Issue
Previously I followed the instructions to add a Self Signed Certificate using a Config Map.
This is no longer the suggested method for applying a self signed certificate to controllers and agents.
Instead I would like to use the new method of Creating a Sidecar Injector.
Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
Resolution
In order to use the sidecar injectors for this, you will first need to undo the existing config map setup. The following steps are to remove the certificates based on the linked steps for setting them up.
1) Remove the Configurations from the Agents
Note: Be sure to follow these steps for all of your Pod Templates that use these certificates.
Go to the configuration of the Pod Template.
Remove these Environment Variables from the Pod template:
For Java:
- Key: JAVA_OPTS
- Value: -Djavax.net.ssl.trustStore=/var/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit
For git:
- Key: CURL_CA_BUNDLE
- Value: /var/certs/ca-certificates.crt
For tools curl:
- Key: GIT_SSL_CAINFO
- Value: /var/certs/ca-certificates.crt
Remove these Volumes of type ConfigMap Volume from the Pod template:
- Config Map name: ca-bundle
- Mount path: /var/certs/
2) Remove the Configurations from the Managed controllers
Note: Be sure to follow these steps for all of your Managed controllers that use these certificates.
Go to Manage Jenkins > Configure System > Kubernetes controller Provisioning > Advanced
Remove the Global Properties:
javax.net.ssl.trustStore=/var/certs/cacerts
javax.net.ssl.trustStorePassword=changeit
Remove the Global Variables:
CURL_CA_BUNDLE=/var/certs/ca-certificates.crt
GIT_SSL_CAINFO=/var/certs/ca-certificates.crt
Remove this from the YAML field:
apiVersion: "apps/v1"
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
      - name: "jenkins"
        volumeMounts:
        - name: volume-ca-bundle
          mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle
Note: This configuration is only applied to newly created Managed controllers. For existing Managed controllers, the same configuration needs to be applied in the Managed controller configuration and the controller needs to be re-provisioned.
3) Remove the certificates from the CJOC StatefulSet
In the cloudbees-core.yaml, edit the cjoc statefulset and remove the following sections (yours may differ slightly depending on your specific implementation).
The VolumeMount:
volumeMounts:
- name: volume-ca-bundle
  mountPath: /var/certs
The Volume:
volumes:
- name: jenkins-configure-jenkins-groovy
  configMap:
    name: cjoc-configure-jenkins-groovy
- name: volume-ca-bundle
  configMap:
    name: ca-bundle
The environment variables for the cjoc container:
env:
- name: CURL_CA_BUNDLE
  value: /var/certs/ca-certificates.crt
- name: GIT_SSL_CAINFO
  value: /var/certs/ca-certificates.crt
The JVM arguments:
env:
- name: JAVA_OPTS
  # To allocate controllers using a non-default storage class, add the following
  # -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName=some-storage-class
  value: >-
    -Djavax.net.ssl.trustStore=/var/certs/cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
Apply this change with:
kubectl apply -f cloudbees-core.yaml -n $CJE_NAMESPACE
4) Remove the ConfigMap from CJOC
Run the command:
kubectl delete configmap ca-bundle -n $CJE_NAMESPACE
5) Moving On
You should now have no certificates in your cluster. Make sure that your cluster (minus the missing certificates) is functional at this point. You are then free to move on to the above link and follow the instructions for adding the sidecar injector.
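One way to confirm that the removal steps left nothing behind before moving on, as an added example that is not part of the original article or CloudBees tooling: the function below scans a manifest on stdin for the strings removed in the steps above. The function name, the sample manifest and the assumption that the Operations Center StatefulSet is named cjoc are illustrative.

```shell
#!/bin/sh
# Added example (not CloudBees code): find leftovers of the old ConfigMap-based
# certificate setup in a manifest read from stdin. Patterns come from this page.
LEFTOVER_PATTERNS='volume-ca-bundle
name: ca-bundle
/var/certs
javax.net.ssl.trustStore
CURL_CA_BUNDLE
GIT_SSL_CAINFO'

# Prints "lineno:text" for every leftover line; YAML comment lines are skipped.
# Returns 0 when the manifest is clean, 1 when something still has to be removed.
find_ca_leftovers() {
  _hits=$(grep -nF -- "$LEFTOVER_PATTERNS" | grep -vE '^[0-9]+:[[:space:]]*#') || true
  if [ -z "$_hits" ]; then return 0; fi
  printf '%s\n' "$_hits"
  return 1
}

# Constructed sample: StatefulSet fragment that still carries the old settings.
sample_before() {
  cat <<'EOF'
kind: StatefulSet
spec:
  template:
    spec:
      containers:
      - name: jenkins
        env:
        - name: GIT_SSL_CAINFO
          value: /var/certs/ca-certificates.crt
        - name: JAVA_OPTS
          # old flags pointed at /var/certs (comment, skipped)
          value: >-
            -Djavax.net.ssl.trustStore=/var/certs/cacerts
        volumeMounts:
        - name: volume-ca-bundle
          mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle
EOF
}

# Demo on the constructed sample. For a live check (assumes the StatefulSet is
# named cjoc): kubectl get statefulset cjoc -o yaml -n "$CJE_NAMESPACE" | find_ca_leftovers
sample_before | find_ca_leftovers || echo "leftovers found: finish the removal first"
```

The same function can be run over the edited cloudbees-core.yaml before applying it, so a missed volume or JVM flag is caught before a pod fails to start on a missing mount.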
Tested product/plugin versions
- CloudBees CI (CloudBees Core) on Modern Platforms version 2.176.2.3
- Kubernetes Plugin version 1.15.9