Merge pull request #2880 from openziti/upgrade-cert-manager

upgrade cert-manager

Author: qrkourier

.github/workflows/test-deployments.yml

@@ -20,7 +20,7 @@ env:
 jobs:
   build-linux-packages:
     name: Build ${{ matrix.package_name }} ${{ matrix.arch.gox }} ${{ matrix.packager }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         package_name:
@@ -77,7 +77,7 @@ jobs:
   dry-run-linux-packages:
     needs: build-linux-packages
     name: Dry Run ${{ format('{0}:{1}', matrix.distro.name, matrix.distro.version) }} ${{ matrix.arch.gox }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     env:
       ZITI_PWD: ziggypw
       ZITI_CTRL_ADVERTISED_ADDRESS: linux-controller.127.21.71.0.sslip.io
@@ -136,7 +136,10 @@ jobs:
       - name: Install Packages
         shell: bash
         run: |
-          set -x
+
+          set -o pipefail
+          set -o xtrace
+
           ls -lR ./release/
           case "${{ matrix.distro.type }}" in
             rpm)
@@ -158,7 +161,10 @@ jobs:
         env:
           DEBUG: 1
         run: |
-          set -x
+
+          set -o pipefail
+          set -o xtrace
+
           /opt/openziti/etc/controller/bootstrap.bash <<CTRL
           ZITI_CTRL_ADVERTISED_ADDRESS=${ZITI_CTRL_ADVERTISED_ADDRESS}
           ZITI_CTRL_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT}
@@ -176,9 +182,9 @@ jobs:
           ZITI_ARGS="--verbose"
           ROUTER
 
-  test-linux-services:
-    name: Test Debian Linux Services
-    runs-on: ubuntu-latest
+  linux-deployments:
+    name: Test Linux Deployments
+    runs-on: ubuntu-24.04
     steps:
       - name: Shallow checkout
         uses: actions/checkout@v4
@@ -192,9 +198,13 @@ jobs:
       - name: Install nfpm
         shell: bash
         run: |
+
+          set -o pipefail
+          set -o xtrace
+
           echo ~/.local/bin >> $GITHUB_PATH
           mkdir -p ~/.local/bin
-          wget -qO- https://github.com/goreleaser/nfpm/releases/download/v${{ env.NFPM_VERSION }}/nfpm_${{ env.NFPM_VERSION }}_Linux_x86_64.tar.gz | tar --directory ~/.local/bin -xz nfpm
+          wget -qO- https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz | tar --directory ~/.local/bin -xz nfpm
           nfpm --version
 
       - name: Bootstrap & Run
@@ -205,8 +215,10 @@ jobs:
         if: always()
         shell: bash
         run: |
-          set -x
-          set +e
+
+          set -o xtrace
+          set +o errexit
+
           sudo ss -lntp | grep -E ":(${ZITI_CTRL_ADVERTISED_PORT}|${ZITI_ROUTER_PORT})"
           sudo journalctl --no-pager -o cat -u ziti-controller.service
           sudo journalctl --no-pager -o cat -u ziti-router.service
@@ -215,7 +227,7 @@ jobs:
 
   docker-deployments:
     name: Test Docker Deployments
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     env:
       ZIGGY_UID: 1001  # let container EUID run-as GHA "runner" user to share cache, etc.
     steps:
@@ -228,15 +240,15 @@ jobs:
         with:
           go-version-file: ./go.mod
 
-      - name: Run the Compose Test Script
+      - name: Run the Docker Test Script
         shell: bash
-        run: dist/docker-images/compose.test.bash
+        run: dist/docker-images/docker.test.bash
         env:
           ZITI_GO_VERSION: ${{ steps.setup-go.outputs.go-version }}
 
   kubernetes-deployments:
     name: Test Kubernetes Deployments
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     env:
       ZITI_NAMESPACE: zititest
     steps:
@@ -257,4 +269,3 @@ jobs:
       - name: Run the Kubernetes Test Script
         shell: bash
         run: ./dist/docker-images/k8s.test.bash --cpus=2  # GitHub runners have 4 vCPUs
-

dist/dist-packages/linux/linux.test.bash

@@ -182,18 +182,26 @@ else
     exit 1
 fi
 
+export \
 ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=${ZITI_CTRL_ADVERTISED_ADDRESS} \
-ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT} \
-go test -v -count=1 -tags="quickstart manual" ./ziti/cmd/edge/...
+ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT}
+
+_test_result=$(go test -v -count=1 -tags="quickstart manual" ./ziti/run/...)
+
+# check for failure modes that don't result in an error exit code
+if [[ "${_test_result}" =~ "no tests to run" ]]
+then
+    echo "ERROR: test failed because no tests to run"
+    exit 1
+fi
 
 ATTEMPTS=5
 DELAY=3
 
 # verify console is available
 curl_cmd="curl -skSfw '%{http_code}\t%{url}\n' -o/dev/null \"https://${ZITI_CTRL_ADVERTISED_ADDRESS}:${ZITI_CTRL_ADVERTISED_PORT}/zac/\""
-until ! ((ATTEMPTS)) || eval "${curl_cmd}" &> /dev/null
+until ! (( ATTEMPTS-- )) || eval "${curl_cmd}" &> /dev/null
 do
-    (( ATTEMPTS-- ))
     echo "Waiting for zac"
     sleep ${DELAY}
 done

dist/docker-images/compose.test.bash dist/docker-images/docker.test.bash

@@ -124,18 +124,26 @@ ziti edge create edge-router "${ZITI_ROUTER_NAME}" -to ~ziggy/.config/ziti/"${ZI
 docker compose up ziti-router --detach
 
 unset GOOS
+export \
 ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=${ZITI_CTRL_ADVERTISED_ADDRESS} \
-ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT} \
-go test -v -count=1 -tags="quickstart manual" ./ziti/cmd/edge/...
+ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT}
+
+_test_result=$(go test -v -count=1 -tags="quickstart manual" ./ziti/run/...)
+
+# check for failure modes that don't result in an error exit code
+if [[ "${_test_result}" =~ "no tests to run" ]]
+then
+    echo "ERROR: test failed because no tests to run"
+    exit 1
+fi
 
 ATTEMPTS=5
 DELAY=3
 
 # verify console is available
 curl_cmd="curl -skSfw '%{http_code}\t%{url}\n' -o/dev/null \"https://${ZITI_CTRL_ADVERTISED_ADDRESS}:${ZITI_CTRL_ADVERTISED_PORT}/zac/\""
-until ! ((ATTEMPTS)) || eval "${curl_cmd}" &> /dev/null
+until ! (( ATTEMPTS-- )) || eval "${curl_cmd}" &> /dev/null
 do
-    (( ATTEMPTS-- ))
     echo "Waiting for zac"
     sleep ${DELAY}
 done

dist/docker-images/k8s.test.bash

@@ -122,34 +122,40 @@ image:
     pullPolicy: Never
 ROUTER
 
-./quickstart/kubernetes/miniziti.bash start \
+bash -x ./quickstart/kubernetes/miniziti.bash start \
 --profile "${ZITI_NAMESPACE}" \
 --no-hosts \
---debug \
 --values-dir "${EXTRA_VALUES_DIR}"
 
 MINIKUBE_IP="$(minikube --profile "${ZITI_NAMESPACE}" ip)"
+ZITI_CTRL_ADVERTISED_ADDRESS="miniziti-controller.${MINIKUBE_IP}.sslip.io"
 
 # verify console is available
-curl -skSfw '%{http_code}\t%{url}\n' -o/dev/null "https://miniziti-controller.${MINIKUBE_IP}.sslip.io/zac/"
+curl -skSfw '%{http_code}\t%{url}\n' -o/dev/null "https://${ZITI_CTRL_ADVERTISED_ADDRESS}:${ZITI_CTRL_ADVERTISED_PORT}/zac/"
 
 ZITI_PWD=$(
-minikube kubectl --profile "${ZITI_NAMESPACE}" -- \
---context "${ZITI_NAMESPACE}" \
-get secrets "ziti-controller-admin-secret" \
---namespace "${ZITI_NAMESPACE}" \
---output go-template='{{index .data "admin-password" | base64decode }}'
+    minikube kubectl --profile "${ZITI_NAMESPACE}" -- \
+        --context "${ZITI_NAMESPACE}" \
+        get secrets "ziti-controller-admin-secret" \
+        --namespace "${ZITI_NAMESPACE}" \
+        --output go-template='{{index .data "admin-password" | base64decode }}'
 )
 
 
 export \
 ZITI_PWD \
 ZITI_ROUTER_NAME="miniziti-router" \
-ZITI_CTRL_ADVERTISED_ADDRESS="miniziti-controller.${MINIKUBE_IP}.sslip.io"
-
-ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=${ZITI_CTRL_ADVERTISED_ADDRESS} \
-ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT} \
-ZITI_TEST_BIND_ADDRESS="ziti-controller-client.${ZITI_NAMESPACE}.svc.cluster.local" \
-go test -v -count=1 -tags="quickstart manual" ./ziti/cmd/edge/...
+ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${ZITI_CTRL_ADVERTISED_ADDRESS}" \
+ZITI_CTRL_EDGE_ADVERTISED_PORT="${ZITI_CTRL_ADVERTISED_PORT}" \
+ZITI_TEST_BIND_ADDRESS="ziti-controller-client.${ZITI_NAMESPACE}.svc.cluster.local"
+
+_test_result=$(go test -v -count=1 -tags="quickstart manual" ./ziti/run/...)
+
+# check for failure modes that don't result in an error exit code
+if [[ "${_test_result}" =~ "no tests to run" ]]
+then
+    echo "ERROR: test failed because no tests to run"
+    exit 1
+fi
 
 cleanup

quickstart/kubernetes/miniziti.bash

@@ -432,7 +432,7 @@ checkCommand() {
 
 main(){
     checkBashVersion >&2
-    MINIZITI_DEBUG=0
+
     # require commands
     declare -a BINS=(awk grep helm jq minikube nslookup pgrep sed xargs)
     for BIN in "${BINS[@]}"; do
@@ -442,6 +442,14 @@ main(){
     # open a descriptor for debug messages
     exec 3>/dev/null
 
+    # xtrace opt implies --verbose
+    if [[ $- =~ x ]]; then
+        MINIZITI_DEBUG=1
+        exec 3>&1
+    else
+        MINIZITI_DEBUG=0
+    fi
+
     # local strings with defaults that never produce an error
     declare DELETE_MINIZITI=0 \
             DETECTED_OS \
@@ -768,12 +776,6 @@ main(){
         --selector app.kubernetes.io/component=controller \
         --timeout "${MINIZITI_TIMEOUT_SECS}s" >&3
 
-    logDebug "applying Custom Resource Definitions: Certificate, Issuer, and Bundle"
-    kubectlWrapper apply \
-        --filename https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.crds.yaml >&3
-    kubectlWrapper apply \
-        --filename https://raw.githubusercontent.com/cert-manager/trust-manager/v0.7.0/deploy/crds/trust.cert-manager.io_bundles.yaml >&3
-
     declare -A HELM_REPOS
     HELM_REPOS[openziti]="openziti.io/helm-charts"
     HELM_REPOS[jetstack]="charts.jetstack.io"
@@ -788,21 +790,26 @@ main(){
         fi
     done
 
+    helmWrapper upgrade --install cert-manager jetstack/cert-manager \
+        --namespace cert-manager --create-namespace \
+        --set crds.enabled=true
+    kubectlWrapper wait deployments -n cert-manager --for condition=Available --timeout="${MINIZITI_TIMEOUT_SECS}s" --all >&3
+
+    kubectlWrapper get namespace "${ZITI_NAMESPACE}" &>/dev/null || kubectlWrapper create namespace "${ZITI_NAMESPACE}" >&3
+    helmWrapper upgrade --install trust-manager jetstack/trust-manager \
+        --namespace cert-manager \
+        --set crds.keep=false \
+        --set app.trust.namespace="${ZITI_NAMESPACE}"
+    kubectlWrapper wait deployments -n cert-manager --for condition=Available --timeout="${MINIZITI_TIMEOUT_SECS}s" trust-manager >&3
+
     #
     ## Ensure OpenZiti Controller is Upgraded and Ready
     #
 
     logInfo "installing openziti controller chart"
-    (( ZITI_CHARTS_ALT )) && {
-        logDebug "building ${ZITI_CHARTS_REF}/ziti-controller Helm Chart dependencies"
-        helmWrapper dependency build "${ZITI_CHARTS_REF}/ziti-controller" >&3
-    }
     local -a _controller_cmd=(upgrade --install "ziti-controller" "${ZITI_CHARTS_REF}/ziti-controller"
         --namespace "${ZITI_NAMESPACE}" --create-namespace
         --set clientApi.advertisedHost="miniziti-controller.${MINIZITI_INGRESS_ZONE}"
-        --set trust-manager.app.trust.namespace="${ZITI_NAMESPACE}"
-        --set trust-manager.enabled=true
-        --set cert-manager.enabled=true
         --values "${ZITI_CHARTS_URL}/ziti-controller/values-ingress-nginx.yaml"
         --set ctrlPlane.service.enabled=false
         --set ctrlPlane.ingress.enabled=false
@@ -816,13 +823,11 @@ main(){
         kubectlWrapper config set-context "${MINIKUBE_PROFILE}" \
             --namespace "${ZITI_NAMESPACE}" >&3
 
-    for DEPLOYMENT in ziti-controller-cert-manager trust-manager ziti-controller; do
-        logInfo "waiting for $DEPLOYMENT to be ready"
-        kubectlWrapper wait deployments "$DEPLOYMENT" \
+    logInfo "waiting for ziti-controller to be ready"
+    kubectlWrapper wait deployments ziti-controller \
             --namespace "${ZITI_NAMESPACE}" \
             --for condition=Available=True \
             --timeout "${MINIZITI_TIMEOUT_SECS}s" >&3
-    done
 
     #
     ## Ensure Minikube Tunnel is Running on macOS and WSL
@@ -964,10 +969,6 @@ EOF
     fi
 
     logDebug "installing router chart as 'ziti-router'"
-    (( ZITI_CHARTS_ALT )) && {
-        logDebug "building ${ZITI_CHARTS_REF}/ziti-router Helm Chart dependencies"
-        helmWrapper dependency build "${ZITI_CHARTS_REF}/ziti-router" >&3
-    }
     local -a _router_cmd=(upgrade --install "ziti-router" "${ZITI_CHARTS_REF}/ziti-router"
         --namespace "${ZITI_NAMESPACE}"
         --set-file enrollmentJwt="$ROUTER_OTT"