Integrate net-certmanager in Serving

.github/workflows/kind-e2e.yaml

@@ -87,7 +87,7 @@ jobs:
 
         ingress:
         - kourier
-        # - kourier-tls
+        - kourier-tls
         - istio
         - istio-tls
         # Disabled due to flakiness: https://github.com/knative/serving/issues/14637
@@ -130,10 +130,9 @@ jobs:
         #   ingress-class: istio
         #   ambient: 1
 
-        # Disabled due to flakiness: https://github.com/knative/serving/issues/15052
-        # - ingress: kourier-tls
-        #   ingress-class: kourier
-        #   enable-tls: 1
+        - ingress: kourier-tls
+          ingress-class: kourier
+          enable-tls: 1
 
         - test-suite: runtime
           test-path: ./test/conformance/runtime/...

cmd/controller/main.go

@@ -17,12 +17,25 @@ limitations under the License.
 package main
 
 import (
+	"context"
+	"fmt"
+
 	// The set of controllers this controller process runs.
 	"flag"
+	"log"
 
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	netcfg "knative.dev/networking/pkg/config"
+	"knative.dev/pkg/injection"
+	"knative.dev/pkg/injection/sharedmain"
 	"knative.dev/pkg/reconciler"
 	"knative.dev/pkg/signals"
+	"knative.dev/pkg/system"
+	"knative.dev/serving/pkg/reconciler/certificate"
 	"knative.dev/serving/pkg/reconciler/configuration"
+	"knative.dev/serving/pkg/reconciler/domainmapping"
 	"knative.dev/serving/pkg/reconciler/gc"
 	"knative.dev/serving/pkg/reconciler/labeler"
 	"knative.dev/serving/pkg/reconciler/nscert"
@@ -31,9 +44,12 @@ import (
 	"knative.dev/serving/pkg/reconciler/serverlessservice"
 	"knative.dev/serving/pkg/reconciler/service"
 
-	"knative.dev/pkg/injection"
-	"knative.dev/pkg/injection/sharedmain"
-	"knative.dev/serving/pkg/reconciler/domainmapping"
+	versioned "knative.dev/serving/pkg/client/certmanager/clientset/versioned"
+	"knative.dev/serving/pkg/client/certmanager/injection/informers/acme/v1/challenge"
+	v1certificate "knative.dev/serving/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
+	"knative.dev/serving/pkg/client/certmanager/injection/informers/certmanager/v1/certificaterequest"
+	"knative.dev/serving/pkg/client/certmanager/injection/informers/certmanager/v1/clusterissuer"
+	"knative.dev/serving/pkg/client/certmanager/injection/informers/certmanager/v1/issuer"
 )
 
 var ctors = []injection.ControllerConstructor{
@@ -53,5 +69,68 @@ func main() {
 		"reconciliation-timeout", reconciler.DefaultTimeout,
 		"The amount of time to give each reconciliation of a resource to complete before its context is canceled.")
 
-	sharedmain.MainWithContext(signals.NewContext(), "controller", ctors...)
+	ctx := signals.NewContext()
+
+	// HACK: This parses flags, so the above should be set once this runs.
+	cfg := injection.ParseAndGetRESTConfigOrDie()
+
+	// If nil it panics
+	client := kubernetes.NewForConfigOrDie(cfg)
+
+	if shouldEnableNetCertManagerController(ctx, client) {
+		v := versioned.NewForConfigOrDie(cfg)
+		if ok, err := certManagerCRDsExist(v); !ok {
+			log.Fatalf("Please install cert-manager: %v", err)
+		}
+		for _, inf := range []injection.InformerInjector{challenge.WithInformer, v1certificate.WithInformer, certificaterequest.WithInformer, clusterissuer.WithInformer, issuer.WithInformer} {
+			injection.Default.RegisterInformer(inf)
+		}
+		ctors = append(ctors, certificate.NewController)
+	}
+
+	sharedmain.MainWithConfig(ctx, "controller", cfg, ctors...)
+}
+
+func shouldEnableNetCertManagerController(ctx context.Context, client *kubernetes.Clientset) bool {
+	var cm *v1.ConfigMap
+	var err error
+	if cm, err = client.CoreV1().ConfigMaps(system.Namespace()).Get(ctx, "config-network", metav1.GetOptions{}); err != nil {
+		log.Fatalf("Failed to get cm config-network: %v", err)
+	}
+	netCfg, err := netcfg.NewConfigFromMap(cm.Data)
+	if err != nil {
+		log.Fatalf("Failed to construct network config: %v", err)
+	}
+
+	return netCfg.ExternalDomainTLS || netCfg.SystemInternalTLSEnabled() || (netCfg.ClusterLocalDomainTLS == netcfg.EncryptionEnabled) ||
+		netCfg.NamespaceWildcardCertSelector != nil
+}
+
+func certManagerCRDsExist(client *versioned.Clientset) (bool, error) {
+	if ok, err := findCRD(client, "cert-manager.io/v1", []string{"certificaterequests", "certificates", "clusterissuers", "issuers"}); !ok {
+		return false, err
+	}
+	if ok, err := findCRD(client, "acme.cert-manager.io/v1", []string{"challenges"}); !ok {
+		return false, err
+	}
+	return true, nil
+}
+
+func findCRD(client *versioned.Clientset, groupVersion string, crds []string) (bool, error) {
+	resourceList, err := client.Discovery().ServerResourcesForGroupVersion(groupVersion)
+	if err != nil {
+		return false, err
+	}
+	for _, crdName := range crds {
+		isCRDPresent := false
+		for _, resource := range resourceList.APIResources {
+			if resource.Name == crdName {
+				isCRDPresent = true
+			}
+		}
+		if !isCRDPresent {
+			return false, fmt.Errorf("cert manager crds are missing: %s", crdName)
+		}
+	}
+	return true, nil
 }

cmd/webhook/main.go

@@ -34,6 +34,7 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	servingv1beta1 "knative.dev/serving/pkg/apis/serving/v1beta1"
+	certconfig "knative.dev/serving/pkg/reconciler/certificate/config"
 
 	// resource validation types
 	net "knative.dev/networking/pkg/apis/networking/v1alpha1"
@@ -143,17 +144,18 @@ func newConfigValidationController(ctx context.Context, cmw configmap.Watcher) *
 
 		// The configmaps to validate.
 		configmap.Constructors{
-			tracingconfig.ConfigName:       tracingconfig.NewTracingConfigFromConfigMap,
-			autoscalerconfig.ConfigName:    autoscalerconfig.NewConfigFromConfigMap,
-			gc.ConfigName:                  gc.NewConfigFromConfigMapFunc(ctx),
-			netcfg.ConfigMapName:           network.NewConfigFromConfigMap,
-			deployment.ConfigName:          deployment.NewConfigFromConfigMap,
-			apisconfig.FeaturesConfigName:  apisconfig.NewFeaturesConfigFromConfigMap,
-			metrics.ConfigMapName():        metrics.NewObservabilityConfigFromConfigMap,
-			logging.ConfigMapName():        logging.NewConfigFromConfigMap,
-			leaderelection.ConfigMapName(): leaderelection.NewConfigFromConfigMap,
-			domainconfig.DomainConfigName:  domainconfig.NewDomainFromConfigMap,
-			apisconfig.DefaultsConfigName:  apisconfig.NewDefaultsConfigFromConfigMap,
+			tracingconfig.ConfigName:         tracingconfig.NewTracingConfigFromConfigMap,
+			autoscalerconfig.ConfigName:      autoscalerconfig.NewConfigFromConfigMap,
+			gc.ConfigName:                    gc.NewConfigFromConfigMapFunc(ctx),
+			netcfg.ConfigMapName:             network.NewConfigFromConfigMap,
+			deployment.ConfigName:            deployment.NewConfigFromConfigMap,
+			apisconfig.FeaturesConfigName:    apisconfig.NewFeaturesConfigFromConfigMap,
+			metrics.ConfigMapName():          metrics.NewObservabilityConfigFromConfigMap,
+			logging.ConfigMapName():          logging.NewConfigFromConfigMap,
+			leaderelection.ConfigMapName():   leaderelection.NewConfigFromConfigMap,
+			domainconfig.DomainConfigName:    domainconfig.NewDomainFromConfigMap,
+			apisconfig.DefaultsConfigName:    apisconfig.NewDefaultsConfigFromConfigMap,
+			certconfig.CertManagerConfigName: certconfig.NewCertManagerConfigFromConfigMap,
 		},
 	)
 }

config/core/200-roles/clusterrole.yaml

@@ -51,3 +51,9 @@ rules:
   - apiGroups: ["caching.internal.knative.dev"]
     resources: ["images"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "clusterissuers", "certificaterequests", "issuers"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

config/core/configmaps/certmanager.yaml

@@ -0,0 +1,68 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-certmanager
+  namespace: knative-serving
+  labels:
+    app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: devel
+    networking.knative.dev/certificate-provider: cert-manager
+  annotations:
+    knative.dev/example-checksum: "b7a9a602"
+data:
+  _example: |
+    ################################
+    #                              #
+    #    EXAMPLE CONFIGURATION     #
+    #                              #
+    ################################
+
+    # This block is not actually functional configuration,
+    # but serves to illustrate the available configuration
+    # options and document them in a way that is accessible
+    # to users that `kubectl edit` this config map.
+    #
+    # These sample configuration options may be copied out of
+    # this block and unindented to actually change the configuration.
+
+    # issuerRef is a reference to the issuer for external-domain certificates used for ingress.
+    # IssuerRef should be either `ClusterIssuer` or `Issuer`.
+    # Please refer `IssuerRef` in https://cert-manager.io/docs/concepts/issuer/
+    # for more details about IssuerRef configuration.
+    # If the issuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
+    issuerRef: |
+      kind: ClusterIssuer
+      name: letsencrypt-issuer
+
+    # clusterLocalIssuerRef is a reference to the issuer for cluster-local-domain certificates used for ingress.
+    # clusterLocalIssuerRef should be either `ClusterIssuer` or `Issuer`.
+    # Please refer `IssuerRef` in https://cert-manager.io/docs/concepts/issuer/
+    # for more details about ClusterInternalIssuerRef configuration.
+    # If the clusterLocalIssuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
+    clusterLocalIssuerRef: |
+      kind: ClusterIssuer
+      name: your-company-issuer
+
+    # systemInternalIssuerRef is a reference to the issuer for certificates for system-internal-tls certificates used by Knative internal components.
+    # systemInternalIssuerRef should be either `ClusterIssuer` or `Issuer`.
+    # Please refer `IssuerRef` in https://cert-manager.io/docs/concepts/issuer/
+    # for more details about ClusterInternalIssuerRef configuration.
+    # If the systemInternalIssuerRef is not specified, the self-signed `knative-selfsigned-issuer` ClusterIssuer is used.
+    systemInternalIssuerRef: |
+      kind: ClusterIssuer
+      name: knative-selfsigned-issuer

config/core/webhooks/configmap-validation.yaml

@@ -36,5 +36,5 @@ webhooks:
       values: ["knative-serving"]
     - key: app.kubernetes.io/component
       operator: In
-      values: ["autoscaler", "controller", "logging", "networking", "observability", "tracing"]
+      values: ["autoscaler", "controller", "logging", "networking", "observability", "tracing", "net-certmanager"]
   timeoutSeconds: 10

go.mod

@@ -4,7 +4,9 @@ go 1.21
 
 require (
 	github.com/ahmetb/gen-crd-api-reference-docs v0.3.1-0.20210609063737-0067dc6dcea2
-	github.com/davecgh/go-spew v1.1.1
+	github.com/cert-manager/cert-manager v1.13.3
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
+	github.com/ghodss/yaml v1.0.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.13.0
@@ -45,10 +47,10 @@ require (
 	contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 	contrib.go.opencensus.io/exporter/zipkin v0.1.2 // indirect
-	github.com/Azure/azure-sdk-for-go v67.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
@@ -84,16 +86,16 @@ require (
 	github.com/docker/docker v25.0.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/swag v0.22.7 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -108,7 +110,7 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
 	github.com/influxdata/tdigest v0.0.1 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.16.6 // indirect
@@ -128,7 +130,7 @@ require (
 	github.com/prometheus/statsd_exporter v0.22.7 // indirect
 	github.com/rs/dnscache v0.0.0-20211102005908-e0241e321417 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tsenart/go-tsz v0.0.0-20180814235614-0bd30b3df1c3 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
@@ -153,6 +155,7 @@ require (
 	k8s.io/gengo v0.0.0-20240129211411-f967bbeff4b4 // indirect
 	k8s.io/klog v1.0.0 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
+	sigs.k8s.io/gateway-api v0.8.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )