Experimentation: cert-manager end to end canary - EKS #3

Open
obriensystems opened this issue Dec 5, 2024 · 4 comments
obriensystems commented Dec 5, 2024

via

ELB for EKS pod

  • $0.60/day or $19/month
Screenshot 2024-12-09 at 10 10 18
(venv-metal) michaelobrien@Michaels-MBP pipeline % git checkout -b 3-cert-manager
Switched to a new branch '3-cert-manager'
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws configure
AWS Access Key ID [None]: A...
AWS Secret Access Key [None]: h...
Default region name [None]: us-east-1
Default output format [None]: json
(venv-metal) michaelobrien@Michaels-MBP pipeline % export AWS_DEFAULT_OUTPUT=json
(venv-metal) michaelobrien@Michaels-MBP pipeline % export AWS_DEFAULT_REGION=us-east-1
(venv-metal) michaelobrien@Michaels-MBP pipeline % export DOMAIN_NAME=eventfield.io
(venv-metal) michaelobrien@Michaels-MBP pipeline % HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text)
(venv-metal) michaelobrien@Michaels-MBP pipeline % echo $HOSTED_ZONE_ID
/hostedzone/Z...T
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws route53 get-hosted-zone --id ${HOSTED_ZONE_ID}
{
    "HostedZone": {
        "Id": "/hostedzone/Z...T",
        "Name": "eventfield.io.",
        "CallerReference": "RISWorkflow-RD:db...39",
        "Config": {
            "Comment": "HostedZone created by Route53 Registrar",
            "PrivateZone": false
        },
        "ResourceRecordSetCount": 11
    },
    "DelegationSet": {
        "NameServers": [
            "ns-1994.awsdns-57.co.uk",
            "ns-554.awsdns-05.net",
            "ns-1212.awsdns-23.org",
            "ns-273.awsdns-34.com"
        ]
    }
}

(venv-metal) michaelobrien@Michaels-MBP pipeline % dig $DOMAIN_NAME ns +trace +nodnssec

; <<>> DiG 9.10.6 <<>> eventfield.io ns +trace +nodnssec
;; global options: +cmd
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	m.root-servers.net.
;; Received 239 bytes from 2607:fea8:e25d:7b60:688f:2eff:fe18:cd81#53(2607:fea8:e25d:7b60:688f:2eff:fe18:cd81) in 29 ms

io.			172800	IN	NS	a0.nic.io.
io.			172800	IN	NS	a2.nic.io.
io.			172800	IN	NS	b0.nic.io.
io.			172800	IN	NS	c0.nic.io.
;; Received 290 bytes from 2001:500:2f::f#53(f.root-servers.net) in 27 ms

eventfield.io.		3600	IN	NS	ns-554.awsdns-05.net.
eventfield.io.		3600	IN	NS	ns-1212.awsdns-23.org.
eventfield.io.		3600	IN	NS	ns-273.awsdns-34.com.
eventfield.io.		3600	IN	NS	ns-1994.awsdns-57.co.uk.
;; Received 182 bytes from 2a01:8840:9e::17#53(a0.nic.io) in 72 ms

eventfield.io.		172800	IN	NS	ns-1212.awsdns-23.org.
eventfield.io.		172800	IN	NS	ns-1994.awsdns-57.co.uk.
eventfield.io.		172800	IN	NS	ns-273.awsdns-34.com.
eventfield.io.		172800	IN	NS	ns-554.awsdns-05.net.
;; Received 182 bytes from 205.251.199.202#53(ns-1994.awsdns-57.co.uk) in 28 ms


create eks cluster

get context to eks cluster
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws eks update-kubeconfig --region us-east-1 --name prod
Added new context arn:aws:eks:us-east-1:4...0:cluster/prod to /Users/mic..n/.kube/config

(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl config get-contexts                             
CURRENT   NAME                                              CLUSTER                                           AUTHINFO                                          NAMESPACE
*         arn:aws:eks:us-east-1:45...0:cluster/prod   arn:aws:eks:us-east-1:4...0:cluster/prod   
          docker-desktop                                    docker-desktop                                    docker-desktop                                    
          minikube                                          minikube                                          minikube                                          default

(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl get nodes        
NAME                            STATUS   ROLES    AGE   VERSION
ip-172-31-42-248.ec2.internal   Ready    <none>   41d   v1.30.4-eks-a737599
ip-172-31-80-165.ec2.internal   Ready    <none>   41d   v1.30.4-eks-a737599

helm install cert-manager cert-manager \
  --repo https://charts.jetstack.io \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true

NAME: cert-manager
LAST DEPLOYED: Thu Dec  5 12:52:41 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.16.2 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl get pods --all-namespaces
NAMESPACE      NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager   cert-manager-b6fd485d9-cp9pg              1/1     Running   0          43s
cert-manager   cert-manager-cainjector-dcc5966bc-jgrxp   1/1     Running   0          43s
cert-manager   cert-manager-webhook-dfb76c7bd-hwq8d      1/1     Running   0          43s
kube-system    aws-node-8bwzk                            2/2     Running   0          41d
kube-system    aws-node-f9mz4                            2/2     Running   0          41d
kube-system    coredns-586b798467-fdvwr                  1/1     Running   0          52d
kube-system    coredns-586b798467-gff7r                  1/1     Running   0          52d
kube-system    eks-pod-identity-agent-cq8nn              1/1     Running   0          41d
kube-system    eks-pod-identity-agent-g4wxv              1/1     Running   0          41d
kube-system    kube-proxy-b8v4z                          1/1     Running   0          41d
kube-system    kube-proxy-h2ttb                          1/1     Running   0          41d

(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl -n cert-manager get all
NAME                                          READY   STATUS    RESTARTS   AGE
pod/cert-manager-b6fd485d9-cp9pg              1/1     Running   0          7m46s
pod/cert-manager-cainjector-dcc5966bc-jgrxp   1/1     Running   0          7m46s
pod/cert-manager-webhook-dfb76c7bd-hwq8d      1/1     Running   0          7m46s

NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)            AGE
service/cert-manager              ClusterIP   10.100.175.92    <none>        9402/TCP           7m47s
service/cert-manager-cainjector   ClusterIP   10.100.130.103   <none>        9402/TCP           7m47s
service/cert-manager-webhook      ClusterIP   10.100.20.33     <none>        443/TCP,9402/TCP   7m47s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           7m46s
deployment.apps/cert-manager-cainjector   1/1     1            1           7m46s
deployment.apps/cert-manager-webhook      1/1     1            1           7m46s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-b6fd485d9              1         1         1       7m46s
replicaset.apps/cert-manager-cainjector-dcc5966bc   1         1         1       7m46s
replicaset.apps/cert-manager-webhook-dfb76c7bd      1         1         1       7m46s

check CRDs
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain Certificate
GROUP:      cert-manager.io
KIND:       Certificate
VERSION:    v1

DESCRIPTION:
    A Certificate resource should be created to ensure an up to date and signed
    X.509 certificate is stored in the Kubernetes Secret resource named in
    `spec.secretName`.
    
    The stored certificate will be renewed before it expires (as configured by
    `spec.renewBefore`).
    
FIELDS:
  apiVersion	<string>
    APIVersion defines the versioned schema of this representation of an object.
    Servers should convert recognized schemas to the latest internal value, and
    may reject unrecognized values. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  kind	<string>
    Kind is a string value representing the REST resource this object
    represents. Servers may infer this from the endpoint the client submits
    requests to. Cannot be updated. In CamelCase. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  metadata	<ObjectMeta>
    Standard object's metadata. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  spec	<Object>
    Specification of the desired state of the Certificate resource.
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

  status	<Object>
    Status of the Certificate.
    This is set and managed automatically.
    Read-only.
    More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status


(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain CertificateRequest
GROUP:      cert-manager.io
KIND:       CertificateRequest
VERSION:    v1

DESCRIPTION:
    A CertificateRequest is used to request a signed certificate from one of the
    configured issuers.
    
    All fields within the CertificateRequest's `spec` are immutable after
    creation.
    A CertificateRequest will either succeed or fail, as denoted by its `Ready`
    status
    condition and its `status.failureTime` field.
    
    A CertificateRequest is a one-shot resource, meaning it represents a single
    point in time request for a certificate and cannot be re-used.
    
FIELDS:
  apiVersion	<string>
    APIVersion defines the versioned schema of this representation of an object.
    Servers should convert recognized schemas to the latest internal value, and
    may reject unrecognized values. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  kind	<string>
    Kind is a string value representing the REST resource this object
    represents. Servers may infer this from the endpoint the client submits
    requests to. Cannot be updated. In CamelCase. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  metadata	<ObjectMeta>
    Standard object's metadata. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  spec	<Object>
    Specification of the desired state of the CertificateRequest resource.
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

  status	<Object>
    Status of the CertificateRequest.
    This is set and managed automatically.
    Read-only.
    More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status


(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain Issuer            
GROUP:      cert-manager.io
KIND:       Issuer
VERSION:    v1

DESCRIPTION:
    An Issuer represents a certificate issuing authority which can be
    referenced as part of `issuerRef` fields.
    It is scoped to a single namespace and can therefore only be referenced by
    resources within the same namespace.
    
FIELDS:
  apiVersion	<string>
    APIVersion defines the versioned schema of this representation of an object.
    Servers should convert recognized schemas to the latest internal value, and
    may reject unrecognized values. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  kind	<string>
    Kind is a string value representing the REST resource this object
    represents. Servers may infer this from the endpoint the client submits
    requests to. Cannot be updated. In CamelCase. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  metadata	<ObjectMeta>
    Standard object's metadata. More info:
    https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

  spec	<Object> -required-
    Desired state of the Issuer resource.

  status	<Object>
    Status of the Issuer. This is set and managed automatically.

https://cert-manager.io/docs/tutorials/

create clusterissuer-selfsigned.yaml

# clusterissuer-selfsigned.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f clusterissuer-selfsigned.yaml
clusterissuer.cert-manager.io/selfsigned created

install
https://github.com/a8m/envsubst

create certificate.yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
spec:
  secretName: www-tls
  revisionHistoryLimit: 1
  privateKey:
    rotationPolicy: Always
  commonName: www.$DOMAIN_NAME
  dnsNames:
    - www.$DOMAIN_NAME
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer


(venv-metal) michaelobrien@Michaels-MBP eks % curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 2080k  100 2080k    0     0  4133k      0 --:--:-- --:--:-- --:--:-- 18.6M
(venv-metal) michaelobrien@Michaels-MBP eks % chmod +x envsubst
(venv-metal) michaelobrien@Michaels-MBP eks % sudo mv envsubst /usr/local/bin



(venv-metal) michaelobrien@Michaels-MBP eks % envsubst < certificate.yaml | kubectl apply -f -
certificate.cert-manager.io/www created

Bug: cmctl install notes missing
https://cert-manager.io/docs/reference/cmctl/
from
https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/

install cmctl

brew install cmctl

check certificate

(venv-metal) michaelobrien@Michaels-MBP eks % cmctl status certificate www
Name: www
Namespace: default
Created at: 2024-12-05T14:19:16-05:00
Conditions:
  Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
DNS Names:
- www.eventfield.io
Events:
  Type    Reason     Age    From                                       Message
  ----    ------     ----   ----                                       -------
  Normal  Issuing    4m22s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  4m22s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "www-z9xth"
  Normal  Requested  4m22s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "www-1"
  Normal  Issuing    4m22s  cert-manager-certificates-issuing          The certificate has been successfully issued
Issuer:
  Name: selfsigned
  Kind: ClusterIssuer
  Conditions:
    Ready: True, Reason: IsReady, Message: 
  Events:  <none>
Secret:
  Name: www-tls
  Issuer Country: 
  Issuer Organisation: 
  Issuer Common Name: www.eventfield.io
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages: Server Authentication
  Public Key Algorithm: RSA
  Signature Algorithm: SHA256-RSA
  Subject Key ID: 
  Authority Key ID: 
  Serial Number: 69f7dd814d9d9e271f66f3dcba10b28b
  Events:  <none>
Not Before: 2024-12-05T14:19:16-05:00
Not After: 2025-03-05T14:19:16-05:00
Renewal Time: 2025-02-03T14:19:16-05:00
No CertificateRequest found for this Certificate


look for certificate
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get secret --all-namespaces
NAMESPACE      NAME                                 TYPE                 DATA   AGE
cert-manager   cert-manager-webhook-ca              Opaque               3      7d3h
cert-manager   sh.helm.release.v1.cert-manager.v1   helm.sh/release.v1   1      93m
default        www-tls                              kubernetes.io/tls    3      7m5s

inspect certificate
(venv-metal) michaelobrien@Michaels-MBP eks % cmctl inspect secret www-tls       
Valid for:
	DNS Names: 
		- www.eventfield.io
	URIs: <none>
	IP Addresses: <none>
	Email Addresses: <none>
	Usages: 
		- digital signature
		- key encipherment
		- server auth

Validity period:
	Not Before: Thu, 05 Dec 2024 19:19:16 UTC
	Not After: Wed, 05 Mar 2025 19:19:16 UTC

Issued By:
	Common Name:	www.eventfield.io
	Organization:	<none>
	OrganizationalUnit:	<none>
	Country:	<none>

Issued For:
	Common Name:	www.eventfield.io
	Organization:	<none>
	OrganizationalUnit:	<none>
	Country:	<none>

Certificate:
	Signing Algorithm:	SHA256-RSA
	Public Key Algorithm: 	RSA
	Serial Number:	140855929538450534403923159175450899083
	Fingerprints: 	8B:4E:13:35:13:C7:54:BD:78:2E:42:05:A9:3F:69:45:A8:90:27:20:FB:3C:AE:71:A6:79:D7:E2:47:B6:06:5D
	Is a CA certificate: false
	CRL:	<none>
	OCSP:	<none>

Debugging:
	Trusted by this computer:	no: x509: certificate signed by unknown authority
	CRL Status:	No CRL endpoints set
	OCSP Status:	Cannot check OCSP: No OCSP Server set

add web server

deployment.yaml

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloweb
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
      tier: web
  template:
    metadata:
      labels:
        app: hello
        tier: web
    spec:
      containers:
      - name: hello-app
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app-tls:1.0
        imagePullPolicy: Always
        ports:
        - containerPort: 8443
        volumeMounts:
          - name: tls
            mountPath: /etc/tls
            readOnly: true
        env:
          - name: TLS_CERT
            value: /etc/tls/tls.crt
          - name: TLS_KEY
            value: /etc/tls/tls.key
      volumes:
      - name: tls
        secret:
          secretName: www-tls

deploy server

(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f deployment.yaml
deployment.apps/helloweb created

create loadbalancer

# service.yaml
apiVersion: v1
kind: Service
metadata:
    name: helloweb
spec:
    ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
    selector:
        app: hello
        tier: web
    type: LoadBalancer
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f service.yaml 
service/helloweb created

(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get service helloweb
NAME       TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)         AGE
helloweb   LoadBalancer   10.100.137.75   a14e2cd253b504a59ba28c5dd984808c-1311392204.us-east-1.elb.amazonaws.com   443:32639/TCP   24s

get dns

(venv-metal) michaelobrien@Michaels-MBP eks % HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text)
(venv-metal) michaelobrien@Michaels-MBP eks % echo $HOSTED_ZONE_ID
/hostedzone/Z1...1T

(venv-metal) michaelobrien@Michaels-MBP eks % ELB_CANONICAL_HOSTED_ZONE_NAME=$(kubectl get svc helloweb --output=jsonpath='{ .status.loadBalancer.ingress[0].hostname }')
(venv-metal) michaelobrien@Michaels-MBP eks % echo $ELB_CANONICAL_HOSTED_ZONE_NAME
a1...04.us-east-1.elb.amazonaws.com

aws elb describe-load-balancers --query "LoadBalancerDescriptions[?CanonicalHostedZoneName == '$ELB_CANONICAL_HOSTED_ZONE_NAME'] | [0]" \
| jq '{
  "Comment": "Creating an alias record",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "www.\($DOMAIN_NAME)",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": .CanonicalHostedZoneNameID,
          "DNSName": .CanonicalHostedZoneName,
          "EvaluateTargetHealth": false
        }
      }
    }
  ]
}' \
    --arg DOMAIN_NAME "${DOMAIN_NAME}" \
| aws route53 change-resource-record-sets --hosted-zone-id $HOSTED_ZONE_ID --change-batch file:///dev/stdin


{
    "ChangeInfo": {
        "Id": "/change/C07654933GDZBOQJHH4F0",
        "Status": "PENDING",
        "SubmittedAt": "2024-12-05T20:24:01.600000+00:00",
        "Comment": "Creating an alias record"
    }
}

(venv-metal) michaelobrien@Michaels-MBP eks % dig www.$DOMAIN_NAME A

; <<>> DiG 9.10.6 <<>> www.eventfield.io A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58493
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;www.eventfield.io.		IN	A

;; ANSWER SECTION:
www.eventfield.io.	60	IN	A	54.173.67.175
www.eventfield.io.	60	IN	A	18.233.109.65

;; Query time: 66 msec
;; SERVER: 2607:fea8:e25d:7b60:688f:2eff:fe18:cd81#53(2607:fea8:e25d:7b60:688f:2eff:fe18:cd81)
;; WHEN: Thu Dec 05 15:26:18 EST 2024
;; MSG SIZE  rcvd: 78


https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

check website via curl

(venv-metal) michaelobrien@Michaels-MBP eks % curl --insecure -v https://www.$DOMAIN_NAME
* Host www.eventfield.io:443 was resolved.
* IPv6: (none)
* IPv4: 18.233.109.65, 54.173.67.175
*   Trying 18.233.109.65:443...
* Connected to www.eventfield.io (18.233.109.65) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.eventfield.io
*  start date: Dec  5 19:19:16 2024 GMT
*  expire date: Mar  5 19:19:16 2025 GMT
*  issuer: CN=www.eventfield.io
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.eventfield.io/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.eventfield.io]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: www.eventfield.io
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 200 
< content-type: text/plain; charset=utf-8
< content-length: 69
< date: Thu, 05 Dec 2024 20:26:45 GMT
< 
Hello, world!
Protocol: HTTP/2.0!
Hostname: helloweb-cbc7c88b9-nkwrr
* Connection #0 to host www.eventfield.io left intact
(venv-metal) michaelobrien@Michaels-MBP eks % 


(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get serviceaccount                 
NAME                SECRETS   AGE
default             0         59d
reloader-reloader   0         3m53s

(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get clusterrole                       
NAME                                                                   CREATED AT
cert-manager-cainjector                                                2024-12-05T17:52:47Z
cert-manager-cluster-view                                              2024-12-05T17:52:47Z
cert-manager-controller-approve:cert-manager-io                        2024-12-05T17:52:47Z
cert-manager-controller-certificates                                   2024-12-05T17:52:47Z
cert-manager-controller-certificatesigningrequests                     2024-12-05T17:52:47Z
cert-manager-controller-challenges                                     2024-12-05T17:52:47Z
cert-manager-controller-clusterissuers                                 2024-12-05T17:52:47Z
cert-manager-controller-ingress-shim                                   2024-12-05T17:52:47Z
cert-manager-controller-issuers                                        2024-12-05T17:52:47Z
cert-manager-controller-orders                                         2024-12-05T17:52:47Z
cert-manager-edit                                                      2024-12-05T17:52:47Z
cert-manager-view                                                      2024-12-05T17:52:47Z

(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get clusterrolebinding                
NAME                                                            ROLE                                                                        AGE
cert-manager-cainjector                                         ClusterRole/cert-manager-cainjector                                         6d22h
cert-manager-controller-approve:cert-manager-io                 ClusterRole/cert-manager-controller-approve:cert-manager-io                 6d22h
cert-manager-controller-certificates                            ClusterRole/cert-manager-controller-certificates                            6d22h
cert-manager-controller-certificatesigningrequests              ClusterRole/cert-manager-controller-certificatesigningrequests              6d22h
cert-manager-controller-challenges                              ClusterRole/cert-manager-controller-challenges                              6d22h
cert-manager-controller-clusterissuers                          ClusterRole/cert-manager-controller-clusterissuers                          6d22h
cert-manager-controller-ingress-shim                            ClusterRole/cert-manager-controller-ingress-shim                            6d22h
cert-manager-controller-issuers                                 ClusterRole/cert-manager-controller-issuers                                 6d22h
cert-manager-controller-orders                                  ClusterRole/cert-manager-controller-orders                                  6d22h
cert-manager-webhook:subjectaccessreviews                       ClusterRole/cert-manager-webhook:subjectaccessreviews                       6d22h

Screenshot 2024-12-05 at 15 28 12 Screenshot 2024-12-05 at 15 28 46
@obriensystems obriensystems self-assigned this Dec 5, 2024
obriensystems added a commit that referenced this issue Dec 5, 2024
obriensystems added a commit that referenced this issue Dec 5, 2024
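The end-to-end check the comment above does by hand (`cmctl inspect secret`, `cmctl status certificate`, `curl --insecure -v`) as a single canary script. This is an added example, not code from the issue or from the cert-manager project: `SELF_SIGNED_WWW` is a dict constructed here to mirror the certificate cmctl printed (same subject, issuer, SAN and validity), and the file name and command-line arguments are assumptions. Unlike `curl --insecure`, it keeps TLS verification on and pins the certificate from the `www-tls` secret as its trust anchor while the selfsigned ClusterIssuer is in use, because with verification disabled Python's `getpeercert()` returns an empty dict and there is nothing to check. The renewal check encodes cert-manager's default: `renewBefore` is 1/3 of the lifetime, so renewal is due at notAfter minus lifetime/3, which is the `Renewal Time: 2025-02-03T14:19:16-05:00` cmctl reported for a 90-day certificate.

```python
"""TLS canary for the www record (added example; see lead-in for assumptions)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_cert_time(value):
    # ssl.getpeercert() renders dates like 'Mar  5 19:19:16 2025 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)


def name_map(rdns):
    # getpeercert() encodes subject/issuer as ((('commonName', 'x'),), ...)
    return {key: value for rdn in rdns for key, value in rdn}


def cert_manager_renewal_time(not_before, not_after, renew_before=None):
    """When cert-manager will renew: notAfter - renewBefore (default: 1/3 of lifetime)."""
    if renew_before is None:
        renew_before = (not_after - not_before) / 3
    return not_after - renew_before


def evaluate(cert, hostname, now, min_days=14, renewal_grace=timedelta(days=1)):
    """Return a list of findings for one getpeercert()-shaped dict; [] means green."""
    findings = []
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        findings.append(f"hostname {hostname} not in SAN {sorted(sans)}")
    if name_map(cert["subject"]) == name_map(cert["issuer"]):
        findings.append("self-signed: issuer equals subject (fine only on the selfsigned ClusterIssuer stage)")
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        findings.append("not yet valid")
    elif now >= not_after:
        findings.append("expired")
    elif not_after - now < timedelta(days=min_days):
        findings.append(f"expires in {(not_after - now).days} days")
    renewal_at = cert_manager_renewal_time(not_before, not_after)
    # still serving the old cert well past the point cert-manager should have rotated it
    if renewal_at + renewal_grace < now < not_after:
        findings.append(f"renewal overdue: cert-manager should have renewed at {renewal_at.isoformat()}")
    return findings


def fetch_peer_cert(hostname, port=443, cafile=None, timeout=5.0):
    """Fetch the served leaf certificate in the shape evaluate() expects.

    Verification stays on: with verify_mode=CERT_NONE, getpeercert() returns {}.
    On the self-signed stage pass the certificate from the www-tls secret as
    cafile (it becomes the only trust anchor); once a public CA issues, leave
    cafile=None so the system store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed to match what `cmctl inspect secret www-tls` printed above.
SELF_SIGNED_WWW = {
    "subject": ((("commonName", "www.eventfield.io"),),),
    "issuer": ((("commonName", "www.eventfield.io"),),),
    "subjectAltName": (("DNS", "www.eventfield.io"),),
    "notBefore": "Dec  5 19:19:16 2024 GMT",
    "notAfter": "Mar  5 19:19:16 2025 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 canary.py www.eventfield.io [www-tls.crt]
        host = sys.argv[1]
        cert = fetch_peer_cert(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        host, cert = "www.eventfield.io", SELF_SIGNED_WWW
    for finding in evaluate(cert, host, datetime.now(UTC)) or ["ok"]:
        print(finding)
```

To pin the self-signed certificate, export it from the secret first (`kubectl get secret www-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > www-tls.crt`) and pass that path as the second argument; without it the handshake fails with the same "unknown authority" error cmctl showed, which is the correct outcome for an unpinned canary.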

obriensystems commented Dec 9, 2024

part 2 - Let's Encrypt and AWS Route 53
https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/#part-2

setup eksctl
https://docs.aws.amazon.com/eks/latest/userguide/setting-up.html
https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html#eksctl-install-update
https://eksctl.io/installation/

brew tap weaveworks/tap
brew install weaveworks/tap/eksctl
(venv-metal) michaelobrien@Michaels-MBP eks % eksctl version  
0.197.0

eks cluster was already up
(venv-metal) michaelobrien@Michaels-MBP eks % export CLUSTER=prod
(venv-metal) michaelobrien@Michaels-MBP eks % eksctl utils associate-iam-oidc-provider --cluster $CLUSTER --approve
2024-12-09 10:23:49 [ℹ]  will create IAM Open ID Connect provider for cluster "prod" in "us-east-1"
2024-12-09 10:23:49 [✔]  created IAM Open ID Connect provider for cluster "prod" in "us-east-1"

read on OpenID Connect https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html


obriensystems added a commit that referenced this issue Dec 11, 2024
obriensystems added a commit that referenced this issue Dec 12, 2024
obriensystems added a commit that referenced this issue Dec 12, 2024
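Associating the OIDC provider is the first half of IRSA; the second half is a role whose trust policy admits the cert-manager ServiceAccount and whose permissions policy lets the DNS-01 solver write `_acme-challenge` TXT records. This added example (not code from the issue or from cert-manager) generates both documents. The permission set is the one the cert-manager Route53 documentation lists; two tightenings are this example's own choice: `ChangeResourceRecordSets` is scoped to the hosted zone IDs you pass in rather than `hostedzone/*`, and restricted to TXT records via the `route53:ChangeResourceRecordSetsRecordTypes` condition key. The account ID and OIDC issuer in the usage are placeholders. Note that `aws route53 list-hosted-zones-by-name` returns the ID as `/hostedzone/Z...` (as in the comment above) while the ARN needs the bare ID, which `hosted_zone_arn` handles.

```python
"""IAM documents for cert-manager's Route53 DNS-01 solver via IRSA (added example)."""
import json


def hosted_zone_arn(hosted_zone_id):
    """Accepts '/hostedzone/Z...' (CLI output) or 'Z...' and returns the zone ARN."""
    zone_id = hosted_zone_id.rsplit("/", 1)[-1]
    if not zone_id or not zone_id.isalnum():
        raise ValueError(f"not a hosted zone id: {hosted_zone_id!r}")
    return f"arn:aws:route53:::hostedzone/{zone_id}"


def dns01_policy(hosted_zone_ids):
    """Permissions policy for the solver, scoped to the given zones and to TXT records."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "route53:GetChange",
                "Resource": "arn:aws:route53:::change/*",
            },
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
                "Resource": [hosted_zone_arn(z) for z in hosted_zone_ids],
                # ACME DNS-01 only ever writes TXT records; ForAllValues passes when
                # the key is absent, so ListResourceRecordSets is unaffected.
                "Condition": {
                    "ForAllValues:StringEquals": {"route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}
                },
            },
            {
                "Effect": "Allow",
                "Action": "route53:ListHostedZonesByName",
                "Resource": "*",
            },
        ],
    }


def irsa_trust_policy(account_id, oidc_issuer, namespace="cert-manager", service_account="cert-manager"):
    """Trust policy binding the role to one ServiceAccount via the cluster's OIDC provider.

    oidc_issuer is the cluster's issuer URL, with or without 'https://', e.g.
    oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE (placeholder).
    """
    issuer = oidc_issuer.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # both conditions matter: sub pins the SA, aud rejects tokens minted for other audiences
                        f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                        f"{issuer}:aud": "sts.amazonaws.com",
                    }
                },
            }
        ],
    }


if __name__ == "__main__":
    # Placeholder identifiers; substitute the real account, issuer and HOSTED_ZONE_ID.
    with open("cert-manager-route53-policy.json", "w") as fh:
        json.dump(dns01_policy(["/hostedzone/Z0EXAMPLE"]), fh, indent=2)
    with open("cert-manager-trust-policy.json", "w") as fh:
        json.dump(irsa_trust_policy("123456789012", "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"), fh, indent=2)
```

The two files feed `aws iam create-policy --policy-document file://...` and `aws iam create-role --assume-role-policy-document file://...`; the resulting role ARN goes on the cert-manager ServiceAccount as the `eks.amazonaws.com/role-arn` annotation, after which the pod receives a projected web-identity token that STS exchanges under the trust policy above.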

reloader on #6


obriensystems commented Jan 7, 2025

I need an ELB rotation trigger
change ELB rotated on 19 Dec
Screenshot 2025-01-07 at 11 45 30

Screenshot 2025-01-07 at 11 46 20 Screenshot 2025-01-07 at 11 47 19 Screenshot 2025-01-07 at 11 48 32


Fix $DOMAIN_NAME deployment workflow substitution

Image
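The `envsubst < certificate.yaml | kubectl apply -f -` step in the first comment and the `$DOMAIN_NAME` substitution fix in the comment above share one failure mode: a shell-style substituter renders an unset or empty `DOMAIN_NAME` as `www.`, and that bogus name reaches cert-manager as the commonName and dnsName. The following added example (not the issue's code, and not a8m/envsubst) renders the same template fail-closed: it refuses to emit a manifest unless every placeholder is set and every resulting name is a valid hostname. `CERT_TEMPLATE` is a copy of the page's certificate.yaml embedded so the example runs offline.

```python
"""Fail-closed rendering of the $DOMAIN_NAME certificate template (added example)."""
import re
from string import Template

# Copy of the certificate.yaml on this page; $DOMAIN_NAME is the only placeholder.
CERT_TEMPLATE = """\
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
spec:
  secretName: www-tls
  revisionHistoryLimit: 1
  privateKey:
    rotationPolicy: Always
  commonName: www.$DOMAIN_NAME
  dnsNames:
    - www.$DOMAIN_NAME
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
"""

# RFC 1123 hostname: two or more labels of 1-63 alphanumerics/hyphens, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def hostnames_in(rendered):
    """Collect commonName and dnsNames entries from the rendered manifest (this shape needs no YAML parser)."""
    names = re.findall(r"^\s*commonName:\s*(\S*)\s*$", rendered, re.MULTILINE)
    in_dns_names = False
    for line in rendered.splitlines():
        if re.match(r"^\s*dnsNames:\s*$", line):
            in_dns_names = True
            continue
        if in_dns_names:
            item = re.match(r"^\s*-\s*(\S*)\s*$", line)
            if item:
                names.append(item.group(1))
                continue
            in_dns_names = False  # next key ends the list
    return names


def manifest_problems(template, env):
    """Return [] when rendering is safe, otherwise the reasons it is not."""
    try:
        rendered = Template(template).substitute(env)
    except KeyError as exc:  # placeholder with no value in env
        return [f"unset variable: {exc.args[0]}"]
    except ValueError as exc:  # malformed placeholder such as a bare '$'
        return [f"bad placeholder: {exc}"]
    return [f"invalid hostname: {name!r}" for name in hostnames_in(rendered) if not HOSTNAME_RE.match(name)]


def render_manifest(template, env):
    """Render or raise; never emits a manifest with a broken name."""
    problems = manifest_problems(template, env)
    if problems:
        raise ValueError("; ".join(problems))
    return Template(template).substitute(env)


if __name__ == "__main__":
    import os
    import sys
    # usage: DOMAIN_NAME=eventfield.io python3 render.py | kubectl apply -f -
    sys.stdout.write(render_manifest(CERT_TEMPLATE, os.environ))
```

A non-zero exit from the renderer stops the pipe before `kubectl apply` runs, which is the behaviour to want in a deployment workflow. a8m/envsubst's own `-no-unset` and `-no-empty` flags cover the unset/empty half of this check; the hostname validation is the part a substituter cannot do for you.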
