Previously I followed the instructions to add a self-signed certificate using a Config Map.
This is no longer the suggested method for applying a self-signed certificate to masters and agents.
Instead, I would like to use the new method of creating a sidecar injector.
- CloudBees Core
- CloudBees Core on modern cloud platforms - Managed Master
- CloudBees Core on modern cloud platforms - Operations Center
In order to use the sidecar injectors for this, you will first need to undo the existing config map setup. The following steps are to remove the certificates based on the linked steps for setting them up.
Note: Be sure to follow these steps for all of your Pod Templates that use these certificates.
Go to the configuration of the Pod Template.
Remove Environment Variables from the Pod template:
Remove Volumes of type ConfigMap Volume from the Pod template:
- Config Map name:
- Mount path:
Note: Be sure to follow these steps for all of your Managed Masters that use these certificates.
Go to Manage Jenkins > Configure System > Kubernetes Master Provisioning > Advanced
Remove the Global Properties:
Remove the Global Variables:
Remove this from the YAML field:
apiVersion: "apps/v1"
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
      - name: "jenkins"
        volumeMounts:
        - name: volume-ca-bundle
          mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle
Note: This configuration is only applied to newly created Managed Masters. For existing Managed Masters, the same configuration needs to be applied in the Managed Master configuration and the master needs to be re-provisioned.
In cloudbees-core.yaml, edit the cjoc statefulset and remove the following sections (yours may differ slightly depending on your specific implementation):
volumeMounts:
  - name: volume-ca-bundle
    mountPath: /var/certs
volumes:
  - name: jenkins-configure-jenkins-groovy
    configMap:
      name: cjoc-configure-jenkins-groovy
  - name: volume-ca-bundle
    configMap:
      name: ca-bundle
The environment variables for the cjoc container:
env:
  - name: CURL_CA_BUNDLE
    value: /var/certs/ca-certificates.crt
  - name: GIT_SSL_CAINFO
    value: /var/certs/ca-certificates.crt
The JVM arguments:
env:
  - name: JAVA_OPTS
    # To allocate masters using a non-default storage class, add the following
    # -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName=some-storage-class
    value: >-
      -Djavax.net.ssl.trustStore=/var/certs/cacerts
      -Djavax.net.ssl.trustStorePassword=changeit
Apply this change with:
kubectl apply -f cloudbees-core.yaml -n $CJE_NAMESPACE
Run the command:
kubectl delete configmap ca-bundle -n $CJE_NAMESPACE
You should now have no certificates in your cluster. Make sure that your cluster (minus the missing certificates) is functional at this point. You are then free to move on to the above link and follow the instructions for adding the sidecar injector.
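A pod that still mounts the deleted ca-bundle config map will fail to start, so it is worth confirming that every reference listed in the steps above is gone before moving on. The following is an added example, not part of the original article or of CloudBees tooling: it scans the JSON output of kubectl for leftover volumes, mounts, environment variables and JVM trust store flags. The sample object is constructed for illustration.

```python
import json
import sys

# Names, paths and flags come from the removal steps on this page.
CONFIGMAP, VOLUME = "ca-bundle", "volume-ca-bundle"
ENV_VARS = {"CURL_CA_BUNDLE", "GIT_SSL_CAINFO"}
JVM_FLAGS = ("-Djavax.net.ssl.trustStore=", "-Djavax.net.ssl.trustStorePassword=")

# Constructed sample: a cjoc StatefulSet where only the volume was removed.
SAMPLE = {"kind": "StatefulSet", "metadata": {"name": "cjoc"}, "spec": {"template": {"spec": {
    "volumes": [{"name": "jenkins-configure-jenkins-groovy",
                 "configMap": {"name": "cjoc-configure-jenkins-groovy"}}],
    "containers": [{"name": "jenkins",
                    "volumeMounts": [{"name": VOLUME, "mountPath": "/var/certs"}],
                    "env": [{"name": "GIT_SSL_CAINFO", "value": "/var/certs/ca-certificates.crt"},
                            {"name": "JAVA_OPTS",
                             "value": "-Djavax.net.ssl.trustStore=/var/certs/cacerts"}]}]}}}}


def leftovers(obj):
    """List remaining references to the old ConfigMap certificate setup in one object."""
    who = f"{obj.get('kind', '?')}/{obj.get('metadata', {}).get('name', '?')}"
    spec = obj.get("spec", {})
    spec = spec.get("template", {}).get("spec", spec)  # workload template or bare Pod
    found = [f"{who}: volume {v.get('name')}" for v in spec.get("volumes", [])
             if v.get("name") == VOLUME or v.get("configMap", {}).get("name") == CONFIGMAP]
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        cname = ctr.get("name")
        found += [f"{who}: {cname} mounts {m.get('mountPath')}"
                  for m in ctr.get("volumeMounts", []) if m.get("name") == VOLUME]
        for env in ctr.get("env", []):
            if env.get("name") in ENV_VARS:
                found.append(f"{who}: {cname} env {env['name']}")
            found += [f"{who}: {cname} env {env.get('name')} sets {flag.rstrip('=')}"
                      for flag in JVM_FLAGS if flag in (env.get("value") or "")]
    return found


def scan(document):
    """Accept one object or a kubectl List and return every finding."""
    return [hit for item in document.get("items", [document]) for hit in leftovers(item)]


if __name__ == "__main__":
    # Pipe `kubectl get statefulset,pod -n $CJE_NAMESPACE -o json` in, or run bare for the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    hits = scan(doc)
    print("\n".join(hits) or "no references to the old certificate setup")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when anything is found, so it can gate the move to the sidecar injector setup.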