Merge pull request #1245 from munnerz/ca-sync-backoff
Set CA sync backoff limit & add verifying installation docs
commit
557c6297cc
@ -1,5 +1,5 @@
|
|||||||
name: cert-manager
|
name: cert-manager
|
||||||
version: v0.6.0-beta.1
|
version: v0.6.0-beta.2
|
||||||
appVersion: v0.6.0-beta.0
|
appVersion: v0.6.0-beta.0
|
||||||
description: A Helm chart for cert-manager
|
description: A Helm chart for cert-manager
|
||||||
home: https://github.com/jetstack/cert-manager
|
home: https://github.com/jetstack/cert-manager
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
dependencies:
|
dependencies:
|
||||||
- name: webhook
|
- name: webhook
|
||||||
repository: file://webhook
|
repository: file://webhook
|
||||||
version: v0.6.0-beta.0
|
version: v0.6.0-beta.1
|
||||||
digest: sha256:fcbb95a8494138cfb4f01735cf8a4fa181952d3bd2a628b10eb082c145130f38
|
digest: sha256:9775bc7a85cde517b043552472b2cb52016e8c944673cd5eee3827e11f175869
|
||||||
generated: 2019-01-17T15:44:50.976304931Z
|
generated: 2019-01-22T12:13:09.082779567Z
|
||||||
|
|||||||
@ -1,6 +1,6 @@
|
|||||||
# requirements.yaml
|
# requirements.yaml
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: webhook
|
- name: webhook
|
||||||
version: "v0.6.0-beta.0"
|
version: "v0.6.0-beta.1"
|
||||||
repository: "file://webhook"
|
repository: "file://webhook"
|
||||||
condition: webhook.enabled
|
condition: webhook.enabled
|
||||||
|
|||||||
@ -8,6 +8,9 @@ global:
|
|||||||
imagePullSecrets: []
|
imagePullSecrets: []
|
||||||
# - name: "image-pull-secret"
|
# - name: "image-pull-secret"
|
||||||
|
|
||||||
|
# Optional priority class to be used for the cert-manager pods
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
|
|
||||||
strategy: {}
|
strategy: {}
|
||||||
@ -114,6 +117,3 @@ affinity: {}
|
|||||||
# value: master
|
# value: master
|
||||||
# effect: NoSchedule
|
# effect: NoSchedule
|
||||||
tolerations: []
|
tolerations: []
|
||||||
|
|
||||||
global:
|
|
||||||
priorityClassName: ""
|
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
version: "v0.6.0-beta.0"
|
version: "v0.6.0-beta.1"
|
||||||
appVersion: "v0.6.0-beta.0"
|
appVersion: "v0.6.0-beta.0"
|
||||||
description: A Helm chart for deploying the cert-manager webhook component
|
description: A Helm chart for deploying the cert-manager webhook component
|
||||||
name: webhook
|
name: webhook
|
||||||
|
|||||||
@ -16,6 +16,7 @@ spec:
|
|||||||
schedule: "@weekly"
|
schedule: "@weekly"
|
||||||
jobTemplate:
|
jobTemplate:
|
||||||
spec:
|
spec:
|
||||||
|
backoffLimit: 20
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
@ -55,6 +56,7 @@ metadata:
|
|||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
heritage: {{ .Release.Service }}
|
heritage: {{ .Release.Service }}
|
||||||
spec:
|
spec:
|
||||||
|
backoffLimit: 20
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
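Review bot: `backoffLimit: 20` is hard-coded in both the CronJob's `jobTemplate` spec and what appears to be the standalone Job spec, with no comment explaining the value and no bound on total runtime. The Job controller backs off exponentially between retries, so twenty attempts can keep a failing ca-sync Job retrying for well over an hour. During that time the webhook's CA data is presumably not in place, and the failure is not yet reported as a terminal `Failed` status. I would add a comment above each line, for example `# ca-sync can start before the webhook CA secret exists, so allow more retries than the default`, and consider pairing it with `activeDeadlineSeconds` so a persistent failure surfaces. Both spec blocks begin and end outside the visible hunks, so an existing deadline or a values-driven setting elsewhere in the template cannot be ruled out.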
|
|||||||
@ -155,7 +155,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
|
|
||||||
@ -168,7 +168,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
---
|
---
|
||||||
@ -179,7 +179,7 @@ metadata:
|
|||||||
name: cert-manager
|
name: cert-manager
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
rules:
|
rules:
|
||||||
@ -199,7 +199,7 @@ metadata:
|
|||||||
name: cert-manager
|
name: cert-manager
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -217,7 +217,7 @@ metadata:
|
|||||||
name: cert-manager-view
|
name: cert-manager-view
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||||
@ -234,7 +234,7 @@ metadata:
|
|||||||
name: cert-manager-edit
|
name: cert-manager-edit
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||||
@ -255,7 +255,7 @@ metadata:
|
|||||||
name: cert-manager-webhook:auth-delegator
|
name: cert-manager-webhook:auth-delegator
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -280,7 +280,7 @@ metadata:
|
|||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -301,7 +301,7 @@ metadata:
|
|||||||
name: cert-manager-webhook:webhook-requester
|
name: cert-manager-webhook:webhook-requester
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
rules:
|
rules:
|
||||||
@ -323,7 +323,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -345,7 +345,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -397,7 +397,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: cert-manager
|
app: cert-manager
|
||||||
chart: cert-manager-v0.6.0-beta.1
|
chart: cert-manager-v0.6.0-beta.2
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -445,13 +445,14 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
schedule: "@weekly"
|
schedule: "@weekly"
|
||||||
jobTemplate:
|
jobTemplate:
|
||||||
spec:
|
spec:
|
||||||
|
backoffLimit: 20
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
@ -487,10 +488,11 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
|
backoffLimit: 20
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
@ -526,7 +528,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
data:
|
data:
|
||||||
@ -559,7 +561,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
---
|
---
|
||||||
@ -569,7 +571,7 @@ metadata:
|
|||||||
name: cert-manager-webhook-ca-sync
|
name: cert-manager-webhook-ca-sync
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
rules:
|
rules:
|
||||||
@ -595,7 +597,7 @@ metadata:
|
|||||||
name: cert-manager-webhook-ca-sync
|
name: cert-manager-webhook-ca-sync
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
roleRef:
|
roleRef:
|
||||||
@ -615,7 +617,7 @@ metadata:
|
|||||||
name: v1beta1.admission.certmanager.k8s.io
|
name: v1beta1.admission.certmanager.k8s.io
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -639,7 +641,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -655,7 +657,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -675,7 +677,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -692,7 +694,7 @@ metadata:
|
|||||||
namespace: "cert-manager"
|
namespace: "cert-manager"
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
spec:
|
spec:
|
||||||
@ -712,7 +714,7 @@ metadata:
|
|||||||
name: cert-manager-webhook
|
name: cert-manager-webhook
|
||||||
labels:
|
labels:
|
||||||
app: webhook
|
app: webhook
|
||||||
chart: webhook-v0.6.0-beta.0
|
chart: webhook-v0.6.0-beta.1
|
||||||
release: cert-manager
|
release: cert-manager
|
||||||
heritage: Tiller
|
heritage: Tiller
|
||||||
webhooks:
|
webhooks:
|
||||||
|
|||||||
@ -67,6 +67,82 @@ To install cert-manager using the static manifests, you should run:
|
|||||||
This issue is resolved in Kubernetes 1.13 onwards. More details can be found
|
This issue is resolved in Kubernetes 1.13 onwards. More details can be found
|
||||||
in `kubernetes/kubernetes#69590`_.
|
in `kubernetes/kubernetes#69590`_.
|
||||||
|
|
||||||
|
Verifying your installation
|
||||||
|
===========================
|
||||||
|
|
||||||
|
During installation, a number of operations including a Kubernetes 'Job' will
|
||||||
|
be created.
|
||||||
|
These resources **must** complete successfully in order for cert-manager to
|
||||||
|
run.
|
||||||
|
|
||||||
|
To verify your installation has completed, you should check the Status of all
|
||||||
|
pods in your cert-manager namespace:
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
# Get all pods, including Completed and Errored pods
|
||||||
|
$ kubectl get pods --show-all --namespace cert-manager
|
||||||
|
NAME READY STATUS RESTARTS AGE
|
||||||
|
cert-manager-7cbdc48784-rpgnt 1/1 Running 0 3m
|
||||||
|
cert-manager-webhook-5b5dd6999-kst4x 1/1 Running 0 3m
|
||||||
|
cert-manager-webhook-ca-sync-1547942400-g6985 0/1 Completed 0 3m
|
||||||
|
|
||||||
|
If the 'ca-sync' pod above does not show Completed, you may need to re-start
|
||||||
|
the Job using the ``kubectl create job`` command:
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
# Find the name of the CronJob resource
|
||||||
|
$ kubectl get cronjob --namespace cert-manager
|
||||||
|
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
|
||||||
|
cert-manager-webhook-ca-sync @weekly False 0 3m
|
||||||
|
|
||||||
|
# Trigger the CronJob to run immediately
|
||||||
|
$ kubectl create job \
|
||||||
|
--namespace cert-manager \
|
||||||
|
--from cronjob/cert-manager-webhook-ca-sync \
|
||||||
|
ca-sync-manually-triggered
|
||||||
|
|
||||||
|
This will trigger the cert-manager job to run again.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
If the job continues to fail, please read the
|
||||||
|
:doc:`Resource Validating Webhook </admin/resource-validation-webhook>` docs
|
||||||
|
for additional information.
|
||||||
|
|
||||||
|
Once all the pods are 'Ready', you should be good to go. To confirm, attempt
|
||||||
|
to create a basic 'selfsigned' ClusterIssuer. If you do not receive any errors
|
||||||
|
when creating the resource, the deployment should be good to go!
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
|
# Create a ClusterIssuer to test the webhook works okay
|
||||||
|
$ cat <<EOF > test-clusterissuer.yaml
|
||||||
|
apiVersion: certmanager.k8s.io/v1alpha1
|
||||||
|
kind: ClusterIssuer
|
||||||
|
metadata:
|
||||||
|
name: test-selfsigned
|
||||||
|
spec:
|
||||||
|
selfSigned: {}
|
||||||
|
|
||||||
|
# Create the new ClusterIssuer (if this step fails, please read the resource
|
||||||
|
# validation webhook doc linked in the note above)
|
||||||
|
$ kubectl apply -f test-clusterissuer.yaml
|
||||||
|
|
||||||
|
# Delete the newly created test ClusterIssuer
|
||||||
|
$ kubectl delete -f test-clusterissuer.yaml
|
||||||
|
|
||||||
|
If all the above steps have completed with error, you are good to go!
|
||||||
|
|
||||||
|
Next steps
|
||||||
|
==========
|
||||||
|
|
||||||
|
You'll need to set yourself at least one Issuer or ClusterIssuer resource in
|
||||||
|
order to begin issuing certificates. Take a look at the next page,
|
||||||
|
:doc:`Configuring your first Issuer or ClusterIssuer
|
||||||
|
</getting-started/3-configuring-first-issuer>`
|
||||||
|
for more information.
|
||||||
|
|
||||||
.. _`charts repository`: https://github.com/kubernetes/charts
|
.. _`charts repository`: https://github.com/kubernetes/charts
|
||||||
.. _`Helm chart README`: https://github.com/kubernetes/charts/blob/master/stable/cert-manager/README.md
|
.. _`Helm chart README`: https://github.com/kubernetes/charts/blob/master/stable/cert-manager/README.md
|
||||||
.. _`deploy directory`: https://github.com/jetstack/cert-manager/blob/master/contrib/manifests/cert-manager
|
.. _`deploy directory`: https://github.com/jetstack/cert-manager/blob/master/contrib/manifests/cert-manager
|
||||||
|
|||||||
@ -2,8 +2,9 @@
|
|||||||
3. Configuring your first Issuer or ClusterIssuer
|
3. Configuring your first Issuer or ClusterIssuer
|
||||||
=================================================
|
=================================================
|
||||||
|
|
||||||
Before you can issue any Certificates, you will need to configure an :doc:`Issuer </reference/issuers>`
|
Before you can issue any Certificates, you will need to configure an
|
||||||
or :doc:`ClusterIssuer </reference/clusterissuers>` resource.
|
:doc:`Issuer </reference/issuers>` or
|
||||||
|
:doc:`ClusterIssuer </reference/clusterissuers>` resource.
|
||||||
|
|
||||||
These represent a certificate authority from which signed x509 certificates can
|
These represent a certificate authority from which signed x509 certificates can
|
||||||
be obtained, such as Let's Encrypt, or your own signing key pair stored in a
|
be obtained, such as Let's Encrypt, or your own signing key pair stored in a
|
||||||
|
|||||||
@ -75,7 +75,7 @@ chartlib::detect_changed_directories() {
|
|||||||
## subdirectory, we must modify the below line from $1/$2 to be $1/$2/$3.
|
## subdirectory, we must modify the below line from $1/$2 to be $1/$2/$3.
|
||||||
## In future, we should PR upstream so we no longer hardcode the depth of
|
## In future, we should PR upstream so we no longer hardcode the depth of
|
||||||
## directories required for this script.
|
## directories required for this script.
|
||||||
done < <(git diff --find-renames --name-only "$merge_base" "${CHART_DIRS[@]}" | awk -F/ '{ print $1"/"$2 }' | uniq)
|
done < <(git diff --find-renames --name-only "$merge_base" "${CHART_DIRS[@]}" | awk -F/ '{ print $1"/"$2"/"$3 }' | uniq)
|
||||||
|
|
||||||
echo "${changed_dirs[@]}"
|
echo "${changed_dirs[@]}"
|
||||||
}
|
}
|
||||||
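Review bot: The new awk program `'{ print $1"/"$2"/"$3 }'` prints three components for every changed path, including paths that are shallower than a chart directory. A file changed directly under a two-level chart root would come out as `a/b/file` or, with only two components, as `a/b/` with an empty third field, and would then be handed on as a changed chart directory. Guarding on the field count, `awk -F/ 'NF > 3 { print $1"/"$2"/"$3 }'`, keeps only paths that sit inside a third-level directory. The loop that consumes this output starts above the hunk, so it may already filter out non-chart entries; if it does, a one-line comment recording that would be enough.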
|
|||||||