Update nightly build to cover caBundle setup for webhook

.github/workflows/nightly.yaml

@@ -29,9 +29,11 @@ jobs:
     # Install tools
     - uses: ko-build/[email protected]
       with:
-        version: v0.13.0
+        version: v0.14.1
     - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
     - uses: sigstore/cosign-installer@v3
+    - name: Install Spruce
+      run: make install-spruce
 
     - name: Get current date
       id: date
@@ -55,6 +57,9 @@ jobs:
         mv sample-strategies.yaml nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
         gh release upload nightly nightly-${{ steps.date.outputs.date }}-sample-strategies.yaml
 
+        echo ${{ steps.date.outputs.date }} > /tmp/latest.txt
+        gh release upload nightly /tmp/latest.txt --clobber
+
     - name: Update latest tag of supporting images
       working-directory: ./cmd
       run: |

.github/workflows/release.yaml

@@ -37,8 +37,10 @@ jobs:
     # Install tools
     - uses: ko-build/[email protected]
       with:
-        version: v0.13.0
+        version: v0.14.1
     - uses: sigstore/cosign-installer@v3
+    - name: Install Spruce
+      run: make install-spruce
 
     - name: Build Release Changelog
       env:

Makefile

@@ -104,7 +104,10 @@ build-image-with-pprof:
 
 .PHONY: release
 release:
+	hack/patch-crds-with-conversion.sh
+	sed -i "s/caBundle: CA_BUNDLE//" deploy/crds/*.yaml
 	hack/release.sh
+	git restore deploy/crds
 
 .PHONY: generate
 generate:

README.md

@@ -43,6 +43,7 @@ Shipwright supports any tool that can build container images in Kubernetes clust
   ```bash
   kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.44.0/release.yaml
   ```
+
   If you are using OpenShift cluster refer [Running on OpenShift](#running-on-openshift) for some more configurations.
 
 - Install the Shipwright deployment. To install the latest version, run:
@@ -51,12 +52,25 @@ Shipwright supports any tool that can build container images in Kubernetes clust
   kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/release.yaml
   ```
 
+  To install the latest nightly release, run:
+
+  ```bash
+  kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt).yaml" --server-side
+  curl --silent --location https://raw.githubusercontent.com/shipwright-io/build/main/hack/setup-webhook-cert.sh | bash
+  ```
+
 - Install the Shipwright strategies. To install the latest version, run:
 
   ```bash
   kubectl apply --filename https://github.com/shipwright-io/build/releases/download/v0.11.0/sample-strategies.yaml
   ```
 
+  To install the latest nightly release, run:
+
+  ```bash
+  kubectl apply --filename "https://github.com/shipwright-io/build/releases/download/nightly/nightly-$(curl --silent https://github.com/shipwright-io/build/releases/download/nightly/latest.txt)-sample-strategies.yaml" --server-side
+  ```
+
 - Generate a secret to access your container registry, such as one on [Docker Hub](https://hub.docker.com/) or [Quay.io](https://quay.io/):
 
   ```bash

hack/release.sh

@@ -13,19 +13,28 @@ echo "Building container image"
 
 echo "Adding io.shipwright.vcs-ref label with value: ${GITHUB_SHA}"
 
+PLATFORM="${PLATFORM:-all}"
+
+echo "[INFO] Building images and release.yaml"
 KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS}" ko resolve \
   --base-import-paths \
+  --recursive \
   --tags "${TAG}" \
   --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
-  --platform=all -R -f deploy/ > release.yaml
+  --platform "${PLATFORM}" \
+  --filename deploy/ > release.yaml
 
+echo "[INFO] Building debug images and release-debug.yaml"
 KO_DOCKER_REPO="${IMAGE_HOST}/${IMAGE_NAMESPACE}" GOFLAGS="${GO_FLAGS} -tags=pprof_enabled" ko resolve \
   --base-import-paths \
+  --recursive \
   --tags "${TAG}-debug" \
   --image-label "io.shipwright.vcs-ref=${GITHUB_SHA}" \
-  --platform=all -R -f deploy/ > release-debug.yaml
+  --platform "${PLATFORM}" \
+  --filename deploy/ > release-debug.yaml
 
 # Bundle the sample cluster build strategies, remove namespace strategies first
+echo "[INFO] Bundling sample build strategies"
 find samples/buildstrategy -type f -print0 | xargs -0 grep -l "kind: BuildStrategy" | xargs rm -f
-ko resolve -R -f samples/buildstrategy/ > sample-strategies.yaml
+KO_DOCKER_REPO=dummy ko resolve --recursive --filename samples/buildstrategy/ > sample-strategies.yaml
 git restore samples/buildstrategy

hack/setup-webhook-cert.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# Copyright The Shipwright Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+if ! hash jq >/dev/null 2>&1 ; then
+  echo "[ERROR] jq is not installed"
+  exit 1
+fi
+
+if ! hash openssl >/dev/null 2>&1 ; then
+  echo "[ERROR] openssl is not installed"
+  exit 1
+fi
+
+echo "[INFO] Generating key and signing request for Shipwright Build Webhook"
+
+cat <<EOF >/tmp/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = shp-build-webhook
+DNS.2 = shp-build-webhook.shipwright-build
+DNS.3 = shp-build-webhook.shipwright-build.svc
+DNS.4 = shp-build-webhook.shipwright-build.svc.cluster.local
+EOF
+
+openssl genrsa -out /tmp/server-key.pem 2048
+openssl req -new -days 365 -key /tmp/server-key.pem -subj "/O=system:nodes/CN=system:node:shp-build-webhook.shipwright-build.svc.cluster.local" -out /tmp/server.csr -config /tmp/csr.conf
+
+echo "[INFO] Deleting previous CertificateSigningRequest"
+kubectl delete csr shipwright-build-webhook-csr --ignore-not-found
+
+echo "[INFO] Create a CertificateSigningRequest"
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: shipwright-build-webhook-csr
+spec:
+  groups:
+  - system:authenticated
+  request: $(base64 </tmp/server.csr | tr -d '\n')
+  signerName: kubernetes.io/kubelet-serving
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+EOF
+
+echo "[INFO] Approve the CertificateSigningRequest"
+kubectl certificate approve shipwright-build-webhook-csr
+
+certificate=$(kubectl get csr shipwright-build-webhook-csr -o json | jq -r '.status.certificate')
+while [ "${certificate}" == "null" ]; do
+  echo "[INFO] Waiting for certificate to be ready"
+  sleep 1
+  certificate=$(kubectl get csr shipwright-build-webhook-csr -o json | jq -r '.status.certificate')
+done
+
+openssl base64 -d -A -out /tmp/server-cert.pem <<<"${certificate}"
+
+echo "[INFO] Deleting the CertificateSigningRequest"
+kubectl delete csr shipwright-build-webhook-csr --ignore-not-found
+
+echo "[INFO] Creating TLS secret shipwright-build-webhook-cert"
+kubectl -n shipwright-build delete secret shipwright-build-webhook-cert --ignore-not-found
+kubectl -n shipwright-build create secret tls shipwright-build-webhook-cert --cert /tmp/server-cert.pem --key /tmp/server-key.pem
+rm -rf /tmp/csr.conf /tmp/server-cert.pem /tmp/server-key.pem
+
+echo "[INFO] Retrieving CABundle"
+CA="$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')"
+
+echo "[INFO] Patching caBundle into CustomResourceDefinitions"
+kubectl patch crd clusterbuildstrategies.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
+kubectl patch crd buildstrategies.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
+kubectl patch crd builds.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
+kubectl patch crd buildruns.shipwright.io -p "{\"spec\":{\"conversion\":{\"webhook\":{\"clientConfig\":{\"caBundle\":\"${CA}\"}}}}}"
+
+echo "[INFO] Restarting shipwright-build-webhook"
+kubectl -n shipwright-build rollout restart deployment shipwright-build-webhook
+kubectl -n shipwright-build rollout status deployment shipwright-build-webhook