fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno
Kyverno generate+synchronize only manages secrets it created itself. Existing Terraform-managed secrets in ~70 namespaces weren't updated. The step now loops through all namespaces and runs kubectl apply with the new cert in each one.
This commit is contained in:
parent
dadbec0eb4
commit
3bca7a97c2
1 changed files with 6 additions and 3 deletions
@ -57,10 +57,13 @@ steps:
|
||||||
- "apk update && apk add curl"
|
- "apk update && apk add curl"
|
||||||
- "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
|
- "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
|
||||||
- |
|
- |
|
||||||
kubectl create secret tls tls-secret \
|
SECRET_YAML=$(kubectl create secret tls tls-secret \
|
||||||
--cert=secrets/fullchain.pem --key=secrets/privkey.pem \
|
--cert=secrets/fullchain.pem --key=secrets/privkey.pem \
|
||||||
--namespace=kyverno --dry-run=client -o yaml | kubectl apply -f -
|
--namespace=placeholder --dry-run=client -o yaml)
|
||||||
- "echo 'Source TLS secret updated in kyverno namespace — Kyverno will sync to all namespaces'"
|
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
|
||||||
|
echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - 2>/dev/null || true
|
||||||
|
done
|
||||||
|
- "echo 'TLS secret updated in all namespaces'"
|
||||||
|
|
||||||
- name: slack
|
- name: slack
|
||||||
image: curlimages/curl
|
image: curlimages/curl
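Review bot: The `2>/dev/null || true` on the `kubectl apply` line inside the loop discards every failure (RBAC denial, a conflicting or immutable existing secret, a namespace that is terminating), so the closing `echo 'TLS secret updated in all namespaces'` and the slack step that follows report success even when no namespace was actually rotated — the exact silent-failure mode this commit is fixing. Drop the suppression, record the namespaces whose apply failed, and exit non-zero after the loop so the pipeline surfaces a partial rotation. Separately, iterating every non-`kube-` namespace writes the TLS private key into namespaces that never held `tls-secret`, which widens the set of principals able to read the key; if the intent is only to refresh existing copies, select namespaces that already contain the secret (e.g. `kubectl get secret -A --field-selector metadata.name=tls-secret`) rather than all of them. The `sed` substitution of `$ns` is acceptable here because namespace names are DNS labels, but the enclosing step definition starts above the hunk, so whether the runner echoes commands (which would print `$SECRET_YAML`, i.e. the key material) cannot be confirmed from this view.

```yaml
      - |
        # … unchanged: SECRET_YAML=$(kubectl create secret tls … --dry-run=client -o yaml) …
        failed=""
        for ns in $(kubectl get secret -A --field-selector metadata.name=tls-secret -o jsonpath='{.items[*].metadata.namespace}'); do
          echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - \
            || { echo "apply of tls-secret failed in namespace $ns" >&2; failed="$failed $ns"; }
        done
        [ -z "$failed" ] || { echo "TLS secret NOT updated in:$failed" >&2; exit 1; }
      - "echo 'TLS secret updated in all namespaces'"
```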
|
||||||