Parameterise ClusterIssuer for Dex, Gangway, HTTPBin

ci/aks/aks-cluster.lokocfg.envsubst

@@ -115,4 +115,6 @@ component "external-dns" {
 
 component "httpbin" {
   ingress_host = "httpbin.${var.cluster_name}.${var.aws_dns_zone}"
+
+  certmanager_cluster_issuer = "letsencrypt-staging"
 }

ci/aws/aws-cluster.lokocfg.envsubst

@@ -76,6 +76,8 @@ component "dex" {
 
   issuer_host = "$ISSUER_HOST"
 
+  certmanager_cluster_issuer = "letsencrypt-staging"
+
   connector "github" {
     id   = "github"
     name = "GitHub"
@@ -110,6 +112,8 @@ component "gangway" {
 
   ingress_host = "$GANGWAY_INGRESS_HOST"
 
+  certmanager_cluster_issuer = "letsencrypt-staging"
+
   session_key = "$GANGWAY_SESSION_KEY"
 
   api_server_url = "$API_SERVER_URL"
@@ -132,4 +136,6 @@ component "flatcar-linux-update-operator" {}
 
 component "httpbin" {
   ingress_host = "httpbin.$CLUSTER_ID.$AWS_DNS_ZONE"
+
+  certmanager_cluster_issuer = "letsencrypt-staging"
 }

ci/packet/packet-cluster.lokocfg.envsubst

@@ -83,6 +83,8 @@ component "dex" {
 
   issuer_host = "$ISSUER_HOST"
 
+  certmanager_cluster_issuer = "letsencrypt-staging"
+
   connector "github" {
     id = "github"
     name = "GitHub"
@@ -117,6 +119,8 @@ component "gangway" {
 
   ingress_host = "$GANGWAY_INGRESS_HOST"
 
+  certmanager_cluster_issuer = "letsencrypt-staging"
+
   session_key = "$GANGWAY_SESSION_KEY"
 
   api_server_url = "$API_SERVER_URL"
@@ -155,4 +159,6 @@ component "cluster-autoscaler" {
 
 component "httpbin" {
   ingress_host = "httpbin.$CLUSTER_ID.$AWS_DNS_ZONE"
+
+  certmanager_cluster_issuer = "letsencrypt-staging"
 }

docs/configuration-reference/components/dex.md

@@ -157,6 +157,7 @@ Example:
 |-----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------:|:--------:|
 | `ingress_host`                          | Used as the `hosts` domain in the ingress resource for dex that is automatically created.                                                                                   | -       | true     |
 | `issuer_host`                           | Dex's issuer URL.                                                                                                                                                           | -       | true     |
+| `certmanager_cluster_issuer`             | `ClusterIssuer` to be used by cert-manager while issuing TLS certificates. Supported values: `letsencrypt-production`, `letsencrypt-staging`.                 | `letsencrypt-production` | false |
 | `connector`                             | Dex implements connectors that target OpenID Connect and specific platforms such as GitHub, Google etc. Currently only GitHub and OIDC (Google) are supported from lokoctl. | -       | true     |
 | `connector.id`                          | ID of the connector.                                                                                                                                                        | -       | true     |
 | `connector.name`                        | Name of the connector.                                                                                                                                                      | -       | true     |

docs/configuration-reference/components/gangway.md

@@ -80,6 +80,7 @@ Example:
 |------------------|-----------------------------------------------------------------------------------------------|:-------:|:--------:|
 | `cluster_name`   | The name of the cluster.                                                                      | -       | true     |
 | `ingress_host`   | Used as the `hosts` domain in the ingress resource for gangway that is automatically created. | -       | true     |
+| `certmanager_cluster_issuer` | `ClusterIssuer` to be used by cert-manager while issuing TLS certificates. Supported values: `letsencrypt-production`, `letsencrypt-staging`. | `letsencrypt-production` | false |
 | `sesion_key`     | Gangway session key.                                                                          | -       | true     |
 | `api_server_url` | URL of Kubernetes API server.                                                                 | -       | true     |
 | `authorize_url`  | Auth endpoint of Dex.                                                                         | -       | true     |

docs/configuration-reference/components/httpbin.md

@@ -37,6 +37,7 @@ Example:
 | Argument           | Description                                                                                     Default      | Required |
 |--------------------|-----------------------------------------------------------------------------------------------|:------------:|:--------:|
 | `ingress_host`     | Used as the `hosts` domain in the ingress resource for httpbin that is automatically created. | -            | true     |
+| `certmanager_cluster_issuer` | `ClusterIssuer` to be used by cert-manager while issuing TLS certificates. Supported values: `letsencrypt-production`, `letsencrypt-staging`. | `letsencrypt-production` | false |
 
 ## Applying
 

pkg/components/dex/component.go

@@ -185,7 +185,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: contour
     kubernetes.io/tls-acme: "true"
-    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    cert-manager.io/cluster-issuer: {{ .CertManagerClusterIssuer }}
 spec:
   tls:
     - hosts:
@@ -245,19 +245,22 @@ type staticClient struct {
 }
 
 type component struct {
-	IngressHost          string         `hcl:"ingress_host,attr"`
-	IssuerHost           string         `hcl:"issuer_host,attr"`
-	Connectors           []connector    `hcl:"connector,block"`
-	StaticClients        []staticClient `hcl:"static_client,block"`
-	GSuiteJSONConfigPath string         `hcl:"gsuite_json_config_path,optional"`
+	IngressHost              string         `hcl:"ingress_host,attr"`
+	IssuerHost               string         `hcl:"issuer_host,attr"`
+	Connectors               []connector    `hcl:"connector,block"`
+	StaticClients            []staticClient `hcl:"static_client,block"`
+	GSuiteJSONConfigPath     string         `hcl:"gsuite_json_config_path,optional"`
+	CertManagerClusterIssuer string         `hcl:"certmanager_cluster_issuer,optional"`
 
 	// Those are fields not accessible by user
 	ConnectorsRaw    string
 	StaticClientsRaw string
 }
 
 func newComponent() *component {
-	return &component{}
+	return &component{
+		CertManagerClusterIssuer: "letsencrypt-production",
+	}
 }
 
 func (c *component) LoadConfig(configBody *hcl.Body, evalContext *hcl.EvalContext) hcl.Diagnostics {

pkg/components/gangway/component.go

@@ -243,7 +243,7 @@ metadata:
   namespace: gangway
   annotations:
     kubernetes.io/tls-acme: "true"
-    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    cert-manager.io/cluster-issuer: {{ .CertManagerClusterIssuer }}
     kubernetes.io/ingress.class: contour
 spec:
   tls:
@@ -275,19 +275,22 @@ func init() {
 }
 
 type component struct {
-	ClusterName  string `hcl:"cluster_name,attr"`
-	IngressHost  string `hcl:"ingress_host,attr"`
-	SessionKey   string `hcl:"session_key,attr"`
-	APIServerURL string `hcl:"api_server_url,attr"`
-	AuthorizeURL string `hcl:"authorize_url,attr"`
-	TokenURL     string `hcl:"token_url,attr"`
-	ClientID     string `hcl:"client_id,attr"`
-	ClientSecret string `hcl:"client_secret,attr"`
-	RedirectURL  string `hcl:"redirect_url,attr"`
+	ClusterName              string `hcl:"cluster_name,attr"`
+	IngressHost              string `hcl:"ingress_host,attr"`
+	SessionKey               string `hcl:"session_key,attr"`
+	APIServerURL             string `hcl:"api_server_url,attr"`
+	AuthorizeURL             string `hcl:"authorize_url,attr"`
+	TokenURL                 string `hcl:"token_url,attr"`
+	ClientID                 string `hcl:"client_id,attr"`
+	ClientSecret             string `hcl:"client_secret,attr"`
+	RedirectURL              string `hcl:"redirect_url,attr"`
+	CertManagerClusterIssuer string `hcl:"certmanager_cluster_issuer,optional"`
 }
 
 func newComponent() *component {
-	return &component{}
+	return &component{
+		CertManagerClusterIssuer: "letsencrypt-production",
+	}
 }
 
 func (c *component) LoadConfig(configBody *hcl.Body, evalContext *hcl.EvalContext) hcl.Diagnostics {

pkg/components/httpbin/component.go

@@ -96,7 +96,7 @@ metadata:
   namespace: httpbin
   annotations:
     kubernetes.io/tls-acme: "true"
-    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    cert-manager.io/cluster-issuer: {{ .CertManagerClusterIssuer }}
     kubernetes.io/ingress.class: contour
 spec:
   tls:
@@ -117,11 +117,14 @@ func init() {
 }
 
 type component struct {
-	IngressHost string `hcl:"ingress_host,attr"`
+	IngressHost              string `hcl:"ingress_host,attr"`
+	CertManagerClusterIssuer string `hcl:"certmanager_cluster_issuer,optional"`
 }
 
 func newComponent() *component {
-	return &component{}
+	return &component{
+		CertManagerClusterIssuer: "letsencrypt-production",
+	}
 }
 
 func (c *component) LoadConfig(configBody *hcl.Body, evalContext *hcl.EvalContext) hcl.Diagnostics {

test/ingress/aws/aws_test.go

@@ -18,6 +18,8 @@
 package aws
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"testing"
@@ -42,9 +44,10 @@ func TestAWSIngress(t *testing.T) {
 	}
 
 	h := i.Spec.Rules[0].Host
+	c := getHTTPClient()
 
 	err = retryutil.Retry(retryIntervalSeconds*time.Second, maxRetries, func() (bool, error) {
-		resp, err := http.Get(fmt.Sprintf("https://%s/get", h))
+		resp, err := c.Get(fmt.Sprintf("https://%s/get", h))
 		if err != nil {
 			t.Logf("got an HTTP error: %v", err)
 			return false, nil
@@ -67,3 +70,51 @@ func TestAWSIngress(t *testing.T) {
 		t.Fatal("could not get a successful HTTP response in time")
 	}
 }
+
+// getHTTPClient creates a HTTP client with LetsEncrypt Staging Root PEM certificate.
+func getHTTPClient() *http.Client {
+	// Get this Root PEM from https://letsencrypt.org/docs/staging-environment/#root-certificate
+	letsEncryptStagingRootPEM := `-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2
+MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ
+diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP
+xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG
+TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj
+EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd
+O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa
+aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0
+A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr
+IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe
+Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb
+Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50
+qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA
+A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln
+uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H
+sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm
+dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd
+oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV
+/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ
+zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc
+VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1
+Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4
+8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c
+idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng==
+-----END CERTIFICATE-----`
+
+	rootCAs := x509.NewCertPool()
+	if ok := rootCAs.AppendCertsFromPEM([]byte(letsEncryptStagingRootPEM)); !ok {
+		// This should fail in the developer testing itself.
+		panic("Failed to parse root certificate")
+	}
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: rootCAs,
+			},
+		},
+	}
+}