pomerium/tasks.py @ 695948b426ae
redo config with kustomize (still has a bug with pomerium-proxy-tls secret name getting a suffix)
from invoke import task
from invoke.exceptions import UnexpectedExit


@task
def run(ctx):
    ctx.run("cd 00-defs; skaffold run", echo=True)
    ctx.run("cd 10-vols; skaffold run", echo=True)
    ctx.run("cd 20-kube; skaffold run", echo=True)
    # here we must wait for cert-manager-webhook.cert-manager.svc:
    # the first attempt is allowed to fail while the webhook is still coming up
    # (warn=True turns the non-zero exit into a warning); the retry must succeed
    ctx.run("cd 30-cert-manager; skaffold run", echo=True, warn=True)
    ctx.run("cd 30-cert-manager; skaffold run", echo=True)
    # sanity check: the ACME HTTP-01 solver ingress should be listed on port 80
    try:
        ctx.run("kubectl get -n pomerium ingress | grep 80")
    except UnexpectedExit:
        raise SystemExit("expected cm-acme-http-solver-... ingress on port 80")
'''
troubleshooting, based on
https://cert-manager.io/docs/troubleshooting/
then
https://cert-manager.io/docs/concepts/acme-orders-challenges/
I had these open:
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io '
then I checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
and I often restarted cert-manager and eventually pomerium too. 10-pom-pom.yaml last line
may need to be toggled.
The 'cm-acme-http-solver' ingress for LE comes and goes but I didn't have to force it to exist.
Didn't need 04-gen-secrets-job.yaml
Also, CM says this a lot which means it may be afraid to renew bigasterisk.com
I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
'''
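The ingress-shim log line quoted in the notes above is worth catching automatically: it means cert-manager will not renew a Certificate whose owner is a different object than the Ingress it is reconciling, so the certificate can silently expire. The following is an added example, not code from this repository, that parses klog-style cert-manager lines into their structured `"key"="value"` fields and reports every such refusal. The first sample line is the one from the notes; the other two are constructed for illustration, as are the resource names they contain.

```python
import re
from dataclasses import dataclass, field

# klog prefix as cert-manager writes it: severity letter, MMDD, time, thread id, file:line]
_KLOG_PREFIX = re.compile(
    r'^(?P<sev>[IWEF])(?P<date>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+\d+ '
    r'(?P<src>[\w./-]+:\d+)\] (?P<rest>.*)$'
)
# one structured "key"="value" pair in the message part
_KV = re.compile(r'"(?P<k>[^"]+)"="(?P<v>[^"]*)"')

# Constructed sample input: line 1 is the line from the notes above,
# lines 2 and 3 are made up (a harmless orders-controller line and a second refusal).
SAMPLE_LINES = [
    'I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"',
    'I1213 07:00:02.000000 1 controller.go:129] cert-manager/controller/orders "msg"="syncing item" "key"="pomerium/example-order"',
    'W1213 07:00:03.000000 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="example-tls" "related_resource_namespace"="pomerium" "resource_kind"="Ingress" "resource_name"="example" "resource_namespace"="pomerium"',
]


@dataclass
class CmLogLine:
    severity: str          # I, W, E or F
    source: str            # file:line inside cert-manager
    logger: str            # e.g. cert-manager/controller/ingress-shim
    fields: dict = field(default_factory=dict)


def parse_cm_log_line(line: str):
    """Split one klog line into prefix, logger name and structured fields; None if it is not klog-shaped."""
    m = _KLOG_PREFIX.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # the logger name is whatever precedes the first quoted key
    first_quote = rest.find('"')
    logger = rest[:first_quote].strip() if first_quote >= 0 else rest.strip()
    fields = {kv.group("k"): kv.group("v") for kv in _KV.finditer(rest)}
    return CmLogLine(m.group("sev"), m.group("src"), logger, fields)


def non_owned_cert_refusals(lines):
    """Return (namespace/ingress, namespace/certificate) pairs where ingress-shim refused
    to update a Certificate it does not own. Each pair is a certificate that will not be
    renewed through that Ingress and should be checked by hand."""
    out = []
    for line in lines:
        rec = parse_cm_log_line(line)
        if rec is None or not rec.logger.endswith("ingress-shim"):
            continue
        if "non-owned certificate" not in rec.fields.get("msg", ""):
            continue
        ing = f'{rec.fields.get("resource_namespace", "?")}/{rec.fields.get("resource_name", "?")}'
        cert = f'{rec.fields.get("related_resource_namespace", "?")}/{rec.fields.get("related_resource_name", "?")}'
        out.append((ing, cert))
    return out


if __name__ == "__main__":
    # pipe `kubectl logs` output into this script; here we fall back to the samples
    import sys
    src = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for ing, cert in non_owned_cert_refusals(src):
        print(f"ingress {ing} is not the owner of certificate {cert}; renewal will be skipped")
```

Run it as `kubectl logs -n cert-manager deploy/cert-manager | python3 check_cm_logs.py` (the deployment name and script name are assumptions, not from the repository). The resulting pairs tell you which Ingress annotation and which Certificate disagree about ownership, which is the thing to reconcile before the certificate's expiry rather than after.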