Migrate Self Signed Certificate Config Map to Sidecar Injector

Article ID:360040081512

Issue

Previously I followed the instructions to add a Self Signed Certificate using a Config Map. This is no longer the suggested method for applying a self signed certificate to controllers and agents. Instead I would like to use the new method of Creating a Sidecar Injector.

Resolution

Before switching to the sidecar injector, you first need to undo the existing config map setup. The following steps reverse, in order, the steps of the linked config map article: agents (Pod Templates), then Managed controllers, then CJOC, and finally the ConfigMap itself.

1) Remove the Configurations from the Agents

Note: Be sure to follow these steps for all of your Pod Templates that use these certificates.

Go to the configuration of the Pod Template.

Remove the following environment variables from the Pod template:

For Java:

  • Key: JAVA_OPTS

  • Value: -Djavax.net.ssl.trustStore=/var/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit

For curl:

  • Key: CURL_CA_BUNDLE

  • Value: /var/certs/ca-certificates.crt

For git:

  • Key: GIT_SSL_CAINFO

  • Value: /var/certs/ca-certificates.crt

Remove the volume of type ConfigMap Volume from the Pod template:

  • Config Map name: ca-bundle

  • Mount path: /var/certs/

2) Remove the Configurations from the Managed controllers

Note: Be sure to follow these steps for all of your Managed controllers that use these certificates.

Go to Manage Jenkins > Configure System > Kubernetes controller Provisioning > Advanced

Remove the Global Properties:

javax.net.ssl.trustStore=/var/certs/cacerts
javax.net.ssl.trustStorePassword=changeit

Remove the Global Variables:

CURL_CA_BUNDLE=/var/certs/ca-certificates.crt
GIT_SSL_CAINFO=/var/certs/ca-certificates.crt

Remove this from the YAML field:

apiVersion: "apps/v1"
kind: "StatefulSet"
spec:
  template:
    spec:
      containers:
        - name: "jenkins"
          volumeMounts:
          - name: volume-ca-bundle
            mountPath: /var/certs
      volumes:
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle

Note: Changes made here only apply to newly created Managed controllers. For existing Managed controllers, make the same removal in each controller's own configuration and re-provision the controller so that the StatefulSet is regenerated without the volume and mount.

3) Remove the certificates from the CJOC StatefulSet

In cloudbees-core.yaml, edit the cjoc StatefulSet and remove the following sections (yours may differ slightly depending on your specific implementation).

The VolumeMount:

        volumeMounts:
        - name: volume-ca-bundle
          mountPath: /var/certs

The Volume (only the volume-ca-bundle entry is removed; the jenkins-configure-jenkins-groovy volume is part of the stock manifest, is shown here for context and must stay):

      volumes:
      - name: jenkins-configure-jenkins-groovy
        configMap:
          name: cjoc-configure-jenkins-groovy
      - name: volume-ca-bundle
        configMap:
          name: ca-bundle

The environment variables for the cjoc container:

        env:
        - name: CURL_CA_BUNDLE
          value: /var/certs/ca-certificates.crt
        - name: GIT_SSL_CAINFO
          value: /var/certs/ca-certificates.crt

The JVM arguments (remove the two truststore flags from JAVA_OPTS; keep any other flags your installation sets there, such as the storageClassName property mentioned in the comment):

        env:
        - name: JAVA_OPTS
          # To allocate controllers using a non-default storage class, add the following
          # -Dcom.cloudbees.masterprovisioning.kubernetes.KubernetesMasterProvisioning.storageClassName=some-storage-class
          value: >-
            -Djavax.net.ssl.trustStore=/var/certs/cacerts
            -Djavax.net.ssl.trustStorePassword=changeit

Apply this change with:

kubectl apply -f cloudbees-core.yaml -n $CJE_NAMESPACE

4) Remove the ConfigMap from CJOC

Run the command:

kubectl delete configmap ca-bundle -n $CJE_NAMESPACE
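Deleting the ConfigMap while a StatefulSet or a running agent pod still mounts it leaves those pods unable to start on their next (re)provisioning, because the volume mount fails when the ConfigMap is missing. The script below is an added example, not part of this article or of CloudBees Core: it reads `kubectl ... -o json` output from stdin and reports every Pod, or workload pod template, that still references the ca-bundle ConfigMap, the /var/certs mount, the CURL_CA_BUNDLE or GIT_SSL_CAINFO variables, or the truststore JVM flags named in the steps above. The `SAMPLE` object, the namespace `cloudbees-core` in it and the script name `check_ca_bundle_refs.py` are constructed for the demonstration.

```python
import json
import sys

# Names and paths from the old config-map method described in this article.
CA_BUNDLE_CONFIGMAP = "ca-bundle"
CA_MOUNT_PATH = "/var/certs"
CA_ENV_VARS = {"CURL_CA_BUNDLE", "GIT_SSL_CAINFO"}
TRUSTSTORE_FLAGS = ("-Djavax.net.ssl.trustStore=", "-Djavax.net.ssl.trustStorePassword=")


def pod_specs(obj):
    """Yield (label, PodSpec) for a Pod, a workload carrying a pod template, or a kubectl List."""
    kind = obj.get("kind", "")
    if kind == "List":
        for item in obj.get("items", []):
            yield from pod_specs(item)
        return
    meta = obj.get("metadata", {})
    label = f"{kind}/{meta.get('namespace', '')}/{meta.get('name', '')}"
    spec = obj.get("spec", {})
    if kind == "Pod":
        yield label, spec
    elif "template" in spec:  # StatefulSet, Deployment, DaemonSet, ...
        yield label, spec["template"].get("spec", {})


def find_ca_bundle_refs(obj):
    """Return one finding string per leftover reference to the old CA bundle setup."""
    findings = []
    for label, spec in pod_specs(obj):
        for vol in spec.get("volumes") or []:
            if (vol.get("configMap") or {}).get("name") == CA_BUNDLE_CONFIGMAP:
                findings.append(f"{label}: volume {vol.get('name')} still uses ConfigMap {CA_BUNDLE_CONFIGMAP}")
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for c in containers:
            cname = c.get("name")
            for vm in c.get("volumeMounts") or []:
                if vm.get("mountPath", "").rstrip("/") == CA_MOUNT_PATH:
                    findings.append(f"{label}: container {cname} still mounts {CA_MOUNT_PATH}")
            for env in c.get("env") or []:
                # Variables populated via valueFrom have no "value"; treat them as empty.
                name, value = env.get("name"), env.get("value") or ""
                if name in CA_ENV_VARS and value.startswith(CA_MOUNT_PATH):
                    findings.append(f"{label}: container {cname} still sets {name}={value}")
                if name == "JAVA_OPTS" and any(flag in value for flag in TRUSTSTORE_FLAGS):
                    findings.append(f"{label}: container {cname} JAVA_OPTS still carries truststore flags")
    return findings


# Constructed sample: a cjoc StatefulSet that was NOT cleaned up, and one clean agent pod.
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "kind": "StatefulSet",
            "metadata": {"name": "cjoc", "namespace": "cloudbees-core"},
            "spec": {"template": {"spec": {
                "containers": [{
                    "name": "jenkins",
                    "env": [
                        {"name": "CURL_CA_BUNDLE", "value": "/var/certs/ca-certificates.crt"},
                        {"name": "JAVA_OPTS", "value": "-Djavax.net.ssl.trustStore=/var/certs/cacerts "
                                                      "-Djavax.net.ssl.trustStorePassword=changeit"},
                    ],
                    "volumeMounts": [{"name": "volume-ca-bundle", "mountPath": "/var/certs"}],
                }],
                "volumes": [
                    {"name": "jenkins-configure-jenkins-groovy",
                     "configMap": {"name": "cjoc-configure-jenkins-groovy"}},
                    {"name": "volume-ca-bundle", "configMap": {"name": "ca-bundle"}},
                ],
            }}},
        },
        {
            "kind": "Pod",
            "metadata": {"name": "agent-clean", "namespace": "cloudbees-core"},
            "spec": {"containers": [{"name": "jnlp", "env": [{"name": "JAVA_OPTS", "value": "-Xmx512m"}]}],
                     "volumes": []},
        },
    ],
}


if __name__ == "__main__":
    # Usage: kubectl get statefulsets,pods -A -o json | python3 check_ca_bundle_refs.py -
    # Without "-" the constructed SAMPLE is checked instead.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    refs = find_ca_bundle_refs(data)
    for ref in refs:
        print(ref)
    if refs:
        print(f"{len(refs)} leftover reference(s); do not delete the ConfigMap yet")
    else:
        print("no leftover ca-bundle references")
    sys.exit(1 if refs else 0)
```

A non-zero exit means something still depends on the ConfigMap, so fix that StatefulSet or Pod Template first. Note that agent Pod Templates live in the controller configuration, not in the cluster, so the check only sees agent pods that are running at the time; step 1 still has to be done by hand for every template.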

5) Moving On

There should now be no custom CA bundle mounted into CJOC, the Managed controllers or the agents. Confirm that the cluster is still functional in that state (connections that relied on the self signed certificate will not trust it again until the sidecar injector is in place). You are then free to follow the Creating a Sidecar Injector instructions linked above.