addons: Add CRL Operator deployment by default

TeddyAndrieux · TeddyAndrieux · commit 6b04074011ee · 2025-11-12T14:33:22.000Z
diff --git a/.pylint-dict b/.pylint-dict
@@ -19,6 +19,8 @@ cp
 checksum
 checksums
 containerd
+CRL
+crl
 dataset
 de
 debuild
@@ -37,6 +39,7 @@ getitem
 globals
 gofmt
 Kube
+kustomize
 html
 init
 io
@@ -52,6 +55,7 @@ metadata
 mkdir
 mkisofs
 mypy
+namespace
 nginx
 observability
 pdf
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## Release 131.0.2 (in development)
 
+### Enhancements
+
+- Install [crl-operator](https://github.com/scality/crl-operator) version
+  [v1.0.0](https://github.com/scality/crl-operator/releases/tag/v1.0.0) by default
+  (PR[#4692](https://github.com/scality/metalk8s/pull/4692))
+
 ## Release 131.0.1
 
 ## Release 131.0.0
diff --git a/buildchain/buildchain/codegen.py b/buildchain/buildchain/codegen.py
@@ -5,11 +5,12 @@
 
 
 import shlex
-from typing import Callable, Iterator, Tuple
+from typing import Callable, Iterator, Tuple, Dict
 
 import doit  # type: ignore
 
 from buildchain import constants
+from buildchain import targets
 from buildchain import types
 from buildchain import utils
 
@@ -318,6 +319,65 @@ def codegen_chart_cert_manager() -> types.TaskDict:
     }
 
 
+def task_get_codegen_kustomize_crl_operator() -> types.TaskDict:
+    """Generate the kustomize manifests output for the CRL Operator."""
+    kustomize_dir = constants.ROOT / "kustomizes/crl-operator"
+
+    cmd = f"kustomize build {kustomize_dir}"
+
+    return {
+        "doc": task_get_codegen_kustomize_crl_operator.__doc__,
+        "actions": [doit.action.CmdAction(cmd, cwd=constants.ROOT, save_out="stdout")],
+        "file_dep": list(utils.git_ls(kustomize_dir)),
+        "task_dep": ["check_for:kustomize"],
+    }
+
+
+def task_transform_codegen_kustomize_crl_operator() -> types.TaskDict:
+    """Transform the kustomize manifests output for the CRL Operator."""
+
+    def _transform(stdout: str) -> Dict[str, str]:
+        """Transform the kustomize output."""
+        # Note: We have to replace the namespace 'crl-operator-system' by
+        # 'metalk8s-certs' as kustomize does not allow easily to patch every
+        # occurrence in "custom resources fields" like Certificate dnsNames.
+        return {
+            "output": stdout.strip().replace("crl-operator-system", "metalk8s-certs")
+        }
+
+    return {
+        "doc": task_transform_codegen_kustomize_crl_operator.__doc__,
+        "actions": [_transform],
+        "task_dep": ["get_codegen_kustomize_crl_operator"],
+        "getargs": {
+            "stdout": ("get_codegen_kustomize_crl_operator", "stdout"),
+        },
+    }
+
+
+def codegen_kustomize_crl_operator() -> types.TaskDict:
+    """Generate the SLS file for the CRL Operator."""
+    target_sls = constants.ROOT / "salt/metalk8s/addons/crl-operator/deployed/chart.sls"
+    template_file = constants.ROOT / "kustomizes/template.sls.in"
+
+    tpl_task = targets.TemplateFile(
+        task_name="kustomize_crl-operator",
+        source=template_file,
+        destination=target_sls,
+    )
+    tpl_task_dict = tpl_task.task
+    tpl_task_dict.update(
+        {
+            "title": utils.title_with_subtask_name("CODEGEN"),
+            "task_dep": ["transform_codegen_kustomize_crl_operator"],
+            "getargs": {
+                "Manifests": ("transform_codegen_kustomize_crl_operator", "output"),
+            },
+        }
+    )
+    return tpl_task_dict
+
+
 # List of available code generation tasks.
 CODEGEN: Tuple[Callable[[], types.TaskDict], ...] = (
     codegen_storage_operator,
@@ -330,6 +390,7 @@ def codegen_chart_cert_manager() -> types.TaskDict:
     codegen_chart_prometheus_adapter,
     codegen_chart_thanos,
     codegen_chart_cert_manager,
+    codegen_kustomize_crl_operator,
 )
 
 
diff --git a/buildchain/buildchain/config.py b/buildchain/buildchain/config.py
@@ -65,6 +65,7 @@ class ExtCommand(enum.Enum):
     SKOPEO = os.getenv("SKOPEO_BIN", "skopeo")
     TOX = os.getenv("TOX_BIN", "tox")
     VAGRANT = os.getenv("VAGRANT_BIN", "vagrant")
+    KUSTOMIZE = os.getenv("KUSTOMIZE_BIN", "kustomize")
 
     @property
     def command_name(self) -> str:
diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
@@ -219,6 +219,7 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
     ],
     constants.SCALITY_REPOSITORY: [
         "ui-operator",
+        "crl-operator",
     ],
 }
 
diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
@@ -292,6 +292,8 @@ def _download_ui_operator_crds() -> str:
     Path("salt/metalk8s/addons/cert-manager/deployed/chart.sls"),
     Path("salt/metalk8s/addons/cert-manager/deployed/init.sls"),
     Path("salt/metalk8s/addons/cert-manager/deployed/namespace.sls"),
+    Path("salt/metalk8s/addons/crl-operator/deployed/chart.sls"),
+    Path("salt/metalk8s/addons/crl-operator/deployed/init.sls"),
     Path("salt/metalk8s/addons/dex/ca/init.sls"),
     Path("salt/metalk8s/addons/dex/ca/installed.sls"),
     Path("salt/metalk8s/addons/dex/ca/advertised.sls"),
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
@@ -302,6 +302,11 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
         version=_version_prefix(CERT_MANAGER_VERSION),
         digest="sha256:a076f72f33a22dfd3a23727f1e1a069817819406b39e5b0fd9cb97d3338cb8d8",
     ),
+    Image(
+        name="crl-operator",
+        version="v1.0.0",
+        digest="sha256:86b4198036c1f83f1d9363a1e2ae78015482ca4fe60cd706939b8730c179ac8a",
+    ),
 )
 
 CONTAINER_IMAGES_MAP = {image.name: image for image in CONTAINER_IMAGES}
diff --git a/kustomizes/crl-operator/delete_ns.yaml b/kustomizes/crl-operator/delete_ns.yaml
@@ -0,0 +1,5 @@
+$patch: delete
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system
diff --git a/kustomizes/crl-operator/deploy_patch.yaml b/kustomizes/crl-operator/deploy_patch.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: not-important
+spec:
+  template:
+    nodeSelector:
+      node-role.kubernetes.io/master: ""
+    spec:
+      tolerations:
+      - key: "node-role.kubernetes.io/bootstrap"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/infra"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"
diff --git a/kustomizes/crl-operator/kustomization.yaml b/kustomizes/crl-operator/kustomization.yaml
@@ -0,0 +1,21 @@
+namespace: metalk8s-certs
+
+resources:
+  - github.com/scality/crl-operator.git/config/default?ref=v1.0.0
+
+images:
+  - name: controller 
+    newName: '{% endraw -%}{{ build_image_name("crl-operator", False) }}{%- raw %}'
+    newTag: v1.0.0
+
+patches:
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: "--cert-manager-namespace=metalk8s-certs"
+    target:
+      kind: Deployment
+  - path: deploy_patch.yaml
+    target:
+      kind: Deployment
+  - path: delete_ns.yaml
diff --git a/kustomizes/template.sls.in b/kustomizes/template.sls.in
@@ -0,0 +1,6 @@
+#!jinja | metalk8s_kubernetes
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+
+{%- raw %}
+@@Manifests
+{%- endraw %}
diff --git a/salt/metalk8s/addons/crl-operator/deployed/chart.sls b/salt/metalk8s/addons/crl-operator/deployed/chart.sls
diff --git a/salt/metalk8s/addons/crl-operator/deployed/init.sls b/salt/metalk8s/addons/crl-operator/deployed/init.sls
diff --git a/salt/metalk8s/deployed/init.sls b/salt/metalk8s/deployed/init.sls
diff --git a/tests/post/features/sanity.feature b/tests/post/features/sanity.feature

Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,7 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:`
`219`	`219`	`],`
`220`	`220`	`constants.SCALITY_REPOSITORY: [`
`221`	`221`	`"ui-operator",`
	`222`	`+ "crl-operator",`
`222`	`223`	`],`
`223`	`224`	`}`
`224`	`225`