From 9c06b052eade12a9d4c1665bef1d5abd0176c651 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 30 Nov 2023 20:04:13 +0000
Subject: [PATCH] Bug fix for legacy cert-manager CRDs and disable CM edit for now
---
 [B | 164 +++++++++++++++++++++++++++++++++++++++
 admin/upgrade_cluster.sh | 10 ++-
 2 files changed, 172 insertions(+), 2 deletions(-)
 create mode 100644 [B
diff --git a/[B b/[B
new file mode 100644
index 00000000..9ea27f35
--- /dev/null
+++ b/[B
@@ -0,0 +1,164 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubezero
+ namespace: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: kubezero
+ source:
+ chart: kubezero
+ helm:
+ values: |
+ argocd:
+ enabled: true
+ configs:
+ cm:
+ url: https://argocd.vi.epmyalptest.com
+ istio:
+ enabled: true
+ gateway: istio-ingress/private-ingressgateway
+ cert-manager:
+ enabled: true
+ IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.cert-manager
+ clusterIssuer:
+ name: letsencrypt-dns-prod
+ email: admin@dice.net
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ route53:
+ region: us-east-1
+ selector:
+ dnsZones:
+ - epmyalptest.com
+ - vi.epmyalptest.com
+ - plaympetest.com
+ - vi.plaympetest.com
+ global:
+ aws:
+ accountId: '561550319853'
+ region: us-east-1
+ clusterName: plaympe-test-vi
+ highAvailable: false
+ istio:
+ enabled: true
+ rateLimiting:
+ enabled: true
+ istio-ingress:
+ enabled: true
+ certificates:
+ - name: ingress-cert
+ dnsNames:
+ - '*.epmyalptest.com'
+ - '*.vi.epmyalptest.com'
+ - '*.plaympetest.com'
+ - '*.vi.plaympetest.com'
+ istio-private-ingress:
+ enabled: true
+ certificates:
+ - name: private-ingress-cert
+ dnsNames:
+ - '*.epmyalptest.com'
+ - '*.vi.epmyalptest.com'
+ - '*.plaympetest.com'
+ - '*.vi.plaympetest.com'
+ kubezero:
+ gitSync:
+ path: clusters/plaympe-test/us-east-1
+ repoURL: https://bitbucket.org/destinymedia/kubernetes
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ prune: true
+ logging:
+ enabled: true
+ fluent-bit:
+ enabled: true
+ config:
+ extraRecords:
+ source.clustername: plaympe-test-vi
+ output:
+ host: fluentd.or.epmyalptest.com
+ tls: true
+ metrics:
+ enabled: true
+ istio:
+ alertmanager:
+ enabled: true
+ gateway: istio-ingress/private-ingressgateway
+ url: alertmanager.vi.epmyalptest.com
+ grafana:
+ enabled: true
+ gateway: istio-ingress/private-ingressgateway
+ url: metrics.vi.epmyalptest.com
+ prometheus:
+ enabled: true
+ gateway: istio-ingress/private-ingressgateway
+ url: prometheus.vi.epmyalptest.com
+ kube-prometheus-stack:
+ alertmanager:
+ enabled: true
+ alertmanagerSpec:
+ externalUrl: https://alertmanager.vi.epmyalptest.com
+ prometheus:
+ prometheusSpec:
+ externalUrl: https://prometheus.vi.epmyalptest.com
+ network:
+ cilium:
+ enabled: true
+ cluster:
+ name: plaympe-test-vi
+ id: 221
+ ipam:
+ operator:
+ clusterPoolIPv4PodCIDRList:
+ - 10.221.0.0/16
+ operators:
+ enabled: true
+ eck-operator:
+ enabled: true
+ storage:
+ enabled: true
+ aws-ebs-csi-driver:
+ enabled: true
+ IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.ebs-csi-controller-sa
+ aws-efs-csi-driver:
+ enabled: true
+ IamArn: arn:aws:iam::561550319853:role/us-east-1.plaympe-test-vi.efs-csi-controller-sa
+ PersistentVolumes:
+ - name: services-dsny-cache
+ claimRef:
+ name: dsny-cache
+ namespace: services
+ volumeAttributes:
+ encryptInTransit: 'false'
+ volumeHandle: fs-ec4ad96f:/services/dsny-cache
+ - name: services-geolocation
+ claimRef:
+ name: geolocation
+ namespace: services
+ volumeAttributes:
+ encryptInTransit: 'false'
+ volumeHandle: fs-ec4ad96f:/services/geolocation
+ - name: platform-geolocation
+ claimRef:
+ name: geolocation
+ namespace: platform
+ volumeAttributes:
+ encryptInTransit: 'false'
+ volumeHandle: fs-ec4ad96f:/platform/geolocation
+ - name: services-soundmouse
+ claimRef:
+ name: soundmouse
+ namespace: services
+ volumeAttributes:
+ encryptInTransit: 'false'
+ volumeHandle: fs-ec4ad96f:/services/soundmouse
+ repoURL: https://cdn.zero-downtime.net/charts
+ targetRevision: 1.27.8
+ syncPolicy:
+ automated:
+ prune: true
diff --git a/admin/upgrade_cluster.sh b/admin/upgrade_cluster.sh
index 082bb60d..bdf0d30b 100755
--- a/admin/upgrade_cluster.sh
+++ b/admin/upgrade_cluster.sh
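Review bot: The new top-level file `[B` (the 164-line hunk that ends just above the `admin/upgrade_cluster.sh` header) looks like an accidental commit and should be dropped from this patch; the name resembles a stray terminal escape sequence, and nothing in the visible script hunks refers to it. It is a complete Argo CD `Application` manifest for a single cluster, so it publishes an AWS account ID, three IAM role ARNs, an EFS filesystem ID, the pod CIDR and internal hostnames, none of which the cert-manager CRD fix needs. Because the patch is already out, those identifiers should be treated as disclosed when the trust policies behind the listed roles are next reviewed. Separately, if these values mirror the live cluster, the four EFS `PersistentVolumes` entries set `encryptInTransit: 'false'`, which is worth confirming as intentional.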
@@ -145,9 +145,9 @@ argo_used && disable_argo control_plane_upgrade kubeadm_upgrade -echo "Adjust kubezero values as needed:" +#echo "Adjust kubezero values as needed:" # shellcheck disable=SC2015 -argo_used && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kube-system +#argo_used && kubectl edit app kubezero -n argocd || kubectl edit cm kubezero-values -n kube-system # v1.27 # We need to restore the network ready file as cilium decided to rename it @@ -186,6 +186,12 @@ for c in $controllers; do done kubectl label node $c topology.ebs.csi.aws.com/zone- done + +# Fix for legacy cert-manager CRDs to be upgraded +for crd_name in certificaterequests.cert-manager.io certificates.cert-manager.io challenges.acme.cert-manager.io clusterissuers.cert-manager.io issuers.cert-manager.io orders.acme.cert-manager.io; do + manager_index="$(kubectl get crd "${crd_name}" --show-managed-fields --output json | jq -r '.metadata.managedFields | map(.manager == "cainjector") | index(true)')" + [ "$manager_index" != "null" ] && kubectl patch crd "${crd_name}" --type=json -p="[{\"op\": \"remove\", \"path\": \"/metadata/managedFields/${manager_index}\"}]" +done # v1.27 control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_telemetry, apply_argocd"
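Review bot: In the `-145,9 +145,9` hunk the `# shellcheck disable=SC2015` directive stays active between the two commented-out lines, so it no longer covers the `argo_used && … || …` command it was written for and will likely attach to the first command after the `# v1.27` comments, which lies outside this hunk. Either comment the directive out with the rest or delete all three lines and leave one explanatory line instead, e.g. `# TODO: interactive edit of kubezero values disabled for now; re-enable or remove`. With the edit step gone, the operator gets no prompt to adjust values before the later `control_plane_upgrade "apply_…"` call, so that comment should also say where values are expected to be changed beforehand.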
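Review bot: The cert-manager loop added in the `-186,6 +186,12` hunk reads the `cainjector` entry's array index with one `kubectl get` and removes `/metadata/managedFields/<index>` with a separate `kubectl patch`, so nothing ties the removal to the entry that was inspected. If `kubectl get` fails or the CRD is absent, `jq` prints nothing, `manager_index` is empty, the `!= "null"` test still passes and a patch with the path `/metadata/managedFields/` is sent; if managedFields changes between the two calls, another manager's entry could be removed instead. I would skip any non-numeric index and put a JSON Patch `test` op on the entry's `manager` field in front of the `remove`, so the API server rejects the patch when the index no longer points at `cainjector`. `index(true)` also returns only the first match, so a CRD carrying more than one `cainjector` entry would keep the rest; worth confirming whether that can occur.

```shell
# … unchanged: for crd_name in … loop header and manager_index lookup …
  # Skip when the lookup failed or found no cainjector entry (empty, "null", or anything non-numeric).
  case "$manager_index" in
    '' | *[!0-9]*) continue ;;
  esac
  # "test" makes the patch fail instead of removing a different manager's entry.
  kubectl patch crd "${crd_name}" --type=json -p="[
    {\"op\": \"test\", \"path\": \"/metadata/managedFields/${manager_index}/manager\", \"value\": \"cainjector\"},
    {\"op\": \"remove\", \"path\": \"/metadata/managedFields/${manager_index}\"}
  ]"
done
```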