Add kubectl 'cert-manager check api' command #4205
Hi @inteon. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
c7dbd73 to 323110e
This works pretty well Tim, thanks.
But please:
- Use it after the helm upgrade --install in the E2E tests.
- Add unit-tests
- Link to some prototype documentation for it.
- Make it react quickly to ctrl-c
- Make it print meaningful messages to the console, currently I see
bazel run //cmd/ctl -- check api
...
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
^Cwhile attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
In the absence of cert-manager.
And if I leave it running while I install cert-manager I get:
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
while attempting dry-run creation of Certificate: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
The Kubernetes Api is ready to created cert-manager resources against
Try and make it a bit more user friendly.
c941dcc to 9aef0e3
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
… fixed os.Exit(1) Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
@inteon This is looking good.
A few more comments and suggestions.
Signed-off-by: Inteon <42113979+inteon@users.noreply.github.com>
9aef0e3 to 21bc989
This is great @inteon
I tested the various output flags and I really like the logged messages:
- Without an API server
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api
Error: while creating client: Get "http://localhost:8080/api?timeout=32s": dial tcp [::1]:8080: connect: connection refused
- Timeout while cert-manager is installing
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:29:12 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:17 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:25 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:33 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server (error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io")
2021/07/16 12:29:43 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:47 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:52 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:29:57 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:30:02 Not ready: the cert-manager webhook deployment is not ready yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.12.222:443: connect: connection refused)
2021/07/16 12:30:08 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:12 Timed out after 1m0s
- Eventual Success
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:30:16 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:21 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:26 Not ready: the cert-manager webhook CA bundle is not injected yet (Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority)
2021/07/16 12:30:31 The cert-manager API is ready
- Immediate success
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api --wait=1m -v
2021/07/16 12:30:34 The cert-manager API is ready
- Non-waiting user-friendly success output
bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/cmd/ctl/kubectl-cert_manager check api
The cert-manager API is ready
- Unexpected error with clean ctrl-c exit
bazel-bin/hack/bin/kubectl-cert_manager check api -v --as anon --wait=1m
2021/07/16 12:37:59 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:05 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:10 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:15 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:20 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
2021/07/16 12:38:25 Not ready: certificates.cert-manager.io is forbidden: User "anon" cannot create resource "certificates" in API group "cert-manager.io" in the namespace "default"
^C
And the tests now cover all the translateError cases
And the e2e test now precompiles the CLI for faster API check
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
$TEST_TMPDIR defined: output root default is '/bazel-scratch/.cache/bazel' and max_idle_secs default is '15'.
Starting local Bazel server and connecting to it...
INFO: Invocation ID: 30d7517b-66f5-411d-a266-3786d113e452
Loading:
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
currently loading: hack/bin
Analyzing: target //hack/bin:kubectl-cert_manager (1 packages loaded, 0 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (17 packages loaded, 18 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (93 packages loaded, 7373 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (144 packages loaded, 7487 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (225 packages loaded, 7872 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (433 packages loaded, 9093 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (639 packages loaded, 11271 targets configured)
Analyzing: target //hack/bin:kubectl-cert_manager (784 packages loaded, 12180 targets configured)
INFO: Analyzed target //hack/bin:kubectl-cert_manager (863 packages loaded, 13064 targets configured).
INFO: Found 1 target...
[2 / 545] [Prepa] BazelWorkspaceStatusAction stable-status.txt
[466 / 1,247] checking cached actions
[1,246 / 1,247] checking cached actions
Target //hack/bin:kubectl-cert_manager up-to-date:
bazel-bin/hack/bin/kubectl-cert_manager_script
bazel-bin/hack/bin/kubectl-cert_manager
INFO: Elapsed time: 19.311s, Critical Path: 2.89s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
$TEST_TMPDIR defined: output root default is '/bazel-scratch/.cache/bazel' and max_idle_secs default is '15'.
INFO: Invocation ID: 7c24871c-0cd8-48a4-9cb9-e7e74f8ed03f
2021/07/16 11:20:01 The cert-manager API is ready
I think the use of error.Unwrap is a bit unconventional. I'd rather have used errors.As, but it works fine so let's merge and get this into the next cert-manager alpha release.
Please add a PR to the website (release-next branch) with some documentation explaining when and how to use this command, a release note paragraph about it, and recommend it in the https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation (if you haven't already done that).
I'm just going to run the e2e test against K8S 1.16 to check that our dry-run mechanism works there too:
/test pull-cert-manager-e2e-v1-16
/lgtm
/hold
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon, wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/unhold
What this PR does / why we need it:
Adds the kubectl 'cert-manager check api' command.
This check attempts to perform a dry-run create of a cert-manager v1alpha2
Certificate resource in order to verify that CRDs are installed and all the
required webhooks are reachable by the K8S API server.
We use v1alpha2 API to ensure that the API server has also connected to the
cert-manager conversion webhook.
Release note:
/kind feature
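
The stage-by-stage readiness reporting and prompt ctrl-c exit discussed in this thread, as an added Go example that is not the PR's code. `classify`, `waitReady` and the `Err…` sentinels are hypothetical names, the probe stands in for the dry-run Certificate create, and the matched substrings are taken from the log lines quoted above.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical sentinels, one per "Not ready" stage in the logs above.
var (
	ErrCRDsMissing     = errors.New("the cert-manager CRDs are not yet installed")
	ErrWebhookDown     = errors.New("the cert-manager webhook deployment is not ready yet")
	ErrCABundleMissing = errors.New("the cert-manager webhook CA bundle is not injected yet")
)

// classify wraps a raw dry-run error in its stage so callers can use errors.Is.
func classify(err error) error {
	has := func(s string) bool { return err != nil && strings.Contains(err.Error(), s) }
	switch {
	case has("no matches for kind"):
		return fmt.Errorf("%w (%v)", ErrCRDsMissing, err)
	case has("failed calling webhook") && has("connection refused"):
		return fmt.Errorf("%w (%v)", ErrWebhookDown, err)
	case has("failed calling webhook") && has("certificate signed by unknown authority"):
		return fmt.Errorf("%w (%v)", ErrCABundleMissing, err)
	}
	return err // nil, or e.g. an RBAC "forbidden" error, unchanged
}

// waitReady polls probe until it succeeds or ctx ends (--wait timeout, ctrl-c).
func waitReady(ctx context.Context, every time.Duration, probe func() error) error {
	for err := classify(probe()); err != nil; err = classify(probe()) {
		select {
		case <-ctx.Done():
			return fmt.Errorf("%w; last state: %v", ctx.Err(), err)
		case <-time.After(every):
		}
	}
	return nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Millisecond)
	defer cancel()
	raw := errors.New(`failed calling webhook "webhook.cert-manager.io": x509: certificate signed by unknown authority`) // constructed
	fmt.Println(waitReady(ctx, 10*time.Millisecond, func() error { return raw }))
}
```

The `x509: certificate signed by unknown authority` stage means the API server is refusing to trust the webhook's serving certificate until the CA bundle is injected, so the check reports it and keeps waiting.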