@cdoan1
Last active December 4, 2020 01:33
RHACM 2.1 create multicloud-ca-cert
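#!/bin/bash
#
# Manually recreate the cert-manager Issuers and Certificates for RHACM 2.1.
#
# WHEN to use this script
# * when console-header fails to start because multicloud-ca-cert is missing
# * when Issuers and Certificates are not present
#
# This script will create the Issuers/Certificates, and cause the
# multicloud-ca-cert to be generated.
# NOTE(review): the part shown here only writes hack.yaml; if nothing later in
# the script applies it, run `oc apply -f hack.yaml` after reviewing the file.
#
# Security notes
# * multicloud-ca-cert is a self-signed CA (isCA: true, 43800h lifetime). Its
#   secret holds the CA private key and multicloud-ca-issuer signs every leaf
#   certificate below from it, so read access to that secret in the namespace
#   is equivalent to being able to mint certificates these components trust.
#   Keep RBAC on secrets in open-cluster-management tight.
# * Recreating the CA yields a new key pair; presumably anything that pinned or
#   copied the previous CA bundle must be refreshed - confirm before running on
#   a hub that still has a working CA.
#
# RHACM 2.1
#

# Abort unless VALUE is exactly one DNS-label-style resource name.
# The looked-up names are interpolated into the manifest below; an empty value
# would produce names such as "-ca-cert", and several grep matches would inject
# a newline into the YAML.
require_name() {
  local label=$1 value=$2
  if [[ ! $value =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]; then
    printf 'ERROR: %s did not resolve to exactly one resource name (got: %q)\n' \
      "$label" "$value" >&2
    exit 1
  fi
}

NS=open-cluster-management

# Informational: show what already exists before anything is generated.
oc get Issuers,Certificates -n "$NS"

# Generated names carry a random suffix, so they are discovered at run time.
APPLICATION_UI_DEPLOYMENT=$(oc get deployment -n "$NS" | awk '/applicationui/ {print $1}')
CONSOLE_CHART=$(oc get helmrelease -A | awk '/console/ {print $2}')
MGMT_INGRESS_CHART=$(oc get helmrelease -A | awk '/ingress/ {print $2}')
GRC_CHART=$(oc get helmrelease -A | awk '/grc/ {print $2}')
SEARCH_CHART=$(oc get helmrelease -A | awk '/search-prod/ {print $2}')
TOPOLOGY_CHART=$(oc get helmrelease -A | awk '/topology/ {print $2}')

require_name APPLICATION_UI_DEPLOYMENT "$APPLICATION_UI_DEPLOYMENT"
require_name CONSOLE_CHART "$CONSOLE_CHART"
require_name MGMT_INGRESS_CHART "$MGMT_INGRESS_CHART"
require_name GRC_CHART "$GRC_CHART"
require_name SEARCH_CHART "$SEARCH_CHART"
require_name TOPOLOGY_CHART "$TOPOLOGY_CHART"

# Cluster name and base domain of the hub; the defaults are the author's
# environment and can be overridden from the caller's environment.
CLUSTER=${CLUSTER:-acmhub}
BASE_DOMAIN=${BASE_DOMAIN:-rhd-qe.com}

# The heredoc delimiter is unquoted on purpose: the ${...} references are
# expanded by the shell while the manifest is written.
cat > hack.yaml <<EOF
---
apiVersion: v1
items:
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-rhacm-selfsign
    namespace: open-cluster-management
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-webhook-selfsign
    namespace: open-cluster-management
  spec:
    selfSigned: {}
# CA issuer: signs with the key stored in the multicloud-ca-cert secret.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicloud-ca-issuer
    namespace: open-cluster-management
  spec:
    ca:
      secretName: multicloud-ca-cert
# Self-signed issuer: certificates that reference it are not chained to the
# multicloud CA above.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicluster-hub-mcm-server-ca-issuer
    namespace: open-cluster-management
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${APPLICATION_UI_DEPLOYMENT}-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: applicationui
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${APPLICATION_UI_DEPLOYMENT}-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${CONSOLE_CHART}-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: ${CONSOLE_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${CONSOLE_CHART}-uiapi-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${GRC_CHART}-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: ${GRC_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${GRC_CHART}-grc-secrets
# NOTE(review): 127.0.0.1 is listed under dnsNames here, not ipAddresses, so it
# ends up as a DNS SAN; clients that validate IP SANs strictly will not match it.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: kui-proxy
    namespace: open-cluster-management
  spec:
    commonName: kui-proxy
    dnsNames:
    - kui-proxy.kube-system
    - kui-proxy.kube-system.svc
    - localhost
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    secretName: kui-proxy-secret
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${MGMT_INGRESS_CHART}-cert
    namespace: open-cluster-management
  spec:
    commonName: management-ingress
    dnsNames:
    - mycluster.icp
    - ${MGMT_INGRESS_CHART}-cluster-management
    - ${MGMT_INGRESS_CHART}.open-cluster-management.svc
    - ${MGMT_INGRESS_CHART}
    - ${MGMT_INGRESS_CHART}.open-cluster-management
    - management-ingress
    - management-ingress.open-cluster-management
    - management-ingress.open-cluster-management.svc
    # Must match the console route host of this hub; the original referenced
    # an undefined CLUSTER_NAME, which expanded to an empty label.
    - multicloud-console.apps.wilds.${CLUSTER}.${BASE_DOMAIN}
    - localhost
    duration: 2160h0m0s
    ipAddresses:
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    renewBefore: 24h0m0s
    secretName: ${MGMT_INGRESS_CHART}-tls-secret
    usages:
    - server auth
# Root of trust for multicloud-ca-issuer: self-signed, isCA, 4096-bit key,
# valid 43800h and renewed 720h before expiry.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: multicloud-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: www.redhat.com
    dnsNames:
    - www.redhat.com
    duration: 43800h0m0s
    isCA: true
    issuerRef:
      kind: Issuer
      name: cert-manager-rhacm-selfsign
    keySize: 4096
    organization:
    - OpenShift ACM
    renewBefore: 720h0m0s
    secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: search-aggregator-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: search-aggregator
    dnsNames:
    - search-aggregator
    - search-aggregator.open-cluster-management
    - search-aggregator.open-cluster-management.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: search-aggregator-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-redis-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: search-redisgraph
    dnsNames:
    - ${SEARCH_CHART}-search-redisgraph
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-redisgraph-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-search-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: search-api
    dnsNames:
    - ${SEARCH_CHART}-search-api
    - ${SEARCH_CHART}-search-api.open-cluster-management
    - ${SEARCH_CHART}-search-api.open-cluster-management.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-search-api-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${TOPOLOGY_CHART}-ca-cert
    namespace: open-cluster-management
  spec:
    commonName: ${TOPOLOGY_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${TOPOLOGY_CHART}-topology-secrets
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
EOF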