Migrate Self Signed Certificate Config Map to Sidecar Injector

Issue

Previously I followed the instructions to add a Self Signed Certificate using a Config Map.
This is no longer the suggested method for applying a self signed certificate to masters and agents.
Instead I would like to use the new method of Creating a Sidecar Injector.

Environment

Resolution

In order to use the sidecar injectors for this, you will first need to undo the existing config map setup. The following steps are to remove the certificates based on the linked steps for setting them up.

1) Remove the Configurations from the Agents

Note: Be sure to follow these steps for all of your Pod Templates that use these certificates.

Go to the configuration of the Pod Template.

Remove these Environment Variables from the Pod template:

For Java:

  • Key: JAVA_OPTS
  • Value: -Djavax.net.ssl.trustStore=/var/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit

For curl:

  • Key: CURL_CA_BUNDLE
  • Value: /var/certs/ca-certificates.crt

For git:

  • Key: GIT_SSL_CAINFO
  • Value: /var/certs/ca-certificates.crt

Remove Volumes of type ConfigMap Volume from the Pod template:

  • Config Map name: ca-bundle
  • Mount path: /var/certs/

2) Remove the Configurations from the Managed Masters

Note: Be sure to follow these steps for all of your Managed Masters that use these certificates.

Go to Manage Jenkins > Configure System > Kubernetes Master Provisioning > Advanced

Remove the Global Properties:

javax.net.ssl.trustStore=/var/certs/cacerts
javax.net.ssl.trustStorePassword=changeit

Remove the Global Variables:

CURL_CA_BUNDLE=/var/certs/ca-certificates.crt
GIT_SSL_CAINFO=/var/certs/ca-certificates.crt

Remove this from the YAML field:

apiVersion: "apps/v1"
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
        - name: "jenkins"
          volumeMounts:
          - name: volume-ca-bundle
            mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle

Note: This configuration is only applied to newly created Managed Masters. For existing Managed Masters, the same configuration needs to be applied in the Managed Master configuration and the master needs to be re-provisioned.

3) Remove the certificates from the CJOC StatefulSet

In cloudbees-core.yaml, edit the cjoc StatefulSet and remove the following sections (yours may differ slightly depending on your specific implementation):

The VolumeMount:

        volumeMounts:
        - name: volume-ca-bundle
          mountPath: /var/certs

The Volume (the volume-ca-bundle entry that references the ca-bundle ConfigMap):

      volumes:
      - name: jenkins-configure-jenkins-groovy
        configMap:
          name: cjoc-configure-jenkins-groovy
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle

The environment variables for the cjoc container:

        env:
        - name: CURL_CA_BUNDLE
          value: /var/certs/ca-certificates.crt
        - name: GIT_SSL_CAINFO
          value: /var/certs/ca-certificates.crt

The JVM arguments:

        env:
        - name: JAVA_OPTS
          # To allocate masters using a non-default storage class, add the following
          # -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName=some-storage-class
          value: >-
            -Djavax.net.ssl.trustStore=/var/certs/cacerts
            -Djavax.net.ssl.trustStorePassword=changeit

Apply this change with:

kubectl apply -f cloudbees-core.yaml -n "$CJE_NAMESPACE"

4) Remove the ConfigMap from CJOC

Run the command:

kubectl delete configmap ca-bundle -n $CJE_NAMESPACE

5) Moving On

You should now have no certificates in your cluster. Make sure that your cluster (minus the missing certificates) is functional at this point. You are then free to move on to the above link and follow the instructions for adding the sidecar injector.
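A pod spec that still mounts the ca-bundle ConfigMap after the ConfigMap has been deleted will fail to start on its next restart, so it helps to scan the manifests for leftover references as part of this check. The script below is an added example, not part of the original article or of CloudBees tooling; `check_clean`, `LEFTOVER_MARKERS` and the two sample writers are hypothetical names, and the sample manifests are constructed from the fragments shown in the steps above.

```shell
#!/bin/sh
# Strings left behind by the old ConfigMap setup (names and paths from this page).
LEFTOVER_MARKERS='volume-ca-bundle
name: ca-bundle
/var/certs
CURL_CA_BUNDLE
GIT_SSL_CAINFO
javax.net.ssl.trustStore'

# check_clean FILE: return 0 if FILE has no leftover reference, 1 if it has
# (matching lines go to stderr with line numbers), 2 if FILE is unreadable.
check_clean() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if leftovers=$(grep -n -F -e "$LEFTOVER_MARKERS" -- "$1"); then
        printf '%s still references the old certificates:\n%s\n' "$1" "$leftovers" >&2
        return 1
    fi
    echo "$1: no leftover references"
}

# Constructed sample: a StatefulSet fragment where the volume was not removed.
write_partial_sample() {
    cat > "$1" <<'EOF'
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
        - name: "jenkins"
          volumeMounts:
          - name: volume-ca-bundle
            mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle
EOF
}

# Constructed sample: the same fragment after the removal steps.
write_clean_sample() {
    cat > "$1" <<'EOF'
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
        - name: "jenkins"
EOF
}

# Against a live namespace (needs cluster access, so not run here):
#   kubectl get statefulset,pod -n "$CJE_NAMESPACE" -o yaml > live.yaml
#   check_clean live.yaml
```

Running it against the edited cloudbees-core.yaml before step 4, and against the live export afterwards, catches a Managed Master or Operations Center StatefulSet that was missed.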

Tested product/plugin versions

References
