fix(helmfile): Allow usage of pre-defined CA certificates.

.gitlab-ci.yml

@@ -223,9 +223,6 @@ env-cleanup:
   stage: "env-cleanup"
 
 env-start:
-  environment:
-    name: "${NAMESPACE}"
-    on_stop: "env-stop"
   extends: ".deploy-common"
   image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
   rules:
@@ -236,6 +233,34 @@ env-start:
   script:
     - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
     - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
+    - "export FILENAME_CERT_SECRET=cert_to_import.yaml"
+    # from self-signed-certificates.md:
+    # "Copy this cert's secret into the/each namespace you want to make use of the cert."
+    - |
+      kubectl get secret opendesk-root-cert-secret -n cert-manager -o yaml | \
+        grep -v \ uid\: | \
+        grep -v \ resourceVersion\: | \
+        grep -v \ creationTimestamp\: | \
+        sed --expression 's/namespace\:\ cert-manager/namespace: '"${NAMESPACE}"'/g' \
+        >${FILENAME_CERT_SECRET} || true
+    - |
+      if [ -s ${FILENAME_CERT_SECRET} ]; then
+        echo "Applying ${FILENAME_CERT_SECRET}"
+        kubectl apply -f ${FILENAME_CERT_SECRET}
+      fi
+    # from self-signed-certificates.md:
+    # "Create issuer in the/each namespace you want to make use of the cert."
+    - |
+      kubectl apply -f - <<EOF
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: "selfsigned-issuer"
+        namespace: ${NAMESPACE}
+      spec:
+        ca:
+          secretName: opendesk-root-cert-secret
+      EOF
   stage: "env"
 
 policies-deploy:
@@ -408,25 +433,6 @@ element-deploy:
   variables:
     COMPONENT: "element"
 
-env-stop:
-  extends: ".deploy-common"
-  environment:
-    name: "${NAMESPACE}"
-    action: "stop"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
-  needs: []
-  rules:
-    - if: >
-          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/
-      when: "manual"
-  script:
-    - "echo 'We do not stop the env (delete the namespace) at the moment in this stage, as deleting a branches also
-      triggers this env-stop stage and we do not want this to happen.'"
-    # - kubectl delete namespace "${NAMESPACE}"
-  stage: "env-stop"
-  variables:
-    GIT_STRATEGY: "none"
-
 .ums-default-password: &ums-default-password
   - |
     DEFAULT_ADMINISTRATOR_PASSWORD=$(

docs/enhanced-configuration/self-signed-certificates.md

@@ -6,10 +6,10 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
 
 <!-- TOC -->
-* [Use case](#use-case)
 * [Configuration](#configuration)
   * [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
-  * [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
+  * [Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate](#option-2a-use-cert-managerio-with-auto-generated-namespace-based-root-certificate)
+  * [Option 2b: Use cert-manager.io with pre-defined/shared root-certificate](#option-2b-use-cert-managerio-with-pre-definedshared-root-certificate)
 <!-- TOC -->
 
 Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
@@ -48,10 +48,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.
 
-## Option 2: Use cert-manager.io
+## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 
 This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
-Let’s Encrypt.
+Let’s Encrypt. It will result in a cert-manager managed root certificate in the namespace you deploy openDesk into.
 
 1. Create self-signed cert-manager.io Cluster Issuer:
     ```yaml
@@ -70,3 +70,38 @@ Let’s Encrypt.
         name: "selfsigned-issuer"
       selfSigned: true
     ```
+
+## Option 2b: Use cert-manager.io with pre-defined/shared root-certificate
+
+Use this approach if you like to use a pre-created CA root certificate that can be "shared" (as copy) between
+multiple namespaces in a cluster.
+
+1. Create self-signed cert-manager.io Cluster Issuer root certificate the same was as in *Option 2a*.
+
+1. Create the root certificate for the previously created CA, in the example it is placed into the namespace `cert-manager`.
+    ```yaml
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+      name: opendesk-root
+      namespace: cert-manager
+    spec:
+      isCA: true
+      commonName: opendesk.eu
+      secretName: opendesk-root-cert-secret
+      subject:
+        organizations: "openDesk cluster root certificate organization"
+      privateKey:
+        algorithm: ECDSA
+        size: 256
+      issuerRef:
+        name: selfsigned-issuer
+        kind: ClusterIssuer
+        group: cert-manager.io
+    ```
+
+1. Copy this cert's secret into the/each namespace you want to make use of the cert.
+
+1. Create issuer in the/each namespace you want to make use of the cert.
+
+The latter two steps are part of the `env-start:` section within [`.gitlab-ci.yml`](../../.gitlab-ci.yml).