[WIP] Upgrade to cert-manager from kube-lego

[sgibson91]

Hi all,

This is my attempt to update mybinder.org to using cert-manager instead of kube-lego, which is deprecated.

So far, I've attempted (but not deployed):

• adding clusterissuer.yaml and _helpers.tpl files,
• renaming secrets that contained references to kube-lego,
• updating the staging config.

Any comments appreciated!

Fixes #1148

[manics]

In the past I've had problems with CRDs and uses of CRDs. Basically the implementation of the CRD has to be installed before anything that defines an instance of the CRD.
https://github.com/helm/helm/blob/master/docs/chart_best_practices/custom_resource_definitions.md

The docs for the cert-manager Helm chart suggest it's even more confusing 😟:
https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#steps

[sgibson91]

Thanks @manics, yes @consideRatio and I ran into this issue when installing cert-manager on the Turing's BinderHub when we were in Oslo 😊 I'm more asking if I've removed anything important from the config 😱

[consideRatio]

I think renaming all the ingress TLS termination secrets at once could leave us throttled or temporary banned with lets encrypt as there were more than 4 or so. You could copy the existing secrets to the new name if you like to mitigate this issue, or look up lets encrypt documentation details about this as I'm certainly not certain about this being an issue or how it will behave if it is an issue.

I didn't have time to review this in depth but it is better than no review at all :) Thanks for working on this @sgibson91 !!! ❤️

BTW: How is labels typically set in this helm charts kubernetes resources? Perhaps we should mimic that rather than introducing helpers to set the labels? I think we should aim for consistency with the repo rather than consistency with other Helm charts if there is many other resources aligned to follow a certain practice within this meta helm chart.

[sgibson91]

I think renaming all the ingress TLS termination secrets at once could leave us throttled or temporary banned with lets encrypt as there were more than 4 or so. You could copy the existing secrets to the new name if you like to mitigate this issue, or look up lets encrypt documentation details about this as I'm certainly not certain about this being an issue or how it will behave if it is an issue.

I've reverted my renaming of secrets instead.

BTW: How is labels typically set in this helm charts kubernetes resources? Perhaps we should mimic that rather than introducing helpers to set the labels? I think we should aim for consistency with the repo rather than consistency with other Helm charts if there is many other resources aligned to follow a certain practice within this meta helm chart.

I'm not sure that I follow this? @betatim @minrk @choldgraf?

[consideRatio]

Quick input

• The file mybinder/templates/pdb-kube-lego.yaml no longer relates to kube-lego but cert-manager.
• When PDBs are changed, --force will be required on the helm upgrade.
• I noted there was no PDBs as part of the cert-manager helm chart, https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager/templates, so its fine for us to add one.

[sgibson91]

As per jupyterhub/zero-to-jupyterhub-k8s#1448, if anyone wants to help out/take over this PR then they should feel free!

[sgibson91]

Closing due to a new plan of attack, see #1148 (comment)