Commit cfe8024e authored by Tiger's avatar Tiger

Allow Cert-Manager to be uninstalled

Our current version of Cert-Manager does not uninstall
cleanly, and we must manually remove custom resource
definitions.
parent 5ebbe95a
......@@ -12,7 +12,7 @@ const CUSTOM_APP_WARNING_TEXT = {
'ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored.',
),
[CERT_MANAGER]: s__(
'ClusterIntegration|The associated certifcate will be deleted and cannot be restored.',
'ClusterIntegration|The associated private key will be deleted and cannot be restored.',
),
[PROMETHEUS]: s__('ClusterIntegration|All data will be deleted and cannot be restored.'),
[RUNNER]: s__('ClusterIntegration|Any running pipelines will be canceled.'),
......
......@@ -24,12 +24,6 @@ module Clusters
'stable/cert-manager'
end
# We will implement this in future MRs.
# Need to reverse postinstall step
def allowed_to_uninstall?
false
end
def install_command
Gitlab::Kubernetes::Helm::InstallCommand.new(
name: 'certmanager',
......@@ -41,12 +35,42 @@ module Clusters
)
end
def uninstall_command
Gitlab::Kubernetes::Helm::DeleteCommand.new(
name: 'certmanager',
rbac: cluster.platform_kubernetes_rbac?,
files: files,
postdelete: post_delete_script
)
end
private
def post_install_script
["kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml"]
end
def post_delete_script
[
delete_private_key,
delete_crd('certificates.certmanager.k8s.io'),
delete_crd('clusterissuers.certmanager.k8s.io'),
delete_crd('issuers.certmanager.k8s.io')
].compact
end
def private_key_name
@private_key_name ||= cluster_issuer_content.dig('spec', 'acme', 'privateKeySecretRef', 'name')
end
def delete_private_key
"kubectl delete secret -n #{Gitlab::Kubernetes::Helm::NAMESPACE} #{private_key_name} --ignore-not-found" if private_key_name.present?
end
def delete_crd(definition)
"kubectl delete crd #{definition} --ignore-not-found"
end
def cluster_issuer_file
{
'cluster_issuer.yaml': cluster_issuer_yaml_content
......
---
title: Allow Cert-Manager to be uninstalled
merge_request: 31166
author:
type: added
......@@ -252,6 +252,7 @@ The applications below can be uninstalled.
| Application | GitLab version | Notes |
| ----------- | -------------- | ----- |
| Cert-Manager | 12.2+ | The associated private key will be deleted and cannot be restored. Deployed applications will continue to use HTTPS, but certificates will not be renewed. Before uninstalling, you may wish to [back up your configuration](https://docs.cert-manager.io/en/latest/tasks/backup-restore-crds.html) or [revoke your certificates](https://letsencrypt.org/docs/revoking/) |
| GitLab Runner | 12.2+ | Any running pipelines will be canceled. |
| Helm | 12.2+ | The associated Tiller pod will be deleted and cannot be restored. |
| Ingress | 12.1+ | The associated load balancer and IP will be deleted and cannot be restored. Furthermore, it can only be uninstalled if JupyterHub is not installed. |
......
......@@ -2821,10 +2821,10 @@ msgstr ""
msgid "ClusterIntegration|The associated Tiller pod will be deleted and cannot be restored."
msgstr ""
msgid "ClusterIntegration|The associated certifcate will be deleted and cannot be restored."
msgid "ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored."
msgstr ""
msgid "ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored."
msgid "ClusterIntegration|The associated private key will be deleted and cannot be restored."
msgstr ""
msgid "ClusterIntegration|The endpoint is in the process of being assigned. Please check your Kubernetes cluster or Quotas on Google Kubernetes Engine if it takes a long time."
......
......@@ -183,7 +183,7 @@ describe 'Clusters Applications', :js do
Clusters::Cluster.last.application_cert_manager.make_installed!
expect(email_form_value).to eq('new_email@example.org')
expect(page).to have_css('.js-cluster-application-install-button', exact_text: 'Installed')
expect(page).to have_css('.js-cluster-application-uninstall-button', exact_text: 'Uninstall')
end
expect(page).to have_content('Cert-Manager was successfully installed on your Kubernetes cluster')
......
......@@ -13,7 +13,7 @@ describe Clusters::Applications::CertManager do
describe '#can_uninstall?' do
subject { cert_manager.can_uninstall? }
it { is_expected.to be_falsey }
it { is_expected.to be_truthy }
end
describe '#install_command' do
......@@ -80,6 +80,44 @@ describe Clusters::Applications::CertManager do
end
end
describe '#uninstall_command' do
subject { cert_manager.uninstall_command }
it { is_expected.to be_an_instance_of(Gitlab::Kubernetes::Helm::DeleteCommand) }
it 'is initialized with cert_manager arguments' do
expect(subject.name).to eq('certmanager')
expect(subject).to be_rbac
expect(subject.files).to eq(cert_manager.files)
end
it 'specifies a post delete command to remove custom resource definitions' do
expect(subject.postdelete).to eq([
"kubectl delete secret -n gitlab-managed-apps letsencrypt-prod --ignore-not-found",
'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
])
end
context 'secret key name is not found' do
before do
allow(File).to receive(:read).and_call_original
expect(File).to receive(:read)
.with(Rails.root.join('vendor', 'cert_manager', 'cluster_issuer.yaml'))
.and_return('key: value')
end
it 'does not try and delete the secret' do
expect(subject.postdelete).to eq([
'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
])
end
end
end
describe '#files' do
let(:application) { cert_manager }
let(:values) { subject[:'values.yaml'] }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment