From 28e00f95fcfd101eb7003a5fe18a2cb1e8761172 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Mon, 15 Jan 2024 12:52:12 +1100
Subject: [PATCH 1/2] fix: remove the secret when tls-acme is set to false too
---
 legacy/build-deploy-docker-compose.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
index 74b19c1a..a4d28787 100755
--- a/legacy/build-deploy-docker-compose.sh
+++ b/legacy/build-deploy-docker-compose.sh
@@ -1931,8 +1931,9 @@ TLS_FALSE_INGRESSES=$(kubectl -n ${NAMESPACE} get ingress -o json | jq -r '.item
 for TLS_FALSE_INGRESS in $TLS_FALSE_INGRESSES; do
   TLS_SECRETS=$(kubectl -n ${NAMESPACE} get ingress ${TLS_FALSE_INGRESS} -o json | jq -r '.spec.tls[]?.secretName')
   for TLS_SECRET in $TLS_SECRETS; do
+    echo ">> Cleaning up certificate for ${TLS_SECRET} as tls-acme is set to false"
+    kubectl -n ${NAMESPACE} delete secret ${TLS_SECRET}-tls
     if kubectl -n ${NAMESPACE} get certificates.cert-manager.io ${TLS_SECRET} &> /dev/null; then
-      echo ">> Cleaning up certificate for ${TLS_SECRET} as tls-acme is set to false"
       kubectl -n ${NAMESPACE} delete certificates.cert-manager.io ${TLS_SECRET}
     fi
   done
From 26e5532243f5bfec413494609ae9831ea6ed8a69 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Tue, 16 Jan 2024 13:30:59 +1100
Subject: [PATCH 2/2] refactor: use openssl to inspect the certificate before deletion
---
 legacy/build-deploy-docker-compose.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
index a4d28787..369c8f4c 100755
--- a/legacy/build-deploy-docker-compose.sh
+++ b/legacy/build-deploy-docker-compose.sh
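Review bot: The two deletions in this hunk derive their target names differently: the added line removes the Secret `${TLS_SECRET}-tls` while the retained line removes the Certificate `${TLS_SECRET}`, with `TLS_SECRET` coming straight from the ingress' `spec.tls[].secretName`; if that secretName already carries a `-tls` suffix, the Secret delete targets a `…-tls-tls` object that does not exist, so the naming convention of the ingress template should be confirmed before relying on this. The unguarded `kubectl -n ${NAMESPACE} delete secret ${TLS_SECRET}-tls` also returns non-zero when the Secret is absent, which aborts the build if the script runs under `set -e` (not visible in the hunk); `kubectl -n ${NAMESPACE} delete secret --ignore-not-found ${TLS_SECRET}-tls` keeps the cleanup idempotent, matching the existence guard the Certificate delete already has. The outer `for TLS_FALSE_INGRESS` loop's `done` lies outside the hunk.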
@@ -1932,7 +1932,10 @@ for TLS_FALSE_INGRESS in $TLS_FALSE_INGRESSES; do
   TLS_SECRETS=$(kubectl -n ${NAMESPACE} get ingress ${TLS_FALSE_INGRESS} -o json | jq -r '.spec.tls[]?.secretName')
   for TLS_SECRET in $TLS_SECRETS; do
     echo ">> Cleaning up certificate for ${TLS_SECRET} as tls-acme is set to false"
-    kubectl -n ${NAMESPACE} delete secret ${TLS_SECRET}-tls
+    # check if it is a lets encrypt certificate
+    if openssl x509 -in <(kubectl -n ${NAMESPACE} get secret ${TLS_SECRET}-tls -o json | jq -r '.data."tls.crt"' | base64 --decode) -text -noout | grep -o -q "Let's Encrypt" s &> /dev/null; then
+      kubectl -n ${NAMESPACE} delete secret ${TLS_SECRET}-tls
+    fi
     if kubectl -n ${NAMESPACE} get certificates.cert-manager.io ${TLS_SECRET} &> /dev/null; then
       kubectl -n ${NAMESPACE} delete certificates.cert-manager.io ${TLS_SECRET}
     fi
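Review bot: The stray `s` operand after `"Let's Encrypt"` on the added `if openssl …` line makes grep read a file named `s` instead of the openssl output arriving on stdin; unless such a file happens to exist in the build directory grep exits 2, the `&> /dev/null` hides that error, and the `kubectl delete secret` branch can never run, so the Secret is silently kept. Drop the operand (and `-o`, which does nothing in combination with `-q`): `... -text -noout | grep -q "Let's Encrypt" &> /dev/null; then`. Matching anywhere in the `-text` dump also accepts a certificate whose subject merely contains that string; `openssl x509 -in <(…) -issuer -noout | grep -q "Let's Encrypt"` ties the deletion decision to the issuer field only. Both enclosing `for` loops and their `done` lines lie outside the hunk.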