pomerium/tasks.py @ a8c1e2f028f0 (annotate view; text/x-python, 3.0 KiB)
Commit: switch image to local build
import sys
import time

from invoke import task
from invoke.exceptions import UnexpectedExit


def authCert(ctx):
    # `kubectl apply` of the Certificate in 60-auth-cert.yaml is retried because
    # it is typically rejected until cert-manager is ready to accept it (see the
    # troubleshooting notes at the bottom of this file). Fixed 2 s delay,
    # 100 attempts, so roughly 200 s before giving up.
    for tries in range(100):
        try:
            ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True)
            sys.stderr.write("worked\n")
            return
        except UnexpectedExit:
            time.sleep(2)
            sys.stderr.write('.')
            sys.stderr.flush()
    raise ValueError("kubectl apply -f config/60-auth-cert.yaml never succeeded")


@task
def run(ctx):
    # Remove the one-shot secrets job first so the skaffold run can recreate it.
    ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
    ctx.run("skaffold run -f use-invoke-not-skaffold.yaml", echo=True)
    authCert(ctx)
    # make_global.py emits manifests on stdout; apply them straight from stdin.
    ctx.run("./make_global.py | kubectl apply -f -", echo=True)
    ctx.run("kubectl apply -f config/51-pomerium-production-issuer.yaml", echo=True)
    ctx.run("kubectl apply -f config/51-pomerium-staging-issuer.yaml", echo=True)


@task
def delete(ctx):
    # todo don't delete certs that have big timeouts to remake
    # Tear down in the reverse order of run().
    ctx.run("kubectl delete -f config/51-pomerium-staging-issuer.yaml --ignore-not-found", echo=True)
    ctx.run("kubectl delete -f config/51-pomerium-production-issuer.yaml --ignore-not-found", echo=True)
    ctx.run("kubectl delete -f config/60-auth-cert.yaml --ignore-not-found", echo=True)
    ctx.run("kubectl delete pomerium/global --ignore-not-found", echo=True)
    ctx.run("skaffold delete -f use-invoke-not-skaffold.yaml", echo=True)
    ctx.run("kubectl delete -n pomerium job/pomerium-gen-secrets --ignore-not-found", echo=True)
'''
Troubleshooting, based on
https://cert-manager.io/docs/troubleshooting/
then
https://cert-manager.io/docs/concepts/acme-orders-challenges/

I had these open:
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-staging'
✨ dash(pts/31):~% watch 'kubectl describe -n pomerium issuers.cert-manager.io letsencrypt-prod'
✨ dash(pts/29):~% watch "kubectl get -n pomerium certificates.cert-manager.io -o wide"
✨ dash(pts/36):~% watch 'kubectl describe -n pomerium certificaterequests.cert-manager.io'
✨ dash(pts/37):~% watch 'kubectl describe -n pomerium orders.acme.cert-manager.io'
✨ dash(pts/38):~% watch 'kubectl describe -n pomerium challenges.acme.cert-manager.io'

Then I checked clusterissuer vs issuer, the ns of the 60-auth-cert.yaml resources,
and I often restarted cert-manager and eventually pomerium too. 10-pom-pom.yaml last line
may need to be toggled.
The 'cm-acme-http-solver' ingress for LE comes and goes, but I didn't have to force it to exist.
Didn't need 04-gen-secrets-job.yaml.
Also, CM says this a lot, which means it may be afraid to renew bigasterisk.com:
I1213 07:00:01.946799 1 sync.go:394] cert-manager/controller/ingress-shim "msg"="certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" "related_resource_kind"="Certificate" "related_resource_name"="bigasterisk.com-tls" "related_resource_namespace"="default" "related_resource_version"="v1" "resource_kind"="Ingress" "resource_name"="registry" "resource_namespace"="default" "resource_version"="v1"
'''
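The authCert loop above retries `kubectl apply` on every UnexpectedExit, 100 times with a fixed two-second sleep, and ends in a bare exception, so a permanent failure (a missing manifest, an RBAC denial, a bad YAML edit) costs over three minutes of dots before anyone sees the real error. The helper below is an added example, not code from this repository or from the Pomerium or cert-manager projects: it bounds the attempts with exponential backoff, retries only failures that a caller-supplied predicate classifies as transient, and reports the last error when it gives up. `CommandFailed` stands in for invoke's `UnexpectedExit` so the block runs without invoke installed; the substrings in `WEBHOOK_TRANSIENT` are assumptions about what kubectl prints while an admission webhook such as cert-manager's is registered but not yet reachable; and `flaky_apply` and `broken_apply` are constructed stand-ins for the real `kubectl apply`.

```python
import time
from typing import Callable, List, Optional, TypeVar

T = TypeVar("T")


class CommandFailed(Exception):
    """Stand-in for invoke.exceptions.UnexpectedExit; carries the command's stderr."""

    def __init__(self, stderr: str) -> None:
        super().__init__(stderr)
        self.stderr = stderr


class RetryExhausted(RuntimeError):
    """Raised when every attempt failed; keeps the last error for the caller."""

    def __init__(self, attempts: int, last: BaseException) -> None:
        super().__init__(f"gave up after {attempts} attempts: {last}")
        self.attempts = attempts
        self.last = last


def retry_until(
    action: Callable[[], T],
    *,
    attempts: int = 30,
    base_delay: float = 1.0,
    max_delay: float = 10.0,
    is_transient: Callable[[BaseException], bool] = lambda exc: True,
    sleep: Callable[[float], None] = time.sleep,
) -> T:
    """Call `action` until it returns, sleeping base_delay, 2*base_delay, ...
    (capped at max_delay) between attempts.

    Only exceptions for which `is_transient` returns True are retried; anything
    else propagates immediately, so the loop cannot hide a permanent error.
    `sleep` is injectable so the scenarios below run without waiting.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    delay = base_delay
    last: Optional[BaseException] = None
    for n in range(1, attempts + 1):
        try:
            return action()
        except Exception as exc:
            if not is_transient(exc):
                raise
            last = exc
            if n == attempts:
                break
            sleep(delay)
            delay = min(delay * 2, max_delay)
    assert last is not None
    raise RetryExhausted(attempts, last)


# Assumed markers (not taken from the page) of a webhook that is not yet reachable.
WEBHOOK_TRANSIENT = ("failed calling webhook", "connection refused", "no endpoints available")


def webhook_not_ready(exc: BaseException) -> bool:
    """Classify only webhook-unreachable failures as worth retrying."""
    text = getattr(exc, "stderr", None) or str(exc)
    return any(marker in text for marker in WEBHOOK_TRANSIENT)


def flaky_apply(fail_times: int) -> Callable[[], int]:
    """Constructed stand-in for `kubectl apply -f config/60-auth-cert.yaml`:
    raises a webhook error `fail_times` times, then returns the attempt number."""
    calls = [0]

    def action() -> int:
        calls[0] += 1
        if calls[0] <= fail_times:
            # Constructed error text, modelled on kubectl's InternalError wording.
            raise CommandFailed('Error from server (InternalError): failed calling webhook '
                                '"webhook.cert-manager.io": connection refused')
        return calls[0]

    return action


def broken_apply() -> int:
    """Constructed permanent failure: a manifest path that does not exist."""
    raise CommandFailed('error: the path "config/99-missing.yaml" does not exist')


def demo() -> dict:
    """Run three scenarios with a recording sleep; returns what each one did."""
    slept: List[float] = []
    result: dict = {}
    result["succeeds_on"] = retry_until(flaky_apply(3), attempts=5, sleep=slept.append,
                                        is_transient=webhook_not_ready)
    result["delays"] = list(slept)  # backoff actually used before success
    try:
        retry_until(flaky_apply(10), attempts=3, sleep=slept.append, is_transient=webhook_not_ready)
    except RetryExhausted as exc:
        result["exhausted_after"] = exc.attempts
    try:
        retry_until(broken_apply, attempts=5, sleep=slept.append, is_transient=webhook_not_ready)
    except CommandFailed:
        result["permanent_propagated"] = True  # no retries spent on a bad path
    return result


if __name__ == "__main__":
    print(demo())
```

To use it with invoke, wrap the call as `retry_until(lambda: ctx.run("kubectl apply -f config/60-auth-cert.yaml", echo=True), is_transient=webhook_not_ready)` and catch `UnexpectedExit` in the predicate; the substrings in `WEBHOOK_TRANSIENT` should be adjusted to whatever your cluster's kubectl actually prints, which is why the predicate is a parameter rather than baked in.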