CI Resources for eirini-release. The pipeline is deployed at GCP.
- Access to private repo, which contains environment specific vars
- Install Aviator (used to merge pipeline YAML files)
- Clone eirini-private-config
- Make sure you have pass configured (see eirini-private-config)
The pipelines are organized in separate directories with individual set-pipeline scripts:
$ pipelines/<pipeline-name>/set-pipeline
The certificates for the eirini.cf website are generated using letsencrypt and cert-manager via the dns01 challenge. To do this the pipeline requires several things to be set up:
- The dns provider for the eirini.cf domain should point to the GCP dns servers and a corresponding entry should be created in GCP.
- In GCS's CloudDNS console, the eirini.cf domain should point to the external IP of the Istio Gateway.
- The Issuer should be configured to generate certificates using the ACME challenge, with a GCP service account that has permissions to create and delete CloudDNS entries. Additionally, a Certificate should be created for the eirini.cf domain using this Issuer.
- The certificate should be present in the namespace where the Istio Gateway is deployed (in cf-for-k8s that's istio-system). Since that namespace is managed by cf-for-k8s, it will be deleted when doing a kapp delete, which will also delete the certificates. Since letsencrypt has an API limit of 5 per week for a single domain, the certificates must be generated in a separate namespace and copied over to a secret in istio-system.
- A server must be configured in the Istio Gateway that has the eirini.cf host and uses the copied secret in istio-system.
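
A sketch of the three resources described above, added here as an illustration and not taken from the eirini-ci repository. The namespace `eirini-certs`, the project id, the e-mail address and all resource and secret names are placeholder assumptions; only `eirini.cf` and `istio-system` come from the text.

```yaml
# All names below except eirini.cf and istio-system are placeholders (assumptions).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-dns01
  namespace: eirini-certs            # separate namespace, not removed with istio-system
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - dns01:
        cloudDNS:
          project: my-gcp-project
          serviceAccountSecretRef:   # key of the service account allowed to create/delete CloudDNS entries
            name: clouddns-dns01-sa
            key: key.json
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: eirini-cf
  namespace: eirini-certs
spec:
  secretName: eirini-cf-tls          # secret that is later copied into istio-system
  dnsNames:
  - eirini.cf
  issuerRef:
    name: letsencrypt-dns01
    kind: Issuer
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: eirini-cf-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - eirini.cf
    port: {number: 443, name: https-eirini, protocol: HTTPS}
    tls:
      mode: SIMPLE
      credentialName: eirini-cf-tls  # the copy of the secret living in istio-system
```

Keeping the Issuer, its ACME account key and the issued secret outside `istio-system` means a redeploy only requires re-copying the secret, not requesting a new certificate.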