From d827f763a21269ac9cec96caa3b17171d9677ce5 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Tue, 14 Dec 2021 12:53:27 +0000
Subject: [PATCH] temporarily disable zerossl override

---
 .gitlab-ci.yml            |  7 +++++--
 Dockerfile                |  2 ++
 test/pytest/test_certs.py | 40 ++++++++++++++++++++++++++++++---------
 3 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c19bfec4b..caaab8360 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -358,13 +358,16 @@ install-stackspin:
     - sed -i "s/1.2.3.4/$IP_ADDRESS/" ${CLUSTER_DIR}/.flux.env
     - sed -i "s/example.org/$FQDN/"  ${CLUSTER_DIR}/.flux.env
     - sed -i "/^\s*#.*$/d; /^\s*$/d" ${CLUSTER_DIR}/.flux.env
+    # Use LE Staging in CI
+    - sed -i "s/acme-v02.api.letsencrypt.org/acme-staging-v02.api.letsencrypt.org/" ${CLUSTER_DIR}/.flux.env
     # Deploy secret/stackspin-cluster-variables
     - cp install/kustomization.yaml ${CLUSTER_DIR}
     - kubectl create namespace flux-system
     - kubectl apply -k ${CLUSTER_DIR}
+    # NOTE: Temporarily disabled because ZeroSSL is unstable
     # Add an override so cert-manager uses the ZeroSSL ClusterIssuer
-    - kubectl create namespace cert-manager
-    - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
+    # - kubectl create namespace cert-manager
+    # - kubectl apply -n cert-manager -f ./install/overrides/stackspin-cert-manager-override.yaml
     # Install flux and general, non-app specific secrets
     - bash ./install/install-stackspin.sh
   extends:
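Review bot: The comment `# Use LE Staging in CI` on the new sed line does not say why staging is chosen or what it implies: staging certificates chain to a root that browsers and default trust stores reject, which is why this same commit adds the staging bundle to the CI image and to test_certs.py. Suggest expanding it to `# Use LE Staging in CI: staging certs chain to an untrusted root, so the CI image and test_certs.py add the staging bundle explicitly`. The unescaped dots in the sed pattern match any character, which is harmless here but worth escaping if the pattern is ever reused. The ZeroSSL override steps are left commented out rather than removed; a reference to whatever tracks the instability next to the NOTE would make it easier to know when to re-enable them.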
diff --git a/Dockerfile b/Dockerfile
index 621733b18..7288c2fc7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ ENV TAIKO_BROWSER_PATH=/usr/bin/chromium-browser
 ENV TAIKO_BROWSER_ARGS=--no-sandbox,--start-maximized,--disable-dev-shm-usage,--ignore-certificate-errors
 
 ADD https://github.com/fluxcd/flux2/releases/download/v0.22.0/flux_0.22.0_linux_amd64.tar.gz /tmp/
+COPY ./test/pytest/le-staging-bundle.pem /usr/local/share/ca-certificates/le-staging-bundle.pem
 COPY ./requirements.txt /requirements.txt
 RUN \
   # Install kubectl from alpine edge until alpine 3.16 is released
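Review bot: The COPY on the new line places the Let's Encrypt staging root into the image's system trust store, and the `update-ca-certificates` added in the next hunk (lines 47–54) then makes every TLS client in the image trust certificates issued by that staging CA, not only the test that needs it; that is acceptable for a throwaway CI image but should be stated next to the COPY, e.g. `# Trust the LE staging root image-wide: CI installs against the staging ACME endpoint (CI image only, never a production image)`. The copied file test/pytest/le-staging-bundle.pem is not part of this patch's diffstat, so the build presumably relies on it already being in the repository; if it is not, the COPY fails. Note also that requests ships its own certifi bundle and does not consult the system store, which is why test_certs.py builds a separate bundle rather than relying on this COPY.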
@@ -37,6 +38,7 @@ RUN \
     yq=~4.14.1-r0 && \
   rm -rf /var/cache/* && \
   mkdir /var/cache/apk && \
+  update-ca-certificates && \
   pip install --no-cache-dir --ignore-installed six -r /requirements.txt && \
   ln -s /usr/bin/python3 /usr/bin/python && \
   tar -xzf /tmp/flux*.tar.gz && mv ./flux /usr/local/bin && \
diff --git a/test/pytest/test_certs.py b/test/pytest/test_certs.py
index 9cfb26f7e..5d1e2963d 100755
--- a/test/pytest/test_certs.py
+++ b/test/pytest/test_certs.py
@@ -2,9 +2,11 @@
 """Test if application ingress uses a valid certificate."""
 
 import os
+import shutil
 import socket
 import sys
 
+import certifi
 import pytest
 import requests
 from OpenSSL import SSL
@@ -17,6 +19,20 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
     Check is executed on the local provisioning machine.
     """
 
+    def add_custom_cert_authorities(ca_file: str,
+                                    custom_ca_files: list,
+                                    dest_file: str =
+                                    '/tmp/custom_ca_bundle.crt'):
+        """Concatenates existing cert bundle with custom CAs."""
+
+        destination = open(dest_file, 'wb')
+        with open(dest_file, 'wb') as destination, open(ca_file, 'rb') as cert_auth:
+            shutil.copyfileobj(cert_auth, destination)
+            for custom_ca_file in custom_ca_files:
+                with open(custom_ca_file, 'rb') as custom_ca:
+                    shutil.copyfileobj(custom_ca, destination)
+
+
     def fetch_certs(domain: str, port: int = 443):
         """Fetches cert fom given domain."""
 
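Review bot: `destination = open(dest_file, 'wb')` on the line before the `with` statement opens and truncates the bundle and then leaks that handle, because the `with` on the next line rebinds `destination`; delete the stray line. The default `dest_file='/tmp/custom_ca_bundle.crt'` is a fixed, predictable path in a shared directory that is opened with truncation and later handed to `requests.get(..., verify=...)`, so any other local user able to write to /tmp could pre-place a symlink or alter the bundle between write and use; writing it via `tempfile.NamedTemporaryFile(delete=False, suffix='.crt')` (or under the test directory) and returning the resulting path from the helper would remove both the predictable location and the implicit coupling with `valid_cert`'s matching default. The docstring should also say that the merged bundle is written to `dest_file` and that nothing is returned.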
@@ -52,8 +68,9 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
             print('CN: {0} (Issuer: {1})'.format(common_name, issuer))
 
 
-    def valid_cert(domain: str):
-        """Validate cert of given domain."""
+    def valid_cert(domain: str, ca_file: str = '/tmp/custom_ca_bundle.crt',
+                   app: str = "all"):
+        """Validate cert of given domain against a ca_file bundle."""
 
         valid = False
 
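Review bot: The new `app` parameter on `valid_cert` is not referenced anywhere in this hunk, and the only caller at the end of the file passes `app=resource`; if the body below (outside the hunk) does not use it either, it is dead and should be dropped together with the keyword argument, otherwise the docstring should say what it selects. The docstring `"""Validate cert of given domain against a ca_file bundle."""` should also mention that `ca_file` defaults to the bundle written by `add_custom_cert_authorities`, since the two defaults must stay in sync. valid_cert's body continues past this hunk.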
@@ -63,14 +80,17 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
         print_cert_info(certs)
 
         try:
-            requests.get(url)
+            requests.get(url, verify=ca_file)
         except requests.exceptions.SSLError as ex:
             print('SSL Verification Error {}'.format(ex))
-            #for cert in certs:
-            #    issuer = cert.get_issuer().CN
+            for cert in certs:
+                issuer = cert.get_issuer().CN
+                if issuer == 'cert-manager.local':
+                    print('Allowing exception for self-signed cert-mananger cert.')
+                    valid = True
             return valid
 
-        print('Successfully Verified SSL Cert. \n')
+        print('Successfully Verified SSL Cert.\n')
         return True
 
 
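Review bot: The new loop in the SSLError handler turns a verification failure into a pass whenever any certificate in the chain carries the issuer CN string `cert-manager.local`, a value any self-signed certificate can present, so the test no longer detects the case where cert-manager is still serving its temporary self-signed certificate instead of an ACME-issued one. If that relaxation is intended for CI it should be visible as a skip rather than a pass, e.g. `pytest.skip('cert-manager self-signed placeholder cert; ACME issuance not checked')` in place of `valid = True`, and documented with a comment such as `# Deliberate: accept cert-manager's self-signed placeholder so CI does not fail while issuance is pending`. The print on that branch has a typo: `cert-mananger` should be `cert-manager`. `certs` is bound on lines outside this hunk.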
@@ -91,8 +111,7 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
     elif resource == 'kube-prometheus-stack':
         apps = ['grafana', 'prometheus']
     else:
-        assert resource in app_subdomains, \
-            "Error: Unknown app: {}".format(resource)
+        assert resource in app_subdomains, "Error: Unknown app: {}".format(app)
         apps = [resource]
 
     print('\n')
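Review bot: The assertion message on the changed line formats `app`, but the assertion is about `resource`, and no `app` binding is visible in the enclosing function at this point (the loop variable later in the file is `app_name`); if `app` is not defined here, a failing assertion raises NameError instead of AssertionError with the intended message. Restore `assert resource in app_subdomains, "Error: Unknown app: {}".format(resource)`. The enclosing test_cert_validation function starts and ends outside this hunk.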
@@ -107,5 +126,8 @@ def test_cert_validation(host, resource): # pylint: disable=too-many-statements
             domain = ansible_vars["domain"]
             print("Using domain %s from ansible inventory." % domain)
 
+        add_custom_cert_authorities(certifi.where(),
+                                    ['pytest/le-staging-bundle.pem'])
+
         fqdn = app_subdomains[app_name] + '.' + domain
-        assert valid_cert(domain=fqdn)
+        assert valid_cert(domain=fqdn, app=resource)
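Review bot: `add_custom_cert_authorities(certifi.where(), ['pytest/le-staging-bundle.pem'])` appears to sit inside the per-app loop (it is at the indentation of the `fqdn = ...` line), so the bundle is rewritten for every app; hoist the call to run once before the loop. The bundle path is relative to the current working directory, so the test only works when pytest is started from the `test` directory; resolving it relative to the module with `os.path.join(os.path.dirname(__file__), 'le-staging-bundle.pem')` (os is already imported) makes it independent of the invocation directory. If the staging bundle is absent the helper raises FileNotFoundError from inside the loop, which surfaces as an error rather than a clear failure; a one-line existence check with a message would make the cause obvious. The loop and the enclosing function start outside this hunk.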
-- 
GitLab