@wallrj
Last active September 20, 2024 13:54
#!/usr/bin/env bash
#
# https://github.com/cert-manager/cert-manager/pull/7291
#
# Creates a Kind cluster and installs cert-manager first from master and then
# from the bug fix branch containing the fix.
#
# The controller logs are printed in each case to demonstrate that the master
# branch emits repeating errors and the bug fix branch emits fewer.
#
# The error is simulated by configuring cert-manager with IRSA environment
# variables and a Route53 ClusterIssuer that uses "ambient" authentication.
#
# Before:
#
# After:
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
PR=7291
export KO_REGISTRY=ttl.sh/$(uuidgen)
export KO_HELM_VALUES_FILES=$PWD/values.cert-manager.yaml
# Create cluster
kind create cluster || true
# Deploy cert-manager (master)
helm uninstall -n cert-manager cert-manager || true
git fetch origin master
git checkout FETCH_HEAD
make -j4 ko-deploy-certmanager
# Deploy deliberately misconfigured Route53 issuer
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        route53:
          hostedZoneID: DEADBEEF
---
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
spec:
  secretName: www-tls
  revisionHistoryLimit: 1
  privateKey:
    rotationPolicy: Always
  commonName: 75b2296e-65a9-4c25-954b-d0b283c6bfd2.com
  dnsNames:
  - 75b2296e-65a9-4c25-954b-d0b283c6bfd2.com
  usages:
  - digital signature
  - key encipherment
  - server auth
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
EOF
# Wait and count errors.
# grep exits 1 when nothing matches; the `|| true` stops pipefail/errexit from
# aborting the script when a branch logs no errors at all.
sleep 60
kubectl logs -n cert-manager deploy/cert-manager | { grep "failed to change Route 53 record set" || true; } | tee /dev/stderr | uniq | wc -l
# Deploy cert-manager (wallrj:route53-error-redact)
helm uninstall -n cert-manager cert-manager || true
git fetch origin pull/${PR}/head
git checkout FETCH_HEAD
make -j4 ko-deploy-certmanager
# Wait and count errors (same guard against grep's no-match exit status as above)
sleep 60
kubectl logs -n cert-manager deploy/cert-manager | { grep "failed to change Route 53 record set" || true; } | tee /dev/stderr | uniq | wc -l
# values.cert-manager.yaml
global:
  logLevel: 4
config:
  logging:
    # Pipe logs to https://github.com/koenbollen/jl for easy reading
    format: json
  featureGates:
    ServerSideApply: true
# Simulate the environment variables that are injected by the amazon-eks-pod-identity-webhook.
# https://github.com/aws/amazon-eks-pod-identity-webhook#eks-walkthrough
extraEnv:
- name: AWS_REGION
  value: us-west-2
- name: AWS_DEFAULT_REGION
  value: us-west-2
- name: AWS_ROLE_ARN
  value: "arn:aws:iam::111122223333:role/cert-manager-acme-dns01-route53"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
  value: "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
  value: "regional"
volumeMounts:
- mountPath: "/var/run/secrets/eks.amazonaws.com/serviceaccount/"
  name: aws-token
volumes:
- name: aws-token
  projected:
    sources:
    - serviceAccountToken:
        audience: "sts.amazonaws.com"
        expirationSeconds: 86400
        path: token