From ba8f7232784386136682562a3cf686d1642092d5 Mon Sep 17 00:00:00 2001
From: Reto Lehmann <retocode@icloud.com>
Date: Mon, 5 Aug 2024 11:08:19 +0200
Subject: [PATCH] Sync upstream 1.15 (#792)

* Use a different 'static' image that supports s390x and ppc (#15409)

Updated image is recommended by Chainguard
Details here: https://www.chainguard.dev/unchained/changes-to-static-git-and-busybox-developer-images-2

Co-authored-by: dprotaso <dprotaso@gmail.com>

* clean up (#15418)

Co-authored-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>

* clean up old certificate leases (#15424)

Co-authored-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>

* [release-1.15] Fix bug in cert manager config (#15437)

* add test to cover cert manager config edge case

* fix edge case bug in cert manager config

---------

Co-authored-by: Marius Stein <mariusstein7@gmail.com>

---------

Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team>
Co-authored-by: dprotaso <dprotaso@gmail.com>
Co-authored-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>
Co-authored-by: Marius Stein <mariusstein7@gmail.com>
---
 pkg/cleanup/cmd/cleanup/cleanup.go            | 21 ++++++++++++
 .../autoscaling/hpa/resources/hpa.go          | 26 +++++++--------
 .../certificate/config/cert_manager.go        |  6 ++--
 .../certificate/config/cert_manager_test.go   | 32 ++++++++++++++++++-
 4 files changed, 67 insertions(+), 18 deletions(-)

diff --git a/pkg/cleanup/cmd/cleanup/cleanup.go b/pkg/cleanup/cmd/cleanup/cleanup.go
index 8a2f1b2776fc..b2d1a02052c5 100644
--- a/pkg/cleanup/cmd/cleanup/cleanup.go
+++ b/pkg/cleanup/cmd/cleanup/cleanup.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"flag"
 	"log"
+	"strings"
 
 	"go.uber.org/zap"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -31,6 +32,11 @@ import (
 	"knative.dev/pkg/system"
 )
 
+const (
+	networkingCertificatesReconcilerLease      = "controller.knative.dev.networking.pkg.certificates.reconciler.reconciler"
+	controlProtocolCertificatesReconcilerLease = "controller.knative.dev.control-protocol.pkg.certificates.reconciler.reconciler"
+)
+
 func main() {
 	logger := setupLogger()
 	defer logger.Sync()
@@ -55,6 +61,21 @@ func main() {
 		}
 	}
 
+	leases, err := client.CoordinationV1().Leases(system.Namespace()).List(context.Background(), metav1.ListOptions{})
+	if err != nil {
+		logger.Fatal("failed to fetch leases: ", err)
+	}
+
+	for _, lease := range leases.Items {
+		if strings.HasPrefix(lease.Name, "domainmapping") ||
+			strings.HasPrefix(lease.Name, "net-certmanager") ||
+			strings.HasPrefix(lease.Name, networkingCertificatesReconcilerLease) || strings.HasPrefix(lease.Name, controlProtocolCertificatesReconcilerLease) {
+			if err = client.CoordinationV1().Leases(system.Namespace()).Delete(context.Background(), lease.Name, metav1.DeleteOptions{}); err != nil && !apierrs.IsNotFound(err) {
+				logger.Fatalf("failed to delete lease %s: %v", lease.Name, err)
+			}
+		}
+	}
+
 	// Delete the rest of the domain mapping resources
 	if err = client.CoreV1().Services(system.Namespace()).Delete(context.Background(), "domainmapping-webhook", metav1.DeleteOptions{}); err != nil && !apierrs.IsNotFound(err) {
 		logger.Fatal("failed to delete service domainmapping-webhook: ", err)
diff --git a/pkg/reconciler/autoscaling/hpa/resources/hpa.go b/pkg/reconciler/autoscaling/hpa/resources/hpa.go
index 1ca7daec38dd..ebdc276ab03a 100644
--- a/pkg/reconciler/autoscaling/hpa/resources/hpa.go
+++ b/pkg/reconciler/autoscaling/hpa/resources/hpa.go
@@ -86,21 +86,19 @@ func MakeHPA(pa *autoscalingv1alpha1.PodAutoscaler, config *autoscalerconfig.Con
 				},
 			}}
 		default:
-			if target, ok := pa.Target(); ok {
-				targetQuantity := resource.NewQuantity(int64(target), resource.DecimalSI)
-				hpa.Spec.Metrics = []autoscalingv2.MetricSpec{{
-					Type: autoscalingv2.PodsMetricSourceType,
-					Pods: &autoscalingv2.PodsMetricSource{
-						Metric: autoscalingv2.MetricIdentifier{
-							Name: pa.Metric(),
-						},
-						Target: autoscalingv2.MetricTarget{
-							Type:         autoscalingv2.AverageValueMetricType,
-							AverageValue: targetQuantity,
-						},
+			targetQuantity := resource.NewQuantity(int64(target), resource.DecimalSI)
+			hpa.Spec.Metrics = []autoscalingv2.MetricSpec{{
+				Type: autoscalingv2.PodsMetricSourceType,
+				Pods: &autoscalingv2.PodsMetricSource{
+					Metric: autoscalingv2.MetricIdentifier{
+						Name: pa.Metric(),
+					},
+					Target: autoscalingv2.MetricTarget{
+						Type:         autoscalingv2.AverageValueMetricType,
+						AverageValue: targetQuantity,
 					},
-				}}
-			}
+				},
+			}}
 		}
 	}
 
diff --git a/pkg/reconciler/certificate/config/cert_manager.go b/pkg/reconciler/certificate/config/cert_manager.go
index a00b5c6beb8a..158f4b51e347 100644
--- a/pkg/reconciler/certificate/config/cert_manager.go
+++ b/pkg/reconciler/certificate/config/cert_manager.go
@@ -51,9 +51,9 @@ type CertManagerConfig struct {
 func NewCertManagerConfigFromConfigMap(configMap *corev1.ConfigMap) (*CertManagerConfig, error) {
 	// Use Knative self-signed ClusterIssuer as default
 	config := &CertManagerConfig{
-		IssuerRef:               knativeSelfSignedIssuer,
-		ClusterLocalIssuerRef:   knativeSelfSignedIssuer,
-		SystemInternalIssuerRef: knativeSelfSignedIssuer,
+		IssuerRef:               knativeSelfSignedIssuer.DeepCopy(),
+		ClusterLocalIssuerRef:   knativeSelfSignedIssuer.DeepCopy(),
+		SystemInternalIssuerRef: knativeSelfSignedIssuer.DeepCopy(),
 	}
 
 	if v, ok := configMap.Data[issuerRefKey]; ok {
diff --git a/pkg/reconciler/certificate/config/cert_manager_test.go b/pkg/reconciler/certificate/config/cert_manager_test.go
index 709d412d8b7d..d6d58f56c464 100644
--- a/pkg/reconciler/certificate/config/cert_manager_test.go
+++ b/pkg/reconciler/certificate/config/cert_manager_test.go
@@ -112,6 +112,32 @@ func TestIssuerRef(t *testing.T) {
 				Kind: "ClusterIssuer",
 			},
 		},
+		config: &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: system.Namespace(),
+				Name:      CertManagerConfigName,
+			},
+			Data: map[string]string{
+				systemInternalIssuerRef: "kind: ClusterIssuer\nname: system-internal-issuer",
+			},
+		},
+	}, {
+		name:    "all issuer valid",
+		wantErr: false,
+		wantConfig: &CertManagerConfig{
+			IssuerRef: &cmmeta.ObjectReference{
+				Name: "letsencrypt-issuer",
+				Kind: "ClusterIssuer",
+			},
+			ClusterLocalIssuerRef: &cmmeta.ObjectReference{
+				Name: "system-internal-issuer",
+				Kind: "ClusterIssuer",
+			},
+			SystemInternalIssuerRef: &cmmeta.ObjectReference{
+				Name: "system-internal-issuer",
+				Kind: "ClusterIssuer",
+			},
+		},
 		config: &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: system.Namespace(),
@@ -119,6 +145,8 @@ func TestIssuerRef(t *testing.T) {
 			},
 			Data: map[string]string{
 				clusterLocalIssuerRefKey: "kind: ClusterIssuer\nname: system-internal-issuer",
+				systemInternalIssuerRef:  "kind: ClusterIssuer\nname: system-internal-issuer",
+				issuerRefKey:             "kind: ClusterIssuer\nname: letsencrypt-issuer",
 			},
 		},
 	}}
@@ -129,7 +157,9 @@ func TestIssuerRef(t *testing.T) {
 			if (err != nil) != tt.wantErr {
 				t.Fatalf("Test: %q; NewCertManagerConfigFromConfigMap() error = %v, WantErr %v", tt.name, err, tt.wantErr)
 			}
-			if diff := cmp.Diff(actualConfig, tt.wantConfig); diff != "" {
+
+			if !cmp.Equal(actualConfig, tt.wantConfig) {
+				t.Log(cmp.Diff(actualConfig, tt.wantConfig))
 				t.Fatalf("Want %v, but got %v", tt.wantConfig, actualConfig)
 			}
 		})