StarlingX/Containers/Applications/app-cert-manager

Application: cert-manager-armada-app

Source

Building

  • From the Debian Build environment:
build-pkgs -c -p cert-manager-helm,python3-k8sapp-cert-manager,stx-cert-manager-helm
  • The command above produces the package "stx-cert-manager-helm_<version>_<arch>.deb" that contains the tarball "cert-manager-<version>.tgz"

Testing

The cert-manager app is applied during bootstrap:

system application-show cert-manager
+---------------+----------------------------------+
| Property      | Value                            |
+---------------+----------------------------------+
| active        | True                             |
| app_version   | 26.09-72                         |
| created_at    | 2024-07-12T10:15:00.955486+00:00 |
| manifest_file | fluxcd-manifests                 |
| manifest_name | cert-manager-fluxcd-manifests    |
| name          | cert-manager                     |
| progress      | completed                        |
| status        | applied                          |
| updated_at    | 2024-07-12T10:16:14.306746+00:00 |
+---------------+----------------------------------+

All the cert-manager pods are deployed in the cert-manager namespace:

kubectl get pods -n cert-manager
NAME                                          READY   STATUS    RESTARTS       AGE
cm-cert-manager-58f86f7c6c-fk4sj              1/1     Running   1 (6d3h ago)   6d3h
cm-cert-manager-cainjector-5676bd98f6-8m48b   1/1     Running   1 (6d3h ago)   6d3h
cm-cert-manager-webhook-58c6f9d64c-df5ph      1/1     Running   1 (6d3h ago)   6d3h

The cert-manager app values can be configured or updated by applying Helm overrides to the app. For example, to change the livenessProbe of the webhook pod, follow the steps below:

cat <<EOF >cm_override_values.yaml
webhook:
  livenessProbe:
    failureThreshold: 4
    initialDelaySeconds: 60
    periodSeconds: 10
    successThreshold: 2
    timeoutSeconds: 2
EOF
system helm-override-update --values cm_override_values.yaml  cert-manager cert-manager cert-manager
system application-apply cert-manager

Certificate signing request

A certificate is created by applying the following config. The certificate is signed by the ClusterIssuer "system-local-ca", which exists by default on the system.

cat <<EOF >certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
  namespace: deployment
spec:
  commonName: test-cert
  dnsNames:
  - regionone.starlingx.local
  duration: 2160h
  ipAddresses:
  - 10.10.10.2
  issuerRef:
    kind: ClusterIssuer
    name: system-local-ca
  renewBefore: 360h
  secretName: test-certificate
  subject:
    localities:
    - regionone
    organizations:
    - starlingx
EOF
kubectl apply -f certificate.yaml

Verify that the certificate has been issued by checking that the "READY" column has changed to "True":

kubectl get certificate -n deployment test-certificate
NAME               READY   SECRET             AGE
test-certificate   True    test-certificate   13s
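
The READY column only summarises the Certificate's Ready condition. The following added example (not part of the original StarlingX page) audits the full status of the Certificate above: Ready condition, issuer, issued lifetime against spec.duration, and the renewal deadline. The function names and the embedded JSON are constructed for illustration, and the 5-minute lifetime tolerance is an assumption.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `kubectl get certificate -n deployment test-certificate
# -o json` output; the timestamps are illustrative, not from a real system.
SAMPLE = json.dumps({
    "spec": {"duration": "2160h", "renewBefore": "360h",
             "issuerRef": {"kind": "ClusterIssuer", "name": "system-local-ca"}},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
        "notBefore": "2024-07-12T10:20:00Z",
        "notAfter": "2024-10-10T10:20:00Z",
        "renewalTime": "2024-09-25T10:20:00Z",
    },
})

def parse_duration(text):
    """Parse a Go-style duration such as '2160h' or '2160h0m0s' (integers only)."""
    secs = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * secs[u] for n, u in parts))

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_certificate(cert_json, expected_issuer, now):
    """Return a list of problems; an empty list means every check passed."""
    cert = json.loads(cert_json)
    spec, status = cert["spec"], cert.get("status", {})
    problems = []
    ready = [c for c in status.get("conditions", []) if c.get("type") == "Ready"]
    if not ready or ready[0].get("status") != "True":
        problems.append("Ready condition is not True")
    if spec["issuerRef"].get("name") != expected_issuer:
        problems.append("unexpected issuer: " + str(spec["issuerRef"].get("name")))
    if not all(k in status for k in ("notBefore", "notAfter", "renewalTime")):
        return problems + ["no issued certificate recorded in status"]
    not_before, not_after = parse_time(status["notBefore"]), parse_time(status["notAfter"])
    lifetime = not_after - not_before
    if abs(lifetime - parse_duration(spec["duration"])) > timedelta(minutes=5):
        problems.append("issued lifetime differs from spec.duration")
    if now >= not_after:
        problems.append("certificate has expired")
    elif now >= parse_time(status["renewalTime"]):
        problems.append("renewal is overdue")
    return problems
```

On a live system, pass the JSON output of the kubectl command named in the comment, together with datetime.now(timezone.utc), to audit_certificate.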