- Student: Tim Ramlot
- Github: @inteon
- Organization: CNCF - cert-manager
- Project: Make it easy to install and verify the installation of cert-manager
- Mentor: Richard Wall (@wallrj)
The project proposal: GSoC - cert-manager proposal PDF. In addition to the proposal, we identified during the project that there are many other improvements that could be made to the cert-manager installation process, which is why the scope of the project was broadened. Besides adding an install command to the kubectl plugin, I worked on enhancing other parts of the install process.
cert-manager is one of the most frequently used Kubernetes applications. Users with different backgrounds and different goals use this tool, and for all of them the first step is installation. The aim of this GSoC project is to reduce the effort an end-user needs to install cert-manager. Multiple aspects can be improved to that end: installation tools, documentation and workflows.
cert-manager has a kubectl plugin that is listed in the kubectl krew index. The main objective of this GSoC project is adding an install command to this kubectl plugin. I developed this feature using the Helm Go libraries, so that all the Helm templating options are supported by the kubectl plugin too.
The install feature was released as part of the cert-manager 1.5 release. The documentation for this install method can be found at https://cert-manager.io/docs/installation/kubectl-plugin/.
The benefit of using this kubectl command over the Helm CLI is that it installs the CRDs in a way that prevents helm uninstall from deleting the CRDs while uninstalling cert-manager; deleting the CRDs would also delete every Certificate, Issuer and other cert-manager resource in the cluster.
In addition to the install tool, I created a command, kubectl cert-manager check api, for checking whether the cert-manager API (https://cert-manager.io/docs/installation/verify/#check-cert-manager-api) is ready, and I added logic to the kubectl cert-manager version command for extracting the installed version from a cert-manager deployment.
The cert-manager API check is useful for detecting whether cert-manager resources can already be created through the Kubernetes API. Directly after installing cert-manager, the webhook Kubernetes resources (conversion, validating and mutating) do not yet contain the CA of the webhook's TLS certificate. Requests from the apiserver to the webhook service therefore fail, because the apiserver cannot yet verify the webhook's serving certificate. When using the Helm chart, kubectl cert-manager check api is now run as part of a Helm post-install hook job, so Helm users automatically wait for the check to succeed.
A Helm chart is used for templating the cert-manager manifests. The chart is also used directly by end-users who want to install cert-manager. Helm templates can greatly reduce the complexity of tuning the Kubernetes resources. The downside of Helm templates is that the templating parameters are fully defined by the chart creator, which leads to an inconsistent configuration interface across charts. One way to simplify managing the Helm chart parameters is adding JSON schema validation rules (a values.schema.json that Helm checks the supplied values against at install time). However, maintaining this JSON schema by hand is quite a challenge for a chart owner. As part of the GSoC project, I created a tool that generates this JSON schema from Go code. Besides that, it can generate the parameter documentation for the chart's README.md from the comments in the Go code. This tool might be useful for other projects that want to add and maintain complex JSON schemas for their Helm charts.
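To show the idea behind such a generator, here is an added example that is not the tool described above nor any cert-manager code: HelmValues is a constructed stand-in for a chart's values, struct tags carry the values.yaml keys and descriptions (the real tool reads Go comments; tags are used here to keep the example self-contained), and reflection turns the struct into the values.schema.json that Helm validates at install time.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)
// HelmValues is a constructed stand-in for a chart's values (not cert-manager's real ones):
// `json` gives the values.yaml key, `doc` the description reused in the schema and README table.
type HelmValues struct {
	InstallCRDs  bool  `json:"installCRDs" doc:"Install the cert-manager CRDs together with the chart"`
	ReplicaCount int   `json:"replicaCount,omitempty" doc:"Number of controller replicas"`
	Image        Image `json:"image" doc:"Controller image settings"`
}

type Image struct {
	Repository string `json:"repository" doc:"Image repository"`
	Tag        string `json:"tag,omitempty" doc:"Image tag, defaults to the chart appVersion"`
}

var kinds = map[reflect.Kind]string{reflect.Bool: "boolean", reflect.Int: "integer", reflect.String: "string"}

// SchemaFor walks t with reflection: struct fields become properties, fields without
// omitempty are required, and additionalProperties=false makes a misspelled key fail
// `helm install` instead of being silently ignored.
func SchemaFor(t reflect.Type) map[string]interface{} {
	if t.Kind() != reflect.Struct {
		return map[string]interface{}{"type": kinds[t.Kind()]}
	}
	props, required := map[string]interface{}{}, []string{}
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		tag := strings.Split(f.Tag.Get("json"), ",")
		prop := SchemaFor(f.Type)
		prop["description"] = f.Tag.Get("doc")
		props[tag[0]] = prop
		if len(tag) == 1 { // no omitempty: the key must be present in values.yaml
			required = append(required, tag[0])
		}
	}
	return map[string]interface{}{"type": "object", "properties": props, "required": required, "additionalProperties": false}
}

// ValuesSchemaJSON renders the schema for HelmValues, ready to be written to values.schema.json.
func ValuesSchemaJSON() string {
	b, _ := json.MarshalIndent(SchemaFor(reflect.TypeOf(HelmValues{})), "", "  ")
	return string(b)
}
func main() { fmt.Println(ValuesSchemaJSON()) }
```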
Some of my contributions are improvements to the cert-manager codebase that are not directly linked to installing cert-manager. I made these improvements because of a problem or bug that I encountered and tried to fix. For example, I worked on properly shutting down the cert-manager controllers and releasing the leader election lease on shutdown.
cert-manager organizes two kinds of recurring meetings:
- daily stand-up meetings on Google Meet at 10:30 London time
- bi-weekly developer meetings on Google Meet at 17:00 London time: see the meeting notes; the meetings are recorded and available on the cert-manager YouTube channel
As part of the GSoC project, I participated in all the daily stand-up meetings and presented the GSoC results at 2 bi-weekly developer meetings (2021-07-14 and 2021-07-28).
Below are the PRs that I created as part of my GSoC participation and that are now part of the cert-manager codebase. The list also includes some PRs that are still being reviewed.
MERGED cert-manager/website:
- ✅ Update artifacthub link | #663
- ✅ Add 'kubectl cert-manager check api' docs | #656
- ✅ Install add 'kubectl cert-manager x install' documentation | #655
- ✅ restructured install documentation | #647
- ✅ upgrade hugo + upgrade docsy | #628
MERGED jetstack/cert-manager:
- ✅ Refactor the end-to-end ACME HTTP01 tests (continuation of #3836) | #4128
- ✅ Basic install functionality for kubectl plugin | #4138
- ✅ chore: deduplicate subDomainName generation logic in tests | #4154
- ✅ cleanup tests: WaitForCertificateReady | #4157
- ✅ add -s and -w flags to the go_binary linkopts | #4169
- ✅ Set linkopts "-w" instead of "-w -s" when building go binaries | #4181
- ✅ Upgrade all "hack" tools to the latest version | #4183
- ✅ Add basic tests to kubectl cert-manager x install | #4184
- ✅ Remove Helm-specific labels & add version label | #4190
- ✅ Fix vscode crash | #4200
- ✅ add -prune=true & go mod tidy to update-deps.sh | #4201
- ✅ Update ginkgo and gomega versions | #4202
- ✅ Add kubectl 'cert-manager check api' command | #4205
- ✅ Use 'kubectl cert-manager check api' in verify-upgrade.sh | #4218
- ✅ add 'kubectl cert-manager version' | #4226
- ✅ Set correct exit codes | #4230
- ✅ Add startup api check Job | #4234
- ✅ Resolve test flakes "the object has been modified" | #4239
- ✅ Cleanup goroutine management | #4243
- ✅ Correctly print conditions during tests | #4295
- ✅ Improve certificate condition checking and error logging | #4298
- ✅ Update bazel docker rules & go.mod dependencies | #4299
- ✅ Cleanup tests | #4300
- ✅ Don't wait for hooks in kubectl cert-manager x install integration test | #4342
- ✅ Don't wait for hooks in kubectl cert-manager x install integration test (part 2) | #4347
- ✅ Integration tests cleanup | #4335
- ✅ Upgrade deps (kube v0.22.0) | #4348
- ✅ rerun git tags command when //:version changes | #4363
REVIEWING jetstack/cert-manager: