Resolve "Use SSL.com instead of ZeroSSL"

1ece3b87 · Maarten de Waard · Varac · b12d4960 · 1ece3b87 · 1ece3b87
Commit 1ece3b87 authored 3 years ago by Maarten de Waard Committed by Varac 3 years ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -358,16 +358,13 @@ install-stackspin:
    - sed -i "s/1.2.3.4/$IP_ADDRESS/" ${CLUSTER_DIR}/.flux.env
    - sed -i "s/example.org/$FQDN/"  ${CLUSTER_DIR}/.flux.env
    - sed -i "/^\s*#.*$/d; /^\s*$/d" ${CLUSTER_DIR}/.flux.env
-    # Use LE Staging in CI
-    - sed -i "s/acme-v02.api.letsencrypt.org/acme-staging-v02.api.letsencrypt.org/" ${CLUSTER_DIR}/.flux.env
    # Deploy secret/stackspin-cluster-variables
    - cp install/kustomization.yaml ${CLUSTER_DIR}
    - kubectl create namespace flux-system
    - kubectl apply -k ${CLUSTER_DIR}
-    # NOTE: Temporarily disabled because ZeroSSL is unstable
-    # Add an override so cert-manager uses the ZeroSSL ClusterIssuer
-    # - kubectl create namespace cert-manager
-    # - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
+    # Add an override so cert-manager uses the SSL.com ClusterIssuer
+    - kubectl create namespace cert-manager
+    - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
    # Install flux and general, non-app specific secrets
    - bash ./install/install-stackspin.sh
  extends:
@@ -504,17 +501,17 @@ stackspin-kustomization-ready:
 # Stage: configure-stackspin
 #
 # Configure cluster after basic installation
-# i.e. CI-related config like zerossl clusterIssuer
+# i.e. CI-related config like sslcom clusterIssuer
 #
-configure-zerossl-issuer:
+configure-sslcom-issuer:
  stage: configure-stackspin
  needs:
    - job: install-stackspin
    - job: cert-manager-kustomization-ready
  script:
    - *debug_information
-    # Install custom ClusterIssuer for ZeroSSL production certificates
-    - bash ./.gitlab/ci_scripts/install_zerossl_issuer.sh
+    # Install custom ClusterIssuer for SSL.com production certificates
+    - bash ./.gitlab/ci_scripts/install_sslcom_issuer.sh
  extends:
    - .report_artifacts
    - .general_rules
@@ -599,7 +596,7 @@ nextcloud-cert:
  variables:
    RESOURCE: "nextcloud"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -609,7 +606,7 @@ kube-prometheus-stack-cert:
  variables:
    RESOURCE: "kube-prometheus-stack"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -619,7 +616,7 @@ single-sign-on-cert:
  variables:
    RESOURCE: "single-sign-on"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -629,7 +626,7 @@ dashboard-cert:
  variables:
    RESOURCE: "dashboard"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -639,7 +636,7 @@ wekan-cert:
  variables:
    RESOURCE: "wekan"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -649,7 +646,7 @@ wordpress-cert:
  variables:
    RESOURCE: "wordpress"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert
@@ -659,7 +656,7 @@ zulip-cert:
  variables:
    RESOURCE: "zulip"
  needs:
-    - job: configure-zerossl-issuer
+    - job: configure-sslcom-issuer
    - job: install-stackspin
  extends:
    - .apps-cert

--- a/.gitlab/ci_scripts/install_zerossl_issuer.sh
+++ b/.gitlab/ci_scripts/install_zerossl_issuer.sh
 #!/usr/bin/env bash
 #
-# Waits until cert-manager HelmRelease is ready, and then installs a ZeroSSL
+# Waits until cert-manager HelmRelease is ready, and then installs a SSL.com
 # ClusterIssuer with our credentials into the cert-manager namespace
 #
 # Usage:
 #
-#   ./install_zerossl_issuer.sh
+#   ./install_sslcom_issuer.sh
 set -euo pipefail

 # Create secret with HMAC key
-b64tlskey=$(echo -n "${ZEROSSL_TLS_KEY}" | base64 -w0)
+b64secret=$(echo -n "${SSL_COM_EAB_HMAC_KEY}" | base64 -w0)

-# Add ZeroSSL ClusterIssuer
+# Add SSL.com ClusterIssuer
 kubectl apply -n cert-manager -f - <<EOF
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  namespace: cert-manager
-  name: zerossl-prod
+  name: sslcom-eabsecret
 data:
-  tls.key: ${b64tlskey}
+  secret: ${b64secret}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: zerossl-issuer
+  name: sslcom-issuer
 spec:
  acme:
+    # The email address used for signing up with ssl.com
+    email: ${SSL_COM_EMAIL_ADDRESS}
    # The ACME server URL
-    server: https://acme.zerossl.com/v2/DV90
-    disableAccountKeyGeneration: true
-    # Name of the secret used to get the ACME account private key
+    server: https://acme.ssl.com/sslcom-dv-rsa
+    externalAccountBinding:
+      keyID: ${SSL_COM_EAB_KID}
+      keySecretRef:
+        name: sslcom-eabsecret
+        key: secret
+    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
-      name: zerossl-prod
+      name: sslcom-prod
    solvers:
      - http01:
          ingress:

--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,6 @@ ENV TAIKO_BROWSER_PATH=/usr/bin/chromium-browser
 ENV TAIKO_BROWSER_ARGS=--no-sandbox,--start-maximized,--disable-dev-shm-usage,--ignore-certificate-errors

 ADD https://github.com/fluxcd/flux2/releases/download/v0.22.0/flux_0.22.0_linux_amd64.tar.gz /tmp/
-COPY ./test/pytest/le-staging-bundle.pem /usr/local/share/ca-certificates/le-staging-bundle.pem
 COPY ./requirements.txt /requirements.txt
 RUN \
  # Install kubectl from alpine edge until alpine 3.16 is released
@@ -38,7 +37,6 @@ RUN \
    yq=~4.14.1-r0 && \
  rm -rf /var/cache/* && \
  mkdir /var/cache/apk && \
-  update-ca-certificates && \
  pip install --no-cache-dir --ignore-installed six -r /requirements.txt && \
  ln -s /usr/bin/python3 /usr/bin/python && \
  tar -xzf /tmp/flux*.tar.gz && mv ./flux /usr/local/bin && \

--- a/install/overrides/stackspin-cert-manager-override.yaml
+++ b/install/overrides/stackspin-cert-manager-override.yaml
@@ -6,5 +6,5 @@ metadata:
 data:
  values.yaml: |
    ingressShim:
-      defaultIssuerName: zerossl-issuer
+      defaultIssuerName: sslcom-issuer
      defaultIssuerKind: ClusterIssuer
--- a/test/pytest/test_certs.py
+++ b/test/pytest/test_certs.py
@@ -2,11 +2,9 @@
 """Test if application ingress uses a valid certificate."""

 import os
-import shutil
 import socket
 import sys

-import certifi
 import pytest
 import requests
 from OpenSSL import SSL
@@ -19,20 +17,6 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
    Check is executed on the local provisioning machine.
    """

-    def add_custom_cert_authorities(ca_file: str,
-                                    custom_ca_files: list,
-                                    dest_file: str =
-                                    '/tmp/custom_ca_bundle.crt'):
-        """Concatenates existing cert bundle with custom CAs."""
-
-        destination = open(dest_file, 'wb')
-        with open(dest_file, 'wb') as destination, open(ca_file, 'rb') as cert_auth:
-            shutil.copyfileobj(cert_auth, destination)
-            for custom_ca_file in custom_ca_files:
-                with open(custom_ca_file, 'rb') as custom_ca:
-                    shutil.copyfileobj(custom_ca, destination)
-
-
    def fetch_certs(domain: str, port: int = 443):
        """Fetches cert fom given domain."""

@@ -68,9 +52,8 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
            print('CN: {0} (Issuer: {1})'.format(common_name, issuer))


-    def valid_cert(domain: str, ca_file: str = '/tmp/custom_ca_bundle.crt',
-                   app: str = "all"):
-        """Validate cert of given domain against a ca_file bundle."""
+    def valid_cert(domain: str):
+        """Validate cert of given domain."""

        valid = False

@@ -80,17 +63,14 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
        print_cert_info(certs)

        try:
-            requests.get(url, verify=ca_file)
+            requests.get(url)
        except requests.exceptions.SSLError as ex:
            print('SSL Verification Error {}'.format(ex))
-            for cert in certs:
-                issuer = cert.get_issuer().CN
-                if issuer == 'cert-manager.local':
-                    print('Allowing exception for self-signed cert-mananger cert.')
-                    valid = True
+            #for cert in certs:
+            #    issuer = cert.get_issuer().CN
            return valid

-        print('Successfully Verified SSL Cert.\n')
+        print('Successfully Verified SSL Cert. \n')
        return True


@@ -111,7 +91,8 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
    elif resource == 'kube-prometheus-stack':
        apps = ['grafana', 'prometheus']
    else:
-        assert resource in app_subdomains, "Error: Unknown app: {}".format(app)
+        assert resource in app_subdomains, \
+            "Error: Unknown app: {}".format(resource)
        apps = [resource]

    print('\n')
@@ -126,8 +107,5 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
            domain = ansible_vars["domain"]
            print("Using domain %s from ansible inventory." % domain)

-        add_custom_cert_authorities(certifi.where(),
-                                    ['pytest/le-staging-bundle.pem'])
-
        fqdn = app_subdomains[app_name] + '.' + domain
-        assert valid_cert(domain=fqdn, app=resource)
+        assert valid_cert(domain=fqdn)