
Problem description

We have a production AKS cluster that has a stable/cert-manager helm chart installed to allow using Let's Encrypt certificates. The current version installed is cert-manager-v0.6.0 in the kube-system namespace.

Let's Encrypt is to stop support for traffic from cert-manager pre 8.0 version from 1st of November 2019.

I would like to upgrade but the latest available stable chart version is v0.6.7. Seems like the way to go is to switch to jetstack/cert-manager.

How do I best approach this? Shall I uninstall the current stable/cert-manager chart and install from scratch with the jetstack/cert-manager? Any resource on how to tackle this without downtime in production would be much appreciated. Please let me know if I can provide any more details.

Recommended answer

For anyone asking the same question, I have tried to perform a clean install on my test cluster and this seemed to work fairly smoothly. I have found what the name of my helm release was by running helm list

then I have performed the following steps:

1. Backup:

kubectl get -o yaml \
   --all-namespaces \
   issuer,clusterissuer,certificates,orders,challenges > cert-manager-backup.yaml

source

2. Delete:

# Uninstall the Helm chart
helm delete --purge <your release name here>

# Ensure the cert-manager CustomResourceDefinition resources do not exist:
kubectl delete crd \
    certificates.certmanager.k8s.io \
    issuers.certmanager.k8s.io \
    clusterissuers.certmanager.k8s.io

in step 2 here

3. Install the new jetstack version:

# Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.9/deploy/manifests/00-crds.yaml

# Create the namespace for cert-manager
kubectl create namespace cert-manager

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install --name <your release name here> --namespace cert-manager --version v0.9.1 jetstack/cert-manager

here

4. Restore:

I tried running

kubectl apply -f cert-manager-backup.yaml

as described here but this step actually didn't fully work for me. The Issuers were created (self signed and CA) but I could not re-create the Certificates and ClusterIssuer. These were the errors I have received:

Error from server (InternalError): Internal error occurred: failed calling webhook "clusterissuers.admission.certmanager.k8s.io": the server is currently unable to handle the request
Error from server (InternalError): Internal error occurred: failed calling webhook "certificates.admission.certmanager.k8s.io": the server is currently unable to handle the request

I had my original yaml files and was able to create the ClusterIssuer and Certificate by applying them
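
One way to script step 4, as an added example that is not part of the original answer: it waits for the new cert-manager Deployments to become Available and retries the apply only while the webhook error quoted above is returned. It assumes those errors were transient (the webhook still starting), which the answer does not confirm; the function names, RUN_RESTORE and the retry settings are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumptions: namespace
# "cert-manager" and cert-manager-backup.yaml as in the steps above; the
# function names, RUN_RESTORE and the retry settings are hypothetical.
NAMESPACE="${NAMESPACE:-cert-manager}"
BACKUP="${BACKUP:-cert-manager-backup.yaml}"

# Block until every Deployment in the namespace reports the Available
# condition, or the timeout (default 300s) expires.
wait_for_cert_manager() {
    kubectl wait --for=condition=Available deployment --all \
        --namespace "$NAMESPACE" --timeout="${1:-300s}"
}

# Apply the backup. Retry only on the "failed calling webhook" error;
# any other failure is returned at once so real problems are not hidden.
# Returns 0 on success, 1 when retries run out, 2 on a different error.
restore_backup() {
    attempts="${1:-10}"   # POSIX sh has no "local"; these are globals
    delay="${2:-15}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        if out=$(kubectl apply -f "$BACKUP" 2>&1); then
            printf '%s\n' "$out"
            return 0
        fi
        printf 'attempt %s/%s failed:\n%s\n' "$i" "$attempts" "$out" >&2
        case "$out" in
            *'failed calling webhook'*) ;;   # webhook not serving yet
            *) return 2 ;;
        esac
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
    done
    return 1
}

# Run against the current kubectl context only when asked to:
#   RUN_RESTORE=1 sh restore.sh
if [ "${RUN_RESTORE:-}" = "1" ]; then
    wait_for_cert_manager && restore_backup
fi
```

Because kubectl apply is idempotent, re-applying the whole backup file on each retry is safe for resources that were already created on an earlier attempt.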
