Add scripts to rebase istio-csr upstream manifests

swghosh · swghosh · commit 4ce10b86d158 · 2025-03-11T15:55:18.000+05:30
with `make update`

* ISTIO_CSR_VERSION in Makefile points to release version of upstream istio-csr
* hack/update-istio-csr-manifests.sh pulls from upstream, modifies and places in bindata/

Signed-off-by: Swarup Ghosh &lt;swghosh@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -97,6 +97,8 @@ GOLANGCI_LINT_BIN=$(BIN_DIR)/golangci-lint
 
 OPERATOR_SDK_BIN=$(BIN_DIR)/operator-sdk
 
+HELM_BIN=$(BIN_DIR)/helm
+
 COMMIT ?= $(shell git rev-parse HEAD)
 SHORTCOMMIT ?= $(shell git rev-parse --short HEAD)
 GOBUILD_VERSION_ARGS = -ldflags "-X $(PACKAGE)/pkg/version.SHORTCOMMIT=$(SHORTCOMMIT) -X $(PACKAGE)/pkg/version.COMMIT=$(COMMIT)"
@@ -107,7 +109,7 @@ E2E_TIMEOUT ?= 1h
 E2E_GINKGO_LABEL_FILTER ?= "Platform: isSubsetOf {AWS}"
 
 MANIFEST_SOURCE = https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
-
+ISTIO_CSR_VERSION = "v0.14.0"
 
 ##@ Development
 
@@ -141,8 +143,9 @@ test: manifests generate fmt vet ## Run tests.
 	mkdir -p "$(ENVTEST_ASSETS_DIR)"
 	KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(ENVTEST_ASSETS_DIR) -p path)" go test ./... -coverprofile cover.out
 
-update-manifests:
+update-manifests: $(HELM_BIN)
 	hack/update-cert-manager-manifests.sh $(MANIFEST_SOURCE)
+	hack/update-istio-csr-manifests.sh $(ISTIO_CSR_VERSION)
 .PHONY: update-manifests
 
 update-scripts:
@@ -285,6 +288,10 @@ $(OPERATOR_SDK_BIN):
 	mkdir -p $(BIN_DIR)
 	hack/operator-sdk.sh $(OPERATOR_SDK_BIN)
 
+$(HELM_BIN):
+	mkdir -p $(BIN_DIR)
+	hack/helm.sh $(HELM_BIN)
+
 clean:
 	go clean
 	rm -f $(BIN)
diff --git a/hack/helm.sh b/hack/helm.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eou pipefail
+
+OUTPUT_PATH=${1:-./bin/helm}
+VERSION="v3.17.1"
+
+GOOS=$(go env GOOS)
+GOARCH=$(go env GOARCH)
+
+TAR_FILENAME="helm-${VERSION}-${GOOS}-${GOARCH}.tar.gz"
+TAR_DL_URL="https://get.helm.sh/${TAR_FILENAME}"
+
+TEMP_DIR=$(mktemp -d)
+
+echo "> downloading helm binary"
+
+curl --silent --location -o "${TEMP_DIR}/${TAR_FILENAME}" "${TAR_DL_URL}"
+tar -C "${TEMP_DIR}" -xzf "${TEMP_DIR}/${TAR_FILENAME}"
+mv "${TEMP_DIR}/${GOOS}-${GOARCH}/helm" "${OUTPUT_PATH}"
+
+echo "> helm binary available at ${OUTPUT_PATH}"
diff --git a/hack/lib/yq.sh b/hack/lib/yq.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+OUTPUT_PATH="./bin/yq"
+
+if [ ! -f "${OUTPUT_PATH}" ]; then
+    echo "---- Installing yq tooling ----"
+
+    DIR=$(dirname "${OUTPUT_PATH}")
+    mkdir -p "${DIR}"
+    curl -s -f -L "https://github.com/mikefarah/yq/releases/download/v4.13.3/yq_$(go env GOHOSTOS)_$(go env GOHOSTARCH)" -o "${OUTPUT_PATH}"
+    chmod +x "${OUTPUT_PATH}"
+
+    echo "yq binary installed in ${OUTPUT_PATH}"
+fi
diff --git a/hack/update-cert-manager-manifests.sh b/hack/update-cert-manager-manifests.sh
@@ -3,6 +3,7 @@
 set -e
 
 source "$(dirname "${BASH_SOURCE}")/lib/init.sh"
+source "$(dirname "${BASH_SOURCE}")/lib/yq.sh"
 
 MANIFEST_SOURCE=${1:?"missing Cert Manager manifest url. You can use either http:// or file://"}
 
@@ -11,19 +12,12 @@ mkdir -p ./_output
 echo "---- Downloading manifest file from $MANIFEST_SOURCE ----"
 curl -NLs "$MANIFEST_SOURCE" -o ./_output/manifest.yaml
 
-echo "---- Installing tooling ----"
-if [ ! -f ./_output/tools/bin/yq ]; then
-    mkdir -p ./_output/tools/bin
-    curl -s -f -L https://github.com/mikefarah/yq/releases/download/v4.13.3/yq_$(go env GOHOSTOS)_$(go env GOHOSTARCH) -o ./_output/tools/bin/yq
-    chmod +x ./_output/tools/bin/yq
-fi
-
 go install ./vendor/github.com/google/go-jsonnet/cmd/jsonnet
 
 echo "---- Patching manifest ----"
 # Upstream manifest includes yaml items in a single file as separate yaml documents.
 # JSON cannot handle this so create one yaml document which includes an array of items instead.
-./_output/tools/bin/yq \
+./bin/yq \
     --output-format json \
     eval-all '. as $item ireduce ([]; . + $item)' \
     _output/manifest.yaml \
@@ -34,7 +28,7 @@ echo "---- Patching manifest ----"
 jsonnet \
     --tla-code-file manifest=_output/manifest_as_array.json \
     jsonnet/main.jsonnet \
-    | ./_output/tools/bin/yq e '.' - \
+    | ./bin/yq e '.' - \
     > _output/targets_as_map.json
 
 # regenerate all bindata
@@ -43,12 +37,12 @@ rm -rf bindata/cert-manager-deployment
 rm -rf config/crd/bases/*-crd.yaml
 
 # Split the produced target items in separate files and convert back to yaml.
-for file in $(./_output/tools/bin/yq eval 'keys | join(" ")' _output/targets_as_map.json)
+for file in $(./bin/yq eval 'keys | join(" ")' _output/targets_as_map.json)
 do
     dir=$(dirname "${file}")
     mkdir -p "${dir}"
     echo "${file}"
-    ./_output/tools/bin/yq \
+    ./bin/yq \
         --output-format yaml --prettyPrint \
         eval ".[\"${file}\"]" _output/targets_as_map.json \
         > "${file}"
diff --git a/hack/update-istio-csr-manifests.sh b/hack/update-istio-csr-manifests.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -e
+
+source "$(dirname "${BASH_SOURCE}")/lib/init.sh"
+source "$(dirname "${BASH_SOURCE}")/lib/yq.sh"
+
+ISTIO_CSR_VERSION=${1:?"missing istio-csr version. Please specify a version from https://github.com/cert-manager/istio-csr/releases"}
+
+mkdir -p ./_output
+
+echo "---- Downloading istio-csr manifests ${ISTIO_CSR_VERSION} ----"
+
+./bin/helm repo add jetstack https://charts.jetstack.io --force-update
+./bin/helm template cert-manager-istio-csr jetstack/cert-manager-istio-csr \
+    -n cert-manager --version "${ISTIO_CSR_VERSION}" > _output/istio-csr-manifest.yaml
+
+echo "---- Patching manifest ----"
+
+# remove the helm specific labels from .metadata.labels and .spec.template.metadata.labels
+./bin/yq e 'del(.metadata.labels."helm.sh/chart")' -i _output/istio-csr-manifest.yaml
+./bin/yq e 'del(.spec.template.metadata.labels."helm.sh/chart")' -i _output/istio-csr-manifest.yaml
+./bin/yq e 'del(.spec.template.metadata.labels."app.kubernetes.io/managed-by")' -i _output/istio-csr-manifest.yaml
+
+# update all occurences of app.kubernetes.io/managed-by label value.
+./bin/yq e \
+  '(.[][] | select(has("app.kubernetes.io/managed-by"))."app.kubernetes.io/managed-by") |= "cert-manager-operator"' \
+  -i _output/istio-csr-manifest.yaml
+
+# regenerate all bindata
+rm -rf bindata/istio-csr
+mkdir -p bindata/istio-csr
+
+# split into individual manifest files
+./bin/yq --output-format json \
+    eval-all '.' -I 0 \
+    _output/istio-csr-manifest.yaml | while read -r item; do
+
+  name=$(echo "$item" | ./bin/yq eval '.metadata.name' -)
+  kind=$(echo "$item" | ./bin/yq eval '.kind' - | tr '[:upper:]' '[:lower:]')
+
+  # skip unused manifests
+  if [[ "${name}-${kind}" == "cert-manager-istio-csr-metrics-service" || \
+        "${name}-${kind}" == "cert-manager-istio-csr-dynamic-istiod-rolebinding" \
+  ]]; then
+    
+    continue
+  fi
+  
+  output_file="bindata/istio-csr/${name}-${kind}.yaml"
+
+  echo "$item" | ./bin/yq eval -P > "$output_file"
+  echo "$output_file"
+done
