From ae4b97802220635e0ef7025305f5f70c3f318cd6 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Mon, 29 Nov 2021 11:57:21 +0100
Subject: [PATCH] add ZeroSSL clusterIssuer and use it

---
 .gitlab-ci.yml                                |  4 ++
 .gitlab/ci_scripts/install_zerossl_issuer.sh  | 41 +++++++++++++++++++
 .../stackspin-cert-manager-override.yaml      | 10 +++++
 3 files changed, 55 insertions(+)
 create mode 100755 .gitlab/ci_scripts/install_zerossl_issuer.sh
 create mode 100644 install/overrides/stackspin-cert-manager-override.yaml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index eb826cf09..e4ee478fd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -330,8 +330,12 @@ setup-stackspin:
     - cp install/kustomization.yaml ${CLUSTER_DIR}
     - kubectl create namespace flux-system
     - kubectl apply -k ${CLUSTER_DIR}
+    # Add an override so cert-manager uses the ZeroSSL ClusterIssuer
+    - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
     # Install flux and general, non-app specific secrets
     - bash ./install/install-stackspin.sh
+    # Install custom ClusterIssuer for ZeroSSL production certificates
+    - bash ./.gitlab/ci_scripts/install_zerossl_issuer.sh
   extends:
     - .ssh_setup
     - .report_artifacts
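Review bot: The new `kubectl apply -n cert-manager -f ./install/overrides/...` step assumes the `cert-manager` namespace already exists at that point, but the only namespace this job visibly creates is `flux-system`, two lines earlier; if `kubectl apply -k ${CLUSTER_DIR}` does not create it, the step fails with a NotFound error before cert-manager is installed. Either create it explicitly, `- kubectl create namespace cert-manager --dry-run=client -o yaml | kubectl apply -f -`, or move the override apply after `install-stackspin.sh`. The same assumption is made by the `kubectl -n cert-manager create secret` line in the new `.gitlab/ci_scripts/install_zerossl_issuer.sh`. The `setup-stackspin` job this hunk belongs to starts outside the hunk.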
diff --git a/.gitlab/ci_scripts/install_zerossl_issuer.sh b/.gitlab/ci_scripts/install_zerossl_issuer.sh
new file mode 100755
index 000000000..09160ea2d
--- /dev/null
+++ b/.gitlab/ci_scripts/install_zerossl_issuer.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+#
+# Waits until ClusterIssuer crd exists, and then installs a ZeroSSL
+# ClusterIssuer with our credentials into the cert-manager namespace
+#
+# Usage:
+#
+#   ./install_zerossl_issuer.sh
+set -euo pipefail
+
+# Create secret with HMAC key
+kubectl -n cert-manager create secret generic zerossl-eabsecret --from-literal "secret=${ZEROSSL_EAB_HMAC_KEY}"
+
+# Wait until ClusterIssuer CRD exists
+"$(dirname "$0")/retry_cmd_until_success.sh" 30 10 kubectl get crd clusterissuers.cert-manager.io
+
+# Add ZeroSSL ClusterIssuer
+kubectl apply -n cert-manager -f - <<EOF
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: zerossl-issuer
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme.zerossl.com/v2/DV90
+    externalAccountBinding:
+      keyID: ${ZEROSSL_EAB_KID}
+      keySecretRef:
+        name: zerossl-eabsecret
+        key: secret
+      keyAlgorithm: HS256
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: zerossl-prod
+    solvers:
+      - http01:
+        ingress:
+          class: nginx
+EOF
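Review bot: In the heredoc ClusterIssuer, `ingress:` is indented to the same column as `http01:`, so YAML parses it as a sibling key of the solver (with `http01` left null) rather than as `http01.ingress`, and the intended `class: nginx` never reaches the http01 solver; indent those two lines further, `          ingress:` / `            class: nginx`. `kubectl -n cert-manager create secret generic zerossl-eabsecret ...` is also not idempotent and will fail with AlreadyExists on a rerun of the job; `kubectl -n cert-manager create secret generic zerossl-eabsecret --from-literal "secret=${ZEROSSL_EAB_HMAC_KEY}" --dry-run=client -o yaml | kubectl apply -f -` keeps the script re-runnable. The templated `keyID: ${ZEROSSL_EAB_KID}` should be quoted, `keyID: "${ZEROSSL_EAB_KID}"`, so an all-digit or special-character key ID is not retyped by the YAML parser.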
diff --git a/install/overrides/stackspin-cert-manager-override.yaml b/install/overrides/stackspin-cert-manager-override.yaml
new file mode 100644
index 000000000..b9b845f0e
--- /dev/null
+++ b/install/overrides/stackspin-cert-manager-override.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-cert-manager-values
+data:
+  values.yaml: |
+    ingressShim:
+      defaultIssuerName: zerossl-issuer
+      defaultIssuerKind: ClusterIssuer
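Review bot: The ConfigMap carries no `metadata.namespace`, so it only lands in `cert-manager` because the CI step passes `-n cert-manager` at apply time; applying the file by hand without that flag silently puts it in the caller's current namespace where it has no effect. Adding `  namespace: cert-manager` under `metadata` makes the file self-describing and matches how the issuer it references is installed. A one-line comment above `values.yaml:` explaining that these values are merged into the cert-manager Helm release would also help readers, e.g. `# Helm values override: make zerossl-issuer the default for ingress-shim`.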
-- 
GitLab