staging/deposit: Drop crt configuration
In the dedicated 'certificates' view in k9s, it's complaining about it [1].
And it's actually exposed through the reverse proxy, which has the correct certificate. So the ingress does not need it. Internally, we only use HTTP connections to communicate.
I'm only applying this to the current staging instance to check it's ok (prior to adapting the production instance, which is soon to be deployed, accordingly).
make swh-helm-diff
Switched to branch 'production'
Switched to branch 'fix-deposit-crt-config'
Switched to branch 'production'
Switched to branch 'fix-deposit-crt-config'
./swh/helm-diff.sh
[swh] Comparing changes between branches production and fix-deposit-crt-config (per environment)...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment staging, namespace swh...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra...
[swh] Generate config in production branch for environment staging, namespace swh-cassandra-next-version...
[swh] Generate config in fix-deposit-crt-config branch for environment staging...
[swh] Generate config in fix-deposit-crt-config branch for environment staging...
[swh] Generate config in fix-deposit-crt-config branch for environment staging...
Your branch is up to date with 'origin/production'.
[swh] Generate config in production branch for environment production, namespace swh...
[swh] Generate config in production branch for environment production, namespace swh-cassandra...
[swh] Generate config in production branch for environment production, namespace swh-cassandra-next-version...
[swh] Generate config in fix-deposit-crt-config branch for environment production...
[swh] Generate config in fix-deposit-crt-config branch for environment production...
[swh] Generate config in fix-deposit-crt-config branch for environment production...
------------- diff for environment staging namespace swh -------------
No differences
------------- diff for environment staging namespace swh-cassandra -------------
--- /tmp/swh-chart.swh.gG9FxTfi/staging-swh-cassandra.before 2024-01-10 15:36:19.685279531 +0100
+++ /tmp/swh-chart.swh.gG9FxTfi/staging-swh-cassandra.after 2024-01-10 15:36:20.393279569 +0100
@@ -23692,22 +23692,20 @@
---
# Source: swh/templates/deposit/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: deposit-ingress-authenticated
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
- kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# an htpasswd file in the key auth within the secret
nginx.ingress.kubernetes.io/auth-secret-type: auth-file
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: swh-cassandra/deposit-auth-secrets
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
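Review bot: the annotation 'cert-manager.io/cluster-issuer: letsencrypt-production-gandi' stays on deposit-ingress-authenticated while 'kubernetes.io/tls-acme' is removed right below it. With the tls section of this ingress also removed further down in the diff, the issuer annotation no longer has anything to issue for. Dropping it in the same change would keep the manifest from suggesting that a certificate is still requested here; if it is kept on purpose, a comment in the template saying why would help.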
@@ -23737,39 +23735,30 @@
- host: deposit-dynamic.internal.staging.swh.network
http:
paths:
- path: /1/private/
pathType: Prefix
backend:
service:
name: deposit
port:
number: 5006
-
- tls:
- - hosts:
- - deposit-rpc-ingress
- - deposit.staging.swh.network
- - deposit-dynamic.internal.staging.swh.network
- secretName: swh-deposit-crt
---
# Source: swh/templates/deposit/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: deposit-ingress-default
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production-gandi
kubernetes.io/ingress.class: nginx
- kubernetes.io/tls-acme: "true"
- nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
rules:
- host: deposit-rpc-ingress
http:
paths:
- path: /
pathType: Prefix
backend:
service:
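Review bot: missing documentation for the removed 'tls:' block at the end of deposit-ingress-authenticated. That ingress carries 'auth-type: basic' and routes /1/private/ on deposit-dynamic.internal.staging.swh.network, so once the block is gone the ingress has no certificate of its own for these hosts and the basic-auth credentials depend on the reverse proxy for transport protection. The description states that assumption; a short comment in swh/templates/deposit/ingress.yaml recording it would make it checkable later. In the deposit-ingress-default part of this hunk the cluster-issuer annotation is again left in place next to the removed 'kubernetes.io/tls-acme' line.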
@@ -23815,27 +23804,20 @@
port:
number: 5006
- path: /static
pathType: Prefix
backend:
service:
name: deposit
port:
number: 80
-
- tls:
- - hosts:
- - deposit-rpc-ingress
- - deposit.staging.swh.network
- - deposit-dynamic.internal.staging.swh.network
- secretName: swh-deposit-crt
---
# Source: swh/templates/graphql/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: swh-cassandra
name: graphql-cassandra-ingress-default
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: 10.42.0.0/16,10.43.0.0/16,192.168.101.0/24,192.168.130.0/24,192.168.50.0/24
nginx.ingress.kubernetes.io/rewrite-target: /
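Review bot: after this hunk nothing in the rendered output references 'secretName: swh-deposit-crt' any more, but the change only touches the Ingress objects. It is worth confirming on staging that the swh-deposit-crt Certificate and its Secret are actually gone once this is deployed, otherwise the failing order shown in [1] may keep being retried; if they are not cleaned up automatically, the manual deletion step belongs in the description. The removed host list also shows the cause of that failure: 'deposit-rpc-ingress' has no dot, which is exactly what the ACME error in [1] rejects.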
------------- diff for environment staging namespace swh-cassandra-next-version -------------
No differences
------------- diff for environment production namespace swh -------------
No differences
------------- diff for environment production namespace swh-cassandra -------------
No differences
[1]
Status:
Conditions:
Last Transition Time: 2023-11-16T10:33:15Z
Message: Fields on existing CertificateRequest resource not up to date: [spec.dnsNames]
Observed Generation: 3
Reason: RequestChanged
Status: False
Type: Ready
Last Transition Time: 2024-01-10T01:34:54Z
Message: The certificate request has failed to complete and will be retried: Failed to wait for order resource "swh-deposit-crt-87z6c-2334378601" to become ready: order is in "errored" state:
Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "deposit-rpc-ingress": Domain name needs at least one dot
Observed Generation: 3
Reason: Failed
Status: False
Type: Issuing
Edited by Antoine R. Dumont