Update certificate from cert-manager certificate
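#!/bin/bash
# Manually recreate the cert-manager Issuers and Certificates used by ACM in
# the hub namespace, then print the resulting Certificate status.
#
# Environment overrides:
#   NS           namespace holding the ACM components (default: open-cluster-management)
#   CLUSTER      cluster name used in the console route host (default: mycluster)
#   BASE_DOMAIN  base DNS domain used in the console route host (default: mydomain.com)
#
# NOTE(review): the cluster name is read from CLUSTER, not CLUSTER_NAME; an
# exported CLUSTER_NAME is ignored.

# Abort on unset variables so a typo cannot render an empty name into a manifest.
set -u

NS=${NS:-open-cluster-management}
CLUSTER_NAME=${CLUSTER:-mycluster}
BASE_DOMAIN=${BASE_DOMAIN:-mydomain.com}

# Fail unless a discovered resource name is exactly one non-empty line.
# An empty value would render names such as "-ca-cert"; several matches would
# splice extra lines into the manifest below.
require_single_name() {
  local label=$1
  local value=$2
  if [[ -z "$value" ]]; then
    echo "ERROR: could not find ${label}; are you logged in and is NS=${NS} correct?" >&2
    exit 1
  fi
  if [[ "$value" == *$'\n'* ]]; then
    echo "ERROR: more than one match for ${label}:" >&2
    echo "$value" >&2
    exit 1
  fi
}

# Discover the generated deployment / helm release names that the certificate
# and secret names are derived from. The grep patterns are substring matches
# on the whole output line, hence the uniqueness check afterwards.
APPLICATION_UI_DEPLOYMENT=$(oc get deployment -n "$NS" | grep applicationui | awk '{print $1}')
CONSOLE_CHART=$(oc get helmrelease -A | grep console | awk '{print $2}')
MGMT_INGRESS_CHART=$(oc get helmrelease -A | grep ingress | awk '{print $2}')
GRC_CHART=$(oc get helmrelease -A | grep grc | awk '{print $2}')
SEARCH_CHART=$(oc get helmrelease -A | grep search-prod | awk '{print $2}')
TOPOLOGY_CHART=$(oc get helmrelease -A | grep topology | awk '{print $2}')

require_single_name "applicationui deployment" "$APPLICATION_UI_DEPLOYMENT"
require_single_name "console helmrelease" "$CONSOLE_CHART"
require_single_name "ingress helmrelease" "$MGMT_INGRESS_CHART"
require_single_name "grc helmrelease" "$GRC_CHART"
require_single_name "search-prod helmrelease" "$SEARCH_CHART"
require_single_name "topology helmrelease" "$TOPOLOGY_CHART"

echo "Current ACM Certificate ..."
oc get -n "$NS" certificates.certmanager.k8s.io

# The manifests use the NS variable instead of a hard-coded namespace: with a
# literal namespace, "oc apply -n" rejects the objects whenever NS is set to
# anything else. Service DNS names are derived from NS for the same reason.
# The here-document delimiter is unquoted, so shell variables are expanded
# before the YAML reaches oc.
oc apply -n "$NS" -f - <<EOF || { echo "ERROR: oc apply failed" >&2; exit 1; }
---
apiVersion: v1
items:
# --- Issuers ---------------------------------------------------------------
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-rhacm-selfsign
    namespace: "${NS}"
  spec:
    selfSigned: {}
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: cert-manager-webhook-selfsign
    namespace: "${NS}"
  spec:
    selfSigned: {}
# CA issuer backed by the multicloud-ca-cert secret created further down.
# Read access to that secret is enough to sign certificates that every
# component trusting this CA will accept, so keep its RBAC tight.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicloud-ca-issuer
    namespace: "${NS}"
  spec:
    ca:
      secretName: multicloud-ca-cert
# NOTE(review): despite the "ca-issuer" name this issuer is selfSigned, so
# the console, grc and topology certificates below are self-signed leaves
# that do not chain to multicloud-ca-cert. Confirm that is intended.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Issuer
  metadata:
    name: multicluster-hub-mcm-server-ca-issuer
    namespace: "${NS}"
  spec:
    selfSigned: {}
# --- Certificates ----------------------------------------------------------
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${APPLICATION_UI_DEPLOYMENT}-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: applicationui
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: "${APPLICATION_UI_DEPLOYMENT}-secrets"
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${CONSOLE_CHART}-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: "${CONSOLE_CHART}"
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: "${CONSOLE_CHART}-uiapi-secrets"
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${GRC_CHART}-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: "${GRC_CHART}"
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: "${GRC_CHART}-grc-secrets"
# NOTE(review): 127.0.0.1 is listed under dnsNames here. TLS clients match an
# IP literal against IP-address SANs, not DNS SANs, so this entry probably
# belongs under ipAddresses (as in the ingress certificate). Left as found.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: kui-proxy
    namespace: "${NS}"
  spec:
    commonName: kui-proxy
    dnsNames:
    - kui-proxy.kube-system
    - kui-proxy.kube-system.svc
    - localhost
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    secretName: kui-proxy-secret
# Ingress serving certificate. The mycluster.icp entry and the apps.wilds
# label in the console route host are specific to the environment this was
# captured from; adjust them to the route host of the target cluster.
# Duplicate dnsNames / ipAddresses entries from the original were collapsed.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${MGMT_INGRESS_CHART}-cert"
    namespace: "${NS}"
  spec:
    commonName: management-ingress
    dnsNames:
    - mycluster.icp
    - "${MGMT_INGRESS_CHART}-cluster-management"
    - "${MGMT_INGRESS_CHART}.${NS}.svc"
    - "${MGMT_INGRESS_CHART}"
    - "${MGMT_INGRESS_CHART}.${NS}"
    - management-ingress
    - "management-ingress.${NS}"
    - "management-ingress.${NS}.svc"
    - "multicloud-console.apps.wilds.${CLUSTER_NAME}.${BASE_DOMAIN}"
    - localhost
    duration: 2160h0m0s
    ipAddresses:
    - 127.0.0.1
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    renewBefore: 24h0m0s
    secretName: "${MGMT_INGRESS_CHART}-tls-secret"
    usages:
    - server auth
# Root CA for multicloud-ca-issuer: self-signed, 4096-bit key, valid for
# 43800h (about five years). Re-creating it produces a new key pair, so
# anything that pinned the previous CA must be given the new bundle.
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: multicloud-ca-cert
    namespace: "${NS}"
  spec:
    commonName: www.redhat.com
    dnsNames:
    - www.redhat.com
    duration: 43800h0m0s
    isCA: true
    issuerRef:
      kind: Issuer
      name: cert-manager-rhacm-selfsign
    keySize: 4096
    organization:
    - OpenShift ACM
    renewBefore: 720h0m0s
    secretName: multicloud-ca-cert
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: search-aggregator-ca-cert
    namespace: "${NS}"
  spec:
    commonName: search-aggregator
    dnsNames:
    - search-aggregator
    - "search-aggregator.${NS}"
    - "search-aggregator.${NS}.svc"
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: search-aggregator-secrets
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${SEARCH_CHART}-redis-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: search-redisgraph
    dnsNames:
    - "${SEARCH_CHART}-search-redisgraph"
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: "${SEARCH_CHART}-redisgraph-secrets"
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${SEARCH_CHART}-search-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: search-api
    dnsNames:
    - "${SEARCH_CHART}-search-api"
    - "${SEARCH_CHART}-search-api.${NS}"
    - "${SEARCH_CHART}-search-api.${NS}.svc"
    issuerRef:
      kind: Issuer
      name: multicloud-ca-issuer
    organization:
    - Red Hat
    secretName: "${SEARCH_CHART}-search-api-secrets"
- apiVersion: certmanager.k8s.io/v1alpha1
  kind: Certificate
  metadata:
    name: "${TOPOLOGY_CHART}-ca-cert"
    namespace: "${NS}"
  spec:
    commonName: "${TOPOLOGY_CHART}"
    issuerRef:
      kind: Issuer
      name: multicluster-hub-mcm-server-ca-issuer
    organization:
    - Red Hat
    secretName: "${TOPOLOGY_CHART}-topology-secrets"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
EOF

# Fixed delay to give cert-manager time to issue; nothing is asserted here,
# so read the READY column of the listing below before relying on the certs.
sleep 20
echo "Verify All Certificate in True state..."
oc get -n "$NS" certificates.certmanager.k8s.io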