use kubectl to create cert

Author: iQQBot

.werft/build.ts

@@ -4,7 +4,7 @@ import * as path from 'path';
 import { exec, ExecOptions } from './util/shell';
 import { Werft } from './util/werft';
 import { waitForDeploymentToSucceed, wipeAndRecreateNamespace, setKubectlContextNamespace, deleteNonNamespaceObjects, findFreeHostPorts, createNamespace, helmInstallName } from './util/kubectl';
-import { issueCertficate, installCertficate, IssueCertificateParams, InstallCertificateParams } from './util/certs';
+import { newIssueCertficate, installCertficate, IssueCertificateParams, InstallCertificateParams } from './util/certs';
 import { reportBuildFailureInSlack } from './util/slack';
 import * as semver from 'semver';
 import * as util from 'util';
@@ -874,7 +874,7 @@ export async function issueMetaCerts(namespace: string, domain: string) {
     metaClusterCertParams.ip = getCoreDevIngressIP();
     metaClusterCertParams.bucketPrefixTail = ""
     metaClusterCertParams.additionalSubdomains = additionalSubdomains
-    await issueCertficate(werft, metaClusterCertParams, metaEnv());
+    await newIssueCertficate(werft, metaClusterCertParams, metaEnv());
 }
 
 async function installMetaCertificates(namespace: string) {

.werft/util/certs.ts

@@ -1,5 +1,7 @@
 import { exec, ExecOptions } from './shell';
 import { sleep } from './util';
+import { readFileSync, writeFileSync } from 'fs';
+import * as path from 'path';
 
 
 export class IssueCertificateParams {
@@ -68,6 +70,48 @@ export async function issueCertficate(werft, params: IssueCertificateParams, she
     }
 }
 
+export async function newIssueCertficate(werft, params: IssueCertificateParams, shellOpts: ExecOptions) {
+    var subdomains = [];
+    werft.log("certificate", `Subdomains: ${params.additionalSubdomains}`)
+    for (const sd of params.additionalSubdomains) {
+        subdomains.push(sd);
+    }
+
+    // sanity: check if there is a "SAN short enough to fit into CN (63 characters max)"
+    // source: https://community.letsencrypt.org/t/certbot-errors-with-obtaining-a-new-certificate-an-unexpected-error-occurred-the-csr-is-unacceptable-e-g-due-to-a-short-key-error-finalizing-order-issuing-precertificate-csr-doesnt-contain-a-san-short-enough-to-fit-in-cn/105513/2
+    if (!subdomains.some(sd => {
+        const san = sd + params.domain;
+        return san.length <= 63;
+    })) {
+        throw new Error(`there is no subdomain + '${params.domain}' shorter or equal to 63 characters, max. allowed length for CN. No HTTPS certs for you! Consider using a short branch name...`);
+    }
+    var cmd = `set -x \
+    && cd ${path.join(params.pathToTerraform, 'cert/templates')} \
+    && cp cert-manager_certificate.tpl cert.yaml \
+    && yq w -i cert.yaml metadata.name '${params.namespace}' \
+    && yq w -i cert.yaml spec.secretName '${params.namespace}' \
+    && yq w -i cert.yaml metadata.namespace '${params.certNamespace}' \
+    ${subdomains.map(s => `&& yq w -i cert.yaml spec.dnsNames[+] '${s+params.domain}'`).join('  ')} \
+    && kubectl apply -f cert.yaml`;
+
+    werft.log("certificate", "Kubectl command for cert creation: " + cmd)
+    exec(cmd, { ...shellOpts, slice: 'certificate' });
+
+    werft.log('certificate', `waiting until certificate ${params.certNamespace}/${params.namespace} is ready...`)
+    let notReadyYet = true;
+    for (let i = 0; i < 90 && notReadyYet; i++) {
+        werft.log('certificate', `polling state of ${params.certNamespace}/${params.namespace}...`)
+        const result = exec(`kubectl -n ${params.certNamespace} get certificate ${params.namespace} -o jsonpath="{.status.conditions[?(@.type == 'Ready')].status}"`, { ...shellOpts, silent: true, dontCheckRc: true, async: false });
+        if (result != undefined && result.code === 0 && result.stdout === "True") {
+            notReadyYet = false;
+            break;
+        }
+
+        await sleep(5000);
+    }
+}
+
+
 export async function installCertficate(werft, params: InstallCertificateParams, shellOpts: ExecOptions) {
     let notReadyYet = true;
     werft.log('certificate', `copying certificate from "${params.certNamespace}/${params.certName}" to "${params.destinationNamespace}/${params.certSecretName}"`);