diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9333eed02626b3c3de1e7ddea90c1875694d4d5c..65fd9a93d8bb8ed64d7d293601727f7be17167ec 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -189,6 +189,7 @@ stages: - build - create-vps - setup-cluster + - configure-cluster - kustomization - install-apps - apps-kustomizations-ready @@ -351,15 +352,33 @@ setup-stackspin: - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml # Install flux and general, non-app specific secrets - bash ./install/install-stackspin.sh + extends: + - .ssh_setup + - .report_artifacts + - .general_rules + interruptible: true + + +# Stage: configure-cluster +# ==================== +# +# Configure cluster after basic installation +# i.e. CI-related config like zerossl clusterIssuer + +configure-stackspin: + stage: configure-cluster + script: + - *debug_information # Install custom ClusterIssuer for ZeroSSL production certificates - bash ./.gitlab/ci_scripts/install_zerossl_issuer.sh extends: - - .ssh_setup - .report_artifacts - .general_rules interruptible: true + + # Stage: kustomization # ==================== # @@ -367,7 +386,7 @@ setup-stackspin: .kustomization-ready: stage: kustomization needs: - - job: setup-stackspin + - job: configure-stackspin - job: test-dns script: - *debug_information @@ -502,7 +521,7 @@ enable-zulip: monitoring-kustomization-ready: needs: - - job: setup-stackspin + - job: configure-stackspin - job: enable-monitoring variables: RESOURCE: "monitoring" @@ -512,7 +531,7 @@ monitoring-kustomization-ready: nextcloud-kustomization-ready: needs: - - job: setup-stackspin + - job: configure-stackspin - job: enable-nextcloud variables: RESOURCE: "nextcloud" @@ -522,7 +541,7 @@ nextcloud-kustomization-ready: wekan-kustomization-ready: needs: - - job: setup-stackspin + - job: configure-stackspin - job: enable-wekan variables: RESOURCE: "wekan" 
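Review bot: `configure-stackspin` is introduced without a `needs:` entry while all of its consumers (`.kustomization-ready` and the `*-kustomization-ready`, `*-cert` and `*-taiko` jobs in the following hunks) were switched from `setup-stackspin` to `configure-stackspin`; since a GitLab job with `needs:` downloads artifacts only from the jobs it lists, any consumer that read an artifact produced by `setup-stackspin` (a kubeconfig, for instance, if `.report_artifacts` publishes one) now receives only what `configure-stackspin` uploads, which is worth confirming before merge. `configure-stackspin` itself, lacking `needs:`, still runs after the whole `setup-cluster` stage and receives all earlier artifacts, so its own ordering is preserved by the new stage. The job also drops `.ssh_setup`, which looks intentional because install_zerossl_issuer.sh only calls kubectl and flux, but a comment such as `# .ssh_setup not needed: the script only talks to the cluster via kubectl/flux` would record that; whether the kubeconfig reaches the job through the remaining extends or CI variables is not visible here. The `# ====================` underline is shorter than the new `# Stage: configure-cluster` title, unlike the `# Stage: kustomization` header it mirrors.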
@@ -532,7 +551,7 @@ wekan-kustomization-ready: wordpress-kustomization-ready: needs: - - job: setup-stackspin + - job: configure-stackspin - job: enable-wordpress variables: RESOURCE: "wordpress" @@ -542,7 +561,7 @@ wordpress-kustomization-ready: zulip-kustomization-ready: needs: - - job: setup-stackspin + - job: configure-stackspin - job: enable-zulip variables: RESOURCE: "zulip" @@ -570,7 +589,7 @@ nextcloud-cert: RESOURCE: "nextcloud" needs: - job: enable-nextcloud - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .nextcloud_rules @@ -580,7 +599,7 @@ kube-prometheus-stack-cert: RESOURCE: "kube-prometheus-stack" needs: - job: enable-monitoring - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .kube_prometheus_stack_rules @@ -590,7 +609,7 @@ single-sign-on-cert: RESOURCE: "single-sign-on" needs: - job: single-sign-on-kustomization-ready - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .general_rules @@ -600,7 +619,7 @@ dashboard-cert: RESOURCE: "dashboard" needs: - job: dashboard-kustomization-ready - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .general_rules @@ -610,7 +629,7 @@ wekan-cert: RESOURCE: "wekan" needs: - job: enable-wekan - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .wekan_rules @@ -620,7 +639,7 @@ wordpress-cert: RESOURCE: "wordpress" needs: - job: enable-wordpress - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .wordpress_rules @@ -630,7 +649,7 @@ zulip-cert: RESOURCE: "zulip" needs: - job: enable-zulip - - job: setup-stackspin + - job: configure-stackspin extends: - .apps-cert - .zulip_rules @@ -695,7 +714,8 @@ dashboard-taiko: variables: RESOURCE: "dashboard" needs: - - job: setup-stackspin + - job: configure-stackspin + - job: dashboard-cert - job: dashboard-kustomization-ready extends: - .taiko 
@@ -705,8 +725,8 @@ grafana-taiko: variables: RESOURCE: "grafana" needs: + - job: configure-stackspin - job: kube-prometheus-stack-cert - - job: setup-stackspin - job: monitoring-kustomization-ready extends: - .taiko @@ -716,8 +736,8 @@ nextcloud-taiko: variables: RESOURCE: "nextcloud" needs: + - job: configure-stackspin - job: nextcloud-cert - - job: setup-stackspin - job: nextcloud-kustomization-ready extends: - .taiko @@ -727,8 +747,8 @@ wekan-taiko: variables: RESOURCE: "wekan" needs: + - job: configure-stackspin - job: wekan-cert - - job: setup-stackspin - job: wekan-kustomization-ready extends: - .taiko @@ -738,8 +758,8 @@ wordpress-taiko: variables: RESOURCE: "wordpress" needs: + - job: configure-stackspin - job: wordpress-cert - - job: setup-stackspin - job: wordpress-kustomization-ready extends: - .taiko @@ -749,8 +769,8 @@ zulip-taiko: variables: RESOURCE: "zulip" needs: + - job: configure-stackspin - job: zulip-cert - - job: setup-stackspin - job: zulip-kustomization-ready extends: - .taiko diff --git a/.gitlab/ci_scripts/install_zerossl_issuer.sh b/.gitlab/ci_scripts/install_zerossl_issuer.sh index 855cc440a1420cda803c030f9b03d9bd077f9d0f..d6f41df3a48e28de5f7ac9a39ce25e318ac53393 100755 --- a/.gitlab/ci_scripts/install_zerossl_issuer.sh +++ b/.gitlab/ci_scripts/install_zerossl_issuer.sh 
@@ -9,14 +9,22 @@ set -euo pipefail # Create secret with HMAC key -kubectl -n cert-manager create secret generic zerossl-eabsecret --from-literal "secret=${ZEROSSL_EAB_HMAC_KEY}" +b64tlskey=$(echo -n "${ZEROSSL_TLS_KEY}" | base64 -w0) # Wait until cert-manager is ready -"$(dirname "$0")/retry_cmd_until_success.sh" 30 10 "flux get helmrelease -n cert-manager --status-selector ready=true --no-header | grep cert-manager" +"$(dirname "$0")/retry_cmd_until_success.sh" 30 10 "flux get kustomization --status-selector ready=true --no-header | grep '^cert-manager'" # Add ZeroSSL ClusterIssuer kubectl apply -n cert-manager -f - <<EOF --- +apiVersion: v1 +kind: Secret +metadata: + namespace: cert-manager + name: zerossl-prod +data: + tls.key: ${b64tlskey} +--- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: @@ -25,13 +33,8 @@ spec: acme: # The ACME server URL server: https://acme.zerossl.com/v2/DV90 - externalAccountBinding: - keyID: ${ZEROSSL_EAB_KID} - keySecretRef: - name: zerossl-eabsecret - key: secret - keyAlgorithm: HS256 - # Name of a secret used to store the ACME account private key + disableAccountKeyGeneration: true + # Name of the secret used to get the ACME account private key privateKeySecretRef: name: zerossl-prod solvers:
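Review bot: `b64tlskey=$(echo -n "${ZEROSSL_TLS_KEY}" | base64 -w0)` only fails on an unset variable (through `set -u`); an empty value yields an empty `tls.key:` and the apply creates a `zerossl-prod` Secret without an account key, which the ClusterIssuer in the same manifest then cannot use. A guard such as `: "${ZEROSSL_TLS_KEY:?ZEROSSL_TLS_KEY must contain the ACME account private key}"` placed before the assignment fails early with a clear message instead of a half-configured issuer. `base64 -w0` is GNU-coreutils-specific, presumably fine for the CI image but worth a comment since busybox and BSD base64 reject the flag, and `printf '%s'` is the safer spelling of `echo -n` should the script ever run under a non-bash sh. The readiness check `grep '^cert-manager'` is a prefix match that a differently named kustomization starting with cert-manager would also satisfy; `grep -E '^cert-manager[[:space:]]'` pins the exact name.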
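Review bot: Dropping `externalAccountBinding` and setting `disableAccountKeyGeneration: true` makes the issuer depend on the key in `zerossl-prod` already being registered as an ACME account at ZeroSSL, because that endpoint requires EAB for new registrations and cert-manager will no longer create or register an account; a key rotated in the CI variables but not registered out-of-band therefore fails at issuer readiness rather than at certificate issuance, which is harder to diagnose from the pipeline. That constraint deserves to be recorded where the EAB block used to be, replacing the new `# Name of the secret used to get the ACME account private key` line with `# Account key is pre-registered with ZeroSSL (EAB done out-of-band); cert-manager must not generate a new one`. The enclosing `spec:` mapping begins outside this hunk.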