Update certificate from cert-manager certificate
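#!/bin/bash
# manually recreate the Issuers and Certificates for cert-manager
#
# Usage:
#   NS=<namespace> CLUSTER=<cluster name> BASE_DOMAIN=<base domain> ./recreate-certs.sh
#
# Discovers the per-install deployment/helmrelease names with oc, renders a
# List of cert-manager Issuers and Certificates into issuer-cert-manifest.yaml
# in the current directory, applies it to $NS and then waits for every
# Certificate in $NS to report Ready.  Needs an oc session that can read
# helmreleases cluster-wide and create Issuers/Certificates in $NS.
set -euo pipefail

NS=${NS:-open-cluster-management}
CLUSTER=${CLUSTER:-mycluster}
BASE_DOMAIN=${BASE_DOMAIN:-mydomain.com}
readonly MANIFEST=issuer-cert-manifest.yaml

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Print the single resource name matching a grep pattern, or fail.
# The result is interpolated into the YAML below, so it must be exactly one
# DNS-1123 style token: an empty or multi-line grep result would otherwise
# be written into the manifest silently and produce a broken or wrong
# Certificate.
# Arguments: $1 - label used in error messages
#            $2 - awk column that holds the name (1 for "oc get deployment",
#                 2 for "oc get helmrelease -A", whose first column is the
#                 namespace)
#            $3 - grep pattern
#            $4.. - arguments passed to "oc get"
# Outputs:   the name on stdout
# Returns:   0 on success; exits 1 via die on no match, several matches or
#            a name with unexpected characters
#######################################
lookup_name() {
  local label=$1 column=$2 pattern=$3
  shift 3
  local name
  # grep exits 1 on no match, which pipefail turns into a failed substitution;
  # the empty-name check below reports that case with a clearer message.
  name=$(oc get "$@" | grep -- "$pattern" | awk -v c="$column" '{print $c}') || true
  [[ -n "$name" ]] || die "no $label found (pattern '$pattern')"
  [[ "$name" != *$'\n'* ]] \
    || die "pattern '$pattern' for $label matched more than one resource:"$'\n'"$name"
  [[ "$name" =~ ^[a-z0-9.-]+$ ]] || die "unexpected $label name: $name"
  printf '%s\n' "$name"
}

# Under set -e a failed lookup (die inside the substitution) aborts the script
# before an incomplete manifest can be rendered or applied.
APPLICATION_UI_DEPLOYMENT=$(lookup_name 'applicationui deployment' 1 applicationui deployment -n "$NS")
CONSOLE_CHART=$(lookup_name 'console helmrelease' 2 console helmrelease -A)
MGMT_INGRESS_CHART=$(lookup_name 'management-ingress helmrelease' 2 ingress helmrelease -A)
GRC_CHART=$(lookup_name 'grc helmrelease' 2 grc helmrelease -A)
SEARCH_CHART=$(lookup_name 'search-prod helmrelease' 2 search-prod helmrelease -A)
TOPOLOGY_CHART=$(lookup_name 'topology helmrelease' 2 topology helmrelease -A)

# The here-doc is intentionally unquoted so the names above and $NS expand.
# Every namespace and in-cluster service DNS name uses $NS so that the
# manifest stays correct when the hub is installed somewhere other than the
# default open-cluster-management namespace.
cat > "$MANIFEST" <<EOF
---
apiVersion: v1
items:
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-rhacm-selfsign
    namespace: ${NS}
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-webhook-selfsign
    namespace: ${NS}
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicloud-ca-issuer
    namespace: ${NS}
  spec:
    ca:
      secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicluster-hub-mcm-server-ca-issuer
    namespace: ${NS}
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${APPLICATION_UI_DEPLOYMENT}-ca-cert
    namespace: ${NS}
  spec:
    commonName: applicationui
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${APPLICATION_UI_DEPLOYMENT}-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${CONSOLE_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${CONSOLE_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${CONSOLE_CHART}-uiapi-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${GRC_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${GRC_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${GRC_CHART}-grc-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: kui-proxy
    namespace: ${NS}
  spec:
    commonName: kui-proxy
    dnsNames:
    - kui-proxy.kube-system
    - kui-proxy.kube-system.svc
    - localhost
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    secretName: kui-proxy-secret
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${MGMT_INGRESS_CHART}-cert
    namespace: ${NS}
  spec:
    commonName: management-ingress
    # NOTE(review): "mycluster.icp" and the "apps.wilds." label below are kept
    # from the original manifest; confirm they match this hub's console route
    # host before relying on the ingress certificate.
    dnsNames:
    - mycluster.icp
    - ${MGMT_INGRESS_CHART}-cluster-management
    - ${MGMT_INGRESS_CHART}
    - ${MGMT_INGRESS_CHART}.${NS}
    - ${MGMT_INGRESS_CHART}.${NS}.svc
    - management-ingress
    - management-ingress.${NS}
    - management-ingress.${NS}.svc
    - multicloud-console.apps.wilds.${CLUSTER}.${BASE_DOMAIN}
    - localhost
    duration: 2160h0m0s
    ipAddresses:
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    renewBefore: 24h0m0s
    secretName: ${MGMT_INGRESS_CHART}-tls-secret
    usages:
    - server auth
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: multicloud-ca-cert
    namespace: ${NS}
  spec:
    commonName: www.redhat.com
    dnsNames:
    - www.redhat.com
    duration: 43800h0m0s
    isCA: true
    issuerRef:
      kind: Issuer
      name: cert-manager-rhacm-selfsign
    keySize: 4096
    organization:
    - OpenShift ACM
    renewBefore: 720h0m0s
    secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: search-aggregator-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-aggregator
    dnsNames:
    - search-aggregator
    - search-aggregator.${NS}
    - search-aggregator.${NS}.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: search-aggregator-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-redis-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-redisgraph
    dnsNames:
    - ${SEARCH_CHART}-search-redisgraph
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-redisgraph-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-search-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-api
    dnsNames:
    - ${SEARCH_CHART}-search-api
    - ${SEARCH_CHART}-search-api.${NS}
    - ${SEARCH_CHART}-search-api.${NS}.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-search-api-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${TOPOLOGY_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${TOPOLOGY_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${TOPOLOGY_CHART}-topology-secrets
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
EOF

echo "Current ACM Certificates in ${NS} ..."
oc get -n "$NS" certificates.certmanager.k8s.io

oc apply -n "$NS" -f "$MANIFEST"

# Poll the Ready condition instead of a fixed sleep: issuance time depends on
# the cluster, and a fixed 20s could report success before the CA chain has
# actually been re-issued.
echo "Waiting for all Certificates in ${NS} to become Ready ..."
rv=0
oc wait -n "$NS" --for=condition=Ready --timeout=120s \
  certificates.certmanager.k8s.io --all || rv=$?
if (( rv != 0 )); then
  printf 'warning: not every Certificate in %s reached Ready within the timeout\n' "$NS" >&2
fi

echo "Verify All Certificate in True state..."
oc get -n "$NS" certificates.certmanager.k8s.io
# Propagate the wait result so callers (and CI) can detect an incomplete recovery.
exit "$rv"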
Missing:
oc get -n $NS certificates.certmanager.k8s.io
...
oc get -n $NS certificates.certmanager.k8s.io
Recovering cert-manager after removing the helmrelease
In some cases, a customer may need to remove the cert-manager/cert-manager-webhook helmreleases. When these helm releases are removed, they automatically trigger a redeploy of the charts and generate a new certificate. This certificate must then be synced to the other helm charts that make up the remaining RHACM components. Alternatively, these helm charts may have been partially removed, and the hub must be recovered without reinstalling ACM entirely.
make sure that the helmrelease is recreated and the pods are running
make sure the certificate is generated
update the other components with this certificate, by downloading and running this script.
https://gist.github.com/cdoan1/79451b3d75a2f3f1b74b3622029d6989
ensure that every certificate (and its secret) listed by `oc get certificates.certmanager.k8s.io` reports the Ready state True