via
- https://github.com/cert-manager/cert-manager?tab=readme-ov-file
- https://cert-manager.io/docs/getting-started/
- https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/
- https://github.com/stakater/Reloader#how-to-use-reloader
ELB for EKS pod
- $0.60/day or $19/month

(venv-metal) michaelobrien@Michaels-MBP pipeline % git checkout -b 3-cert-manager
Switched to a new branch '3-cert-manager'
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws configure
AWS Access Key ID [None]: A...
AWS Secret Access Key [None]: h...
Default region name [None]: us-east-1
Default output format [None]: json
(venv-metal) michaelobrien@Michaels-MBP pipeline % export AWS_DEFAULT_OUTPUT=json
(venv-metal) michaelobrien@Michaels-MBP pipeline % export AWS_DEFAULT_REGION=us-east-1
(venv-metal) michaelobrien@Michaels-MBP pipeline % export DOMAIN_NAME=eventfield.io
(venv-metal) michaelobrien@Michaels-MBP pipeline % HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text)
(venv-metal) michaelobrien@Michaels-MBP pipeline % echo $HOSTED_ZONE_ID
/hostedzone/Z...T
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws route53 get-hosted-zone --id ${HOSTED_ZONE_ID}
{
"HostedZone": {
"Id": "/hostedzone/Z...T",
"Name": "eventfield.io.",
"CallerReference": "RISWorkflow-RD:db...39",
"Config": {
"Comment": "HostedZone created by Route53 Registrar",
"PrivateZone": false
},
"ResourceRecordSetCount": 11
},
"DelegationSet": {
"NameServers": [
"ns-1994.awsdns-57.co.uk",
"ns-554.awsdns-05.net",
"ns-1212.awsdns-23.org",
"ns-273.awsdns-34.com"
]
}
}
(venv-metal) michaelobrien@Michaels-MBP pipeline % dig $DOMAIN_NAME ns +trace +nodnssec
; <<>> DiG 9.10.6 <<>> eventfield.io ns +trace +nodnssec
;; global options: +cmd
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 239 bytes from 2607:fea8:e25d:7b60:688f:2eff:fe18:cd81#53(2607:fea8:e25d:7b60:688f:2eff:fe18:cd81) in 29 ms
io. 172800 IN NS a0.nic.io.
io. 172800 IN NS a2.nic.io.
io. 172800 IN NS b0.nic.io.
io. 172800 IN NS c0.nic.io.
;; Received 290 bytes from 2001:500:2f::f#53(f.root-servers.net) in 27 ms
eventfield.io. 3600 IN NS ns-554.awsdns-05.net.
eventfield.io. 3600 IN NS ns-1212.awsdns-23.org.
eventfield.io. 3600 IN NS ns-273.awsdns-34.com.
eventfield.io. 3600 IN NS ns-1994.awsdns-57.co.uk.
;; Received 182 bytes from 2a01:8840:9e::17#53(a0.nic.io) in 72 ms
eventfield.io. 172800 IN NS ns-1212.awsdns-23.org.
eventfield.io. 172800 IN NS ns-1994.awsdns-57.co.uk.
eventfield.io. 172800 IN NS ns-273.awsdns-34.com.
eventfield.io. 172800 IN NS ns-554.awsdns-05.net.
;; Received 182 bytes from 205.251.199.202#53(ns-1994.awsdns-57.co.uk) in 28 ms
create eks cluster
get context to eks cluster
(venv-metal) michaelobrien@Michaels-MBP pipeline % aws eks update-kubeconfig --region us-east-1 --name prod
Added new context arn:aws:eks:us-east-1:4...0:cluster/prod to /Users/mic..n/.kube/config
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* arn:aws:eks:us-east-1:45...0:cluster/prod arn:aws:eks:us-east-1:4...0:cluster/prod
docker-desktop docker-desktop docker-desktop
minikube minikube minikube default
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-172-31-42-248.ec2.internal Ready <none> 41d v1.30.4-eks-a737599
ip-172-31-80-165.ec2.internal Ready <none> 41d v1.30.4-eks-a737599
# Install cert-manager from the Jetstack chart repository into its own
# namespace, creating the namespace and installing the CRDs with the chart.
# No --version is given, so whatever chart is current at install time is
# deployed (the output below reports v1.16.2); pass --version to make the
# install repeatable and to control when upgrades happen.
helm install cert-manager cert-manager \
--repo https://charts.jetstack.io \
--namespace cert-manager \
--create-namespace \
--set crds.enabled=true
NAME: cert-manager
LAST DEPLOYED: Thu Dec 5 12:52:41 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.16.2 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
cert-manager cert-manager-b6fd485d9-cp9pg 1/1 Running 0 43s
cert-manager cert-manager-cainjector-dcc5966bc-jgrxp 1/1 Running 0 43s
cert-manager cert-manager-webhook-dfb76c7bd-hwq8d 1/1 Running 0 43s
kube-system aws-node-8bwzk 2/2 Running 0 41d
kube-system aws-node-f9mz4 2/2 Running 0 41d
kube-system coredns-586b798467-fdvwr 1/1 Running 0 52d
kube-system coredns-586b798467-gff7r 1/1 Running 0 52d
kube-system eks-pod-identity-agent-cq8nn 1/1 Running 0 41d
kube-system eks-pod-identity-agent-g4wxv 1/1 Running 0 41d
kube-system kube-proxy-b8v4z 1/1 Running 0 41d
kube-system kube-proxy-h2ttb 1/1 Running 0 41d
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl -n cert-manager get all
NAME READY STATUS RESTARTS AGE
pod/cert-manager-b6fd485d9-cp9pg 1/1 Running 0 7m46s
pod/cert-manager-cainjector-dcc5966bc-jgrxp 1/1 Running 0 7m46s
pod/cert-manager-webhook-dfb76c7bd-hwq8d 1/1 Running 0 7m46s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cert-manager ClusterIP 10.100.175.92 <none> 9402/TCP 7m47s
service/cert-manager-cainjector ClusterIP 10.100.130.103 <none> 9402/TCP 7m47s
service/cert-manager-webhook ClusterIP 10.100.20.33 <none> 443/TCP,9402/TCP 7m47s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cert-manager 1/1 1 1 7m46s
deployment.apps/cert-manager-cainjector 1/1 1 1 7m46s
deployment.apps/cert-manager-webhook 1/1 1 1 7m46s
NAME DESIRED CURRENT READY AGE
replicaset.apps/cert-manager-b6fd485d9 1 1 1 7m46s
replicaset.apps/cert-manager-cainjector-dcc5966bc 1 1 1 7m46s
replicaset.apps/cert-manager-webhook-dfb76c7bd 1 1 1 7m46s
check CRDs
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain Certificate
GROUP: cert-manager.io
KIND: Certificate
VERSION: v1
DESCRIPTION:
A Certificate resource should be created to ensure an up to date and signed
X.509 certificate is stored in the Kubernetes Secret resource named in
`spec.secretName`.
The stored certificate will be renewed before it expires (as configured by
`spec.renewBefore`).
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <ObjectMeta>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <Object>
Specification of the desired state of the Certificate resource.
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
status <Object>
Status of the Certificate.
This is set and managed automatically.
Read-only.
More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain CertificateRequest
GROUP: cert-manager.io
KIND: CertificateRequest
VERSION: v1
DESCRIPTION:
A CertificateRequest is used to request a signed certificate from one of the
configured issuers.
All fields within the CertificateRequest's `spec` are immutable after
creation.
A CertificateRequest will either succeed or fail, as denoted by its `Ready`
status
condition and its `status.failureTime` field.
A CertificateRequest is a one-shot resource, meaning it represents a single
point in time request for a certificate and cannot be re-used.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <ObjectMeta>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <Object>
Specification of the desired state of the CertificateRequest resource.
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
status <Object>
Status of the CertificateRequest.
This is set and managed automatically.
Read-only.
More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
(venv-metal) michaelobrien@Michaels-MBP pipeline % kubectl explain Issuer
GROUP: cert-manager.io
KIND: Issuer
VERSION: v1
DESCRIPTION:
An Issuer represents a certificate issuing authority which can be
referenced as part of `issuerRef` fields.
It is scoped to a single namespace and can therefore only be referenced by
resources within the same namespace.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <ObjectMeta>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <Object> -required-
Desired state of the Issuer resource.
status <Object>
Status of the Issuer. This is set and managed automatically.
https://cert-manager.io/docs/tutorials/
create clusterissuer-selfsigned.yaml
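# clusterissuer-selfsigned.yaml
#
# Cluster-wide issuer that signs each certificate with the certificate's own
# private key. Nothing chains to a trusted CA, so clients reject the result
# unless verification is disabled. Use it for bootstrapping and testing only.
# A ClusterIssuer can be referenced from every namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}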
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f clusterissuer-selfsigned.yaml
clusterissuer.cert-manager.io/selfsigned created
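install envsubst (note: the binary fetched below is installed system-wide without an integrity check; compare its SHA-256 with a known-good value before the sudo mv)
https://github.com/a8m/envsubst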
create certificate.yaml
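# certificate.yaml
#
# Template, not a finished manifest: $DOMAIN_NAME is filled in by envsubst
# before the result is piped to kubectl apply. No namespace is set, so the
# Certificate and its Secret land in the current namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www
spec:
  # Secret that receives tls.crt / tls.key; the Deployment mounts it by name.
  secretName: www-tls
  # Keep only the most recent CertificateRequest.
  revisionHistoryLimit: 1
  privateKey:
    # Generate a fresh private key on every issuance instead of reusing the
    # old one; consumers must reload the Secret after each renewal.
    rotationPolicy: Always
  commonName: www.$DOMAIN_NAME
  dnsNames:
    - www.$DOMAIN_NAME
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    # Self-signed issuer: the resulting certificate is not publicly trusted.
    name: selfsigned
    kind: ClusterIssuer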
(venv-metal) michaelobrien@Michaels-MBP eks % curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2080k 100 2080k 0 0 4133k 0 --:--:-- --:--:-- --:--:-- 18.6M
(venv-metal) michaelobrien@Michaels-MBP eks % chmod +x envsubst
(venv-metal) michaelobrien@Michaels-MBP eks % sudo mv envsubst /usr/local/bin
(venv-metal) michaelobrien@Michaels-MBP eks % envsubst < certificate.yaml | kubectl apply -f -
certificate.cert-manager.io/www created
Bug: cmctl install notes missing
https://cert-manager.io/docs/reference/cmctl/
from
https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/
install cmctl
brew install cmctl
check certificate
(venv-metal) michaelobrien@Michaels-MBP eks % cmctl status certificate www
Name: www
Namespace: default
Created at: 2024-12-05T14:19:16-05:00
Conditions:
Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
DNS Names:
- www.eventfield.io
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 4m22s cert-manager-certificates-trigger Issuing certificate as Secret does not exist
Normal Generated 4m22s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-z9xth"
Normal Requested 4m22s cert-manager-certificates-request-manager Created new CertificateRequest resource "www-1"
Normal Issuing 4m22s cert-manager-certificates-issuing The certificate has been successfully issued
Issuer:
Name: selfsigned
Kind: ClusterIssuer
Conditions:
Ready: True, Reason: IsReady, Message:
Events: <none>
Secret:
Name: www-tls
Issuer Country:
Issuer Organisation:
Issuer Common Name: www.eventfield.io
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID:
Authority Key ID:
Serial Number: 69f7dd814d9d9e271f66f3dcba10b28b
Events: <none>
Not Before: 2024-12-05T14:19:16-05:00
Not After: 2025-03-05T14:19:16-05:00
Renewal Time: 2025-02-03T14:19:16-05:00
No CertificateRequest found for this Certificate
look for certificate
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get secret --all-namespaces
NAMESPACE NAME TYPE DATA AGE
cert-manager cert-manager-webhook-ca Opaque 3 7d3h
cert-manager sh.helm.release.v1.cert-manager.v1 helm.sh/release.v1 1 93m
default www-tls kubernetes.io/tls 3 7m5s
inspect certificate
(venv-metal) michaelobrien@Michaels-MBP eks % cmctl inspect secret www-tls
Valid for:
DNS Names:
- www.eventfield.io
URIs: <none>
IP Addresses: <none>
Email Addresses: <none>
Usages:
- digital signature
- key encipherment
- server auth
Validity period:
Not Before: Thu, 05 Dec 2024 19:19:16 UTC
Not After: Wed, 05 Mar 2025 19:19:16 UTC
Issued By:
Common Name: www.eventfield.io
Organization: <none>
OrganizationalUnit: <none>
Country: <none>
Issued For:
Common Name: www.eventfield.io
Organization: <none>
OrganizationalUnit: <none>
Country: <none>
Certificate:
Signing Algorithm: SHA256-RSA
Public Key Algorithm: RSA
Serial Number: 140855929538450534403923159175450899083
Fingerprints: 8B:4E:13:35:13:C7:54:BD:78:2E:42:05:A9:3F:69:45:A8:90:27:20:FB:3C:AE:71:A6:79:D7:E2:47:B6:06:5D
Is a CA certificate: false
CRL: <none>
OCSP: <none>
Debugging:
Trusted by this computer: no: x509: certificate signed by unknown authority
CRL Status: No CRL endpoints set
OCSP Status: Cannot check OCSP: No OCSP Server set
add web server
deployment.yaml
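# deployment.yaml
#
# Sample HTTPS server that reads its certificate and private key from the
# www-tls Secret written by cert-manager.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloweb
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
      tier: web
  template:
    metadata:
      labels:
        app: hello
        tier: web
    spec:
      # No securityContext or resource limits are set here; this is a demo
      # workload, so add them before reusing the manifest elsewhere.
      containers:
        - name: hello-app
          # The tag is mutable and is re-pulled on every pod start
          # (imagePullPolicy: Always); pin by digest for a repeatable rollout.
          image: us-docker.pkg.dev/google-samples/containers/gke/hello-app-tls:1.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
          volumeMounts:
            # The private key is exposed to the container as a read-only file.
            - name: tls
              mountPath: /etc/tls
              readOnly: true
          env:
            - name: TLS_CERT
              value: /etc/tls/tls.crt
            - name: TLS_KEY
              value: /etc/tls/tls.key
      volumes:
        - name: tls
          secret:
            # NOTE(review): whether the app re-reads these files after a
            # renewal is not shown on this page; the Reloader link at the top
            # covers restarting pods when the Secret changes.
            secretName: www-tls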
deploy server
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f deployment.yaml
deployment.apps/helloweb created
create loadbalancer
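# service.yaml
#
# Exposes the helloweb pods on port 443 through a cloud load balancer.
# type: LoadBalancer provisions an ELB with a public hostname (see the
# EXTERNAL-IP column below), so the pod is reachable from the internet as
# soon as this is applied. TLS is not terminated at the load balancer: port
# 443 is forwarded as plain TCP to the pod's 8443, where the app presents the
# certificate. spec.loadBalancerSourceRanges can limit which client CIDRs are
# allowed while the certificate is still self-signed.
apiVersion: v1
kind: Service
metadata:
  name: helloweb
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
  selector:
    app: hello
    tier: web
  type: LoadBalancer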
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl apply -f service.yaml
service/helloweb created
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get service helloweb
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
helloweb LoadBalancer 10.100.137.75 a14e2cd253b504a59ba28c5dd984808c-1311392204.us-east-1.elb.amazonaws.com 443:32639/TCP 24s
get dns
(venv-metal) michaelobrien@Michaels-MBP eks % HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name $DOMAIN_NAME --query "HostedZones[0].Id" --output text)
(venv-metal) michaelobrien@Michaels-MBP eks % echo $HOSTED_ZONE_ID
/hostedzone/Z1...1T
(venv-metal) michaelobrien@Michaels-MBP eks % ELB_CANONICAL_HOSTED_ZONE_NAME=$(kubectl get svc helloweb --output=jsonpath='{ .status.loadBalancer.ingress[0].hostname }')
(venv-metal) michaelobrien@Michaels-MBP eks % echo $ELB_CANONICAL_HOSTED_ZONE_NAME
a1...04.us-east-1.elb.amazonaws.com
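# Create a Route 53 alias A record www.$DOMAIN_NAME pointing at the ELB that
# backs the helloweb Service.
#
# Reads:  ELB_CANONICAL_HOSTED_ZONE_NAME, DOMAIN_NAME, HOSTED_ZONE_ID
# Writes: one record in the public hosted zone (Action CREATE, so the call
#         fails if the record already exists).
#
# Each variable is expanded with ${VAR:?...} so that an unset or empty value
# stops its pipeline stage instead of sending a change batch with null or
# empty fields to Route 53. Delete the record when the Service is removed so
# the zone does not keep an alias to a load balancer that no longer exists.
aws elb describe-load-balancers \
  --query "LoadBalancerDescriptions[?CanonicalHostedZoneName == '${ELB_CANONICAL_HOSTED_ZONE_NAME:?ELB_CANONICAL_HOSTED_ZONE_NAME is not set}'] | [0]" \
  | jq --arg DOMAIN_NAME "${DOMAIN_NAME:?DOMAIN_NAME is not set}" '{
      "Comment": "Creating an alias record",
      "Changes": [
        {
          "Action": "CREATE",
          "ResourceRecordSet": {
            "Name": "www.\($DOMAIN_NAME)",
            "Type": "A",
            "AliasTarget": {
              "HostedZoneId": .CanonicalHostedZoneNameID,
              "DNSName": .CanonicalHostedZoneName,
              "EvaluateTargetHealth": false
            }
          }
        }
      ]
    }' \
  | aws route53 change-resource-record-sets \
      --hosted-zone-id "${HOSTED_ZONE_ID:?HOSTED_ZONE_ID is not set}" \
      --change-batch file:///dev/stdin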
{
"ChangeInfo": {
"Id": "/change/C07654933GDZBOQJHH4F0",
"Status": "PENDING",
"SubmittedAt": "2024-12-05T20:24:01.600000+00:00",
"Comment": "Creating an alias record"
}
}
(venv-metal) michaelobrien@Michaels-MBP eks % dig www.$DOMAIN_NAME A
; <<>> DiG 9.10.6 <<>> www.eventfield.io A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58493
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;www.eventfield.io. IN A
;; ANSWER SECTION:
www.eventfield.io. 60 IN A 54.173.67.175
www.eventfield.io. 60 IN A 18.233.109.65
;; Query time: 66 msec
;; SERVER: 2607:fea8:e25d:7b60:688f:2eff:fe18:cd81#53(2607:fea8:e25d:7b60:688f:2eff:fe18:cd81)
;; WHEN: Thu Dec 05 15:26:18 EST 2024
;; MSG SIZE rcvd: 78
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
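check website via curl (--insecure is needed only because the certificate is self-signed and not trusted by the client; drop the flag once a publicly trusted issuer is in use)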
(venv-metal) michaelobrien@Michaels-MBP eks % curl --insecure -v https://www.$DOMAIN_NAME
* Host www.eventfield.io:443 was resolved.
* IPv6: (none)
* IPv4: 18.233.109.65, 54.173.67.175
* Trying 18.233.109.65:443...
* Connected to www.eventfield.io (18.233.109.65) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=www.eventfield.io
* start date: Dec 5 19:19:16 2024 GMT
* expire date: Mar 5 19:19:16 2025 GMT
* issuer: CN=www.eventfield.io
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.eventfield.io/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.eventfield.io]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: www.eventfield.io
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< content-length: 69
< date: Thu, 05 Dec 2024 20:26:45 GMT
<
Hello, world!
Protocol: HTTP/2.0!
Hostname: helloweb-cbc7c88b9-nkwrr
* Connection #0 to host www.eventfield.io left intact
(venv-metal) michaelobrien@Michaels-MBP eks %
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get serviceaccount
NAME SECRETS AGE
default 0 59d
reloader-reloader 0 3m53s
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get clusterrole
NAME CREATED AT
cert-manager-cainjector 2024-12-05T17:52:47Z
cert-manager-cluster-view 2024-12-05T17:52:47Z
cert-manager-controller-approve:cert-manager-io 2024-12-05T17:52:47Z
cert-manager-controller-certificates 2024-12-05T17:52:47Z
cert-manager-controller-certificatesigningrequests 2024-12-05T17:52:47Z
cert-manager-controller-challenges 2024-12-05T17:52:47Z
cert-manager-controller-clusterissuers 2024-12-05T17:52:47Z
cert-manager-controller-ingress-shim 2024-12-05T17:52:47Z
cert-manager-controller-issuers 2024-12-05T17:52:47Z
cert-manager-controller-orders 2024-12-05T17:52:47Z
cert-manager-edit 2024-12-05T17:52:47Z
cert-manager-view 2024-12-05T17:52:47Z
(venv-metal) michaelobrien@Michaels-MBP eks % kubectl get clusterrolebinding
NAME ROLE AGE
cert-manager-cainjector ClusterRole/cert-manager-cainjector 6d22h
cert-manager-controller-approve:cert-manager-io ClusterRole/cert-manager-controller-approve:cert-manager-io 6d22h
cert-manager-controller-certificates ClusterRole/cert-manager-controller-certificates 6d22h
cert-manager-controller-certificatesigningrequests ClusterRole/cert-manager-controller-certificatesigningrequests 6d22h
cert-manager-controller-challenges ClusterRole/cert-manager-controller-challenges 6d22h
cert-manager-controller-clusterissuers ClusterRole/cert-manager-controller-clusterissuers 6d22h
cert-manager-controller-ingress-shim ClusterRole/cert-manager-controller-ingress-shim 6d22h
cert-manager-controller-issuers ClusterRole/cert-manager-controller-issuers 6d22h
cert-manager-controller-orders ClusterRole/cert-manager-controller-orders 6d22h
cert-manager-webhook:subjectaccessreviews ClusterRole/cert-manager-webhook:subjectaccessreviews 6d22h

