Commit 450b857d authored by Ankit Sharma [Microsoft]

Added documentation to use customer's certificate

parent 96655113
# Bring your own certificate using Keyvault on Application Gateway Ingress
The feature enables the customers to manage and provision certificates used on the frontend of OSDU.
In this approach, we use certificate uploaded by customer to Keyvault.
**NOTE: Presently we support BYOC for Automated Pipelines only.**
## Automated Pipelines - BYOC Guide
### Upload your own certificate
1. Open Azure portal and open keyvault named `osdu-mvp-crxxx-xxxx-kv`.
2. Make sure you have all the permission on **Certificate Management**. Go access policies by selecting on **_Access Policies_** option on left subsection.
Provide yourself necessary permissions on Certificate Management.
3. Once you have view and update permission on Certificate, click Certificates on left subsections.
4. Select Certificate named **`appgw-ssl-cert`**.
5. Click `+ New Version`. Select `Generate` or `Import` based on your preference and certificate you want to provision/upload.
Follow the link [Keyvault certificates](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios) to know more about certificate generation/upload.
6. Click `Create` and wait until the certificate gets created in Keyvault.
### Use uploaded certificate
1. Once upload is complete, Go to Azure Devops Project that you have set up for code mirroring.
2. Setup library variable `ENABLE_KEYVAULT_CERT` in Variable group **Azure - OSDU**
to `true`.
3. Run the pipeline following pipelines manually for master branch:<br>
a. `chart-airflow` <br>
b. `chart-osdu-common`
4. Go to `k8-gitops-manifests` repo in ADO Project, look for file **`appgw-ingress.yaml`**.
Make sure the ingress has annotation **appgw.ingress.kubernetes.io/appgw-ssl-certificate: "appgw-ssl-cert"**
and latest commit has flux sync tag.
5. Access OSDU with DNS configured, validate in the browser that certificate used is the one which was uploaded.
\ No newline at end of file
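Review bot: Step 2 of "Upload your own certificate" asks the reader to hold "all the permission on Certificate Management", while step 3 only assumes "view and update permission". The two should agree, and the guide should name the smallest set of certificate permissions needed to add a new version of `appgw-ssl-cert` through `Generate` or `Import` rather than all of them. Because this certificate is the TLS identity of the frontend, it would also help to say that an access policy added only for this task should be removed afterwards. Smaller points: step 3 of "Use uploaded certificate" reads "Run the pipeline following pipelines manually", step 5 could say what to compare in the browser (for example the thumbprint or expiry of the uploaded version), and the file is missing its trailing newline.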
......@@ -44,7 +44,8 @@ This variable group will be used to hold the common values for the services to b
| NOTIFICATION_BASE_URL | `https://<your_fqdn>/api/notification/v1/` |
| REGISTER_CUSTOM_PUSH_URL_HMAC | `https://<your_fqdn>/api/register/v1/test/challenge/1`|
| AGENT_IMAGE | `ubuntu-latest` |
| PROVIDER_NAME | `azure` |
| PROVIDER_NAME | `azure`
| ENABLE_KEYVAULT_CERT | `false` Set this variable to `true` if you want to use your own certificate from Keyvault certificate - appgw-ssl-cert
```bash
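Review bot: The `PROVIDER_NAME` row now appears without its closing `|`, and the new `ENABLE_KEYVAULT_CERT` row is missing it as well, unlike the `AGENT_IMAGE` and `NOTIFICATION_BASE_URL` rows above. Restore the trailing pipe on both so the table renders consistently and the `PROVIDER_NAME` line stops showing up as changed. The value cell for `ENABLE_KEYVAULT_CERT` also mixes the default `false` with a sentence of guidance; keeping the cell to `false` and linking to the BYOC guide added in this commit for when to set `true` would match the other rows.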
......@@ -97,6 +98,7 @@ az pipelines variable-group create \
REGISTER_CUSTOM_PUSH_URL_HMAC="https://${DNS_HOST}/api/register/v1/test/challenge/1" \
AGENT_IMAGE="ubuntu-latest" \
PROVIDER_NAME="$PROVIDER_NAME" \
ENABLE_KEYVAULT_CERT="false" \
-ojson
```
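Review bot: `ENABLE_KEYVAULT_CERT="false" \` is hardcoded here while the line above takes `PROVIDER_NAME="$PROVIDER_NAME"` from the environment, so anyone who wants BYOC has to create the group and then edit the variable by hand in the library. Consider `ENABLE_KEYVAULT_CERT="${ENABLE_KEYVAULT_CERT:-false}" \` so the default stays `false` but the setup script can opt in. It would also be worth stating in the docs whether the pipelines expect exactly lowercase `true`, since the value is stored as a string.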