Upgrading from Helm stable/cert-manager to jetstack/cert-manager
We have a production AKS cluster that has a stable/cert-manager helm chart installed to allow using Let's Encrypt certificates. The current version installed is cert-manager-v0.6.0 in the kube-system namespace.
Let's Encrypt is to stop support for traffic from cert-manager pre 8.0 version from 1st of November 2019.
I would like to upgrade but the latest available stable chart version is v0.6.7. Seems like the way to go is to switch to jetstack/cert-manager.
How do I best approach this? Shall I uninstall the current stable/cert-manager chart and install from scratch with the jetstack/cert-manager? Any resource on how to tackle this without downtime in production would be much appreciated. Please let me know if I can provide any more details.
For anyone asking the same question, I have tried to perform a clean install on my test cluster and this seemed to work fairly smoothly. I have found what the name of my helm release was by running helm list, then I have performed the following steps:
1. Backup:
kubectl get -o yaml \
--all-namespaces \
issuer,clusterissuer,certificates,orders,challenges > cert-manager-backup.yaml
2. Delete:
# Uninstall the Helm chart
helm delete --purge <your release name here>
# Ensure the cert-manager CustomResourceDefinition resources do not exist:
kubectl delete crd \
certificates.certmanager.k8s.io \
issuers.certmanager.k8s.io \
clusterissuers.certmanager.k8s.io
described in step 2 here
3. Install a fresh jetstack version:
# Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.9/deploy/manifests/00-crds.yaml
# Create the namespace for cert-manager
kubectl create namespace cert-manager
# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install --name <your release name here> --namespace cert-manager --version v0.9.1 jetstack/cert-manager
4. Restore:
I have tried running
kubectl apply -f cert-manager-backup.yaml
as described here but this step actually didn't fully work for me. The Issuers were created (self signed and CA) but I could not re-create the Certificates and ClusterIssuer. These were the errors I have received:
Error from server (InternalError): Internal error occurred: failed calling webhook "clusterissuers.admission.certmanager.k8s.io": the server is currently unable to handle the request
Error from server (InternalError): Internal error occurred: failed calling webhook "certificates.admission.certmanager.k8s.io": the server is currently unable to handle the request
I had my original yaml files and was able to create the ClusterIssuer and Certificate by applying them
I can confirm that the above works. (@RVid answer)
Though, I've upgraded 0.5.0 to 0.9.1 and had to create a separate namespace to have 'no-downtime' upgrade.
#1 delete old CRDs
kubectl delete crd \
certificates.certmanager.k8s.io \
issuers.certmanager.k8s.io \
clusterissuers.certmanager.k8s.io
#2 create SEPARATE namespace
$ kubectl create namespace cert-manager-new
#3 install new CRDs that correspond to the new version of cert-manager
$ kubectl apply \
-f https://raw.githubusercontent.com/jetstack/cert-manager/<VERSION>/deploy/manifests/00-crds.yaml
#4 ensure the NEW namespace has an additional label on it in order for the deployment to succeed
$ kubectl label namespace cert-manager-new certmanager.k8s.io/disable-validation="true"
#5 copy secrets to cert-manager-new namespace (For DNS, HTTP and Let's Encrypt account)
## Install the cert-manager helm chart
# jetstack/cert-manager
$ helm install --name cert-manager-new --namespace cert-manager-new jetstack/cert-manager --values <your values file>
#6 apply ClusterIssuer with kubectl apply -f <file.yaml>
Use config from: https://docs.cert-manager.io/en/latest/reference/issuers.html
The new instance of the cert manager will start synchronizing all the certificates you have without destroying the secrets. Eventually, all the certs will get renewed with new cert-manager.
Cheers.
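Step #5 in the answer above gives no command for copying the secrets. As an added example (not part of the original answer), this Python filter rewrites a kubectl get secret -o json export for the new namespace, keeps only the secrets named on the command line and drops server-set metadata. The secret name letsencrypt-account-key and the script name copy.py are hypothetical, and the sample export is constructed.

```python
import json
import sys

# Fields the API server fills in; carrying them over ties the copy to the old object.
SERVER_SET = ("uid", "resourceVersion", "creationTimestamp", "selfLink",
              "ownerReferences", "managedFields")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# Constructed sample of `kubectl get secret -n kube-system -o json`; names are hypothetical.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [{
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "letsencrypt-account-key", "namespace": "kube-system",
                 "uid": "constructed-uid", "resourceVersion": "1234",
                 "annotations": {LAST_APPLIED: "{...}"}},
    "data": {"tls.key": "Y29uc3RydWN0ZWQ="}}]})


def retarget_secret(secret, namespace):
    """Copy one exported Secret so it can be applied in `namespace`."""
    meta = {k: v for k, v in secret["metadata"].items() if k not in SERVER_SET}
    meta["namespace"] = namespace
    # last-applied-configuration may embed a second copy of the secret data.
    notes = {k: v for k, v in meta.pop("annotations", {}).items() if k != LAST_APPLIED}
    if notes:
        meta["annotations"] = notes
    return {"apiVersion": "v1", "kind": "Secret", "metadata": meta,
            "type": secret.get("type", "Opaque"), "data": secret.get("data", {})}


def retarget_export(export_json, namespace, names):
    """Keep only the named Secrets from an export; fail if one is missing."""
    doc = json.loads(export_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    picked = [retarget_secret(s, namespace) for s in items
              if s.get("kind") == "Secret" and s["metadata"]["name"] in names]
    missing = sorted(set(names) - {s["metadata"]["name"] for s in picked})
    if missing:
        raise KeyError("not in export: " + ", ".join(missing))
    return {"apiVersion": "v1", "kind": "List", "items": picked}


if __name__ == "__main__":
    # Real use: kubectl get secret -n <old> -o json | python3 copy.py <new> <name>...
    demo = len(sys.argv) < 3
    ns = "cert-manager-new" if demo else sys.argv[1]
    names = ["letsencrypt-account-key"] if demo else sys.argv[2:]
    out = retarget_export(SAMPLE if demo else sys.stdin.read(), ns, names)
    print([s["metadata"]["name"] for s in out["items"]], file=sys.stderr)  # names only
    json.dump(out, sys.stdout, indent=2)
```

Piping the output straight into kubectl apply -f - keeps the account key and DNS credentials off disk; only secret names are written to stderr.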