Add kubectl 'cert-manager check api' command #4205
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jetstack-bot
added
release-note
|
Hi @inteon. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
inteon
force-pushed
the
kubectl_check_api
branch
from
c7dbd73
to
323110e
Compare
inteon
commented
Jul 13, 2021
wallrj
requested changes
Jul 14, 2021
There was a problem hiding this comment.
This works pretty well Tim, thanks.
But please:
- Use it after the
helm upgrade --installin the E2E tests. - Add unit-tests
- Link to some prototype documentation for it.
- Make it react quickly to ctrl-c
- Make it print meaningful messages to the console, currently I see
bazel run //cmd/ctl -- check api
...
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
^Cwhile attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
In the absence of cert-manager.
And if I leave it running while I install cert-manager I get:
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
The Kubernetes Api is ready to created cert-manager resources against
Try and make it a bit more user friendly.
jetstack-bot
added
size/XL
inteon
force-pushed
the
kubectl_check_api
branch
from
c941dcc
to
9aef0e3
Compare
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
… fixed os.Exit(1) Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
inteon
force-pushed
the
kubectl_check_api
branch
from
9aef0e3
to
21bc989
Compare
wallrj
approved these changes
Jul 16, 2021
There was a problem hiding this comment.
This is great @inteon
I tested the various output flags and I really like the logged messages:
- Without an API server
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api
Error: while creating client: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
- Timeout while cert-manager is installing
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:29:12 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:17 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:25 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:33 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:43 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:47 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:52 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:57 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:30:02 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:30:08 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:12 Timed out after 1m0s
- Eventual Success
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:30:16 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:21 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:26 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:31 The cert-manager API is ready
- Immediate success
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:30:34 The cert-manager API is ready
- Non-waiting user-friendly success output
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api
The cert-manager API is ready
- Unexpected error with clean ctrl-c exit
bazel-bin/hack/bin/kubectl-cert_manager check api -v --as anon --wait=1m
2021/07/16 12:37:59 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:05 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:10 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:15 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:20 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:25 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
^C
And the tests now cover all the translateError cases
And the e2e test now precompiles the CLI for faster API check
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
$TEST_TMPDIR defined: output root default is '/bazel-scratch/.cache/bazel' and max_idle_secs default is '15'.
Starting local Bazel server and connecting to it...
INFO: Invocation ID: 30d7517b-66f5-411d-a266-3786d113e452
Loading:
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
currently loading: hack/bin
Analyzing: target //hack/bin:kubectl-cert_manager (1 packages loaded, 0 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (17 packages loaded, 18 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (93 packages loaded, 7373 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (144 packages loaded, 7487 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (225 packages loaded, 7872 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (433 packages loaded, 9093 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (639 packages loaded, 11271 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (784 packages loaded, 12180 targets configured)
INFO: Analyzed target //hack/bin:kubectl-cert_manager (863 packages loaded, 13064 targets configured).
INFO: Found 1 target...
[2 / 545] [Prepa] BazelWorkspaceStatusAction stable-status.txt
[466 / 1,247] checking cached actions
[1,246 / 1,247] checking cached actions
Target //hack/bin:kubectl-cert_manager up-to-date:
bazel-bin/hack/bin/kubectl-cert_manager_script
bazel-bin/hack/bin/kubectl-cert_manager
INFO: Elapsed time: 19.311s, Critical Path: 2.89s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
$TEST_TMPDIR defined: output root default is '/bazel-scratch/.cache/bazel' and max_idle_secs default is '15'.
INFO: Invocation ID: 7c24871c-0cd8-48a4-9cb9-e7e74f8ed03f
2021/07/16 11:20:01 The cert-manager API is ready
I think the use of error.Unwrap is a bit unconventional. I'd rather have used errors.As, but it works fine so let's merge and get this into the next cert-manager alpha release.
Please add a PR to the website (release-next branch) with some documentation explaining when and how to use this command a release note paragraph about it, and recommend it in the https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation (if you haven't already done that).
I'm just going to run the e2e test against K8S 1.16 to check that our dry-run mechanism works there too:
/test pull-cert-manager-e2e-v1-16
/lgtm
/hold
jetstack-bot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon, wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
|
/unhold |
jetstack-bot
removed
the
do-not-merge/hold
This was referenced Aug 10, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Adds the kubectl 'cert-manager check api' command.
This check attempts to perform a dry-run create of a cert-manager v1alpha2
Certificate resource in order to verify that CRDs are installed and all the
required webhooks are reachable by the K8S API server.
We use v1alpha2 API to ensure that the API server has also connected to the
cert-manager conversion webhook.
Release note:
/kind feature