
Ah/refactor istio cert job

Arturo Hernandez [EPAM] requested to merge ah/refactor-istio-cert-job into master

Ref: infra-azure-provisioning#236 (closed)

  • Merged azure/m12-master branch to master for osdu-istio/templates.
  • Fixed osdu-cert jobs to use appgw.
    • Needed to add VS and GW for health check in appgw on port 80 as well as rules for clusterissuer cert manager auto certificate update
    • osdu-base should have the istio ingress annotation to handle the cert manager certificate creation.
    • The job will take care of uploading the newly created cert to the KV and updating the KV; need to apply this change in the infra Infra Azure provisioning MR.
    • Created helm-hooks to avoid installation errors when first deploying osdu-istio helm charts.

@nursheikh I would like to propose upgrading Istio to the latest version 1.15.x, as we are on 1.8.x. It can be either in this same MR or another. I think it will make sense to upgrade those from the original istio repo, just to publish the istio image in the msosdu ACR.

If Istio gets upgraded, we can take advantage of the responseCode at the virtual service, and cert creation will be handled without depending on partition common resources.

Output Log Example of job:

15:54 [root:~] # stern cert-c
+ cert-checker-6zbpv › cert-checker
cert-checker-6zbpv cert-checker Download and install kubectl...
cert-checker-6zbpv cert-checker   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
cert-checker-6zbpv cert-checker                                  Dload  Upload   Total   Spent    Left  Speed
100 42.9M  100 42.9M    0     0  61.3M      0 --:--:-- --:--:-- --:--:-- 61.4M
cert-checker-6zbpv cert-checker [
cert-checker-6zbpv cert-checker   {
cert-checker-6zbpv cert-checker     "environmentName": "AzureCloud",

cert-checker-6zbpv cert-checker     "user": {
cert-checker-6zbpv cert-checker       "assignedIdentityInfo": "MSI",
cert-checker-6zbpv cert-checker       "name": "systemAssignedIdentity",
cert-checker-6zbpv cert-checker       "type": "servicePrincipal"
cert-checker-6zbpv cert-checker     }
cert-checker-6zbpv cert-checker   }
cert-checker-6zbpv cert-checker ]
cert-checker-6zbpv cert-checker fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
cert-checker-6zbpv cert-checker fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
cert-checker-6zbpv cert-checker (1/5) Installing libacl (2.3.1-r0)
cert-checker-6zbpv cert-checker (2/5) Installing libattr (2.5.1-r1)
cert-checker-6zbpv cert-checker (3/5) Installing skalibs (2.11.2.0-r0)
cert-checker-6zbpv cert-checker (4/5) Installing utmps-libs (0.1.2.0-r0)
cert-checker-6zbpv cert-checker (5/5) Installing coreutils (9.1-r0)
cert-checker-6zbpv cert-checker Executing busybox-1.35.0-r13.trigger
cert-checker-6zbpv cert-checker OK: 208 MiB in 88 packages
cert-checker-6zbpv cert-checker [INFO] Getting secrets from istio-system and upload to kv
cert-checker-6zbpv cert-checker NAME                     TYPE                DATA   AGE
cert-checker-6zbpv cert-checker osdu-istio-certificate   kubernetes.io/tls   2      2m38s
cert-checker-6zbpv cert-checker [INFO] Uploading osdu-certificate.pfx to kv...
cert-checker-6zbpv cert-checker [INFO] Updating secret id in ssl appgw profile https://osdu-mvp-crdev-******-kv.vault.azure.net/secrets/osdu-istio-certificate/287b646dc0c14529886fefbcd6da87e7
cert-checker-6zbpv cert-checker WARNING: Item 'osdu-istio-certificate' already exists. Replacing with new values.
cert-checker-6zbpv cert-checker {
cert-checker-6zbpv cert-checker   "authenticationCertificates": null,

cert-checker-6zbpv cert-checker   "zones": [
cert-checker-6zbpv cert-checker     "1",
cert-checker-6zbpv cert-checker     "2"
cert-checker-6zbpv cert-checker   ]
cert-checker-6zbpv cert-checker }
cert-checker-6zbpv cert-checker [INFO] Updating listener https-osdu-mvp-srdev-******-vnet-httplstn || with SSL osdu-istio-certificate
cert-checker-6zbpv cert-checker {
cert-checker-6zbpv cert-checker   "customErrorConfigurations": [],

cert-checker-6zbpv cert-checker   "type": "Microsoft.Network/applicationGateways/httpListeners"
cert-checker-6zbpv cert-checker }
cert-checker-6zbpv cert-checker Clean all existing files
cert-checker-6zbpv cert-checker removed 'cert.crt'
cert-checker-6zbpv cert-checker removed 'cert.key'
cert-checker-6zbpv cert-checker removed 'osdu-certificate.pfx'

Installation output in pipeline.

Edited by Arturo Hernandez [EPAM]
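
The flow visible in the job log above (read the TLS secret, build the PFX, import it into Key Vault, repoint the Application Gateway), written out as an added example that is not the script from this merge request. It keeps the private key in an owner-only temporary directory that is removed on every exit path. The secret, namespace and file names come from the log; `VAULT`, `APPGW`, `RG` and `LISTENER` are assumed environment variables.

```shell
#!/bin/sh
# Added example, not the MR's script. Secret, namespace and file names are taken
# from the job log; VAULT, APPGW, RG and LISTENER are assumed environment variables.
set -eu

# Print one base64-decoded field (crt or key) of the TLS secret.
# The assignment makes a kubectl failure abort the job under `set -e`.
secret_field() {
  data=$(kubectl get secret "$2" -n "$1" -o "jsonpath={.data.tls\.$3}")
  printf '%s' "$data" | base64 -d
}

# Body runs in a subshell so the EXIT trap fires when the function ends,
# whether it succeeds or a step fails.
rotate_cert() (
  : "${VAULT:?}" "${APPGW:?}" "${RG:?}" "${LISTENER:?}"
  ns=istio-system
  secret=osdu-istio-certificate
  umask 077                       # files created below are owner-only
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT      # key material is removed on every exit path

  echo "[INFO] Getting secrets from $ns"
  secret_field "$ns" "$secret" crt > "$work/cert.crt"
  secret_field "$ns" "$secret" key > "$work/cert.key"

  # Bundle certificate and key as PKCS#12 with an empty export password.
  openssl pkcs12 -export -in "$work/cert.crt" -inkey "$work/cert.key" \
    -out "$work/osdu-certificate.pfx" -passout pass:

  echo "[INFO] Uploading osdu-certificate.pfx to kv..."
  sid=$(az keyvault certificate import --vault-name "$VAULT" --name "$secret" \
    --file "$work/osdu-certificate.pfx" --query sid -o tsv)

  echo "[INFO] Updating secret id in ssl appgw profile"
  az network application-gateway ssl-cert update --gateway-name "$APPGW" \
    --resource-group "$RG" --name "$secret" --key-vault-secret-id "$sid" >/dev/null

  echo "[INFO] Updating listener $LISTENER with SSL $secret"
  az network application-gateway http-listener update --gateway-name "$APPGW" \
    --resource-group "$RG" --name "$LISTENER" --ssl-cert "$secret" >/dev/null
)

# Run only when invoked as: ./rotate.sh run
if [ "${1:-}" = "run" ]; then rotate_cert; fi
```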
