Skip to content

Merge branch 'devel' #1397

Merge branch 'devel'

Merge branch 'devel' #1397

name: Application Tests - cert-manager
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
certmgr_http01_tests:
name: certmgr_http01_tests
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Install microk8s"
run: |
sudo snap install microk8s --classic
sudo microk8s status --wait-ready
sudo microk8s enable helm3
sudo microk8s enable ingress
- name: "Install dnsmasq"
run: |
sudo mkdir -p data
sudo cp .github/dnsmasq.conf data
sudo cp .github/dnsmasq.yml data
sudo chmod -R 777 data/dnsmasq.conf
sudo chmod -R 777 data/dnsmasq.yml
sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
cat data/dnsmasq.conf
cat data/dnsmasq.yml
docker pull gigantuar/dnsmasq:latest-amd64
docker save gigantuar/dnsmasq -o dnsmasq.tar
sudo microk8s ctr image import dnsmasq.tar
sudo microk8s ctr images ls | grep -i gigantuar
- name: "Deploy dnsmasq pod"
run: |
sudo microk8s.kubectl apply -f data/dnsmasq.yml
- name: "[ WAIT ] Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Check status dnsmasq pod and grab ip"
run: |
sudo microk8s.kubectl get pods -n dnsmasq
sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
- name: "Change and test dns"
run: |
sudo cp .github/k8s-acme-srv.yml data/
sudo chmod 777 data/k8s-acme-srv.yml
sudo sed -i "s/DNSMASQ_IP/${{ env.DNSMASQ_IP }}/g" data/k8s-acme-srv.yml
cat data/k8s-acme-srv.yml
host www.bar.local ${{ env.DNSMASQ_IP }}
- name: "Install cert-manager charts"
run: |
sudo microk8s.kubectl create namespace cert-manager
sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
sudo microk8s.helm3 repo update
sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true --set podDnsPolicy="None",podDnsConfig.nameservers={${{ env.DNSMASQ_IP }}}
echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
- run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
- name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
run: |
cat examples/Docker/$WEB_SRV/$DB_HANDLER/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
docker save grindsa/acme2certifier > a2c.tar
sudo microk8s ctr image import a2c.tar
sudo microk8s ctr images ls | grep -i grindsa
env:
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
- name: "Create a2c configuration"
run: |
sudo mkdir -p data
sudo cp .github/acme2certifier.pem data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem data/acme2certifier_key.pem
sudo cp .github/django_settings.py data/settings.py
sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
sudo mkdir -p data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
- name: "Deploy a2c pod"
run: |
sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
sudo microk8s.kubectl get pods -n cert-manager-acme
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Check status a2c pod and grab ip of a2c pod"
run: |
sudo microk8s.kubectl get pods -n cert-manager-acme
sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- run: echo "a2c pod IP is ${{ env.ACME_IP }}"
- name: "Deploy cert-manager and trigger enrollment"
run: |
sudo cp .github/k8s-cert-mgr-http-01.yml data
sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
sudo sed -i "s/k8.acme.dynamop.de/k8.${{ matrix.websrv }}-${{ matrix.dbhandler }}.acme.dynamop.de/g" data/k8s-cert-mgr-http-01.yml
sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
- name: "Sleep for 20s"
uses: juliangruber/[email protected]
with:
time: 20s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe ClusterIssuer acme2certifier
sudo microk8s.kubectl describe challenge
- name: "Sleep for 20s"
uses: juliangruber/[email protected]
with:
time: 20s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe ClusterIssuer acme2certifier
sudo microk8s.kubectl describe challenge
- name: "[ WAIT ] Sleep for 20s"
uses: juliangruber/[email protected]
with:
time: 20s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe ClusterIssuer acme2certifier
sudo microk8s.kubectl describe challenge
sudo microk8s.kubectl describe certificate
sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: cert-certmgr_http01-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
certmgr_dns01_tests:
name: certmgr_dns01_tests
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "[ PREPARE ] change dns"
run: |
sudo mkdir -p data
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo chmod -R 777 /etc/resolv.conf
sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
sudo cat /etc/resolv.conf
sudo cp .github/k8s-acme-srv.yml data/
sudo chmod 777 data/k8s-acme-srv.yml
sudo sed -i "s/DNSMASQ_IP/8.8.8.8/g" data/k8s-acme-srv.yml
cat data/k8s-acme-srv.yml
- name: "[ PREPARE ] install microk8s"
run: |
sudo snap install microk8s --classic
sudo microk8s status --wait-ready
sudo microk8s enable helm3
- name: "[ PREPARE ] install cert-manager charts"
run: |
sudo microk8s.kubectl create namespace cert-manager
sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
sudo microk8s.helm3 repo update
sudo microk8s.helm3 install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--set installCRDs=true
echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
- run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
- name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
run: |
cat examples/Docker/$WEB_SRV/$DB_HANDLER/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
docker save grindsa/acme2certifier > a2c.tar
sudo microk8s ctr image import a2c.tar
sudo microk8s ctr images ls | grep -i grindsa
env:
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
- name: "Create a2c configuration"
run: |
sudo mkdir -p data
sudo cp .github/acme2certifier.pem data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem data/acme2certifier_key.pem
sudo cp .github/django_settings.py data/settings.py
sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
sudo mkdir -p data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
- name: "Deploy a2c pod"
run: |
sudo microk8s.kubectl apply -f data/k8s-acme-srv.yml
sudo microk8s.kubectl get pods -n cert-manager-acme
- name: "[ WAIT ] Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Check status a2c pod and grab ip of a2c pod"
run: |
sudo microk8s.kubectl get pods -n cert-manager-acme
sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- run: echo "a2c pod IP is ${{ env.ACME_IP }}"
- name: "Deploy cert-manager"
run: |
sudo cp .github/k8s-cert-mgr-dns-01.yml data
sudo chmod -R 777 data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/CF_TOKEN/${{ secrets.CF_TOKEN }}/g" data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/MY_EMAIL/${{ secrets.EMAIL }}/g" data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/k8.acme.dynamop.de/k8.${{ matrix.websrv }}-${{ matrix.dbhandler }}.acme.dynamop.de/g" data/k8s-cert-mgr-dns-01.yml
- name: "Deploy cert-manager and trigger enrollment"
run: |
sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
- name: "Sleep for 20s"
uses: juliangruber/[email protected]
with:
time: 20s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "Sleep for 30s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "Sleep for 60s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "Sleep for 60s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check challenge and certificate"
run: |
sudo microk8s.kubectl describe challenge -n cert-manager-acme
sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
- name: "Reconfigure YAML to wildcard domain"
run: |
sudo microk8s.kubectl delete -f data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/commonName: k8.acme.dynamop.de/commonName: '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
sudo sed -i "s/- k8.${{ matrix.websrv }}-${{ matrix.dbhandler }}.acme.dynamop.de/- k8.${{ matrix.websrv }}-${{ matrix.dbhandler }}.acme.dynamop.de\n - '*.${{ matrix.websrv }}-${{ matrix.dbhandler }}.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
- name: "Deploy cert-manager and trigger enrollment"
run: |
sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
- name: "Sleep for 20s"
uses: juliangruber/[email protected]
with:
time: 20s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "[ WAIT ] Sleep for 30s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "Sleep for 60s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check issuer and challenge"
run: |
sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
sudo microk8s.kubectl describe challenge -n cert-manager-acme
- name: "Sleep for 60s"
uses: juliangruber/[email protected]
with:
time: 60s
- name: "Check challenge and certificate"
run: |
sudo microk8s.kubectl describe challenge -n cert-manager-acme
sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: certmgr_dns01-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/