pomerium: tasks.py annotate

annotate tasks.py @ 23:695948b426ae

redo config with kustomize (still has a bug with pomerium-proxy-tls secret name getting a suffix)

author	drewp@bigasterisk.com
date	Wed, 07 Jun 2023 20:22:55 -0700
parents	54b0edb7cca8
children	b53ab97e8979

rev	line source
6 d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	1 from invoke import task
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	2 from invoke.exceptions import UnexpectedExit
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	3
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	4 @task
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	5 def run(ctx):
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	6 ctx.run("cd 00-defs; skaffold run", echo=True)
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	7 ctx.run("cd 10-vols; skaffold run", echo=True)
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	8 ctx.run("cd 20-kube; skaffold run", echo=True)
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	9 # here we must wait for cert-manager-webhook.cert-manager.svc
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	10 ctx.run("cd 30-cert-manager; skaffold run", echo=True, warn=True)
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	11 ctx.run("cd 30-cert-manager; skaffold run", echo=True)
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	12
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	13 try:
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	14 ctx.run("kubectl get -n pomerium ingress \| grep 80")
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	15 except UnexpectedExit:
d3caeaf39d87 deploy with invoke & skaffold drewp@bigasterisk.com parents: diff changeset	16 raise SystemExit("expected cm-acme-http-solver-... ingress on port 80")
11 54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	17
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	18 '''
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	19 troubleshooting, based on
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	20 https://cert-manager.io/docs/troubleshooting/
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	21 then
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	22 https://cert-manager.io/docs/concepts/acme-orders-challenges/
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	23
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	24 I had these open:
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	25 ✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	26 ✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	27 ✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	28 ✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	29 ✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	30 ✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io '
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	31
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	32 then i checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	33 and i often restarted cert-manager and eventually pomerium too. 10-pom-pom.yaml last line
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	34 may need to be toggled.
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	35
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	36 The 'cm-acme-http-solver' ingress for LE comes and goes but i didn't have to force it to exist.
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	37
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	38 Didn't need 04-gen-secrets-job.yaml
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	39
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	40 Also, CM says this a lot which means it may be afraid to renew bigasterisk.com
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	41
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	42 I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	43
54b0edb7cca8 debug notes drewp@bigasterisk.com parents: 6 diff changeset	44 '''

Mercurial > code > home > repos > pomerium

annotate tasks.py @ 23:695948b426ae