@ 290342e75927
Location: pomerium/tasks.py - annotation
move to ditto
from invoke import task
from invoke.exceptions import UnexpectedExit


@task
def delete(ctx):
    # Tear down in the reverse order of run().
    ctx.run("cd 30-cert-manager; skaffold delete")
    ctx.run("cd 20-kube; skaffold delete")
    ctx.run("cd 10-vols; skaffold delete")
    ctx.run("cd 00-defs; skaffold delete")


@task
def run(ctx):
    ctx.run("cd 00-defs; skaffold run", echo=True)
    ctx.run("cd 10-vols; skaffold run", echo=True)
    ctx.run("cd 20-kube; skaffold run", echo=True)
    # here we must wait for cert-manager-webhook.cert-manager.svc
    # The first attempt may fail while the webhook is not up yet (warn=True
    # tolerates that); the second attempt has to succeed.
    ctx.run("cd 30-cert-manager; skaffold run", echo=True, warn=True)
    ctx.run("cd 30-cert-manager; skaffold run", echo=True)

    # Fail the task if the ACME HTTP-01 solver ingress is not present.
    try:
        ctx.run("kubectl get -n pomerium ingress | grep 80")
    except UnexpectedExit:
        raise SystemExit("expected cm-acme-http-solver-... ingress on port 80")


'''
troubleshooting, based on
https://cert-manager.io/docs/troubleshooting/
then
https://cert-manager.io/docs/concepts/acme-orders-challenges/
I had these open:
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io '
Then I checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
and I often restarted cert-manager and eventually pomerium too. The last line of
10-pom-pom.yaml may need to be toggled.
The 'cm-acme-http-solver' ingress for LE comes and goes but I didn't have to force it to exist.
Didn't need 04-gen-secrets-job.yaml
Also, CM says this a lot which means it may be afraid to renew bigasterisk.com
I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
'''
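
The ingress-shim message quoted in the notes above names both the Ingress and the Certificate it refuses to update. The following is an added example, not part of this repository: it parses cert-manager log lines in that format and counts each conflicting pair, so a recurring refusal is noticed before the certificate lapses. The function names are hypothetical; the first sample line is copied from the notes and the other two are constructed.

```python
import re
from collections import Counter

# klog header: severity+MMDD, time, pid, "file:line]", logger name, then "key"="value" pairs.
HEADER = re.compile(r'^[IWEF]\d{4} [\d:.]+\s+\d+ [^\]]+\] (?P<logger>\S+) (?P<rest>.*)$')
PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return the structured fields of one klog line, or None if it does not parse."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = dict(PAIR.findall(m["rest"]))
    fields["logger"] = m["logger"]
    return fields


def non_owned_conflicts(lines):
    """Count (ingress, certificate) pairs that ingress-shim refuses to update."""
    hits = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or not f["logger"].endswith("ingress-shim"):
            continue
        if "not owned by this object" not in f.get("msg", ""):
            continue
        ingress = f'{f.get("resource_namespace")}/{f.get("resource_name")}'
        cert = f'{f.get("related_resource_namespace")}/{f.get("related_resource_name")}'
        hits[(ingress, cert)] += 1
    return hits


# Line taken from the troubleshooting notes on this page.
REFUSAL = ('I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim '
           '"msg"="certificate resource is not owned by this object. refusing to update '
           'non-owned certificate resource for object" "related_resource_kind"="Certificate" '
           '"related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" '
           '"related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" '
           '"resource_namespace"="default" "resource_version"="v1"')
SAMPLE_LINES = [
    REFUSAL,
    REFUSAL.replace("07:00:01", "07:05:01"),  # constructed: same refusal, later sync
    'I1213 07:05:02.000000 1 sync.go:100] cert-manager/controller/certificates '
    '"msg"="constructed unrelated line"',  # constructed
]

if __name__ == "__main__":
    for (ingress, cert), n in non_owned_conflicts(SAMPLE_LINES).items():
        print(f"{n}x Ingress {ingress} does not own Certificate {cert}")
```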