Use jetstack public to build and fix Application wrangling

[maelvls]

In this PR, I fix a couple of things

2. Remind ourselves that we should only use jetstack-public in order to run gcloud builds submit, otherwise the verify step will fail (see "hardcoded" in cloudbuild.yml)
3. Fix the Application component wrangling (cainjector and webhook still missing...). the names are confusion thourh (controller = google-cas-issuer), so we need to work that out
4. ubbagent is now a side-car to the cert-manager controller deployment
5. I had to unpack the cert-manager tarball... sorry for the 16 000 new lines!!!

[maelvls]

I have cut a second release, 1.1.0-gcm.2, that fixes the issues reported in #34> In a few words, the deployments are now properly showing in the application UI. This fix was urgent because the application UI is the first page they will see after having clicked "Deploy"; in 1.1.0-gcm.1, cert-manager would not even show up in the UI. Only the ubbagent was showing, which makes for a very poor experience.

My plan is to click "Submit for review" tonight (probably late), and have Google review 1.1.0-gcm.2 during the night (10-11 March). If Google accepts it during the night, we should be able to make the application public by tomorrow morning.

Last note: I am still very unhappy with 1.1.0-gcm.2 (see below screenshot). Two deployments are missing from the list (even though they are running fine): the cainjector and the webhook. The deployment names are ultra confusing. Also, the icon is broken:

Here is a view of the Application UI after installing the application:

step by step process

First I built 1.1.0-gcm.2 deployer:

% gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
  --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=1.1,_APP_VERSION=1.1.0-gcm.2

• logs
• image: gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.1.0-gcm.2

Then I retagged the images

retag() {
  docker pull $1 && docker tag $1 $2 && docker push $2
}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager:{google-review,1.1.0-gcm.2}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-acmesolver:{google-review,1.1.0-gcm.2}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-cainjector:{google-review,1.1.0-gcm.2}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-webhook:{google-review,1.1.0-gcm.2}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-google-cas-issuer:{google-review,1.1.0-gcm.2}
retag gcr.io/jetstack-public/jetstack-secure-for-cert-manager/preflight:{google-review,1.1.0-gcm.2}
retag gcr.io/cloud-marketplace-tools/metering/ubbagent:latest gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent:1.1.0-gcm.2

Finally I did (still on the branch... I know, not good)

git tag 1.1.0-gcm.2
git push --tags

Then I updated the version on the UI and clicked "Submit for review".

[maelvls]

I have cut another release, 1.1.0-gcm.3. With this last release, we fixed all the issues that we knew of (icon is now showing, deployment names are now way more descriptive, ubbagent is integrated in the main cert-manager pod instead of being a standalone deployment).

My plan is to click "Submit for review" in a few minutes, and have Google review 1.1.0-gcm.3 during the night (11-12 March). If Google accepts it during the night, we should be able to make the application public by tomorrow morning!

step by step process

first I built 1.1.0-gcm.3 deployer

% gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
  --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=1.1,_APP_VERSION=1.1.0-gcm.3

• logs
• image: gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.1.0-gcm.3

Finally, I did

git tag 1.1.0-gcm.3

And I went to the UI, updated the image and "Save" and Submit for review.

[wallrj]

Thanks @maelvls

Just a few comments and nits, but I know that this has already been deployed, so I'll add lgtm and hold so that you can decide when it gets merged.

/lgtm
/hold

[wallrj]

Suggested change

	**Note:** the preflight deploymnent is expected to be failing when the
	application is first deployed. After registering your cluster on
	<https://platform.jetstack.io>, the deployment will start working. To register your cluster, keep reading the [next section](#step-2-log-into-the-jetstack-secure-dashboard).
	**Note:** the preflight deployment is expected to be failing when the
	application is first deployed. After registering your cluster on
	<https://platform.jetstack.io>, the deployment will start working. To register your cluster, keep reading the [next section](#step-2-log-into-the-jetstack-secure-dashboard).

[wallrj]

nit:

Suggested change

	cat agent-config.yaml | sed '/namespace:/d' | kubectl -n $NAMESPACE apply -f-
	sed '/namespace:/d' agent-config.yaml | kubectl -n $NAMESPACE apply -f-

[wallrj]

nit I thought it might be possible to use kubectl rollout restart deployment --selector app.kubernetes.io/name=preflight but it doesn't support the --selector flag.

The kubectl scale command does.

Did we discuss perhaps deploying preflight with replicas=0 ? I can't remember why we decided against it.

[maelvls]

We discussed having two separate behaviours: one for the tests, one for the normal deployments.

• When running the smoke-test, we set replica=0
• When running normally (e.g., one click deployment through the marketplace UI), the preflight deployment would be set to replica=1 (= purposefully failing)

I don't really like the idea of letting the preflight deployment in a failing mode "by default", e.g. the user would immediately see a failing deployment after deploying:

[maelvls]

I'll open an issue about this.

[wallrj]

I think it's possible to use a cert-manager self-signed Issuer to create the CA cert and then reference that from another CA Issuer.

That might be neater than using openssl from a non-jetstack Docker image.

[maelvls]

Initially I tried the SelfSignedIssuer but I could not figure it out... I guess I should double down on that 😅

If that's OK, I will /unhold and do this change in another PR
I'll add that to my todo

[wallrj]

We should update this, in cert-manager repo.

[wallrj]

Ah, that's how it's done!

[maelvls]

had to dig into click-to-deploy to find this piece of the Application API 😅

[wallrj]

nit. Are we calling it preflight, or are we calling it jetstack-secure-agent, or somthing else?
I guess preflight makes sense until we change the name of the chart.

[maelvls]

I am quite confused by which name I should be employing: in places, I call it the "Jetstack Secure Platform agent", and sometimes I default to "the preflight agent".

@charlieegan3 thoughts?

[wallrj]

Can I wondered if we could use more descriptive values for these component names, e.g. Google Cloud Marketplace Billing Agent....

BUT WAIT why is this still here as a separate deployment, if you have now deployed the ubbagent as a cert-manager side-car?

[wallrj]

...ah, this isn't the deployment, but the config for ubbagent...ignore me.
I see the deployment is deleted below.

[maelvls]

Yes, I moved it to the cert-manager deployment itself instead of having it qs q separate deployment. Apologies for the messy PR :-(

[maelvls]

/unhold

I created #40 with the PR comment fixes.