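{{/*
cert-init-job: one-shot Job that keeps the ingress TLS certificate in sync
between Azure (Key Vault / Application Gateway) and the istio-ingressgateway
secret. It is rendered only when autoscaling is enabled and this is not a
data-partition deployment.

With .Values.global.istio.enableIstioKeyvaultCert the BYOC certificate is
downloaded from Key Vault, uploaded to the Application Gateway and written
into Istio; otherwise the cert-manager issued osdu-certificate is copied
into Istio and imported into Key Vault for the Application Gateway.
*/}}
{{- if and (eq (.Values.global.isDataPartitionDeployment | default false) false) .Values.global.isAutoscalingEnabled }}
apiVersion: batch/v1
kind: Job
metadata:
  # Templated scalars are quoted so an empty or number-like value cannot be
  # retyped by the YAML parser.
  name: "{{ .Values.global.job.name }}"
  namespace: osdu
  labels:
    app: "{{ .Values.global.job.name }}"
spec:
  template:
    spec:
      containers:
      - name: cert-checker
        image: "{{ .Values.global.job.image }}"
        env:
        # Service-principal credentials for `az login`, read from the
        # active-directory secret.
        - name: client_id
          valueFrom:
            secretKeyRef:
              name: active-directory
              key: principal-clientid
        - name: client_secret
          valueFrom:
            secretKeyRef:
              name: active-directory
              key: principal-clientpassword
        - name: tenant_id
          valueFrom:
            secretKeyRef:
              name: active-directory
              key: tenantid
        # Azure resource names for the cluster, Key Vault and Application
        # Gateway the script operates on.
        - name: ENV_SR_GROUP_NAME
          valueFrom:
            configMapKeyRef:
              name: "{{ .Values.global.job.configmap_name }}"
              key: ENV_SR_GROUP_NAME
        - name: ENV_KEYVAULT_NAME
          valueFrom:
            configMapKeyRef:
              name: "{{ .Values.global.job.configmap_name }}"
              key: ENV_KEYVAULT_NAME
        - name: ENV_CLUSTER_NAME
          valueFrom:
            configMapKeyRef:
              name: "{{ .Values.global.job.configmap_name }}"
              key: ENV_CLUSTER_NAME
        - name: ENV_APPGW_NAME
          valueFrom:
            configMapKeyRef:
              name: "{{ .Values.global.job.configmap_name }}"
              key: ENV_APPGW_NAME
        command:
        - /bin/sh
        args:
        - -c
        - |
          SIDECAR_PORT=15020
          KV_CERT_NAME=istio-appgw-ssl-cert
          K8S_ISTIONAMESPACE_NAME=istio-system

          # Remove every file that can hold key material (cert.pem and the
          # downloaded .pfx contain the unencrypted private key) and ask the
          # Istio sidecar to exit so the Job pod can complete. The sidecar
          # call is best effort: it must not fail an otherwise successful run.
          cleanup() {
              echo "Clean all existing files"
              rm -f cert.crt cert.key cert.pem osdu-certificate.pfx "${KV_CERT_NAME}.pfx" "${KV_CERT_NAME}.pem"
              curl -X POST "http://localhost:${SIDECAR_PORT}/quitquitquit" || true
          }

          # EXIT (0) already fires on every `set -e` failure; ERR is a bash
          # extension that a POSIX /bin/sh may reject, so it is not trapped.
          trap cleanup 0 2 3 6

          set -e
          # Wait for outbound connectivity (the sidecar proxy may not be ready yet)
          until nc -z google.com 80
          do
            sleep 1
          done

          # Install coreutils (GNU base64/sha256sum used below)
          apk add --update coreutils

          # Install kubectl: resolve the current stable release, then verify the
          # downloaded binary against the sha256 published next to it before it
          # is trusted. -f makes curl fail on HTTP errors instead of saving an
          # error page as the binary.
          if [ ! -x /usr/local/bin/kubectl ]; then
            echo "Download and install kubectl..."
            KUBECTL_BASE_URL="https://storage.googleapis.com/kubernetes-release/release"
            KUBECTL_VERSION="$(curl -fsSL "${KUBECTL_BASE_URL}/stable.txt")"
            curl -fsSL -o kubectl "${KUBECTL_BASE_URL}/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
            curl -fsSL -o kubectl.sha256 "${KUBECTL_BASE_URL}/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
            echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c
            chmod a+x kubectl
            mv kubectl /usr/local/bin/kubectl
            rm -f kubectl.sha256
          fi

          # Log in to Azure as the service principal and fetch cluster credentials.
          # --output none keeps the subscription listing out of the Job logs.
          # NOTE(review): the client secret is passed as a command-line argument
          # and is therefore visible in the process list while `az login` runs.
          az login --service-principal -u "${client_id}" -p "${client_secret}" --tenant "${tenant_id}" --output none
          az aks get-credentials --resource-group "${ENV_SR_GROUP_NAME}" --name "${ENV_CLUSTER_NAME}"

{{- if .Values.global.istio.enableIstioKeyvaultCert }}

          K8S_CERT_SECRET=istio-appgw-ssl-cert

          # Download the BYOC certificate (PKCS#12, empty password) from Key Vault
          echo "Download BYOC certificate from keyvault"
          az keyvault secret download --file "${KV_CERT_NAME}.pfx" --vault-name "${ENV_KEYVAULT_NAME}" --encoding base64 --name "${KV_CERT_NAME}"

          # Upload the same file to the Application Gateway
          echo "Upload BYOC certificate to appgw"
          az network application-gateway ssl-cert create -g "${ENV_SR_GROUP_NAME}" --gateway-name "${ENV_APPGW_NAME}" -n "${KV_CERT_NAME}" --cert-file "${KV_CERT_NAME}.pfx" --cert-password ""

          # Extract key and certificate chain. cert.pem holds the unencrypted
          # key (-nodes) and is removed by cleanup.
          openssl pkcs12 -in "${KV_CERT_NAME}.pfx" -out cert.pem -passin pass:"" -nodes -passout pass:""
          # NOTE(review): assumes an RSA key; `openssl pkey` would also cover EC keys — confirm
          openssl rsa -in cert.pem -out cert.key
          openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -out cert.crt

          # Create (or update) the TLS secret for istio-ingressgateway in istio-system
          kubectl create secret -n "${K8S_ISTIONAMESPACE_NAME}" generic "${K8S_CERT_SECRET}" \
          --save-config --dry-run=client \
          --from-file=tls.crt=cert.crt --from-file=tls.key=cert.key \
          -o yaml | kubectl apply -f -

          # Restart istio-ingressgateway pods so they pick up the new secret
          kubectl rollout restart -n "${K8S_ISTIONAMESPACE_NAME}" deployment/istio-ingressgateway

{{ else }}

          K8S_CERT_SECRET=osdu-certificate
          K8S_NAMESPACE_NAME=osdu

          # Read the cert-manager issued osdu-certificate secret from the osdu
          # namespace and extract key and crt
          kubectl get secret -n "${K8S_NAMESPACE_NAME}" "${K8S_CERT_SECRET}" -o jsonpath="{ .data.tls\.crt }" | base64 -d > cert.crt
          kubectl get secret -n "${K8S_NAMESPACE_NAME}" "${K8S_CERT_SECRET}" -o jsonpath="{ .data.tls\.key }" | base64 -d > cert.key

          # Create (or update) the TLS secret for istio-ingressgateway in istio-system
          kubectl create secret -n "${K8S_ISTIONAMESPACE_NAME}" generic "${K8S_CERT_SECRET}" \
          --save-config --dry-run=client \
          --from-file=tls.crt=cert.crt --from-file=tls.key=cert.key \
          -o yaml | kubectl apply -f -

          # Bundle key and certificate into a PKCS#12 file (empty password) for Key Vault
          openssl pkcs12 \
            -passout pass: \
            -export \
            -out osdu-certificate.pfx \
            -in cert.crt \
            -inkey cert.key

          # Import the certificate into Key Vault for use by the Application Gateway
          az keyvault certificate import --vault-name "${ENV_KEYVAULT_NAME}" -n "${KV_CERT_NAME}" -f osdu-certificate.pfx

{{- end }}
      restartPolicy: Never
{{- end }}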