@cdoan1
Last active December 4, 2020 16:02
Update certificate from cert-manager certificate
#!/bin/bash
# Manually recreate the cert-manager Issuers and Certificates for the RHACM hub
# after the cert-manager helmrelease was removed and redeployed (which regenerates
# the multicloud CA). Every component certificate below is re-issued from the
# current CA so that its TLS secret matches the new multicloud-ca-cert.
#
# Usage: NS=open-cluster-management CLUSTER=mycluster BASE_DOMAIN=mydomain.com ./recreate-certs.sh
set -u

NS=${NS:-open-cluster-management}
CLUSTER=${CLUSTER:-mycluster}
BASE_DOMAIN=${BASE_DOMAIN:-mydomain.com}

# The hub deployments/helmreleases carry a random suffix, so look their names up.
# (oc get helmrelease -A prints NAMESPACE NAME ..., hence $2.)
APPLICATION_UI_DEPLOYMENT=$(oc get deployment -n "$NS" | grep applicationui | awk '{print $1}')
CONSOLE_CHART=$(oc get helmrelease -A | grep console | awk '{print $2}')
MGMT_INGRESS_CHART=$(oc get helmrelease -A | grep ingress | awk '{print $2}')
GRC_CHART=$(oc get helmrelease -A | grep grc | awk '{print $2}')
SEARCH_CHART=$(oc get helmrelease -A | grep search-prod | awk '{print $2}')
TOPOLOGY_CHART=$(oc get helmrelease -A | grep topology | awk '{print $2}')

# Each lookup must yield exactly one name; an empty or multi-line value would
# produce a manifest with bogus object names, so fail early instead of applying it.
for v in APPLICATION_UI_DEPLOYMENT CONSOLE_CHART MGMT_INGRESS_CHART GRC_CHART SEARCH_CHART TOPOLOGY_CHART; do
  if [ "$(printf '%s\n' "${!v}" | grep -c .)" -ne 1 ]; then
    echo "ERROR: $v did not resolve to exactly one name (got: '${!v}')" >&2
    exit 1
  fi
done

# Unquoted heredoc on purpose: the ${...} names above are expanded into the manifest.
cat > issuer-cert-manifest.yaml <<EOF
---
apiVersion: v1
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
items:
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-rhacm-selfsign
    namespace: ${NS}
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-webhook-selfsign
    namespace: ${NS}
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicloud-ca-issuer
    namespace: ${NS}
  spec:
    ca:
      secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicluster-hub-mcm-server-ca-issuer
    namespace: ${NS}
  spec:
    selfSigned: {}
# The CA itself: self-signed, 5 years, 4096-bit key. All component certs below
# that reference multicloud-ca-issuer are signed by the key in this secret.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: multicloud-ca-cert
    namespace: ${NS}
  spec:
    commonName: www.redhat.com
    dnsNames:
    - www.redhat.com
    duration: 43800h0m0s
    isCA: true
    issuerRef:
      kind: Issuer
      name: cert-manager-rhacm-selfsign
    keySize: 4096
    organization:
    - OpenShift ACM
    renewBefore: 720h0m0s
    secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${APPLICATION_UI_DEPLOYMENT}-ca-cert
    namespace: ${NS}
  spec:
    commonName: applicationui
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${APPLICATION_UI_DEPLOYMENT}-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${CONSOLE_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${CONSOLE_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${CONSOLE_CHART}-uiapi-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${GRC_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${GRC_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${GRC_CHART}-grc-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: kui-proxy
    namespace: ${NS}
  spec:
    commonName: kui-proxy
    dnsNames:
    - kui-proxy.kube-system
    - kui-proxy.kube-system.svc
    - localhost
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    secretName: kui-proxy-secret
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${MGMT_INGRESS_CHART}-cert
    namespace: ${NS}
  spec:
    commonName: management-ingress
    dnsNames:
    - mycluster.icp
    - ${MGMT_INGRESS_CHART}-cluster-management
    - ${MGMT_INGRESS_CHART}
    - ${MGMT_INGRESS_CHART}.${NS}
    - ${MGMT_INGRESS_CHART}.${NS}.svc
    - management-ingress
    - management-ingress.${NS}
    - management-ingress.${NS}.svc
    # console route host as captured from the original manifest; adjust to your route
    - multicloud-console.apps.wilds.${CLUSTER}.${BASE_DOMAIN}
    - localhost
    duration: 2160h0m0s
    ipAddresses:
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    renewBefore: 24h0m0s
    secretName: ${MGMT_INGRESS_CHART}-tls-secret
    usages:
    - server auth
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: search-aggregator-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-aggregator
    dnsNames:
    - search-aggregator
    - search-aggregator.${NS}
    - search-aggregator.${NS}.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: search-aggregator-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-redis-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-redisgraph
    dnsNames:
    - ${SEARCH_CHART}-search-redisgraph
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-redisgraph-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${SEARCH_CHART}-search-ca-cert
    namespace: ${NS}
  spec:
    commonName: search-api
    dnsNames:
    - ${SEARCH_CHART}-search-api
    - ${SEARCH_CHART}-search-api.${NS}
    - ${SEARCH_CHART}-search-api.${NS}.svc
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: ${SEARCH_CHART}-search-api-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: ${TOPOLOGY_CHART}-ca-cert
    namespace: ${NS}
  spec:
    commonName: ${TOPOLOGY_CHART}
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: ${TOPOLOGY_CHART}-topology-secrets
EOF

echo "Current ACM certificates in $NS ..."
oc get certificates.certmanager.k8s.io -n "$NS"

oc apply -f issuer-cert-manifest.yaml -n "$NS"

echo "Waiting for all certificates in $NS to reach Ready=True ..."
# A fixed sleep can report a half-issued set; wait on the Ready condition instead
# and fail with a timeout if any certificate never becomes ready.
oc wait --for=condition=Ready --timeout=180s -n "$NS" certificates.certmanager.k8s.io --all
oc get certificates.certmanager.k8s.io -n "$NS"
cdoan1 commented Sep 28, 2020

Recovering cert-manager after removing the helmrelease

In some cases, a customer may need to remove the cert-manager/cert-manager-webhook helmreleases. When these helm releases are removed, they will automatically trigger a redeploy of the charts and generate a new certificate. This certificate must be synced to the other helm charts that make up the other RHACM components. Or, these helm charts got removed partially, and we need to recover the hub without reinstalling ACM entirely.

  1. Remove the helmrelease for cert-manager:

    oc delete helmrelease cert-manager-5ffd5
    oc delete helmrelease cert-manager-webhook-5ca82

  2. Make sure that the helmrelease is recreated and the pods are running.

  3. Make sure the certificate is generated:

    $ oc get certificates.certmanager.k8s.io
    NAME                 READY   SECRET               AGE   EXPIRATION
    multicloud-ca-cert   True    multicloud-ca-cert   61m   2025-09-27T17:10:47Z

  4. Update the other components with this certificate by downloading and running this script:
     https://gist.github.com/cdoan1/79451b3d75a2f3f1b74b3622029d6989

  5. Ensure that all the secrets from oc get certificates.certmanager.k8s.io have the ready state True.
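
The recovery steps above end with "all certificates Ready=True", but Ready only says cert-manager issued something; it does not tell you whether a component's TLS secret still chains to the CA that was regenerated when the cert-manager helmrelease was redeployed. The script below is an added example (not part of the gist and not RHACM code) that checks exactly that: it pulls the current CA out of the multicloud-ca-cert secret and runs openssl verify against every secret belonging to a Certificate issued by multicloud-ca-issuer, so a secret still signed by the old CA shows up as STALE. It assumes oc access to the hub, the secret and issuer names the gist's manifest uses, and openssl on PATH; with no argument it runs an offline demo on a constructed PKI (two self-signed CAs standing in for the CA before and after the redeploy) so the stale-detection logic can be exercised without a cluster.

```bash
#!/bin/bash
# Added example, not part of the original gist or of RHACM: after cert-manager
# is redeployed and multicloud-ca-cert is regenerated, find component TLS
# secrets that still chain to the OLD CA and therefore must be re-issued.
# Assumptions: oc access to the hub, the secret/issuer names from the gist's
# manifest, openssl on PATH. The demo PKI below is constructed, not from a cluster.
set -u

# classify_leaf CA_PEM LEAF_PEM: prints OK when LEAF chains to CA, STALE otherwise.
classify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo STALE
    fi
}

# check_hub_secrets [NAMESPACE]: verify every Certificate issued by
# multicloud-ca-issuer against the current multicloud-ca-cert secret.
# Certificates from the self-signed issuers are skipped on purpose: they are
# not expected to chain to the multicloud CA. Returns 1 if anything is stale/missing.
check_hub_secrets() {
    local ns=${1:-open-cluster-management} rc=0 tmp names s state
    tmp=$(mktemp -d)
    oc get secret multicloud-ca-cert -n "$ns" -o jsonpath='{.data.tls\.crt}' 2>/dev/null \
        | base64 -d > "$tmp/ca.crt" 2>/dev/null
    if [ ! -s "$tmp/ca.crt" ]; then
        echo "cannot read multicloud-ca-cert in $ns" >&2
        rm -rf "$tmp"; return 1
    fi
    names=$(oc get certificates.certmanager.k8s.io -n "$ns" \
        -o jsonpath='{range .items[?(@.spec.issuerRef.name=="multicloud-ca-issuer")]}{.spec.secretName}{"\n"}{end}')
    for s in $names; do
        oc get secret "$s" -n "$ns" -o jsonpath='{.data.tls\.crt}' 2>/dev/null \
            | base64 -d > "$tmp/$s.crt" 2>/dev/null
        if [ ! -s "$tmp/$s.crt" ]; then
            echo "MISSING $s"; rc=1; continue
        fi
        state=$(classify_leaf "$tmp/ca.crt" "$tmp/$s.crt")
        echo "$state $s"
        [ "$state" = OK ] || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# make_demo_pki DIR: constructed keys and certs (not from any cluster) that model
# a cert-manager redeploy: old.crt is the CA before, new.crt the CA after, and
# leaf-old.crt / leaf-new.crt are the same search-aggregator CSR signed by each.
make_demo_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=multicloud-ca-old' \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=multicloud-ca-new' \
        -keyout "$d/new.key" -out "$d/new.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=search-aggregator' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/old.crt" -CAkey "$d/old.key" \
        -CAcreateserial -out "$d/leaf-old.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/new.crt" -CAkey "$d/new.key" \
        -CAcreateserial -out "$d/leaf-new.crt" 2>/dev/null
}

# No argument: offline demo. "cluster [NAMESPACE]": the real check against the hub.
case "${1:-demo}" in
    cluster)
        check_hub_secrets "${2:-open-cluster-management}"
        ;;
    demo)
        demo=$(mktemp -d)
        make_demo_pki "$demo"
        echo "$(classify_leaf "$demo/new.crt" "$demo/leaf-old.crt") search-aggregator (still signed by the old CA)"
        echo "$(classify_leaf "$demo/new.crt" "$demo/leaf-new.crt") search-aggregator (re-issued by the new CA)"
        rm -rf "$demo"
        ;;
esac
```

Run it as `./check-hub-certs.sh cluster open-cluster-management` after the gist's script has finished; any STALE line is a Certificate that cert-manager reports Ready but whose secret was never re-issued from the new CA, which is the state the recovery procedure is meant to leave behind.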

mdelder commented Dec 4, 2020

Missing:

    oc get -n $NS certificates.certmanager.k8s.io
...
    oc get -n $NS certificates.certmanager.k8s.io
