile

@@ -17,6 +17,7 @@ ARCH   ?= $(shell go env GOARCH)
 ISTIO_VERSION ?= 1.10.0
 K8S_VERSION ?= 1.21.1
 HELM_VERSION ?= 3.4.1
+IMAGE_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le
 
 UNAME_S := $(shell uname -s)
 ifeq ($(UNAME_S),Linux)
@@ -39,15 +40,15 @@ lint:
 
 build: ## build cert-manager-istio-csr
 	mkdir -p $(BINDIR)
-	CGO_ENABLED=0 go build -o ./bin/cert-manager-istio-csr  ./cmd/.
+	CGO_ENABLED=0 go build -v -o ./bin/cert-manager-istio-csr  ./cmd/.
 
 verify: test build ## tests and builds cert-manager-istio-csr
 
-build_image_binary: ## builds image binary
-	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -o ./bin/cert-manager-istio-csr-linux  ./cmd/.
-
-image: build_image_binary ## build docker image from binary
-	docker build -t quay.io/jetstack/cert-manager-istio-csr:v0.2.0 .
+# image will only build and store the image locally, targeted in OCI format.
+# To actually push an image to the public repo, replace the `--output` flag and
+# arguments to `--push`.
+image: ## build docker image targeting all supported platforms
+	docker buildx build --platform=$(IMAGE_PLATFORMS) -t quay.io/jetstack/cert-manager-istio-csr:v0.2.1 --output type=oci,dest=./bin/cert-manager-istio-csr-oci .
 
 clean: ## clean up created files
 	rm -rf \
@@ -56,7 +57,7 @@ clean: ## clean up created files
 
 all: test build docker ## runs test, build and docker
 
-demo: depend build test build_image_binary ## create kind cluster and deploy demo
+demo: depend build test ## create kind cluster and deploy demo
 	./hack/demo/deploy-demo.sh $(K8S_VERSION) $(ISTIO_VERSION)
 	$(BINDIR)/kubectl label namespace default istio-injection=enabled
 

deploy/charts/istio-csr/Chart.yaml

@@ -12,5 +12,5 @@ maintainers:
 sources:
 - https://github.com/cert-manager/istio-csr
 
-appVersion: v0.2.0
-version: v0.2.2
+appVersion: v0.2.1
+version: v0.2.3

deploy/charts/istio-csr/README.md

@@ -1,10 +1,10 @@
 # cert-manager-istio-csr
 
-![Version: v0.2.1](https://img.shields.io/badge/Version-v0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.2.0](https://img.shields.io/badge/AppVersion-v0.2.0-informational?style=flat-square)
+![Version: v0.2.3](https://img.shields.io/badge/Version-v0.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.2.1](https://img.shields.io/badge/AppVersion-v0.2.1-informational?style=flat-square)
 
 A Helm chart for istio-csr
 
-**Homepage:** <https://github.com/jetstack/istio-csr>
+**Homepage:** <https://github.com/cert-manager/istio-csr>
 
 ## Maintainers
 
@@ -27,6 +27,7 @@ A Helm chart for istio-csr
 | app.certmanager.preserveCertificateRequests | bool | `false` | Don't delete created CertificateRequests once they have been signed. |
 | app.controller.leaderElectionNamespace | string | `"istio-system"` |  |
 | app.controller.rootCAConfigMapName | string | `"istio-ca-root-cert"` | Name of ConfigMap that should contain the root CA in all namespaces. |
+| app.istio.revisions | list | `["default"]` | The istio revisions that are currently installed in the cluster. Changing this field will modify the DNS names that will be requested for the istiod certificate. The common name for the istiod certificate is hard coded to the `default` revision DNS name. Some issuers may require that the common name on certificates match one of the DNS names. If 1. Your issuer has this constraint, and 2. You are not using `default` as a revision, add the `default` revision here anyway. The resulting certificate will include a DNS name that won't be used, but will pass this constraint. |
 | app.logLevel | int | `1` | Verbosity of istio-csr logging. |
 | app.metrics.port | int | `9402` | Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'. |
 | app.metrics.service | object | `{"enabled":true,"servicemonitor":{"enabled":false,"interval":"10s","labels":{},"prometheusInstance":"default","scrapeTimeout":"5s"},"type":"ClusterIP"}` | Service to expose metrics endpoint. |
@@ -46,7 +47,7 @@ A Helm chart for istio-csr
 | app.tls.trustDomain | string | `"cluster.local"` | The Istio cluster's trust domain. |
 | image.pullPolicy | string | `"IfNotPresent"` | Kubernetes imagePullPolicy on Deployment. |
 | image.repository | string | `"quay.io/jetstack/cert-manager-istio-csr"` | Target image repository. |
-| image.tag | string | `"v0.2.0"` | Target image version tag. |
+| image.tag | string | `"v0.2.1"` | Target image version tag. |
 | replicaCount | int | `1` | Number of replicas of istio-csr to run. |
 | resources | object | `{}` |  |
 | service.port | int | `443` | Service port to expose istio-csr gRPC service. |

deploy/charts/istio-csr/values.yaml

@@ -5,7 +5,7 @@ image:
   # -- Target image repository.
   repository: quay.io/jetstack/cert-manager-istio-csr
   # -- Target image version tag.
-  tag: v0.2.0
+  tag: v0.2.1
   # -- Kubernetes imagePullPolicy on Deployment.
   pullPolicy: IfNotPresent
 

hack/demo/deploy-demo.sh

@@ -2,72 +2,58 @@
 
 K8S_NAMESPACE="${K8S_NAMESPACE:-istio-system}"
 CERT_MANAGER_VERSION="${CERT_MANAGER_VERSION:-1.4.0}"
-ISTIO_AGENT_IMAGE="${CERT_MANAGER_ISTIO_AGENT_IMAGE:-localhost:5000/cert-manager-istio-csr:v0.2.0}"
+ISTIO_AGENT_IMAGE="${CERT_MANAGER_ISTIO_AGENT_IMAGE:-quay.io/jetstack/cert-manager-istio-csr:canary}"
 KUBECTL_BIN="${KUBECTL_BIN:-./bin/kubectl}"
 HELM_BIN="${HELM_BIN:-./bin/helm}"
 KIND_BIN="${KIND_BIN:-./bin/kind}"
 
-./hack/demo/kind-with-registry.sh $1
-
-echo ">> docker build -t ${ISTIO_AGENT_IMAGE} ."
-docker build -t ${ISTIO_AGENT_IMAGE} .
-
-echo ">> docker push ${ISTIO_AGENT_IMAGE}"
-docker push $ISTIO_AGENT_IMAGE
-
-apply_cert-manager_bootstrap_manifests() {
-  $KUBECTL_BIN apply -n $K8S_NAMESPACE -f ./hack/demo/cert-manager-bootstrap-resources.yaml
-  return $?
-}
+echo ">> building istio-csr binary..."
+GOARCH=$(go env GOARCH) GOOS=linux CGO_ENABLED=0 go build -o ./bin/istio-csr-linux ./cmd/.
+
+echo ">> building docker image..."
+docker build -t $ISTIO_AGENT_IMAGE .
+
+echo ">> creating kind cluster..."
+$KIND_BIN delete cluster --name istio-demo
+cat <<EOF | $KIND_BIN create cluster --name istio-demo --config=-
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 30443
+    hostPort: 30443
+    listenAddress: "0.0.0.0"
+    protocol: tcp
+kubeadmConfigPatches:
+  - |
+    # config generated by kind
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    networking:
+      serviceSubnet: 10.0.0.0/16
+EOF
 
-echo ">> loading demo container images into kind"
-IMAGES=("quay.io/joshvanl_jetstack/httpbin:latest" "quay.io/joshvanl_jetstack/curl")
-IMAGES+=("gcr.io/istio-release/pilot:$2" "gcr.io/istio-release/proxyv2:$2")
-for image in ${IMAGES[@]}; do
-  docker pull $image
-  $KIND_BIN load docker-image $image --name istio-demo
-done
+echo ">> loading docker image..."
+$KIND_BIN load docker-image $ISTIO_AGENT_IMAGE --name istio-demo
 
 echo ">> installing cert-manager"
-$KUBECTL_BIN apply -f https://github.com/jetstack/cert-manager/releases/download/v$CERT_MANAGER_VERSION/cert-manager.yaml
-
-$KUBECTL_BIN rollout status deploy -n cert-manager cert-manager
-$KUBECTL_BIN rollout status deploy -n cert-manager cert-manager-cainjector
-$KUBECTL_BIN rollout status deploy -n cert-manager cert-manager-webhook
-
+$HELM_BIN repo add jetstack https://charts.jetstack.io --force-update
+$HELM_BIN upgrade -i -n cert-manager cert-manager jetstack/cert-manager --set installCRDs=true --wait --create-namespace --set global.logLevel=2
 
 echo ">> creating cert-manager istio resources"
-
 $KUBECTL_BIN create namespace $K8S_NAMESPACE
-
-max=15
-
-for x in $(seq 1 $max); do
-    apply_cert-manager_bootstrap_manifests
-    res=$?
-
-    if [ $res -eq 0 ]; then
-        break
-    fi
-
-    echo ">> [${x}] cert-manager not ready" && sleep 5
-
-    if [ x -eq 15 ]; then
-        echo ">> Failed to deploy cert-manager and bootstrap manifests in time"
-        exit 1
-    fi
-done
+$KUBECTL_BIN apply -n $K8S_NAMESPACE -f ./hack/demo/cert-manager-bootstrap-resources.yaml
 
 echo ">> installing cert-manager-istio-csr"
-
 $HELM_BIN install cert-manager-istio-csr ./deploy/charts/istio-csr -n cert-manager --values ./hack/demo/istio-csr-values.yaml
 
 echo ">> installing istio"
-
 ./bin/istioctl-$2 install -y -f ./hack/istio-config-$2.yaml
 
 echo ">> enforcing mTLS everywhere"
-
 $KUBECTL_BIN apply -n istio-system -f - <<EOF
 apiVersion: "security.istio.io/v1beta1"
 kind: "PeerAuthentication"

hack/demo/destroy-demo.sh

@@ -2,5 +2,5 @@
 
 KIND_BIN="${KIND_BIN:-./bin/kind}"
 
+$KIND_BIN export logs _artifacts --name istio-demo
 $KIND_BIN delete cluster --name istio-demo
-docker stop kind-registry

hack/demo/istio-csr-values.yaml

@@ -1,9 +1,9 @@
 replicaCount: 3
 
 image:
-  repository: localhost:5000/cert-manager-istio-csr
-  tag: v0.2.0
-  pullPolicy: Always
+  repository: quay.io/jetstack/cert-manager-istio-csr
+  tag: canary
+  pullPolicy: Never
 
 service:
   port: 443