From e4ca99b23765d5e3d242e881acbde540e071c1f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Behmo?= Date: Thu, 26 Mar 2020 11:33:06 +0100 Subject: [PATCH] Upgrade cert-manager installation in k8s Note that the spec has changed for v1alpha2. --- CHANGELOG.md | 1 + docs/k8s.rst | 4 +--- tutor/templates/k8s/ingress.yml | 20 ++++++++------------ 3 files changed, 10 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ab6253..0117809 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Note: Breaking changes between versions are indicated by "💥". ## Unreleased +- [Improvement] Upgrade k8s certificate issuer to cert-manager.io/v1alpha2 - [Feature] Add SCORM XBlock to default openedx docker image ## v3.11.12 (2020-04-16) diff --git a/docs/k8s.rst b/docs/k8s.rst index f57b00d..9842968 100644 --- a/docs/k8s.rst +++ b/docs/k8s.rst @@ -50,9 +50,7 @@ cert-manager for TLS certificates Tutor relies on `cert-manager `_ to generate TLS certificates for HTTPS access. In order to activate HTTPS support, you will have to install cert-manager yourself. To do so, follow the `instructions from the official documentation `_. It might be as simple as running:: - kubectl create namespace cert-manager - kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true - kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.8.0/cert-manager.yaml + kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml If you decide to enable HTTPS certificates, you will also have to set ``WEB_PROXY=true`` in the platform configuration, because the SSL/TLS termination will not occur in the Nginx container, but in the Ingress controller. To do so, run:: diff --git a/tutor/templates/k8s/ingress.yml b/tutor/templates/k8s/ingress.yml index 39d422b..3e2934e 100644 --- a/tutor/templates/k8s/ingress.yml +++ b/tutor/templates/k8s/ingress.yml 
@@ -7,8 +7,8 @@ metadata: app.kubernetes.io/name: web annotations: nginx.ingress.kubernetes.io/proxy-body-size: 1000m - {% if ACTIVATE_HTTPS%}certmanager.k8s.io/issuer: letsencrypt - certmanager.k8s.io/acme-challenge-type: http01{% endif %} + {% if ACTIVATE_HTTPS%}cert-manager.io/issuer: letsencrypt + cert-manager.io/acme-challenge-type: http01{% endif %} spec: rules: {% for host in hosts %} @@ -29,7 +29,7 @@ spec: {%endif%} {% if ACTIVATE_HTTPS %} --- -apiVersion: certmanager.k8s.io/v1alpha1 +apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: name: letsencrypt @@ -41,9 +41,12 @@ spec: email: {{ CONTACT_EMAIL }} privateKeySecretRef: name: letsencrypt-privatekey - http01: {} + solvers: + - http01: + ingress: + class: nginx --- -apiVersion: certmanager.k8s.io/v1alpha1 +apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: {{ LMS_HOST|replace(".", "-") }} @@ -55,12 +58,5 @@ spec: dnsNames: - {{ LMS_HOST }} - {{ CMS_HOST }} - acme: - config: - - http01: - ingress: web - domains: - - {{ LMS_HOST }} - - {{ CMS_HOST }} {{ patch("k8s-ingress-certificates") }} {% endif %}
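Review bot: The renamed `cert-manager.io/acme-challenge-type: http01` annotation in the first hunk is probably dead configuration. As far as I can tell, that annotation belonged to the old per-Certificate ACME format, and under the `cert-manager.io` API group the challenge type comes from the Issuer's `solvers` list, which this commit adds further down. An unrecognised annotation is ignored silently, so a later reader may assume the Ingress still selects the challenge type when it does not. I would drop that line and keep only `{% if ACTIVATE_HTTPS %}cert-manager.io/issuer: letsencrypt{% endif %}`, after confirming against the ingress annotations documented for cert-manager v0.14. The Ingress definition starts and ends outside the hunk.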
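Review bot: The solver added to the Issuer in the third hunk hard-codes `class: nginx`, so HTTP-01 validation only succeeds when the cluster's ingress controller serves that class. On any other controller the challenge is presumably never answered and the Certificate stays unissued, which is easy to miss because the manifests still apply cleanly. A comment above `solvers:` would make the dependency visible, for example `# HTTP-01 challenges are answered through a temporary Ingress of this class; it must match the controller serving LMS_HOST and CMS_HOST`. The removed `ingress: web` setting pointed the solver at the existing Ingress instead, so this is a behaviour change and not only a spec rename. The Issuer spec begins outside the hunk.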