Upgrade JetStack Cert-Manager to v0.15.2
bmelbourne committed Jul 16, 2020
1 parent 6cc9b08 commit 78ad7e6
Showing 3 changed files with 37 additions and 0 deletions.
12 changes: 12 additions & 0 deletions roles/kubernetes-apps/ingress_controller/cert_manager/README.md
Expand Up @@ -10,7 +10,11 @@ Integration with other PKI/Certificate management solutions, such as HashiCorp V

If you're planning to secure your ingress resources using TLS client certificates, you'll need to create and deploy the Kubernetes `ca-key-pair` secret consisting of the Root CA certificate and key to your K8s cluster.

<<<<<<< HEAD
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
=======
If these are already available, simply update `templates\secret-cert-manager.yml.j2` with the base64 encoded values of your TLS Root CA certificate and key prior to enabling and deploying cert-manager.
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2
e.g.

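Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> a9fc15ec...`) are committed into the README around the sentence about `templates\secret-cert-manager.yml.j2`; both sides of the conflict carry the identical sentence, so the fix is to keep one copy and delete the three marker lines. The same marker block appears in every hunk of this commit, which indicates the rebase was committed without resolving conflicts; a pre-commit check that rejects conflict markers would have caught it. While touching the line, the template path should use a forward slash (`templates/secret-cert-manager.yml.j2`), which is what Ansible role lookups use.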
Expand Down Expand Up @@ -88,7 +92,11 @@ $ sudo apt-get install -y golang-cfssl

#### Create Root Certificate Authority (CA) Configuration File

<<<<<<< HEAD
The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
=======
The default TLS certificate expiry time period is `8760h` which is 5 years from the date the certificate is created.
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2

```shell
$ cat > ca-config.json <<EOF
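Review bot: The duplicated sentence `The default TLS certificate expiry time period is `8760h` which is 5 years` is arithmetically wrong: 8760 hours is 365 days, i.e. one year, not five (five years is roughly 43800h). Either the prose or the expiry value in `ca-config.json` should be corrected so operators know the actual lifetime of the Root CA they are deploying, and the conflict markers around the sentence collapsed into a single copy.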
Expand Down Expand Up @@ -164,7 +172,11 @@ Certificate:
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
<<<<<<< HEAD
X509v3 Subject Key Identifier:
=======
X509v3 Subject Key Identifier:
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2
D4:38:B5:E2:26:49:5E:0D:E3:DC:D9:70:73:3B:C4:19:6A:43:4A:F2
...
```
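Review bot: Conflict markers landed inside the fenced ```shell block of sample certificate output, between `CA:TRUE` and `X509v3 Subject Key Identifier:`, so the rendered README presents the markers as if they were part of the certificate dump. Delete the marker lines and the duplicate `X509v3 Subject Key Identifier:` so the Subject Key Identifier value follows its header directly.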
Expand Up @@ -67,10 +67,27 @@
when:
- inventory_hostname == groups['kube-master'][0]

<<<<<<< HEAD
- name: Cert Manager | Wait for Webhook pods become ready
command: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
register: cert_manager_webhook_pods_ready
when: inventory_hostname == groups['kube-master'][0]
=======
- name: Cert Manager | Wait for all Webhook pods become created
command: "kubectl get po --namespace={{ cert_manager_namespace }} --output=jsonpath='{.items[*].metadata.name}'"
with_items:
- cert-manager-webhook
register: cert_manager_webhook_pods_created
until: item in cert_manager_webhook_pods_created.stdout
when: inventory_hostname == groups['kube-master'][0]
retries: 10
delay: 30

- name: Cert Manager | Wait for Webhook pods become ready
shell: "kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
register: cert_manager_webhook_pods_ready
when: inventory_hostname == groups['kube-master'][0] and cert_manager_webhook_pods_created is succeeded
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2

- name: Cert Manager | Create ClusterIssuer manifest
template:
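Review bot: The conflict in the cert-manager tasks must be resolved, and the `HEAD` side is the one to keep for the wait task: it calls `{{ bin_dir }}/kubectl` via `command`, whereas the `a9fc15ec` side drops the `bin_dir` prefix (relying on whatever `kubectl` is first in PATH on the master) and switches to `shell` although the `kubectl wait ... --for=condition=Ready` line uses no shell features, so `command` is sufficient and avoids passing a templated string through a shell. If the new `Wait for all Webhook pods become created` polling task is wanted, it should likewise use `{{ bin_dir }}/kubectl` and `command`; note that `until: item in cert_manager_webhook_pods_created.stdout` is a substring match against the jsonpath output of pod names, which works here only because the pod names carry the `cert-manager-webhook` prefix. The task names should also read `to become created` / `to become ready`.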
8 changes: 8 additions & 0 deletions roles/upgrade/pre-upgrade/tasks/main.yml
Expand Up @@ -3,11 +3,15 @@
# Node NotReady: type = ready, status = Unknown
- name: See if node is in ready state
shell: >-
<<<<<<< HEAD
<<<<<<< HEAD
{{ bin_dir }}/kubectl get node {{ kube_override_hostname|default(inventory_hostname) }}
=======
{{ bin_dir }}/kubectl get node {{ inventory_hostname }}
>>>>>>> 32c3f0f5... Upgrade JetStack Cert-Manager to v0.15.2
=======
{{ bin_dir }}/kubectl get node {{ inventory_hostname }}
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2
-o jsonpath='{ range .status.conditions[?(@.type == "Ready")].status }{ @ }{ end }'
register: kubectl_node_ready
delegate_to: "{{ groups['kube-master'][0] }}"
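Review bot: Two nested sets of conflict markers (`>>>>>>> 32c3f0f5...` inside `>>>>>>> a9fc15ec...`) are committed inside the `shell: >-` folded scalar of `See if node is in ready state`, so the markers become part of the command string handed to the shell and the task cannot run as written. When resolving, keep the `HEAD` variant `{{ bin_dir }}/kubectl get node {{ kube_override_hostname|default(inventory_hostname) }}`: the incoming side reverts to bare `{{ inventory_hostname }}`, which appears unrelated to the cert-manager upgrade and would break the pre-upgrade check on hosts whose node name is set via `kube_override_hostname`.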
Expand All @@ -18,11 +22,15 @@
# else unschedulable key doesn't exist
- name: See if node is schedulable
shell: >-
<<<<<<< HEAD
<<<<<<< HEAD
{{ bin_dir }}/kubectl get node {{ kube_override_hostname|default(inventory_hostname) }}
=======
{{ bin_dir }}/kubectl get node {{ inventory_hostname }}
>>>>>>> 32c3f0f5... Upgrade JetStack Cert-Manager to v0.15.2
=======
{{ bin_dir }}/kubectl get node {{ inventory_hostname }}
>>>>>>> a9fc15ec... Upgrade JetStack Cert-Manager to v0.15.2
-o jsonpath='{ .spec.unschedulable }'
register: kubectl_node_schedulable
delegate_to: "{{ groups['kube-master'][0] }}"
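Review bot: The `See if node is schedulable` task has the same nested conflict markers inside its `shell: >-` scalar as the readiness check above, and needs the same resolution: remove the marker lines and keep the `HEAD` form with `{{ kube_override_hostname|default(inventory_hostname) }}` so the `-o jsonpath='{ .spec.unschedulable }'` query is run against the correct node name.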

0 comments on commit 78ad7e6