diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index caaab8360eaed0926cd30bf2d01f0816cbefd3d7..4c557f96d79878ae041856806d546ff7701bc5bc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -358,16 +358,13 @@ install-stackspin:
 - sed -i "s/1.2.3.4/$IP_ADDRESS/" ${CLUSTER_DIR}/.flux.env
 - sed -i "s/example.org/$FQDN/" ${CLUSTER_DIR}/.flux.env
 - sed -i "/^\s*#.*$/d; /^\s*$/d" ${CLUSTER_DIR}/.flux.env
- # Use LE Staging in CI
- - sed -i "s/acme-v02.api.letsencrypt.org/acme-staging-v02.api.letsencrypt.org/" ${CLUSTER_DIR}/.flux.env
 # Deploy secret/stackspin-cluster-variables
 - cp install/kustomization.yaml ${CLUSTER_DIR}
 - kubectl create namespace flux-system
 - kubectl apply -k ${CLUSTER_DIR}
- # NOTE: Temporarily disabled because ZeroSSL is unstable
- # Add an override so cert-manager uses the ZeroSSL ClusterIssuer
- # - kubectl create namespace cert-manager
- # - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
+ # Add an override so cert-manager uses the SSL.com ClusterIssuer
+ - kubectl create namespace cert-manager
+ - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
 # Install flux and general, non-app specific secrets
 - bash ./install/install-stackspin.sh
 extends:
@@ -504,17 +501,17 @@ stackspin-kustomization-ready:
 # Stage: configure-stackspin
 #
 # Configure cluster after basic installation
-# i.e. CI-related config like zerossl clusterIssuer
+# i.e. CI-related config like sslcom clusterIssuer
 #
-configure-zerossl-issuer:
+configure-sslcom-issuer:
 stage: configure-stackspin
 needs:
 - job: install-stackspin
 - job: cert-manager-kustomization-ready
 script:
 - *debug_information
 # Install custom ClusterIssuer for ZeroSSL production certificates
- - bash ./.gitlab/ci_scripts/install_zerossl_issuer.sh
+ # Install custom ClusterIssuer for SSL.com production certificates
+ - bash ./.gitlab/ci_scripts/install_sslcom_issuer.sh
 extends:
 - .report_artifacts
 - .general_rules
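Review bot: The two re-enabled `kubectl` lines in the first hunk apply the cert-manager override during `install-stackspin`, but the `sslcom-issuer` ClusterIssuer that the override names (see the override file further down in this diff) is only created by the `configure-sslcom-issuer` job in the second hunk, which itself `needs` `install-stackspin`, so any Certificate ingress-shim creates in between presumably references an issuer that does not exist yet until that job runs. A comment on the `kubectl apply -n cert-manager` line such as `# The sslcom-issuer ClusterIssuer itself is created later by configure-sslcom-issuer` would make the ordering explicit. `kubectl create namespace cert-manager` also fails when the namespace already exists, so a retried job on a reused cluster stops here; `kubectl create namespace cert-manager --dry-run=client -o yaml | kubectl apply -f -` is the idempotent form (the existing `flux-system` line has the same shape). The `install-stackspin` job's script starts before the hunk.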
@@ -599,7 +596,7 @@ nextcloud-cert:
 variables:
 RESOURCE: "nextcloud"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -609,7 +606,7 @@ kube-prometheus-stack-cert:
 variables:
 RESOURCE: "kube-prometheus-stack"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -619,7 +616,7 @@ single-sign-on-cert:
 variables:
 RESOURCE: "single-sign-on"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -629,7 +626,7 @@ dashboard-cert:
 variables:
 RESOURCE: "dashboard"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -639,7 +636,7 @@ wekan-cert:
 variables:
 RESOURCE: "wekan"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -649,7 +646,7 @@ wordpress-cert:
 variables:
 RESOURCE: "wordpress"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
@@ -659,7 +656,7 @@ zulip-cert:
 variables:
 RESOURCE: "zulip"
 needs:
- - job: configure-zerossl-issuer
+ - job: configure-sslcom-issuer
 - job: install-stackspin
 extends:
 - .apps-cert
diff --git a/.gitlab/ci_scripts/install_sslcom_issuer.sh b/.gitlab/ci_scripts/install_sslcom_issuer.sh
new file mode 100755
index 0000000000000000000000000000000000000000..332bc4dd5d98443ad5d1e0353c7e46416b647226
--- /dev/null
+++ b/.gitlab/ci_scripts/install_sslcom_issuer.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+#
+# Waits until cert-manager HelmRelease is ready, and then installs a SSL.com
+# ClusterIssuer with our credentials into the cert-manager namespace
+#
+# Usage:
+#
+# ./install_sslcom_issuer.sh
+set -euo pipefail
+# Create secret with HMAC key
+b64secret=$(echo -n "${SSL_COM_EAB_HMAC_KEY}" | base64 -w0)
+# Add SSL.com ClusterIssuer
+kubectl apply -n cert-manager -f - <<EOF
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cert-manager
+ name: sslcom-eabsecret
+data:
+ secret: ${b64secret}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: sslcom-issuer
+spec:
+ acme:
+ # The email address used for signing up with ssl.com
+ email: ${SSL_COM_EMAIL_ADDRESS}
+ # The ACME server URL
+ server: https://acme.ssl.com/sslcom-dv-rsa
+ externalAccountBinding:
+ keyID: ${SSL_COM_EAB_KID}
+ keySecretRef:
+ name: sslcom-eabsecret
+ key: secret
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: sslcom-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+EOF
diff --git a/.gitlab/ci_scripts/install_zerossl_issuer.sh b/.gitlab/ci_scripts/install_zerossl_issuer.sh
deleted file mode 100755
index beed27a206c3dc695f297ebeb33c9503ea700d84..0000000000000000000000000000000000000000
--- a/.gitlab/ci_scripts/install_zerossl_issuer.sh
+++ /dev/null
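Review bot: The header comment claims the script waits until the cert-manager HelmRelease is ready, but nothing in the body waits; it runs `kubectl apply` straight away and relies on the calling job's `needs: cert-manager-kustomization-ready` in .gitlab-ci.yml, so the comment should read `# Installs a SSL.com ClusterIssuer with our credentials into the cert-manager namespace. Assumes the cert-manager CRDs are already present (the CI job orders this via needs:).` The hand-rolled `base64 -w0` is GNU-only (the `-w` flag is not portable) and unnecessary: replacing `data:` / `secret: ${b64secret}` with `stringData:` / `secret: "${SSL_COM_EAB_HMAC_KEY}"` lets the API server encode the EAB HMAC key and removes the `b64secret` variable. `set -u` already makes an unset `SSL_COM_*` variable fail loudly, which is right for credentials, but the unquoted heredoc means a value containing YAML-significant characters is silently misparsed rather than rejected, so quoting `email: "${SSL_COM_EMAIL_ADDRESS}"` and `keyID: "${SSL_COM_EAB_KID}"` is cheap insurance.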
@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-#
-# Waits until cert-manager HelmRelease is ready, and then installs a ZeroSSL
-# ClusterIssuer with our credentials into the cert-manager namespace
-#
-# Usage:
-#
-# ./install_zerossl_issuer.sh
-set -euo pipefail
-# Create secret with HMAC key
-b64tlskey=$(echo -n "${ZEROSSL_TLS_KEY}" | base64 -w0)
-# Add ZeroSSL ClusterIssuer
-kubectl apply -n cert-manager -f - <<EOF
----
-apiVersion: v1
-kind: Secret
-metadata:
- namespace: cert-manager
- name: zerossl-prod
-data:
- tls.key: ${b64tlskey}
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: zerossl-issuer
-spec:
- acme:
- # The ACME server URL
- server: https://acme.zerossl.com/v2/DV90
- disableAccountKeyGeneration: true
- # Name of the secret used to get the ACME account private key
- privateKeySecretRef:
- name: zerossl-prod
- solvers:
- - http01:
- ingress:
- class: nginx
-EOF
diff --git a/Dockerfile b/Dockerfile
index 7288c2fc7f2e8b685c3753b36c4a2b8d443d5c7c..621733b18d29b64ee18dab61375e63e9ff93c947 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,6 @@ ENV TAIKO_BROWSER_PATH=/usr/bin/chromium-browser
 ENV TAIKO_BROWSER_ARGS=--no-sandbox,--start-maximized,--disable-dev-shm-usage,--ignore-certificate-errors
 ADD https://github.com/fluxcd/flux2/releases/download/v0.22.0/flux_0.22.0_linux_amd64.tar.gz /tmp/
-COPY ./test/pytest/le-staging-bundle.pem /usr/local/share/ca-certificates/le-staging-bundle.pem
 COPY ./requirements.txt /requirements.txt
 RUN \
 # Install kubectl from alpine edge until alpine 3.16 is released
@@ -38,7 +37,6 @@ RUN \
 yq=~4.14.1-r0 && \
 rm -rf /var/cache/* && \
 mkdir /var/cache/apk && \
- update-ca-certificates && \
 pip install --no-cache-dir --ignore-installed six -r /requirements.txt && \
 ln -s /usr/bin/python3 /usr/bin/python && \
 tar -xzf /tmp/flux*.tar.gz && mv ./flux /usr/local/bin && \
diff --git a/install/overrides/stackspin-cert-manager-override.yaml b/install/overrides/stackspin-cert-manager-override.yaml
index 79e1349a16e25fa9209ded9229e76a72e711e9e2..baef69951d3d4f28f579b3ae07d7dc4dd73d069c 100644
--- a/install/overrides/stackspin-cert-manager-override.yaml
+++ b/install/overrides/stackspin-cert-manager-override.yaml
@@ -6,5 +6,5 @@ metadata:
 data:
 values.yaml: |
 ingressShim:
- defaultIssuerName: zerossl-issuer
+ defaultIssuerName: sslcom-issuer
 defaultIssuerKind: ClusterIssuer
diff --git a/test/pytest/test_certs.py b/test/pytest/test_certs.py
index 5d1e2963d3919e0396fd91060652bf5d87508f80..9cfb26f7e5be7437d21bc901d4461b5399e14cf5 100755
--- a/test/pytest/test_certs.py
+++ b/test/pytest/test_certs.py
@@ -2,11 +2,9 @@
 """Test if application ingress uses a valid certificate."""
 import os
-import shutil
 import socket
 import sys
-import certifi
 import pytest
 import requests
 from OpenSSL import SSL
@@ -19,20 +17,6 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
 Check is executed on the local provisioning machine.
 """
- def add_custom_cert_authorities(ca_file: str,
- custom_ca_files: list,
- dest_file: str =
- '/tmp/custom_ca_bundle.crt'):
- """Concatenates existing cert bundle with custom CAs."""
- destination = open(dest_file, 'wb')
- with open(dest_file, 'wb') as destination, open(ca_file, 'rb') as cert_auth:
- shutil.copyfileobj(cert_auth, destination)
- for custom_ca_file in custom_ca_files:
- with open(custom_ca_file, 'rb') as custom_ca:
- shutil.copyfileobj(custom_ca, destination)
-
 def fetch_certs(domain: str, port: int = 443):
 """Fetches cert fom given domain."""
@@ -68,9 +52,8 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
 print('CN: {0} (Issuer: {1})'.format(common_name, issuer))
- def valid_cert(domain: str, ca_file: str = '/tmp/custom_ca_bundle.crt',
- app: str = "all"):
- """Validate cert of given domain against a ca_file bundle."""
+ def valid_cert(domain: str):
+ """Validate cert of given domain."""
 valid = False
@@ -80,17 +63,14 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
 print_cert_info(certs)
 try:
- requests.get(url, verify=ca_file)
+ requests.get(url)
 except requests.exceptions.SSLError as ex:
 print('SSL Verification Error {}'.format(ex))
- for cert in certs:
- issuer = cert.get_issuer().CN
- if issuer == 'cert-manager.local':
- print('Allowing exception for self-signed cert-mananger cert.')
- valid = True
+ #for cert in certs:
+ # issuer = cert.get_issuer().CN
 return valid
- print('Successfully Verified SSL Cert.\n')
+ print('Successfully Verified SSL Cert. \n')
 return True
@@ -111,7 +91,8 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
 elif resource == 'kube-prometheus-stack':
 apps = ['grafana', 'prometheus']
 else:
- assert resource in app_subdomains, "Error: Unknown app: {}".format(app)
+ assert resource in app_subdomains, \
+ "Error: Unknown app: {}".format(resource)
 apps = [resource]
 print('\n')
@@ -126,8 +107,5 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
 domain = ansible_vars["domain"]
 print("Using domain %s from ansible inventory." % domain)
- add_custom_cert_authorities(certifi.where(),
- ['pytest/le-staging-bundle.pem'])
-
 fqdn = app_subdomains[app_name] + '.' + domain
- assert valid_cert(domain=fqdn, app=resource)
+ assert valid_cert(domain=fqdn)
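Review bot: In the `@@ -80` hunk the `except` branch keeps two commented-out lines (`#for cert in certs:` and `# issuer = cert.get_issuer().CN`) and then returns `valid`, which can no longer be anything but `False` once the cert-manager.local exception is removed; delete the two comment lines, change `return valid` to `return False`, and drop `valid = False` in the preceding hunk. Removing that exception is the right direction, since `requests.get(url)` now verifies against the default CA bundle and a chain that does not end in a publicly trusted root fails the test instead of being waved through, so the `valid_cert` docstring could record it: `Validate the cert of the given domain against requests' default CA bundle; self-signed cert-manager certs are no longer accepted.` The added space in `print('Successfully Verified SSL Cert. \n')` looks accidental and the original `'Successfully Verified SSL Cert.\n'` should be kept. Both `valid_cert` and the enclosing `test_cert_validation` start outside the hunk.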