
@inteon
Last active August 25, 2021 11:34
Google Summer of Code - @inteon cert-manager - work product

Google Summer of Code - 2021

  • Student: Tim Ramlot
  • Github: @inteon
  • Organization: CNCF - cert-manager
  • Project: Make it easy to install and verify the installation of cert-manager
  • Mentor: Richard Wall (@wallrj)

Project proposal:

The project proposal: GSoC - cert-manager proposal PDF. In addition to the proposal, we identified during the project that there are a lot of other improvements that could be made regarding the cert-manager installation process. That is why the scope of the project was broadened. Besides adding an install command to the kubectl plugin, I worked on enhancing other parts of the install process.

Summary

cert-manager is one of the most frequently used Kubernetes applications. Users with different backgrounds and different goals are using this tool. The first step when using cert-manager is the installation step. The aim of this GSoC project is to reduce the effort necessary for an end-user to install cert-manager. To that end, multiple aspects can be improved: installation tools, documentation and workflows.

Project execution:

kubectl plugin

cert-manager has a kubectl plugin that is listed in the kubectl krew index. The main objective of this GSoC project is adding a function to this kubectl plugin for installing cert-manager. I developed this feature using the Helm go libraries, so that all the Helm templating options are supported by the kubectl plugin too.

The install feature was released as part of the cert-manager 1.5 release. The documentation for this install method can be found at https://cert-manager.io/docs/installation/kubectl-plugin/.

The benefit of using this kubectl command over the Helm CLI is that it installs the CRDs in a way that prevents helm uninstall from deleting the CRDs while uninstalling cert-manager.

In addition to the install tool, I created a command, kubectl cert-manager check api, for checking whether the cert-manager API is ready (https://cert-manager.io/docs/installation/verify/#check-cert-manager-api), and I added logic to the kubectl cert-manager version command for extracting the installed version from a cert-manager deployment.

The cert-manager API check is useful for detecting whether cert-manager resources can already be created against the Kubernetes API. Directly after installing cert-manager, the Kubernetes webhook resources (conversion, validating & mutating) do not yet contain the trusted CA of the webhook's TLS certificate. Requests from the apiserver to the webhook service therefore fail, because the apiserver cannot yet authenticate the webhook. When using the Helm chart, kubectl cert-manager check api is now run as part of a Helm post-install hook job, which means that Helm users automatically wait for the check to succeed.
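As an added illustration of the post-install hook pattern described above (constructed here, not the cert-manager chart's own manifests), the following Job runs the API check after the release's resources are created, so helm install does not return before the webhook is reachable. Object names, the image tag and the --wait value are assumptions.

```yaml
# Constructed illustration of the pattern; not the chart's own manifests.
# Names, image tag and --wait value are assumptions. The RBAC objects are
# ordinary chart resources, so they exist before the post-install hook runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-api-check
  namespace: cert-manager
---
# The check performs a dry-run create of a Certificate, hence this permission.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-api-check
  namespace: cert-manager
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-api-check
  namespace: cert-manager
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: cert-manager-api-check}
subjects:
  - {kind: ServiceAccount, name: cert-manager-api-check, namespace: cert-manager}
---
# post-install hook: Helm creates this Job after the release's resources and
# waits for it to succeed before reporting the install as complete.
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-manager-api-check
  namespace: cert-manager
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: cert-manager-api-check
      restartPolicy: OnFailure
      containers:
        - name: check-api
          image: quay.io/jetstack/cert-manager-ctl:v1.5.0  # assumed; match the installed release
          args: ["check", "api", "--wait=2m"]  # retry until the API answers or 2m elapses
```

If the webhook never becomes reachable, the Job exhausts its backoffLimit and the Helm release is reported as failed instead of silently succeeding.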

Helm chart

A Helm chart is used for templating the cert-manager manifests. The chart is also used directly by end-users who want to install cert-manager. Helm templates can greatly reduce the complexity of tuning the Kubernetes resources. The downside of Helm templates is that the templating parameters are fully managed by the chart creator, which leads to an inconsistent configuration interface across charts. One way to simplify managing the Helm chart parameters is adding JSON schema validation rules. However, it is quite a challenge for a chart owner to maintain this JSON schema. As part of the GSoC project, I created a tool that generates this JSON schema from Go code. It can also generate documentation for the chart's README.md file based on the comments in the Go code. This tool might be useful for other projects that want to add and maintain complex JSON schemas for their Helm charts.

Upgrades, bugs and improvements

Some of my contributions are improvements to the cert-manager codebase that are not directly linked to installing cert-manager. I made these improvements because of a problem or bug that I encountered and tried to fix. For example, I worked on properly shutting down the cert-manager controllers and freeing the leader election lease on shutdown.

Development meetings

cert-manager organizes 2 types of regularly recurring meetings: daily stand-up meetings and bi-weekly developer meetings.

As part of the GSoC project, I participated in all the daily stand-up meetings and presented the GSoC results at 2 bi-weekly developer meetings (2021-07-14 and 2021-07-28).

Pull-request contribution summary:

Below are the PRs that I created as part of my GSoC participation and that are now part of the cert-manager codebase. The list also includes some PRs that are still in the process of being reviewed.

MERGED cert-manager/website:

MERGED jetstack/cert-manager:

REVIEWING jetstack/cert-manager:
