Merge branch '1043-use-production-certs-in-ci' into 'main'

Resolve "Use production certs in CI" Closes #1043 See merge request stackspin/stackspin!640

Merge branch '1043-use-production-certs-in-ci' into 'main'
Resolve "Use production certs in CI" Closes #1043 See merge request stackspin/stackspin!640
2d562b8b · Varac · f555d1cb · decb1266 · 2d562b8b · 2d562b8b
Commit 2d562b8b authored 3 years ago by Varac
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -330,8 +330,13 @@ setup-stackspin:
    - cp install/kustomization.yaml ${CLUSTER_DIR}
    - kubectl create namespace flux-system
    - kubectl apply -k ${CLUSTER_DIR}
+    # Add an override so cert-manager uses the ZeroSSL ClusterIssuer
+    - kubectl create namespace cert-manager
+    - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
    # Install flux and general, non-app specific secrets
    - bash ./install/install-stackspin.sh
+    # Install custom ClusterIssuer for ZeroSSL production certificates
+    - bash ./.gitlab/ci_scripts/install_zerossl_issuer.sh
  extends:
    - .ssh_setup
    - .report_artifacts

--- a/.gitlab/ci_scripts/install_zerossl_issuer.sh
+++ b/.gitlab/ci_scripts/install_zerossl_issuer.sh
+#!/usr/bin/env bash
+#
+# Waits until cert-manager HelmRelease is ready, and then installs a ZeroSSL
+# ClusterIssuer with our credentials into the cert-manager namespace
+#
+# Usage:
+#
+#   ./install_zerossl_issuer.sh
+set -euo pipefail
+# Create secret with HMAC key
+kubectl -n cert-manager create secret generic zerossl-eabsecret --from-literal "secret=${ZEROSSL_EAB_HMAC_KEY}"
+# Wait until cert-manager is ready
+"$(dirname "$0")/retry_cmd_until_success.sh" 30 10 "flux get helmrelease -n cert-manager --status-selector ready=true --no-header | grep cert-manager"
+# Add ZeroSSL ClusterIssuer
+kubectl apply -n cert-manager -f - <<EOF
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: zerossl-issuer
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme.zerossl.com/v2/DV90
+    externalAccountBinding:
+      keyID: ${ZEROSSL_EAB_KID}
+      keySecretRef:
+        name: zerossl-eabsecret
+        key: secret
+      keyAlgorithm: HS256
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: zerossl-prod
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+EOF
--- a/install/overrides/stackspin-cert-manager-override.yaml
+++ b/install/overrides/stackspin-cert-manager-override.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-cert-manager-values
+data:
+  values.yaml: |
+    ingressShim:
+      defaultIssuerName: zerossl-issuer
+      defaultIssuerKind: ClusterIssuer