1.7.1-gcm.1

This release fixes a vulnerability in the deployer image inherit from ubbagent:

CVE-2019-14697 -> https://gcr.io/cloud-marketplace/jetstack-public/jetstack-secure-for-cert-manager/ubbagent@sha256:1a39f200634390a4252481c2f7a1a4188df3de5f5af1c3c30b91cd1c066a07e7

We confirmed that we were using this vulnerable version of ubbagent (sha256 starts with 1a39f200634) in the following deployer images:

• 1.4.3-gcm.0
• 1.4.4-gcm.0 ← 1.4
• 1.5.3-gcm.0
• 1.5.4-gcm.0
• 1.5.4-gcm.1 ← 1.5
• 1.6.0-gcm.0
• 1.6.1-gcm.0 ← 1.6
• 1.7.1-gcm.0 ← 1.7

$ gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent  --filter 'tags ~ 1\.'
DIGEST        TAGS                                                                                             TIMESTAMP
1a39f2006343  1.4.3-gcm.0,1.4.4-gcm.0,1.5.3-gcm.0,1.5.4-gcm.0,1.5.4-gcm.1,1.6.0-gcm.0,1.6.1-gcm.0,1.7.1-gcm.0  2021-08-05T03:07:54

---

To install this version, please follow the instructions on the README.md (1.7).

Changelog since 1.7.1-gcm.0

• Fixed CVE-2019-14697 that was affecting the ubbagent.
• Upgraded jetstack-secure-agent from v0.1.32 to v0.1.38.

Upgrade instructions

• If you are upgrading from 1.7.1-gcm.0, you don't have to do anything.
• If you are upgrading from 1.6, follow the instructions at Upgrading from cert-manager 1.6 to 1.7.

Notes

Information about this release:

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.7/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.7.1-gcm.1
deployer digest	dc3af35a40b5
git tag	1.7.0-gcm.1
git commit	1c1507d
retag logs	https://console.cloud.google.com/cloud-build/builds/7e237665-cab1-4f1a-b295-7393bdcf6339?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/aa4b2fb1-de32-4a7f-b49f-f76e51607cb0?project=885059085598

📦 Recording of the manual steps of the release process

Expand

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Step-by-step process followed:

• Set the following variables in your shell session. The PREV_APP_VERSION corresponds to the content of the publishedVersion field that is currently set in schema.yaml. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  PREV_APP_VERSION="1.7.1-gcm.0"
  APP_VERSION="1.7.1-gcm.1"
  BRANCH=release-1.7
  CERT_MANAGER_TAG="v1.7.1"
  JETSTACK_AGENT_TAG="v0.1.38"
  GOOGLE_CAS_ISSUER_TAG="v0.5.3"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.3" # same as above, but without the 'v'

• Make sure that you are on the branch $BRANCH.

• Update the above table with the README.md link.

• ⚠️ Update the cert-manager chart:

  # From the jetstack-secure-gcm repo.
  cd chart/jetstack-secure-gcm/charts/
  rm -rf cert-manager
  helm pull jetstack/cert-manager --version "${APP_VERSION/-gcm*/}" --untar

  Then, run the following:

  find cert-manager -type f -print0 | xargs -0 perl -pi -e 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
  find cert-manager -type f -print0 | xargs -0 perl -nli -e 'print if !/^ *app:/'

  Explanation:

  1. The first command makes sure all the app.kubernetes.io/name are set to
     cert-manager. This is a "bug" in the cert-manager chart that we need to
     fix in the GCM chart to avoid seeing missing resources in GKE's
     Application UI.
  2. The second command removes all app: ... labels since these aren't used
     in GCM.

  Finally, add patches that make sense:

  git add -p

• Apply the ubbagent patch.

  This adds a sidecar container called ubbagent (Universal Billing Agent) to the main cert-manager deployment.

  patch -p1 < <(curl -sSL https://github.com/jetstack/jetstack-secure-gcm/commit/e1ecea1cb623358d3181157fcf9bff04fd41988f.diff)

• Add any Role and ClusterRole that were added in the previous step into the
  file schema.yaml.

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster:

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml, Chart.yaml and README.md:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  PREV_DOT_ESCAPED="${PREV_APP_VERSION//./\\.}"
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED}/${APP_VERSION}/g" '{}' \;
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED//-gcm*/}/${APP_VERSION//-gcm*/}/g" '{}' \;

  Check that the diff looks OK and that all the versions in schema.yaml, Chart.yaml and README.md are correct:

  git diff

  Finally, commit it:

  git add .
  git commit -m "bump version to $APP_VERSION" --edit
  git rev-parse HEAD

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Update the git tag in the table above with $APP_VERSION

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the deployer image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Tags,
  click on the tag you just pushed, and click "Create release from tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the "Container images" tab in the product admin UI, click "View" in Proposed releases and make sure the release points to the image tag of the deployer that was just published. If not, change it to point to that one, click "Save and validate", wait for the validation tests to succeed and then click "Submit".

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.7.1-gcm.0

To install this version, please follow the instructions on the README.md (1.7).

Update 30 May 2022: the tests on Google's side passed, we are waiting on our end to review the pricing since Google changed how pricing looks on the UI.

Changelog since 1.6.1-gcm.0

• Upgraded cert-manager to v1.7.1

Upgrade instructions

• Upgrading from cert-manager 1.6 to 1.7

Notes

Information about this release:

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.7/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.7.1-gcm.0
deployer digest	4ad6ad2262e4
git tag	1.7.0-gcm.0
git commit	3ccd5b1
retag logs	https://console.cloud.google.com/cloud-build/builds/59ffed2d-9773-4f19-be76-c228197e9a20?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/e16dbf32-b48b-4153-8c86-91040b9d822c?project=885059085598

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Step-by-step process followed:

• Set the following variables in your shell session. The PREV_APP_VERSION corresponds to the content of the publishedVersion field that is currently set in schema.yaml. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  PREV_APP_VERSION="1.7.1-gcm.0"
  APP_VERSION="1.7.1-gcm.0"
  BRANCH=release-1.7
  CERT_MANAGER_TAG="v1.7.1"
  JETSTACK_AGENT_TAG="v0.1.32"
  GOOGLE_CAS_ISSUER_TAG="v0.5.3"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.3" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Update the cert-manager chart:

  # From the jetstack-secure-gcm repo.
  cd chart/jetstack-secure-gcm/charts/
  rm -rf cert-manager
  helm pull jetstack/cert-manager --version "${APP_VERSION/-gcm*/}" --untar

  Then, run the following:

  find cert-manager -type f -print0 | xargs -0 perl -pi -e 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
  find cert-manager -type f -print0 | xargs -0 perl -nli -e 'print if !/^ *app:/'

  Explanation:

  1. The first command makes sure all the app.kubernetes.io/name are set to
     cert-manager. This is a "bug" in the cert-manager chart that we need to
     fix in the GCM chart to avoid seeing missing resources in GKE's
     Application UI.
  2. The second command removes all app: ... labels since these aren't used
     in GCM.

  Finally, add patches that make sense:

  git add -p

• Apply the ubbagent patch.

  This adds a sidecar container called ubbagent (Universal Billing Agent) to the main cert-manager deployment.

  patch -p1 < <(curl -sSL https://github.com/jetstack/jetstack-secure-gcm/commit/e1ecea1cb623358d3181157fcf9bff04fd41988f.diff)

• Add any Role and ClusterRole that were added in the previous step into the
  file schema.yaml.

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml, Chart.yaml and README.md:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  PREV_DOT_ESCAPED="${PREV_APP_VERSION//./\\.}"
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED}/${APP_VERSION}/g" '{}' \;
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED//-gcm*/}/${APP_VERSION//-gcm*/}/g" '{}' \;

  Check that the diff looks OK and that all the versions in schema.yaml, Chart.yaml and README.md are correct:

  git diff

  Finally, commit it:

  git add .
  git commit -m "bump version to $APP_VERSION" --edit
  git rev-parse HEAD

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Tags,
  click on the tag you just pushed, and click "Create release from tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the product admin UI, click "Update the image" and "Save". After saving, go to the product page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  
  
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

  **mael, 7 Sept 2022:** we didn't press "Publish", but the version 1.7 shows in the UI so I assume it is published, cf. screenshot below:
  ![image](https://user-images.githubusercontent.com/2195781/188943594-37d4e4f7-2fd9-4278-9355-144587a4d312.png)
  

1.5.4-gcm.1

To install this version, please follow the instructions on the README.md (1.5).

Changelog since 1.5.4-gcm.0

• Fixed a bug that prevented the Google Marketplace verification to pass (#72)

Notes

Information about this release:

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.5/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:{1.5,1.5.4-gcm.1}
deployer digest	1c2e0efa9130
git tag	v1.5.4-gcm.1
git commit	550510a
retag logs	https://console.cloud.google.com/cloud-build/builds/3532c781-8d6a-4831-8896-90cd5e127ef6?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/636974a3-3dae-4216-aedc-6832bd903f23?project=885059085598

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.5.4-gcm.1"
  BRANCH=release-1.5
  CERT_MANAGER_TAG="v1.5.4"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Update the cert-manager chart:

  # From the jetstack-secure-gcm repo.
  cd chart/jetstack-secure-gcm/charts/
  rm -rf cert-manager
  helm pull jetstack/cert-manager --version 1.5.4 --untar

  Then, run the following:

  find cert-manager -type f -print0 | xargs -0 perl -i~ -pe 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
  find cert-manager -type f -print0 | xargs -0 perl -i~ -nle 'print if !/^ *app:/'

  Explanation:

  1. The first command makes sure all the app.kubernetes.io/name are set to
     cert-manager. This is a "bug" in the cert-manager chart that we need to
     fix in the GCM chart to avoid seeing missing resources in GKE's
     Application UI.
  2. The second command removes all app: ... labels since these aren't used
     in GCM.

  Finally, add patches that make sense:

  git add -p

  Check that you haven't removed important things (like the GCM-specific Helm
  stuff added for the ubbagent).

• Add any Role and ClusterRole that were added in the previous step into the
  file schema.yaml.

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit
  git rev-parse HEAD

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Tags,
  click on the tag you just pushed, and click "Create release from tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  
  
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

v1.4.4-gcm.0

To install this version, please follow the instructions on the README.md (1.4).

Changelog since 1.4.3-gcm.0

• Update cert-manager from 1.4.3 to 1.4.4
• Fixed a bug that prevented the Google Marketplace verification to pass (#72)

Notes

Information about this release:

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.4/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:{1.4,1.4.4-gcm.0}
deployer digest	dca60495fd59
git tag	v1.4.4-gcm.0
git commit	78f5c53
retag logs	https://console.cloud.google.com/cloud-build/builds/6340cbe6-c8e2-4d6c-bf8d-0ce1ae8001e3?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/94a38a29-4129-46bc-926e-49f6c399ddbf?project=885059085598

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.4.4-gcm.0"
  BRANCH=release-1.4
  CERT_MANAGER_TAG="v1.4.4"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Update the cert-manager chart:

  # From the jetstack-secure-gcm repo.
  cd chart/jetstack-secure-gcm/charts/
  rm -rf cert-manager
  helm pull jetstack/cert-manager --version 1.4.4 --untar

  Then, run the following:

  find cert-manager -type f -print0 | xargs -0 perl -i~ -pe 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
  find cert-manager -type f -print0 | xargs -0 perl -i~ -nle 'print if !/^ *app:/'

  Explanation:

  1. The first command makes sure all the app.kubernetes.io/name are set to
     cert-manager. This is a "bug" in the cert-manager chart that we need to
     fix in the GCM chart to avoid seeing missing resources in GKE's
     Application UI.
  2. The second command removes all app: ... labels since these aren't used
     in GCM.

  Finally, add patches that make sense:

  git add -p

  Check that you haven't removed important things (like the GCM-specific Helm
  stuff added for the ubbagent).

• Add any Role and ClusterRole that were added in the previous step into the
  file schema.yaml.

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit
  git rev-parse HEAD

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Tags,
  click on the tag you just pushed, and click "Create release from tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  
  
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.6.1-gcm.0

To install this version, please follow the instructions on the README.md (1.6).

Changelog since 1.5.4-gcm.0

• Updated cert-manager from v1.5.4 to v1.6.1
• Updated jetstack-secure agent from v0.1.27 to v0.1.32
• Updated google-cas-issuer from v0.5.3 to v0.5.3

Upgrade instructions

• Upgrading from cert-manager 1.5 to 1.6

Notes

Information about this release:

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.6/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.6.1-gcm.0
deployer digest	9c0dbccbaaf7
git tag	1.6.1-gcm.0
git commit	8fb3bc5
retag logs	https://console.cloud.google.com/cloud-build/builds/bad9c1ff-35f7-4c19-9277-3195c76463eb?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/39d03e90-6301-4bc5-b798-dbe10fea6415?project=885059085598

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Step-by-step process followed:

• Set the following variables in your shell session. The PREV_APP_VERSION corresponds to the content of the publishedVersion field that is currently set in schema.yaml. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  PREV_APP_VERSION="1.6.0-gcm.0"
  APP_VERSION="1.6.1-gcm.0"
  BRANCH=release-1.6
  CERT_MANAGER_TAG="v1.6.1"
  JETSTACK_AGENT_TAG="v0.1.32"
  GOOGLE_CAS_ISSUER_TAG="v0.5.3"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.3" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Update the cert-manager chart:

  # From the jetstack-secure-gcm repo.
  cd chart/jetstack-secure-gcm/charts/
  rm -rf cert-manager
  helm pull jetstack/cert-manager --version "${APP_VERSION/-gcm*/}" --untar

  Then, run the following:

  find cert-manager -type f -print0 | xargs -0 perl -pi -e 's/app\.kubernetes\.io\/name:(.*\")[a-z-._]+\.name(\".*)/app.kubernetes.io\/name:$1cert-manager.name$2/g'
  find cert-manager -type f -print0 | xargs -0 perl -nli -e 'print if !/^ *app:/'

  Explanation:

  1. The first command makes sure all the app.kubernetes.io/name are set to
     cert-manager. This is a "bug" in the cert-manager chart that we need to
     fix in the GCM chart to avoid seeing missing resources in GKE's
     Application UI.
  2. The second command removes all app: ... labels since these aren't used
     in GCM.

  Finally, add patches that make sense:

  git add -p

  Check that you haven't removed important things (like the GCM-specific Helm
  stuff added for the ubbagent).

• Add any Role and ClusterRole that were added in the previous step into the
  file schema.yaml.

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in shema.yaml, Chart.yaml and README.md:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  PREV_DOT_ESCAPED="${PREV_APP_VERSION//./\\.}"
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED}/${APP_VERSION}/g" '{}' \;
  find . -type f -not -path '*/\.git*' -and -not -name 'go.sum' -and -not -name 'go.mod' -exec perl -pi -e "s/${PREV_DOT_ESCAPED//-gcm*/}/${APP_VERSION//-gcm*/}/g" '{}' \;

  Check that the diff looks OK and that all the versions in shema.yaml, Chart.yaml and README.md are correct:

  git diff

  Finally, commit it:

  git add .
  git commit -m "bump version to $APP_VERSION" --edit
  git rev-parse HEAD

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Tags,
  click on the tag you just pushed, and click "Create release from tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  
  
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.5.4-gcm.0

To install this version, please follow the instructions on the README.md (1.5).

Changelog

• Updated cert-manager to v1.5.4

Upgrade instructions

• Upgrading from cert-manager 1.4 to 1.5

Notes

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Information about this release:

(fill this table after you are done with the below steps)

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.5/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.5.4-gcm.0
deployer digest	ce405dd6f8e4
git tag	1.5.4-gcm.0
git commit	902a15a
retag logs	https://console.cloud.google.com/cloud-build/builds/80a83cbd-9ff5-4f8d-ab81-71b650b623ac?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/f5ced2aa-3c04-4b50-b3ec-8f0126d13500?project=885059085598

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.5.4-gcm.0"
  BRANCH=release-1.5
  CERT_MANAGER_TAG="v1.5.4"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Copy any "new" Role or ClusterRole into the schema.yaml:

  # From the cert-manager repo:
  git fetch --tags
  git diff v1.4.3 v1.5.3 -- deploy/charts/cert-manager/templates
  
  # From google-cas-issuer repo:
  git fetch --tags
  git diff v0.3.0 v0.5.2 -- config/

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async --project jetstack-public

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Releases and click "Edit tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  
  
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.5.3-gcm.0

To install this version, please follow the instructions on the README.md (1.5).

Changelog

• Updated cert-manager to v1.5.3

Upgrade instructions

• Upgrading from cert-manager 1.4 to 1.5

Notes

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Information about this release:

(fill this table after you are done with the below steps)

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.5/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.5.3-gcm.0
deployer digest	8757d88b898c
git tag	1.5.3-gcm.0
git commit	2d87129
retag logs	https://console.cloud.google.com/cloud-build/builds/8ef7a79e-632a-4d5b-b141-3eccadab3e18?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/40b50675-85ab-4ae1-aa76-f43e8c007ff5?project=885059085598

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.5.3-gcm.0"
  BRANCH=release-1.5
  CERT_MANAGER_TAG="v1.5.3"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Copy any "new" Role or ClusterRole into the schema.yaml:

  # From the cert-manager repo:
  git fetch --tags
  git diff v1.4.3 v1.5.3 -- deploy/charts/cert-manager/templates
  
  # From google-cas-issuer repo:
  git fetch --tags
  git diff v0.3.0 v0.5.2 -- config/

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  git tag $APP_VERSION
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Releases and click "Edit tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.4.3-gcm.0

To install this version, please follow the instructions on the README.md (1.4).

Changelog

Upgrade instructions

Notes

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Information about this release:

(fill this table after you are done with the below steps)

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.4/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.4.3-gcm.0
deployer digest	62dab3167397
git tag	1.4.3-gcm.0
git commit	0589f68
retag logs	https://console.cloud.google.com/cloud-build/builds/0337d543-c07d-4b72-8a39-1417f689fb8c?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/5644f650-0e14-481b-80c0-746ea7ef61ad?project=885059085598

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.4.3-gcm.0"
  BRANCH=release-1.4
  CERT_MANAGER_TAG="v1.4.3"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Copy any "new" Role or ClusterRole into the schema.yaml:

  # From the cert-manager repo:
  git fetch --tags
  git diff v1.4.0 v1.4.3 -- deploy/charts/cert-manager/templates
  
  # From google-cas-issuer repo:
  git fetch --tags
  git diff v0.3.0 v0.5.2 -- config/

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  COMMIT=0589f685fb90103f9c3883932d1c7f63d3257d01
  git tag $APP_VERSION $COMMIT
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• [] Go to the GitHub Releases and click "Edit tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• [] Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  

• [] Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.4.0-gcm.0

To install this version, please follow the instructions on the README.md (1.4).

Changelog

In this release, we updated the following versions:

Project	Previous version	New version
cert-manager	v1.3.1	v1.4.0
cert-manager-google-cas-issuer	v0.3.0	v0.5.2
preflight	v0.1.29	v0.1.31

Upgrade instructions

BREAKING CHANGE: the semantics of the Google Private Certificate Authorities have changed, the GoogleGoogleCASIssuer and GoogleCASClusterIssuer have been bumped from v1alpha1 (which represents the old semantics) to v1beta1 (which represents the current Private Certificate Authorities semantics).

The Private Certificate Authorities created during the beta phase of the Google Certificate Authority Service will be unavailable for use when CAS reaches general availability. The v1alpha1 version of GoogleCASIssuer and GoogleCASClusterIssuer are only valid during the beta phase and have been removed. To upgrade to 1.4, you will need to create a new Certificate Pool that replaces the Private Certificate Authorities from the beta. The version v1beta1 of the GoogleCASIssuer and GoogleCASClusterIssuer are able to handle the Certificate Pools.

Upgrade instructions:

1. Before proceeding with the 1.4 upgrade, follow the instructions given in the cert-manager 1.4 upgrade notes.
2. If you are using Google CAS, recreate your Private Certificate Authorities using Certificate Pools.
3. Remove all your existing v1alpha1 issuers.
4. Create new GoogleCASIssuer and GoogleCASClusterIssuer using the v1beta1.
5. Finally, proceed with the upgrade to 1.4 by running the command-line installation instructions.

Example of change between v1alpha1 and v1beta1:

-apiVersion: cas-issuer.jetstack.io/v1alpha1
+apiVersion: cas-issuer.jetstack.io/v1beta1
 kind: GoogleCASIssuer
 metadata:
   name: googlecasissuer-sample
 spec:
   project: my-gcp-project
   location: us-east1
-  certificateAuthorityID: my-ca
+  caPoolId: my-pool

Notes

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Information about this release:

(fill this table after you are done with the below steps)

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.4/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.4.0-gcm.0
deployer digest	f5e2bc67ac37
git tag	1.4.0-gcm.0
git commit	f76a8c0
retag logs	https://console.cloud.google.com/cloud-build/builds/cab0ffb7-5877-447e-a77b-be98edb98e71?project=885059085598
deployer logs	https://console.cloud.google.com/cloud-build/builds/9ecf7b25-c701-405b-94a3-8fce942d4aee?project=885059085598

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.4.0-gcm.0"
  BRANCH=release-1.4
  CERT_MANAGER_TAG="v1.4.0"
  JETSTACK_AGENT_TAG="v0.1.31"
  GOOGLE_CAS_ISSUER_TAG="v0.5.2"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.5.2" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Copy any "new" Role or ClusterRole into the schema.yaml:

  # From the cert-manager repo:
  git fetch --tags
  git diff v1.3.1 v1.4.0 -- deploy/charts/cert-manager/templates
  
  # From google-cas-issuer repo:
  git fetch --tags
  git diff v0.3.0 v0.5.2 -- config/

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  COMMIT=f76a8c05883360d0b24a698a65d4c3cade12e0fb
  git tag $APP_VERSION $COMMIT
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Releases and click "Edit tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".

1.3.1-gcm.1

To install this version, please follow the instructions on the README.md (1.3).

Changelog

This Marketplace build release fixes the version 1.3 that had become uninstallable due to a breaking change introduced by Google.

Notes

📦 Recording of the manual steps of the release process

Since we do not have yet a CD pipeline that would do the work, we prefer documenting every step of the manual process on every single release in order to (1) have a record of what has been done, and (2) be able to remember how to release for the next time.

Information about this release:

(fill this table after you are done with the below steps)

README.md	https://github.com/jetstack/jetstack-secure-gcm/blob/release-1.3/README.md
deployer image	gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer:1.3.1-gcm.1
deployer digest	fa52d4d6522d
git tag	1.3.1-gcm.1
git commit	e84688c
retag logs	https://console.cloud.google.com/cloud-build/builds/e9917453-54b1-4165-9e51-1fc2d7eee568
deployer logs	https://console.cloud.google.com/cloud-build/builds/e6d2821e-3b8d-4b07-b4f5-e7f08d52f1ca?project=885059085598

Step-by-step process followed:

• Set the following variables in your shell session. The APP_VERSION corresponds to the release of GCM that you plan on doing. For the other _TAG variables, pick the latest git tag of each project.

  APP_VERSION="1.3.1-gcm.1"
  BRANCH=release-1.3
  CERT_MANAGER_TAG="v1.3.1"
  JETSTACK_AGENT_TAG="v0.1.29"
  GOOGLE_CAS_ISSUER_TAG="v0.3.0"
  GOOGLE_CAS_ISSUER_TAG_DOCKER="0.3.0" # same as above, but without the 'v'

• Update the above table with the README.md link.

• ⚠️ Copy any "new" Role or ClusterRole into the schema.yaml:

  # From the cert-manager repo:
  git fetch --tags
  git diff v1.3.1 v1.4.0 -- deploy/charts/cert-manager/templates
  
  # From google-cas-issuer repo:
  git fetch --tags
  git diff v0.3.0 v0.5.2 -- config/

• Make sure to be logged in with gcloud and to have the "Editor" role on
  the jetstack-public repo:

  gcloud config set project jetstack-public

• Create the smoke-test cluster. When not using it, we remove the cluster.

  gcloud container clusters create smoke-test --project=jetstack-public --zone=europe-west2-b --workload-pool=jetstack-public.svc.id.goog --num-nodes=2 --async

• Retag the images with the correct licenses using Cloud Build:

  gcloud builds submit --project jetstack-public --config cloudbuild-retag-with-licenses.yaml --substitutions \
      _APP_VERSION=$APP_VERSION,_CERT_MANAGER_TAG=$CERT_MANAGER_TAG,_JETSTACK_AGENT_TAG=$JETSTACK_AGENT_TAG,_GOOGLE_CAS_ISSUER_TAG=$GOOGLE_CAS_ISSUER_TAG,_GOOGLE_CAS_ISSUER_TAG_DOCKER=$GOOGLE_CAS_ISSUER_TAG_DOCKER

• Copy the link to the Cloud Build logs into the table above (row "retag logs").

• Run the following command that will update the app version in schema.yaml:

  # You must be in the jetstack/jetstack-secure-gcm repo folder.
  sed -i~ "s/publishedVersion: .*/publishedVersion: $APP_VERSION/" schema.yaml
  git add schema.yaml
  git commit -m "bump version to $APP_VERSION" --edit

• Copy and paste that commit hash into the above table. You will create the tag later on.

• Build the deployer image:

  gcloud builds submit --project jetstack-public --timeout 1800s --config cloudbuild.yaml \
    --substitutions _CLUSTER_NAME=smoke-test,_CLUSTER_LOCATION=europe-west2-b,_APP_MINOR_VERSION=$(awk 'BEGIN {FS="."}; {print $1 "." $2}' <<<$APP_VERSION),_APP_VERSION=$APP_VERSION

• Copy the link to the Cloud Build logs into the table above (row "deployer logs").

• Tag the commit you created above:

  COMMIT=e84688c46bfb0e0842cc57b5355e70d63943dbeb
  git tag $APP_VERSION $COMMIT
  git push --tags

• Delete the smoke-test cluster.

  gcloud container clusters delete smoke-test --zone=europe-west2-b --async

• Add the image digest to the table above by running:

  gcloud container images list-tags gcr.io/jetstack-public/jetstack-secure-for-cert-manager/deployer --limit=1

• Go to the GitHub Releases and click "Edit tag", and then:

  1. Set the "Release title" to the name of the tag,
  2. Add this current Markdown <details> block _+ the release notes to the release description,
  3. Click "Save Draft"
  4. Don't forget to update the <details> block with any change or addition to the release process.

• Go to the solution admin UI, click "Update the image" and "Save". After saving, go to the solution page and click "Submit for review" (you must be "Editor" of the jetstack-public project):
  

• Finally, when the solution is reviewed, open the GitHub release and click
  "Publish".