1- # Bootstrap a self-signed Issuer scoped to the cert-manager namespace. This is
2- # only used to mint the CA secret and is not referenced by application
3- # workloads.
4- kubectl apply --context " ${K8S_CTX} " -n " ${CERT_MANAGER_NAMESPACE} " -f - << EOF_MANIFEST
1+ # Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
2+ kubectl apply --context " ${K8S_CTX} " -f - << EOF_MANIFEST
53apiVersion: cert-manager.io/v1
6- kind: Issuer
4+ kind: ClusterIssuer
75metadata:
86 name: ${MDB_TLS_SELF_SIGNED_ISSUER}
97spec:
108 selfSigned: {}
119EOF_MANIFEST
1210
13- kubectl --context " ${K8S_CTX} " wait --namespace " ${CERT_MANAGER_NAMESPACE} " -- for=condition=Ready issuer " ${MDB_TLS_SELF_SIGNED_ISSUER} "
11+ kubectl --context " ${K8S_CTX} " wait --for=condition=Ready clusterissuer " ${MDB_TLS_SELF_SIGNED_ISSUER} "
1412
1513kubectl apply --context " ${K8S_CTX} " -f - << EOF_MANIFEST
1614apiVersion: cert-manager.io/v1
@@ -27,37 +25,29 @@ spec:
2725 size: 256
2826 issuerRef:
2927 name: ${MDB_TLS_SELF_SIGNED_ISSUER}
30- kind: Issuer
28+ kind: ClusterIssuer
3129EOF_MANIFEST
3230
3331kubectl --context " ${K8S_CTX} " wait --for=condition=Ready -n " ${CERT_MANAGER_NAMESPACE} " certificate " ${MDB_TLS_CA_CERT_NAME} "
3432
35- TMP_DIR=" $( mktemp -d) "
36- trap ' rm -rf "${TMP_DIR}"' EXIT
37-
38- kubectl --context " ${K8S_CTX} " get secret " ${MDB_TLS_CA_SECRET_NAME} " -n " ${CERT_MANAGER_NAMESPACE} " -o jsonpath=" {.data['ca\\ .crt']}" | base64 --decode > " ${TMP_DIR} /ca.crt"
39-
40- cat " ${TMP_DIR} /ca.crt" > " ${TMP_DIR} /mms-ca.crt"
41-
42- kubectl --context " ${K8S_CTX} " create configmap " ${MDB_TLS_CA_CONFIGMAP} " -n " ${MDB_NS} " \
43- --from-file=ca-pem=" ${TMP_DIR} /mms-ca.crt" --from-file=mms-ca.crt=" ${TMP_DIR} /mms-ca.crt" \
44- --dry-run=client -o yaml | kubectl --context " ${K8S_CTX} " apply -f -
45-
46- # Ensure CA secret also exists in application namespace for mounts expecting a Secret (root-secret)
47- if ! kubectl --context " ${K8S_CTX} " -n " ${MDB_NS} " get secret " ${MDB_TLS_CA_SECRET_NAME} " > /dev/null 2>&1 ; then
48- kubectl --context " ${K8S_CTX} " -n " ${CERT_MANAGER_NAMESPACE} " get secret " ${MDB_TLS_CA_SECRET_NAME} " -o yaml \
49- | sed ' s/namespace: .*/namespace: ' " ${MDB_NS} " ' /' \
50- | kubectl --context " ${K8S_CTX} " apply -n " ${MDB_NS} " -f - || echo " Warning: failed to copy ${MDB_TLS_CA_SECRET_NAME} to ${MDB_NS} " >&2
51- fi
52-
53- kubectl apply --context " ${K8S_CTX} " -n " ${MDB_NS} " -f - << EOF_MANIFEST
33+ kubectl apply --context " ${K8S_CTX} " -f - << EOF_MANIFEST
5434apiVersion: cert-manager.io/v1
55- kind: Issuer
35+ kind: ClusterIssuer
5636metadata:
5737 name: ${MDB_TLS_CA_ISSUER}
5838spec:
5939 ca:
6040 secretName: ${MDB_TLS_CA_SECRET_NAME}
6141EOF_MANIFEST
6242
63- kubectl --context " ${K8S_CTX} " wait --namespace " ${MDB_NS} " --for=condition=Ready issuer " ${MDB_TLS_CA_ISSUER} "
43+ kubectl --context " ${K8S_CTX} " wait --for=condition=Ready clusterissuer " ${MDB_TLS_CA_ISSUER} "
44+
45+ TMP_CA_CERT=" $( mktemp) "
46+ trap ' rm -f "${TMP_CA_CERT}"' EXIT
47+
48+ kubectl --context " ${K8S_CTX} " get secret " ${MDB_TLS_CA_SECRET_NAME} " -n " ${CERT_MANAGER_NAMESPACE} " -o jsonpath=" {.data['ca\\ .crt']}" | base64 --decode > " ${TMP_CA_CERT} "
49+
50+ kubectl --context " ${K8S_CTX} " create configmap " ${MDB_TLS_CA_CONFIGMAP} " -n " ${MDB_NS} " \
51+ --from-file=ca-pem=" ${TMP_CA_CERT} " --from-file=mms-ca.crt=" ${TMP_CA_CERT} " \
52+ --from-file=ca.crt=" ${TMP_CA_CERT} " \
53+ --dry-run=client -o yaml | kubectl --context " ${K8S_CTX} " apply -f -
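Review bot: The CA written to `${TMP_CA_CERT}` by the `base64 --decode` redirect is handed to the `create configmap` pipeline with no check that anything was actually decoded; if the jsonpath lookup returns nothing or `base64` fails (no `set -o pipefail` is visible), an empty `ca.crt`/`mms-ca.crt`/`ca-pem` is published to `${MDB_NS}` and clients fail later with an opaque trust error. Guard it before the `create configmap` line: `[ -s "${TMP_CA_CERT}" ] || { echo "CA certificate from ${MDB_TLS_CA_SECRET_NAME} is empty" >&2; exit 1; }`. Separately, turning the CA issuer into a ClusterIssuer means every namespace in the cluster can now request certificates signed by this CA, and its `secretName` is presumably resolved in cert-manager's cluster resource namespace, which has to coincide with `${CERT_MANAGER_NAMESPACE}` (where the Certificate is waited on) for the `clusterissuer` wait to become Ready — a comment above that heredoc, e.g. `# ClusterIssuer: cluster-wide scope; the CA secret must live in cert-manager's cluster resource namespace`, would record the trust boundary the removed header comment described as namespace-local. The hunk opens inside the Certificate heredoc that begins before its first line.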