view tasks.py @ 23:695948b426ae
redo config with kustomize (still has a bug with pomerium-proxy-tls secret name getting a suffix)
author | drewp@bigasterisk.com |
---|---|
date | Wed, 07 Jun 2023 20:22:55 -0700 |
parents | 54b0edb7cca8 |
children | b53ab97e8979 |
```python
from invoke import task
from invoke.exceptions import UnexpectedExit


@task
def run(ctx):
    ctx.run("cd 00-defs; skaffold run", echo=True)
    ctx.run("cd 10-vols; skaffold run", echo=True)
    ctx.run("cd 20-kube; skaffold run", echo=True)
    # here we must wait for cert-manager-webhook.cert-manager.svc
    ctx.run("cd 30-cert-manager; skaffold run", echo=True, warn=True)
    ctx.run("cd 30-cert-manager; skaffold run", echo=True)
    try:
        ctx.run("kubectl get -n pomerium ingress | grep 80")
    except UnexpectedExit:
        raise SystemExit("expected cm-acme-http-solver-... ingress on port 80")


'''
troubleshooting, based on
https://cert-manager.io/docs/troubleshooting/
then
https://cert-manager.io/docs/concepts/acme-orders-challenges/

I had these open:
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io '

then i checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
and i often restarted cert-manager and eventually pomerium too.

10-pom-pom.yaml last line may need to be toggled.
The 'cm-acme-http-solver' ingress for LE comes and goes but i didn't have to force it to exist.
Didn't need 04-gen-secrets-job.yaml

Also, CM says this a lot which means it may be afraid to renew bigasterisk.com
I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
'''
```
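The ingress-shim message quoted at the end of the troubleshooting notes can be pulled out of cert-manager controller logs mechanically, so each Ingress that is refused an update to a Certificate it does not own is listed once with a count. This is an added example, not part of this repository's tasks.py; the names `parse_line` and `ownership_conflicts` are hypothetical, and the second sample line is constructed.

```python
import re
from collections import Counter

# klog header: severity+MMDD, time, pid, file:line], component, then the body
KLOG_RE = re.compile(
    r'^(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<time>[\d:.]+)\s+(?P<pid>\d+) '
    r'(?P<src>[^\]]+)\] (?P<component>\S+) (?P<body>.*)$')
# "key"="value" pairs as they appear in the log line quoted in tasks.py
KV_RE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"')
NOT_OWNED = "certificate resource is not owned by this object"


def parse_line(line):
    """Return klog header fields plus a 'kv' dict, or None if not a klog line."""
    m = KLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = dict(KV_RE.findall(rec.pop("body")))
    return rec


def ownership_conflicts(lines):
    """Count ingress-shim refusals per (ingress, certificate) pair."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["component"].endswith("ingress-shim"):
            continue
        kv = rec["kv"]
        if NOT_OWNED not in kv.get("msg", ""):
            continue
        ingress = f'{kv.get("resource_namespace")}/{kv.get("resource_name")}'
        cert = (f'{kv.get("related_resource_namespace")}/'
                f'{kv.get("related_resource_name")}')
        hits[(ingress, cert)] += 1
    return hits


# Sample input: first line is the one quoted in tasks.py, second is constructed.
SAMPLE = [
    'I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"',
    'I1213 07:00:02.000000 1 sync.go:100] cert-manager/controller/certificates "msg"="constructed unrelated line" "resource_name"="x"',
]

if __name__ == "__main__":
    for (ingress, cert), n in ownership_conflicts(SAMPLE).items():
        print(f"{n}x ingress {ingress} does not own certificate {cert}")
```

Each reported pair names a Certificate that ingress-shim will not update on behalf of that Ingress, which is the situation the note connects to renewal of bigasterisk.com.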