feat: remove cert manager

this commit will likely break CI, but not exactly how,
will address in later commit

Author: lockwobr

.github/workflows/agent-ci.yaml

@@ -98,11 +98,14 @@ jobs:
           apt-get update && apt-get install -y make git jq
           cd agent
           # if this is a tag build, use the tag as the version, otherwise use the sha
-          TAGS="-t ${REGISTRY@L}/${{env.IMAGE_NAME}}/agent:${{ github.sha }}"
+          git fetch --all
+          export GIT_SHA=$(git rev-parse --short ${{ github.sha }})
+          TAGS="-t ${REGISTRY@L}/${{env.IMAGE_NAME}}/agent:${GIT_SHA}"
           case ${{ github.ref_type }} in
             branch)
                 # The last tag + current git sha
-                export AGENT_VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0")+${{ github.sha }}
+                export AGENT_VERSION=$(git tag --list 'agent*' --sort=-v:refname | head -n 1 | cut -d/ -f2 || echo "0.0.0")+${GIT_SHA}
+                TAGS="$TAGS -t ${REGISTRY@L}/${{env.IMAGE_NAME}}/agent:$(echo "${AGENT_VERSION}" | tr + -)"
                 ;;
             tag)
                 # The version part of the tag

.github/workflows/operator-ci.yaml

@@ -131,11 +131,14 @@ jobs:
           apt-get update && apt-get install -y make git jq
           cd operator
           # if this is a tag build, use the tag as the version, otherwise use the sha
-          TAGS="-t ${REGISTRY@L}/${{env.IMAGE_NAME}}/operator:${{ github.sha }}"
+          git fetch --all
+          export GIT_SHA=$(git rev-parse --short ${{ github.sha }})
+          TAGS="-t ${REGISTRY@L}/${{env.IMAGE_NAME}}/operator:${GIT_SHA}"
           case ${{ github.ref_type }} in
             branch)
                 # The last tag + current git sha
-                export OPERATOR_VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0")+${{ github.sha }}
+                export OPERATOR_VERSION=$(git tag --list 'operator*' --sort=-v:refname | head -n 1 | cut -d/ -f2 || echo "0.0.0")+${GIT_SHA}
+                TAGS="$TAGS -t ${REGISTRY@L}/${{env.IMAGE_NAME}}/operator:$(echo "${OPERATOR_VERSION}" | tr + -)"
                 ;;
             tag)
                 # The version part of the tag
@@ -149,7 +152,7 @@ jobs:
           esac
           set -x
           docker buildx build \
-            --build-arg GIT_SHA=$${{ github.sha }} \
+            --build-arg GIT_SHA=${GIT_SHA} \
             --build-arg VERSION=${OPERATOR_VERSION} \
             --build-arg GO_VERSION=${GO_VERSION} \
             --push \

.vscode/launch.json

@@ -10,6 +10,7 @@
             "request": "launch",
             "mode": "debug",
             "program": "${workspaceRoot}/operator/cmd/main.go",
+            "cwd": "${workspaceRoot}/operator",
             "buildFlags": "--ldflags '-X github.com/NVIDIA/skyhook/internal/version.GIT_SHA=foobars -X github.com/NVIDIA/skyhook/internal/version.VERSION=v0.5.0'",
             "env": {
                 "ENABLE_WEBHOOKS": "false",

README.md

@@ -50,7 +50,6 @@ There are a few pre-built generalist packages available at [NVIDIA/skyhook-packa
 ## Quick Start
 
 ### Install the operator
-  1. Install cert-manager `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml`
   1. Create a secret for the operator to pull images `kubectl create secret generic node-init-secret --from-file=.dockerconfigjson=${HOME}/.config/containers/auth.json --type=kubernetes.io/dockerconfigjson -n  skyhook`
   1. Install the operator `helm install skyhook ./chart --namespace skyhook`
 

agent/Makefile

@@ -56,11 +56,14 @@ docker-setup:
 	$(DOCKER_CMD) buildx create --platform linux/amd64,linux/arm64 --use builder
 	$(DOCKER_CMD) run --privileged --rm tonistiigi/binfmt --install amd64,arm64
 
-ACTUAL_TAGS=$(shell echo "-t $(REGISTRY)/$(AGENT_IMAGE):$(shell date +%y.%m.%d-%H%M%S)-$(COMMIT_SHORT_SHA) $(TAGS)" | tr A-Z a-z)
+GIT_SHA=$(shell git rev-parse --short HEAD)
+ACTUAL_TAGS=$(shell echo "-t $(REGISTRY)/$(AGENT_IMAGE):$(shell date +%y.%m.%d-%H%M%S)-$(GIT_SHA) $(TAGS)" | tr A-Z a-z)
 .PHONY: docker-build-only
 docker-build-only:
 	@echo "Building skyhook-agent $(DOCKER_CMD) image with tags: $(ACTUAL_TAGS)"
-	$(DOCKER_CMD) buildx build $(BUILD_ARGS) --build-arg AGENT_VERSION=$(AGENT_VERSION) --platform linux/amd64,linux/arm64 $(ACTUAL_TAGS) --metadata-file=metadata.json -f ../containers/agent.Dockerfile .
+	$(DOCKER_CMD) buildx build $(BUILD_ARGS) --build-arg AGENT_VERSION=$(AGENT_VERSION) \
+		--build-arg GIT_SHA=$(GIT_SHA) \
+		--platform linux/amd64,linux/arm64 $(ACTUAL_TAGS) --metadata-file=metadata.json -f ../containers/agent.Dockerfile .
 
 ##@ Vendor
 .PHONY: vendor

chart/templates/deployment.yaml

@@ -108,10 +108,6 @@ spec:
           {{- end }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
       - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
@@ -132,11 +128,6 @@ spec:
         runAsNonRoot: true
       serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
-      volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: webhook-server-cert
 {{ if ((.Values.controllerManager.podDisruptionBudget).minAvailable) }}
 {{ if ge .Values.controllerManager.podDisruptionBudget.minAvailable .Values.controllerManager.replicas }}
 {{- $_ := required "minAvailable to be less than replicas" .nil }}

chart/templates/manager-rbac.yaml

@@ -5,6 +5,17 @@ metadata:
   labels:
   {{- include "chart.labels" . | nindent 4 }}
 rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -66,6 +77,16 @@ rules:
   - pods/status
   verbs:
   - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
 - apiGroups:
   - skyhook.nvidia.com
   resources: