openedx / openedx-k8s-harmony

A Prototype Helm Chart for deploying multiple Open edX instances (via Tutor) onto a cluster.
GNU Affero General Public License v3.0

Modification to installation instructions required for installing on Auto Pilot GKE #35

Closed drrk closed 1 year ago

drrk commented 1 year ago

On GKE in Auto Pilot mode a change to the installation instructions is required to install correctly. On this installation command, you need to append --set global.leaderElection.namespace=harmony. This is to ensure that cert-manager is correctly set up due to a security limitation imposed by Google. See https://github.com/cert-manager/cert-manager/issues/3717#issuecomment-931567578 for further information.

bradenmacdonald commented 1 year ago

Thanks for the report @drrk! I'll come up with a fix and get your help testing it.

drrk commented 1 year ago

You are welcome - there might be a bit more to it - whilst this meant the helm chart installed correctly, when I then deployed an instance with tutor it didn't get an SSL certificate correctly, it was still on the fake ingress certificate. I don't know if this was user error, or if there are still some missing steps to get cert-manager functional. I am going to test again tomorrow (I am in the UK).

drrk commented 1 year ago

I've tested again, using a different method, which I thought should work from looking at the cert-manager documentation https://cert-manager.io/docs/installation/compatibility/#gke-autopilot and https://cert-manager.io/docs/installation/helm/#installing-cert-manager-as-subchart

I set the relevant section of values.yaml as such:

cert-manager:
  # Set your email address here so auto-generated HTTPS certs will work:
  email: "kimball@appsembler.com"
  namespace: harmony
  global.leaderElection.namespace: harmony

However this didn't work at all, the helm chart failed to install, as it would without trying anything:

Error: INSTALLATION FAILED: failed post-install: 1 error occurred:
        * timed out waiting for the condition

I think another option is to try installing cert-manager separately first, and then installing harmony without cert-manager. I will try that when I get a chance.

drrk commented 1 year ago

Okay, I have it working by installing cert-manager first, then installing harmony, then manually adding the Issuer config. However, I think it might also work with my initial step of just adding to the helm command line. The part I missed before is you need an additional DNS entry of app.<lmsfqdn> for cert-manager to get the certificate correctly.

I can do any more tests you need, but only for the next 10 days, after which I will change job, but @amirtds should be able to follow up.

drrk commented 1 year ago

My process was as follows:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.11.1 \
  --set installCRDs=true \
  --set global.leaderElection.namespace=cert-manager

After this completes successfully, harmony should be installed, with cert-manager.enabled: false set in the values.yaml as documented in GitHub - openedx/openedx-k8s-harmony: A Prototype Helm Chart for deploying multiple Open edX instances (via Tutor) onto a cluster.

Once this is complete, the cert-manager issuer config is needed based on this template: openedx-k8s-harmony/issuer.yaml at main · openedx/openedx-k8s-harmony

This needs to be installed after the harmony chart, as it depends on nginx-ingress.

An example file (named issuer.yaml) is:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: harmony-letsencrypt-global
spec:
  acme:
    email: user@example.com
    preferredChain: ""
    privateKeySecretRef:
      name: harmony-letsencrypt-global
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx

which is installed with kubectl apply -f issuer.yaml.
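
A post-install check for the procedure above, added here as an example and not part of the openedx-k8s-harmony project or drrk's setup: it flags the two failure modes reported in this thread (the ingress still serving ingress-nginx's default "fake" certificate, and a certificate that does not cover the extra app.<lmsfqdn> name). The ClusterIssuer name comes from the issuer.yaml above; the sample certificate text, the hostnames lms.example.com and app.lms.example.com, and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Hypothetical post-install check for the procedure above (not part of
# openedx-k8s-harmony): detects the ingress still serving ingress-nginx's
# default "fake" certificate, and a certificate missing app.<lmsfqdn>.
set -eu
# Print one hostname per line from `openssl x509 -noout -issuer -ext subjectAltName` output.
san_list() {
  printf '%s\n' "$1" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
# Usage: cert_check "<x509 text>" host1 [host2 ...]
# Returns 1 for the fake certificate, 2 when a required SAN is missing, else 0.
cert_check() {
  local cert_text="$1" host
  shift
  if printf '%s\n' "$cert_text" | grep -q 'Kubernetes Ingress Controller Fake Certificate'; then
    echo "ingress still serves the fake certificate: check the ClusterIssuer and DNS"
    return 1
  fi
  for host in "$@"; do
    if ! san_list "$cert_text" | grep -qxF "$host"; then
      echo "certificate does not cover $host (missing DNS record or ingress host?)"
      return 2
    fi
  done
  echo "certificate OK for: $*"
}
# Live variant (call by hand): checks the ClusterIssuer from the issue is Ready, then
# fetches what the ingress serves for <lmsfqdn> and requires app.<lmsfqdn> too.
# Assumes kubectl and openssl 1.1.1+ in PATH.
check_lms_cert() {
  local lms="$1" text ready
  ready=$(kubectl get clusterissuer harmony-letsencrypt-global \
            -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
  [ "$ready" = "True" ] || { echo "ClusterIssuer not Ready: '$ready'"; return 3; }
  text=$(openssl s_client -connect "$lms:443" -servername "$lms" </dev/null 2>/dev/null \
           | openssl x509 -noout -issuer -ext subjectAltName)
  cert_check "$text" "$lms" "app.$lms"
}
# Constructed sample outputs (not captured from a real cluster) for offline testing.
FAKE_CERT_TEXT="issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
X509v3 Subject Alternative Name:
    DNS:ingress.local"
GOOD_CERT_TEXT="issuer=C = US, O = Let's Encrypt, CN = R3
X509v3 Subject Alternative Name:
    DNS:app.lms.example.com, DNS:lms.example.com"
cert_check "$GOOD_CERT_TEXT" lms.example.com app.lms.example.com
cert_check "$FAKE_CERT_TEXT" lms.example.com || echo "exit status $?"
```

Run `check_lms_cert lms.yourdomain` once DNS for both names points at the ingress; a status of 1 means the Issuer was never applied or could not complete the HTTP-01 challenge, and 2 means the app.<lmsfqdn> record is missing.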

bradenmacdonald commented 1 year ago

Thanks for the updates @drrk! I'm sorry for the delay here; I'll try to incorporate this next week.

drrk commented 1 year ago

No worries at all. As I said before, Friday is my last day at Appsembler, and thus working with Open edX for now, but hopefully this will help others. I know others at Appsembler will be following up too.

felipemontoya commented 1 year ago

@drrk nothing has moved in this issue for a while and nobody from Appsembler has reached out. Are you ok if we close this issue for the time being?

drrk commented 1 year ago

Go ahead and close it. Sorry no one else has reached out.

Kimball

felipemontoya commented 1 year ago

Thanks. Closing now.