Migrate source of cert-manager

UPSTREAM_PROJECTS.yaml

@@ -56,9 +56,7 @@ projects:
   - org: cert-manager
     repos:
       - name: cert-manager
-        versions:
-          - tag: v1.19.3
-            go_version: "1.25"
+        versions: []
   - org: cilium
     repos:
       - name: cilium

projects/cert-manager/cert-manager/EKS_ADDON_IMAGE_TAG

@@ -0,0 +1 @@
+v1.19.3-eksbuild.3

projects/cert-manager/cert-manager/Makefile

@@ -1,59 +1,44 @@
-BASE_DIRECTORY:=$(shell git rev-parse --show-toplevel)
-GIT_TAG?=$(shell cat GIT_TAG)
-GOLANG_VERSION=$(shell cat GOLANG_VERSION)
-REPO=cert-manager
-REPO_OWNER=cert-manager
-
-BASE_IMAGE_NAME?=eks-distro-minimal-base
-DOCKERFILE_FOLDER=./docker/linux/$(IMAGE_NAME)
+BASE_DIRECTORY:=$(abspath ../../../)
+EKS_ADDON_IMAGE_TAG=$(shell cat EKS_ADDON_IMAGE_TAG)
+GIT_TAG=$(EKS_ADDON_IMAGE_TAG)
+HELM_GIT_TAG=$(shell cat HELM_GIT_TAG)
 
-CERT_MANAGER_ACMESOLVER_IMAGE_COMPONENT=cert-manager/cert-manager-acmesolver
-CERT_MANAGER_CAINJECTOR_IMAGE_COMPONENT=cert-manager/cert-manager-cainjector
-CERT_MANAGER_CONTROLLER_IMAGE_COMPONENT=cert-manager/cert-manager-controller
-CERT_MANAGER_WEBHOOK_IMAGE_COMPONENT=cert-manager/cert-manager-webhook
-CERT_MANAGER_STARTUPAPICHECK_IMAGE_COMPONENT=cert-manager/cert-manager-startupapicheck
+ # Upstream images are used directly without re-building and re-tagging in build
+ # tooling, so the IMAGE_TAG needs to be overwritten to match upstream ECR tags.
+IMAGE_TAG=$(EKS_ADDON_IMAGE_TAG)
 
-IMAGE_NAMES=cert-manager-acmesolver cert-manager-cainjector cert-manager-controller cert-manager-webhook cert-manager-startupapicheck
+REPO_OWNER=cert-manager
+REPO=cert-manager
 
-BINARY_TARGET_FILES=cert-manager-acmesolver cert-manager-cainjector cert-manager-controller cert-manager-webhook cert-manager-startupapicheck
-SOURCE_PATTERNS=. . . . .
-GO_MOD_PATHS=cmd/acmesolver cmd/cainjector cmd/controller cmd/webhook cmd/startupapicheck
+SIMPLE_CREATE_BINARIES=false
+SIMPLE_CREATE_TARBALLS=false
+HAS_LICENSES=false
+IMAGE_NAMES=
 
-# by default the first target is assumed to be the primary and will produce a attribution with no prefix
-# for this build we want to prefix all the files
-CERT_MANAGER_ACMESOLVER_ATTRIBUTION_OVERRIDE=cert-manager-acmesolver
+BUILD_TARGETS=helm/build
+RELEASE_TARGETS=helm/push
+EXCLUDE_FROM_STAGING_BUILDSPEC=true
+SKIP_ON_RELEASE_BRANCH=true
 
 HAS_HELM_CHART=true
+
+HELM_SOURCE_IMAGE_REPO=602401143452.dkr.ecr.us-west-2.amazonaws.com
+HELM_SOURCE_OWNER=cert-manager
+HELM_SOURCE_REPOSITORY=cert-manager
 HELM_DIRECTORY=deploy/charts/cert-manager
-HELM_IMAGE_LIST=cert-manager/cert-manager-cainjector cert-manager/cert-manager-controller cert-manager/cert-manager-webhook cert-manager/cert-manager-startupapicheck cert-manager/cert-manager-acmesolver
+HELM_IMAGE_LIST=eks/cert-manager-controller eks/cert-manager-webhook eks/cert-manager-cainjector eks/cert-manager-acmesolver
+HELM_USE_UPSTREAM_IMAGE=true
 
-HAS_S3_ARTIFACTS=true
+HELM_CHART_NAMES=cert-manager/cert-manager
 
-BUILDSPEC_COMPUTE_TYPE=BUILD_GENERAL1_LARGE
+EXCLUDE_FROM_CHECKSUMS_BUILDSPEC=true
+EXCLUDE_FROM_UPGRADE_BUILDSPEC=true
 
 include $(BASE_DIRECTORY)/Common.mk
 
-$(call IMAGE_TARGETS_FOR_NAME, cert-manager-acmesolver): cert-manager-acmesolver-useradd/images/export
-$(call IMAGE_TARGETS_FOR_NAME, cert-manager-cainjector): cert-manager-cainjector-useradd/images/export
-$(call IMAGE_TARGETS_FOR_NAME, cert-manager-acmesolver): cert-manager-controller-useradd/images/export
-$(call IMAGE_TARGETS_FOR_NAME, cert-manager-webhook): cert-manager-webhook-useradd/images/export
-$(call IMAGE_TARGETS_FOR_NAME, cert-manager-startupapicheck): cert-manager-startupapicheck-useradd/images/export
-
-cert-manager-acmesolver-useradd/images/export: IMAGE_USERADD_USER_NAME=acmesolver
-cert-manager-cainjector-useradd/images/export: IMAGE_USERADD_USER_NAME=cainjector
-cert-manager-controller-useradd/images/export: IMAGE_USERADD_USER_NAME=cert-manager
-cert-manager-webhook-useradd/images/export: IMAGE_USERADD_USER_NAME=webhook
-cert-manager-startupapicheck-useradd/images/export: IMAGE_USERADD_USER_NAME=startupapicheck
-
-s3-artifacts: create-manifests
-
-.PHONY: create-manifests
-create-manifests:
-	build/create_manifests.sh $(ARTIFACTS_PATH) $(BASE_DIRECTORY) $(GIT_TAG)
-
-.PHONY: update-cert-manager-manifest
-update-cert-manager-manifest:
-	wget -q https://github.com/cert-manager/cert-manager/releases/download/$(GIT_TAG)/cert-manager.yaml -O manifests/cert-manager.yaml
+# To avoid issues cloning/checking out the repo, git_tag is set to
+# a valid branch/tag
+$(GIT_CHECKOUT_TARGET): GIT_TAG=$(word 1,$(subst -, ,$(EKS_ADDON_IMAGE_TAG)))
 
 
 ########### DO NOT EDIT #############################

projects/cert-manager/cert-manager/README.md

@@ -1,63 +1,23 @@
 ## **cert-manager**
 ![Version](https://img.shields.io/badge/version-v1.19.3-blue)
-![Build Status](https://codebuild.us-west-2.amazonaws.com/badges?uuid=eyJlbmNyeXB0ZWREYXRhIjoiUkphQkhWTUpOOVE1OFVLU0dHQmVFUXZJV0dJaGVLYmtEZHp0aGtDRnJBQUxtaHVqOWp3S0l6d0NlTytqNWpwc2tNTmF6RnNhMTZ3d1J1RXErR0lWcldZPSIsIml2UGFyYW1ldGVyU3BlYyI6IlQyU2lIcVVtU3ozZVZSVTgiLCJtYXRlcmlhbFNldFNlcmlhbCI6MX0%3D&branch=main)
 
-[cert-manager](https://github.com/cert-manager/cert-manager) is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources, such as [Let’s Encrypt](https://letsencrypt.org), [HashiCorp Vault](https://www.vaultproject.io), [Venafi](https://www.venafi.com/), a simple signing key pair, or self signed. It periodically ensures that certificates are valid and up-to-date, and attempts to renew certificates at an appropriate time before expiry.
+([cert-manager](https://github.com/cert-manager/cert-manager)) is an AWS supported version of the upstream cert-manager and is distributed by Amazon EKS add-ons.
 
-cert-manager runs within Kubernetes clusters as a series of Deployment resources, its components involving a main cert-manager controller, CA injector and a webhook. 
-* The controller is in charge of requesting issuance of signed certificates, leader election, approval and denial of signed certificate requests, etc.
-* The CA injector helps to configure the CA certificates for various types of webhooks. It copies CA data from one of three sources: a Kubernetes Secret, a cert-manager Certificate, or from the Kubernetes API server CA certificate.
-* The webhook server component is deployed as another pod that runs alongside the cert-manager controller and CA injector components. It has three main functions: `ValidatingAdmissionWebhook`, `MutatingAdmissionWebhook` and `CustomResourceConversionWebhook`.
-
-In addition, cert-manager supports requesting certificates from ACME servers, including from Let’s Encrypt, with use of the ACME Issuer. These certificates are typically trusted on the public Internet by most computers. To successfully request a certificate, cert-manager must solve ACME Challenges which are completed in order to prove that the client owns the DNS addresses that are being requested. The component that helps to do this is the ACME Solver.
-
-You can find the latest versions of these images on ECR Public Gallery.
-
-[ACME Solver](https://gallery.ecr.aws/eks-anywhere/cert-manager/cert-manager-acmesolver) | 
-[cert-manager Controller](https://gallery.ecr.aws/eks-anywhere/cert-manager/cert-manager-controller) | 
-[CA injector](https://gallery.ecr.aws/eks-anywhere/cert-manager/cert-manager-cainjector) | 
-[cert-manager Webhook Server](https://gallery.ecr.aws/eks-anywhere/cert-manager/cert-manager-webhook)
-
-### Helm Chart
-
-The helm chart is a modified version of the source helm chart located in the jetstck/cert-manager repo at `deploy/charts/cert-manager/`.
-
-If there are any patches to the make file, use `git format-patch $(cat ../GIT_TAG)` and add them to the `helm/patches` directory.
-
-### Cert manager manifest
-
-The cert-manager.yaml manifest is currently stored in the build/ repo. This is the cert-manager.yaml from the assets of the current GIT_TAG(v1.5.3)
-The later tags of cert-manager (v1.7.0-alpha.0 onwards) have a make target that helps create this static cert-manager.yaml from the helm chart.
-But right now we're not upgrading the cert-manager tag beyond v1.5.3 since that's what the currently used tag of Cluster API(v1.0.1) uses.
-So till we use cert-manager tags lesser between v1.5.3 and v1.7.0, we need to get the cert-manager.yaml for each release from the assets section
-and replace build/cert-manager.yaml with that. The reason we are doing this instead of fetching the file from github is to avoid getting the file
-from github during each build, and so we're sure nothing changes in the file even if something changes later in the release assets.
+### Periodic Reviews
+Review [helm chart releases](https://github.com/cert-manager/cert-manager/releases) periodically to identify new releases and decide on an update plan and an update schedule.
 
 ### Updating
 
-1. Update cert-manager tag when updating cluster-api tag if cluster-api is using a newer tag.
-   Use the same tag that cluster-api uses by default. For instance [cluster-api v1.0.1 uses cert-manager v1.5.3 by default]
-   (https://github.com/kubernetes-sigs/cluster-api/blob/v1.0.1/cmd/clusterctl/client/config/cert_manager_client.go#L30) so when updating
-   to cluster-api tag v1.0.1, update cert-manager tag to v1.5.3
-1. Review releases and changelogs in upstream [repo](https://github.com/cert-manager/cert-manager) and decide on new version.
-   Please review carefully and if there are questions about changes necessary to eks-anywhere to support the new version
-   and/or automatically update between eks-anywhere version reach out to @jaxesn or @g-gaston.
-1. Review the patches under patches/ folder and remove any that are either merged upstream or no longer needed.
-1. Update the `GIT_TAG` file to have the new desired version based on the upstream release tags.
-1. Changes to cert-manager CRs:
-   1. Usually we will update cert-manager tag only when updating CAPI tag and if the new CAPI tag uses a new cert-manager tag.
-   1. If the updated cert-manager tag introduces a new API version for the cert-manager CRDs, the updated tags of upstream cluster-api providers 
-      (including CAPI, CAPBK, KCP, CAPD and CAPV) will already be using the new API version for cert-manager CRs so we won't have to make any changes there.
-   1. But we also use cert-manager in our custom providers like the [etcdadm-bootstrap-provider](https://github.com/aws/etcdadm-bootstrap-provider/tree/v1beta1/config/certmanager)
-   and [etcdadm-controller](https://github.com/aws/etcdadm-controller/tree/v1beta1/config/certmanager) and we should use the same API version for cert-manager in these providers
-   as used by the upstream providers. To make the required changes to cert-manager CRs in our providers, checkout the CAPI book's [Provider Implementers](https://cluster-api.sigs.k8s.io/developer/providers/implementers.html)
-   section and review the page containing details for upgrading to the desired capi version. 
-   1. For instance, when updating CAPI from v1alpha3 to v1beta1, cert-manager tag changed from v1.1.0 to v1.5.3, and upstream CAPI providers made [these](https://cluster-api.sigs.k8s.io/developer/providers/v1alpha3-to-v1alpha4.html#upgrade-cert-manager-to-v110)
-   changes to their cert-manager CRs. So we made the same changes to the etcdadm providers. Similarly, check the instructions corresponding to the new
-   capi version you are updating to.
-1. Check the go.mod file to see if the golang version has changed when updating a version. Update the field `GOLANG_VERSION` in
-   Makefile to match the version upstream.
-1. Update the cert-manager.yaml manifest running `make update-cert-manager-manifest` from this directory. That will download the new manifest and update `manifests/cert-manager.yaml`.
-1. Update checksums and attribution using `make attribution checksums` in this folder.
-1. Update the version at the top of this Readme.
-1. Run `make generate` from the root of the repo to update the UPSTREAM_PROJECTS.yaml file.
+1.  To update the EKS_ADDON_IMAGE_TAG, check the latest available version from the EKS-Addon team using the following AWS CLI command:
+    ```bash
+    aws eks describe-addon-versions \
+    --kubernetes-version 1.35 \
+    --addon-name cert-manager \
+    --query 'addons[0].addonVersions[0].addonVersion' \
+    --output text
+    ```
+2. For updating HELM_GIT_TAG, monitor [upstream releases](https://github.com/cert-manager/cert-manager/releases) and changelogs and when to bump the tag.
+
+### Notes
+- The startupapicheck component is disabled because the EKS Add-on team does not publish a startupapicheck image.
+- Images are sourced from the EKS Add-on ECR repo (602401143452.dkr.ecr.us-west-2.amazonaws.com) under the `eks/` prefix.