Script File to Update SSL Certificate for Load Balancer
On the administration instance, you must create a script file named update_lb_ssl_cert.sh that updates the OCI load balancer SSL certificate.
#!/bin/bash
# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
# This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
# This script provides a way to update the OCI load balancer ssl certificate.
#
# The script will:
# * Create a TLS secret in kubernetes
# * Run Helm upgrade for ingress controller charts with new certificate
# * Runs a check on the svc. Please check the annotations for the new secret name.
#
# Please refer to https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm for more information
# Print the command-line help text to stdout.
# Arguments: none; $0 is expanded so the first line shows how the script
#            was invoked.
# Outputs:   a six-line summary listing the four mandatory options.
usage() {
  printf '%s\n' \
    "Usage: $0 [OPTION]" \
    '[Mandatory]' \
    '-d WebLogic Domain Name' \
    '-s Kubernetes secret name' \
    '-k SSL Certificate Key file (e.g. tls.key)' \
    '-c SSL Certificate file (e.g. tls.cert)'
}
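# Refuse to run with no arguments at all: every option below is mandatory.
if [ "$#" -eq 0 ]; then
  usage
  exit 1
fi

# Start from empty values so that variables with the same names inherited
# from the caller's environment cannot stand in for an option that was not
# passed on the command line.
DOMAIN_NAME=""
SSL_CERT_SECRET=""
SSL_KEY_FILE=""
SSL_CERT_FILE=""

# The leading ':' puts getopts in silent mode, so unknown options arrive as
# '?' and missing arguments as ':' and are reported by the arms below.
while getopts ":d:s:k:c:h" opt; do
  case "$opt" in
    d) DOMAIN_NAME=$OPTARG ;;
    s) SSL_CERT_SECRET=$OPTARG ;;
    k) SSL_KEY_FILE=$OPTARG ;;
    c) SSL_CERT_FILE=$OPTARG ;;
    h) usage; exit 0 ;;
    \?) echo "Invalid option: -$OPTARG" >&2; usage; exit 1 ;;
    :) echo "Option -$OPTARG requires an argument." >&2; usage; exit 1 ;;
  esac
done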
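# Echo the parsed options so the operator can confirm what will be applied.
# Only the file paths are printed; the key material itself is not read here.
printf '%s %s %s %s\n' \
  "$DOMAIN_NAME" "$SSL_CERT_SECRET" "$SSL_KEY_FILE" "$SSL_CERT_FILE"

# All four options are mandatory. A missing one is an error, so exit
# non-zero: automation calling this script must not read it as a completed
# certificate update.
if [[ -z "$DOMAIN_NAME" || -z "$SSL_CERT_SECRET" ||
      -z "$SSL_KEY_FILE" || -z "$SSL_CERT_FILE" ]]; then
  echo "Error:Options -d, -s, -k and -c are all mandatory." >&2
  usage
  exit 1
fi

# Both certificate inputs must be existing regular files. Diagnostics go to
# stderr so they are not mixed into captured stdout.
if [[ ! -f "$SSL_KEY_FILE" ]]; then
  echo "Error:Cannot find $SSL_KEY_FILE." >&2
  exit 1
fi
if [[ ! -f "$SSL_CERT_FILE" ]]; then
  echo "Error:Cannot find $SSL_CERT_FILE." >&2
  exit 1
fi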
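# Fixed locations on the shared volume of the administration instance.
PROPERTIES_FILE="/u01/shared/provisioning_metadata.properties"
RELEASE_NAME="ingress-controller"
INGRESS_CHARTS=/u01/shared/scripts/pipeline/create_domain/ingress-controller

# DOMAIN_NAME is used as a single path component below (and later as a
# namespace prefix), so reject values that would step outside the
# weblogic-domains directory.
if [[ "$DOMAIN_NAME" == */* || "$DOMAIN_NAME" == .* ]]; then
  echo "Error:Invalid domain name [$DOMAIN_NAME]." >&2
  exit 1
fi
DEFAULT_VALUES="/u01/shared/weblogic-domains/${DOMAIN_NAME}/ingress-controller-inputs.yaml"

if [[ ! -f "$PROPERTIES_FILE" ]]; then
  echo "Error:Missing $PROPERTIES_FILE file." >&2
  exit 1
fi
if [[ ! -f "$DEFAULT_VALUES" ]]; then
  echo "Error:Missing helm chart values file [$DEFAULT_VALUES]" >&2
  exit 1
fi

# Read the two settings from the properties file. Only the first matching
# line is used, and everything after the first '=' is kept, so a value that
# itself contains '=' is not truncated.
# NOTE(review): the key is matched as a substring, as before; anchor it to
# the start of the line once the exact file format is confirmed.
INGRESS_NAMESPACE=$(grep -m1 -- 'ingress_namespace' "$PROPERTIES_FILE" | cut -d'=' -f2-)
OCIR_INGRESS_CONTROLLER_REPO=$(grep -m1 -- 'ocir_ingress_controller_repo' "$PROPERTIES_FILE" | cut -d'=' -f2-)

# Stop here if either value is missing: an empty namespace or image value
# would otherwise be passed straight to kubectl and helm.
if [[ -z "$INGRESS_NAMESPACE" ]]; then
  echo "Error:ingress_namespace is not set in $PROPERTIES_FILE." >&2
  exit 1
fi
if [[ -z "$OCIR_INGRESS_CONTROLLER_REPO" ]]; then
  echo "Error:ocir_ingress_controller_repo is not set in $PROPERTIES_FILE." >&2
  exit 1
fi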
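# 1. Create the TLS secret in the ingress namespace and in the domain
#    namespace. The key and certificate are passed by path (--key/--cert),
#    so the key material never appears on the command line.
#    'kubectl create' refuses to overwrite an existing secret, so a name
#    that is already in use is reported here instead of being replaced.
#    The script stops on the first failure so that helm is never pointed at
#    a secret that does not exist.
# NOTE(review): the private key file stays on disk after this step; keep it
# readable only by the operator and remove it from the administration
# instance once the rollout has been verified.
for ns in "$INGRESS_NAMESPACE" "${DOMAIN_NAME}-ns"; do
  if ! kubectl create secret tls "$SSL_CERT_SECRET" \
      --key="$SSL_KEY_FILE" --cert="$SSL_CERT_FILE" -n "$ns"; then
    echo "Error:Failed to create secret $SSL_CERT_SECRET in namespace $ns." >&2
    exit 1
  fi
done

# 2. Update helm charts with the new SSL secret value. Output is captured so
#    it can be printed in one piece; the exit status is checked afterwards.
cmd_output=$(helm upgrade --install "$RELEASE_NAME" "$INGRESS_CHARTS" \
  --values "$DEFAULT_VALUES" \
  --set "cert_secret_name=$SSL_CERT_SECRET" \
  --set "ocir_ingress_image_tag=$OCIR_INGRESS_CONTROLLER_REPO" \
  --wait 2>&1)
exit_code=$?
echo "${cmd_output}"
if [ "$exit_code" -ne 0 ]; then
  # Propagate helm's failure instead of letting the final describe decide
  # the script's exit status.
  echo "Error:helm upgrade of $RELEASE_NAME failed with exit code $exit_code." >&2
  exit "$exit_code"
fi

# 3. Verify the lb service is updated: check that the annotations in the
#    output reference the new secret name.
kubectl describe svc "${DOMAIN_NAME}-lb-external" -n "${INGRESS_NAMESPACE}"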