feat(cert-manager): move cert-manager secrets with deploy

Deploy the secrets and the issuer along with cert-manager. Utilize an ArgoCD sync wave to ensure the issuer gets loaded after cert-manager is deployed.
rackerlabs · Aug 19, 2024 · 1c37703 · 1c37703
1 parent d486e5d
commit 1c37703
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 28 deletions.
diff --git a/apps/appsets/infra.yaml b/apps/appsets/infra.yaml
@@ -18,14 +18,18 @@ spec:
               elements:
                 - component: cert-manager
                   skipComponent: '{{has "cert-manager" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}'
-                  source:
-                    repoURL: https://charts.jetstack.io
-                    chart: cert-manager
-                    targetRevision: '1.15.2'
-                    helm:
-                      releaseName: cert-manager
-                      valuesObject:
-                        installCRDs: true
+                  sources:
+                    - repoURL: https://charts.jetstack.io
+                      chart: cert-manager
+                      targetRevision: '1.15.2'
+                      helm:
+                        releaseName: cert-manager
+                        valuesObject:
+                          crds:
+                            enabled: true
+                    - repoURL: '{{index .metadata.annotations "uc_repo_git_url"}}'
+                      targetRevision: '{{index .metadata.annotations "uc_repo_ref"}}'
+                      path: 'secrets/{{.name}}/cert-manager'
                 - component: metallb
                   skipComponent: '{{has "metallb" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}'
                   source:

diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
@@ -161,7 +161,27 @@ for client in nautobot argo argocd; do
     fi
 done
 
-mkdir -p "${DEST_DIR}/cluster/"
+if [ ! -f "${DEST_DIR}/cert-manager/cluster-issuer.yaml" ]; then
+    echo "Creating cert-manager ClusterIssuer"
+    cat <<- EOF > "${DEST_DIR}/cert-manager/cluster-issuer.yaml"
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${DEPLOY_NAME}-cluster-issuer
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+spec:
+  acme:
+    email: ${UC_DEPLOY_EMAIL}
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx
+EOF
+fi
 
 # create constant OpenStack memcache key to avoid cache invalidation on deploy
 MEMCACHE_SECRET_KEY=$(cat "${DEST_DIR}/secret-openstack.yaml" 2>/dev/null | yq '.endpoints.oslo_cache.auth.memcache_secret_key')
@@ -333,25 +353,6 @@ data:
 EOF
 fi
 
-echo "Creating Cert Manager Cluster Issuer"
-[ -f "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster-issuer.yaml" ] && \
-    mv -f "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster-issuer.yaml" "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster/"
-cat << EOF > "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster/cluster-issuer.yaml"
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: ${DEPLOY_NAME}-cluster-issuer
-spec:
-  acme:
-    email: ${UC_DEPLOY_EMAIL}
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    server: https://acme-v02.api.letsencrypt.org/directory
-    solvers:
-    - http01:
-        ingress:
-          ingressClassName: nginx
-EOF
 
 for component in $(find "${DEST_DIR}" -maxdepth 1 -mindepth 1 -type d); do
     if [ ! -f "${component}/kustomization.yaml" ]; then