openshift-routes
[Release v0.6.0] Manual Testing Before Releasing
After changing the release process in #60, Tim released v0.6.0-alpha.0 and asked me so that we (the community) can test the Helm chart and the images before releasing v0.6.0.
Notable changes between v0.5.0 and v0.6.0-alpha.0
In particular, two changes may affect you:
- The file static/cert-manager-openshift-routes.yaml is no longer present in the repository. You can continue relying on the generated cert-manager-openshift-routes.yaml, for example:
  oc apply -f https://github.com/cert-manager/openshift-routes/releases/download/v0.6.0-alpha.0/cert-manager-openshift-routes.yaml
- Image tags now use the v prefix:
  -ghcr.io/cert-manager/cert-manager-openshift-routes:0.5.0
  +ghcr.io/cert-manager/cert-manager-openshift-routes:v0.6.0-alpha.0
Please test this alpha!
For anyone willing to test this alpha release, here is the Helm command:
helm upgrade -i openshift-routes -n cert-manager \
oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0-alpha.0
And the static manifest:
oc apply -f https://github.com/cert-manager/openshift-routes/releases/download/v0.6.0-alpha.0/cert-manager-openshift-routes.yaml
Please report any issues you see.
I used the following commands to test the release:
kind create cluster
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.15.1 \
--set crds.enabled=true
kubectl apply -f https://raw.githubusercontent.com/openshift/api/release-4.18/route/v1/zz_generated.crd-manifests/routes-Default.crd.yaml
helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0-alpha.0
./test/test-smoke.sh
Output:
clusterissuer.cert-manager.io/selfsigned-issuer unchanged
certificate.cert-manager.io/my-selfsigned-ca unchanged
issuer.cert-manager.io/my-ca-issuer unchanged
route.route.openshift.io/test-031340e6aede736fbb484d3f created
route.route.openshift.io/test-031340e6aede736fbb484d3f patched
++ Certificate:
++ Certificate decoded:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ff:3b:48:0a:9d:41:fe:e5:34:77:6a:d0:96:c3:e0:76
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = my-selfsigned-ca
Validity
Not Before: Jul 18 11:17:14 2024 GMT
Not After : Jul 18 11:18:14 2024 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
44:74:F8:90:ED:8E:B5:AE:08:50:99:3F:32:81:D6:AD:D2:37:4C:B1
X509v3 Subject Alternative Name: critical
DNS:hello-openshift-hello-openshift.test1, DNS:hello-openshift-hello-openshift.test2
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
Found DNS:hello-openshift-hello-openshift.test1 in certificate
Found DNS:hello-openshift-hello-openshift.test2 in certificate
route.route.openshift.io "test-031340e6aede736fbb484d3f" deleted
@maelvls
Thanks Tim!
I've tried to do a full end-to-end test using openshift-router. I've taken inspiration from https://github.com/cert-manager/openshift-routes/pull/27#pullrequestreview-1418666685.
kind create cluster --image=kindest/node:v1.29.2
helm upgrade -i cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set crds.enabled=true
helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0-alpha.0
Install OpenShift Route CRDs and controller:
Important: the image quay.io/repository/openshift/origin-haproxy-router:4.11 is a single-arch image meant for arm64.
kubectl apply -f https://raw.githubusercontent.com/openshift/router/release-4.11/deploy/route_crd.yaml
kubectl apply -f https://raw.githubusercontent.com/openshift/router/release-4.11/deploy/router_rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/openshift/router/release-4.11/deploy/router.yaml
kubectl set image -n openshift-ingress deploy/ingress-router router=quay.io/openshift/origin-haproxy-router:4.11
kubectl set env -n openshift-ingress deploy/ingress-router ROUTER_DOMAIN=domain.com
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: endpointslices-reader
rules:
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: endpointslices-reader-binding
subjects:
  - kind: ServiceAccount
    name: ingress-router
    namespace: openshift-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: endpointslices-reader
Run openshift-routes:
helm upgrade -i openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0-alpha.0
Create a cert-manager ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: self-signed
  namespace: cert-manager
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example
  namespace: cert-manager
spec:
  isCA: true
  privateKey:
    algorithm: ECDSA
    size: 256
  secretName: example
  commonName: example root
  duration: 262800h
  issuerRef:
    name: self-signed
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example
  namespace: cert-manager
spec:
  ca:
    secretName: example
Create a Route with the subdomain foo. Since openshift-ingress has been configured with ROUTER_DOMAIN=domain.com, we don't need to specify the full domain. The actual hostname will be foo.domain.com.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: example-route
  annotations:
    cert-manager.io/issuer-name: example
    cert-manager.io/issuer-kind: ClusterIssuer
spec:
  subdomain: foo
  wildcardPolicy: None
  to:
    name: httpbin
Get the IP of the node:
IP=$(kubectl get nodes -ojson | jq '.items[].status.addresses[] | select(.type == "InternalIP").address' -r)
Confirm that the issued cert's SAN is foo.domain.com:
openssl s_client -connect $IP:443 -servername foo.domain.com 2>/dev/null <<<"" \
| openssl x509 -noout -text \
| awk '/Subject: C=/{printf $NF"\n"} /DNS:/{x=gsub(/ *DNS:/, ""); printf "SANS=" $0"\n"}'
As expected, it shows:
SANS=foo.domain.com
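The smoke-test output earlier in the thread ("Found DNS:... in certificate") and the awk check above both reduce to one question: does the served certificate carry a SAN for the host the Route will actually get, and is it still valid? Below is an added Python version of that check (my example, not code from the openshift-routes project or from anyone in this thread); the hostname precedence it assumes (spec.host, then subdomain plus ROUTER_DOMAIN, else name-namespace.ROUTER_DOMAIN) and the sample openssl output are assumptions constructed from what the thread shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the lines of `openssl x509 -noout -text` output that the check
# needs, modelled on the decoded certificate quoted in this thread.
SAMPLE_X509_TEXT = """\
        Validity
            Not After : Jul 18 11:18:14 2024 GMT
            X509v3 Subject Alternative Name: critical
                DNS:hello-openshift-hello-openshift.test1, DNS:hello-openshift-hello-openshift.test2
"""

def expected_route_host(route: dict, router_domain: str) -> str:
    """Hostname the router serves for a Route. Assumed precedence (matches what the
    thread shows): spec.host, then <subdomain>.<ROUTER_DOMAIN>, else <name>-<namespace>.<ROUTER_DOMAIN>."""
    spec, meta = route.get("spec", {}), route["metadata"]
    if spec.get("host"):
        return spec["host"]
    if spec.get("subdomain"):
        return f"{spec['subdomain']}.{router_domain}"
    return f"{meta['name']}-{meta['namespace']}.{router_domain}"

def parse_sans(x509_text: str) -> list[str]:
    """DNS SAN entries, i.e. what the awk '/DNS:/' line above greps for."""
    return re.findall(r"DNS:([^\s,]+)", x509_text)

def parse_not_after(x509_text: str) -> datetime:
    m = re.search(r"Not After\s*:\s*(.+ GMT)", x509_text)
    if not m:
        raise ValueError("no 'Not After' line in openssl output")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def san_matches(host: str, san: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one left-most label."""
    if san.startswith("*."):
        hl, sl = host.lower().split("."), san.lower().split(".")
        return len(hl) == len(sl) and hl[1:] == sl[1:] and hl[0] != ""
    return host.lower() == san.lower()

def check_route_cert(route: dict, router_domain: str, x509_text: str, now: datetime) -> list[str]:
    """Return the list of problems; an empty list means the served cert is what the Route asked for."""
    host = expected_route_host(route, router_domain)
    sans = parse_sans(x509_text)
    problems = []
    if not any(san_matches(host, s) for s in sans):
        problems.append(f"no SAN matches {host}: SANs={sans}")
    if parse_not_after(x509_text) <= now:
        problems.append("certificate is already expired")
    return problems
```

Feed it the output of the `openssl s_client ... | openssl x509 -noout -text` pipeline above together with the Route manifest and the ROUTER_DOMAIN value you set on the router deployment.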
@inteon Let's wait until we have a good story around the static manifest that was removed: https://github.com/cert-manager/openshift-routes/issues/73
@jacksgt Would you be able to test this alpha? 🙏
helm upgrade -i openshift-routes -n cert-manager \
oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0-alpha.0
v0.6.0 has now been released: https://github.com/cert-manager/openshift-routes/releases/tag/v0.6.0