Merge pull request #1135 from equinor/bootstrap-flux-digicert-issuer-…
…secrets

bootstrap digicert flux values
nilsgstrabo authored Dec 19, 2023
2 parents 215050e + 4847803 commit fb0c7a5
Showing 12 changed files with 248 additions and 499 deletions.
42 changes: 1 addition & 41 deletions scripts/cert-manager/README.md
@@ -1,13 +1,11 @@
# Cert-manager - v1.1
# Cert-manager

We use [cert-manager](https://github.com/jetstack/cert-manager) to provide automatic SSL/TLS certificate generation in the cluster using Let's Encrypt.
Depending on use case we can use it to either create certificates according to a crd manifest, or auto-create the certificate based on an ingress notation.
For certificate management in general in Radix then please see [radix certificate management](https://github.com/equinor/radix-private/blob/master/docs/radix-platform/cert-management.md)

- [Overview](#overview)
- [Bootstrap](#bootstrap)
- [Teardown](#teardown)
- [Upgrade](#upgrade)
- [Credentials](#credentials)
- [Troubleshooting](#troubleshooting)

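Review bot: the table of contents still links to #teardown and #upgrade, but the next hunk removes both of those sections from this README, so the two entries become dead anchors; drop them from the list here, or keep a short Teardown section so the link resolves.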
Expand Down Expand Up @@ -72,44 +70,6 @@ RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster S
# Done!
```


## Teardown

Run script [`./teardown.sh`](./teardown.sh), see script header for more info.

Teardown will
1. Delete cert-manager and all related custom resources
1. It will _not_ delete the k8s tls secrets


## Upgrade

As long as cert-manager has the following status

> As this project is pre-1.0, we do not currently offer strong guarantees around our API stability.
>
> Notably, we may choose to make breaking changes to our API specification (i.e. the Issuer, ClusterIssuer and Certificate resources) in new minor releases.
then we need to handle deployment of cert-manager by scripts that are customized for that specific version.

Due to the high possibility of breaking changes you will need to
1. Verify that the custom resources are still valid (old version vs new version)
1. Prepare bootstrap and removal script of new version
1. Remove any trace of old version from the cluster (use the teardown script for the old version)
1. When previous version is gone, install new version (use the bootstrap script for the new version)
1. Update this `README.md` title to show the new version number

The k8s tls secrets will be kept intact during this process as it does not belong to cert-manager.

Example:
```sh
# Upgrading cert-manager from v0.8.1 to v0.11.0 in cluster "my-little-cluster" that lives in radix-zone "dev"
# Step 1: Remove v0.8.1
RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster ./teardown_v0.8.1.sh
# Step 2: Install v0.11.0
RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster ./bootstrap.sh
```

## Credentials

`cert-manager` use dedicated service principal to work with the DNS.
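Review bot: deleting the Teardown section also drops the one operational detail an operator running a teardown needs, namely that teardown leaves the k8s TLS secrets intact; if teardown is now documented elsewhere, replace the section with a one-line pointer rather than removing it silently. Removing the Upgrade step "Update this `README.md` title to show the new version number" is consistent with dropping the version from the title in the previous hunk.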
1 change: 0 additions & 1 deletion scripts/cert-manager/bootstrap.sh
Expand Up @@ -143,7 +143,6 @@ echo -e " - RADIX_ZONE : $RADIX_ZONE"
echo -e ""
echo -e " > WHAT:"
echo -e " -------------------------------------------------------------------"
echo -e " - CERT-MANAGER : v1.1"
echo -e " - CERT_ISSUER : $CERT_ISSUER"
echo -e ""
echo -e " > WHO:"
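Review bot: dropping the hard-coded `CERT-MANAGER : v1.1` line is reasonable because it had already drifted from what was installed (the removed teardown code later in this commit references the v1.5.3 CRDs), but the WHAT section now reports only CERT_ISSUER; if the script pins the chart version in a variable, echo that variable here so the summary shows the real version instead of nothing.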
18 changes: 18 additions & 0 deletions scripts/cert-manager/cluster-issuers/digicert/README.md
@@ -0,0 +1,18 @@
# Digicert cluster issuer

Scripts for managing secrets required by Flux to install Digicert cluster issuers.

## Bootstrap

Run script [`./bootstrap.sh`](./bootstrap.sh), see script header for more how.

Bootstrap will
1. Read Digicert external account info from keyvault.
1. Create a Kubernetes secret with this info used by Flux to install ACME cluster issuers for Digicert

## Update external account values

Run script [`./update_account.sh`](./update_account.sh), see script header for more how.
The script will update the Key Vault secret that holds Digicert account info. You should run [`./bootstrap.sh`](./bootstrap.sh) afterwards to update the Kubernetes secret used by Flux.

Required input values must be obtained from Equinor's account manager for Digicert.
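Review bot: "see script header for more how" in both the Bootstrap and Update sections reads as a typo for "see script header for more info". It would also help to say here what the Key Vault secret actually holds (the ACME external account binding for DigiCert: key ID, HMAC key, account email and ACME server URL), since that is what `bootstrap.sh` copies into a Secret in the `flux-system` namespace, and who is expected to have read access to that vault secret.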
Expand Up @@ -5,7 +5,7 @@
### PURPOSE
###

# Tear down cert-manager in a radix cluster, v1.1
# Bootstrap secrets required by Flux to install cluster issuers for DigiCert ACME http01 and dns01


#######################################################################################
Expand All @@ -14,7 +14,6 @@

# - AKS cluster is available
# - User has role cluster-admin
# - Helm RBAC is configured in cluster


#######################################################################################
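Review bot: removing the Helm RBAC prerequisite is correct now that the script no longer manages a helm release, but the list should state what it depends on instead: the Key Vault secret named by DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET must exist in AZ_RESOURCE_KEYVAULT and the user needs secret read permission on that vault, otherwise the `az keyvault secret show` call later in the script fails.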
Expand All @@ -34,33 +33,26 @@
###

# Normal usage
# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-2" ./teardown.sh


#######################################################################################
### DOCS
###

# - https://cert-manager.io/docs/installation/helm/#uninstalling
# RADIX_ZONE_ENV=../../../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-49" ./bootstrap.sh


#######################################################################################
### START
###

echo ""
echo "Start tear down of cert-manager... "
echo "Start bootstrap of DigiCert secrets for Flux... "


#######################################################################################
### Check for prerequisites binaries
###

echo ""
printf "Check for neccesary executables... "
printf "Check for necessary executables... "
hash az 2> /dev/null || { echo -e "\nERROR: Azure-CLI not found in PATH. Exiting..." >&2; exit 1; }
hash kubectl 2> /dev/null || { echo -e "\nERROR: kubectl not found in PATH. Exiting..." >&2; exit 1; }
hash helm 2> /dev/null || { echo -e "\nERROR: helm not found in PATH. Exiting..." >&2; exit 1; }
hash jq 2> /dev/null || { echo -e "\nERROR: jq not found in PATH. Exiting..." >&2; exit 1; }
printf "All is good."
echo ""

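Review bot: the new usage example `# RADIX_ZONE_ENV=../../../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-49" ./bootstrap.sh` ends up under the `### DOCS` heading while the `# Normal usage` heading above it is left empty; move the example back under "Normal usage" and either drop the DOCS block or give it the DigiCert ACME and Flux references it now lacks. The added `hash jq` check is right since the script pipes through jq; the `hash helm` check appears unused after this change and can go.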
Expand Down Expand Up @@ -97,12 +89,6 @@ if [[ -z "$USER_PROMPT" ]]; then
USER_PROMPT=true
fi

# Script vars

WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"



#######################################################################################
### Prepare az session
###
Expand All @@ -118,17 +104,13 @@ printf "Done.\n"
###

echo -e ""
echo -e "Tear down of cert-manager will use the following configuration:"
echo -e "Bootstrap of DigiCert secrets for Flux will use the following configuration:"
echo -e ""
echo -e " > WHERE:"
echo -e " ------------------------------------------------------------------"
echo -e " - CLUSTER_NAME : $CLUSTER_NAME"
echo -e " - RADIX_ZONE : $RADIX_ZONE"
echo -e ""
echo -e " > WHAT:"
echo -e " -------------------------------------------------------------------"
echo -e " - CERT-MANAGER : v1.1"
echo -e ""
echo -e " > WHO:"
echo -e " -------------------------------------------------------------------"
echo -e " - AZ_SUBSCRIPTION : $(az account show --query name -otsv)"
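Review bot: the WHAT section was removed from the configuration summary, so the operator confirming the prompt no longer sees where the account values are read from; print AZ_RESOURCE_KEYVAULT and DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET there (names only, never the fetched values), since a wrong vault or secret name is the most likely misconfiguration for this script.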
Expand All @@ -155,10 +137,10 @@ fi

# Exit if cluster does not exist
printf "Connecting kubectl..."
get_credentials "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" || {
get_credentials "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" || {
# Send message to stderr
echo -e "ERROR: Cluster \"$CLUSTER_NAME\" not found." >&2
exit 1
exit 1
}
printf "...Done.\n"

Expand All @@ -167,46 +149,37 @@ printf "...Done.\n"
###
verify_cluster_access


#######################################################################################
### MAIN
### Bootstrap Digicert external account secret for Flux
###

# Step 1: Remove all custom resources
#kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
printf "\nDelete all custom resources..."
kubectl delete Issuers --all --all-namespaces 2>&1 >/dev/null
kubectl delete ClusterIssuers --all --all-namespaces 2>&1 >/dev/null
kubectl delete Certificates --all --all-namespaces 2>&1 >/dev/null
kubectl delete CertificateRequests --all --all-namespaces 2>&1 >/dev/null
kubectl delete Orders --all --all-namespaces 2>&1 >/dev/null
kubectl delete Challenges --all --all-namespaces 2>&1 >/dev/null
printf "...Done.\n"

# Step 2: Remove the helm release
printf "\nDelete the helm release..."
helm --namespace cert-manager delete cert-manager 2>&1 >/dev/null
printf "...Done.\n"

# Step 3: Remove the namespace
printf "\nDelete the namespace..."
kubectl delete namespace cert-manager 2>&1 >/dev/null
printf "...Done.\n"

# Step 4: Remove all the custom resource definitions using the link to the version installed.
printf "\nDelete all the custom resource definitions..."
kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml
printf "...Done.\n"

# Step 5: Making sure the webhook is really gone
printf "\nMaking sure the webhook is really gone..."
kubectl delete apiservice v1beta1.webhook.cert-manager.io 2>&1 >/dev/null
printf "...Done.\n"


#######################################################################################
### END
###
printf "\nCreating secret for Flux...\n"

# Create secret for flux
account_values="$(az keyvault secret show \
--vault-name $AZ_RESOURCE_KEYVAULT \
--name $DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET \
| jq '.value | fromjson')"

# Set variables used in the manifest template
kid="$(echo $account_values | jq -r '.accountKeyID')"
hmac="$(echo $account_values | jq -r '.accountHMACKey')"
email="$(echo $account_values | jq -r '.accountEmail')"
server="$(echo $account_values | jq -r '.acmeServer')"

cat <<EOF | kubectl apply -f - || exit
apiVersion: v1
kind: Secret
metadata:
name: digicert-clusterissuer-external-account-flux-values
namespace: flux-system
type: Opaque
stringData:
accountKeyID: ${kid}
accountHMACKey: ${hmac}
accountEmail: ${email}
acmeServer: ${server}
EOF

echo ""
echo "Tear down of cert-manager is done!"
printf "Bootstrapping of DigiCert secrets for Flux done!\n"
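Review bot: the `az keyvault secret show ... | jq '.value | fromjson'` fetch has no error check, so if the vault or secret is missing or the caller lacks read access, `account_values` is empty, the four `jq -r` lookups produce empty strings, and the script goes on to apply a Secret with empty fields instead of failing at the fetch. Guard it, e.g. `[[ -n "$account_values" ]] || { echo "ERROR: could not read $DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET from $AZ_RESOURCE_KEYVAULT" >&2; exit 1; }`, and quote `"$account_values"`, `"$AZ_RESOURCE_KEYVAULT"` and `"$DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET"`. The values are also interpolated unquoted into the YAML heredoc, so an HMAC key or server URL containing `#`, `: ` or leading YAML-special characters can alter the manifest; building the Secret with `kubectl create secret generic ... --from-literal ... --dry-run=client -o yaml | kubectl apply -f -` avoids that, and since the HMAC key is an ACME external account credential, make sure nothing enables `set -x` around this block.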