Merge branch 'separate-appgw-certs' into 'master'

Add istio-appgw-ssl-cert See merge request !458

Merge branch 'separate-appgw-certs' into 'master'
Add istio-appgw-ssl-cert See merge request !458
32f23241 · MANISH KUMAR · 25624d47 · 0cbea21e · 32f23241 · 32f23241
Commit 32f23241 authored Aug 26, 2021 by MANISH KUMAR
--- a/charts/osdu-istio/templates/cert-checker-cronjob.yaml
+++ b/charts/osdu-istio/templates/cert-checker-cronjob.yaml
@@ -57,7 +57,7 @@ spec:
            - -c
            - |
              SIDECAR_PORT=15020
-              KV_CERT_NAME=appgw-ssl-cert
+              KV_CERT_NAME=istio-appgw-ssl-cert
              K8S_ISTIONAMESPACE_NAME=istio-system

              # Compare expire dates of certificates in Key Vault and in istio-system namespaces
@@ -113,7 +113,7 @@ spec:

 {{- if .Values.global.istio.enableIstioKeyvaultCert  }}

-              K8S_CERT_SECRET=appgw-ssl-cert
+              K8S_CERT_SECRET=istio-appgw-ssl-cert
              K8S_NAMESPACE_NAME=istio-system
              
              # Check certificate expire date.

--- a/charts/osdu-istio/templates/cert-init-job.yaml
+++ b/charts/osdu-istio/templates/cert-init-job.yaml
@@ -49,7 +49,7 @@ spec:
        - -c
        - |
          SIDECAR_PORT=15020
-          KV_CERT_NAME=appgw-ssl-cert
+          KV_CERT_NAME=istio-appgw-ssl-cert
          K8S_ISTIONAMESPACE_NAME=istio-system

          # Cleanup function
@@ -84,7 +84,7 @@ spec:

 {{- if .Values.global.istio.enableIstioKeyvaultCert  }}

-          K8S_CERT_SECRET=appgw-ssl-cert
+          K8S_CERT_SECRET=istio-appgw-ssl-cert
          K8S_NAMESPACE_NAME=istio-system

          # Download BYOC certificate from keyvault

--- a/charts/osdu-istio/templates/istio-gateway.yaml
+++ b/charts/osdu-istio/templates/istio-gateway.yaml
@@ -16,8 +16,8 @@ spec:
        - "{{ .Values.global.istio.dns_host }}"
      tls:
        mode: SIMPLE
-        {{- if .Values.istio.ingress.enableIstioKeyvaultCert  }}
-        credentialName: appgw-ssl-cert
+        {{- if .Values.global.istio.enableIstioKeyvaultCert }}
+        credentialName: istio-appgw-ssl-cert
        {{ else }}
        credentialName: osdu-certificate
        {{- end }} 

--- a/docs/autoscaling.md
+++ b/docs/autoscaling.md
@@ -54,7 +54,7 @@ In this approach, we use certificate uploaded by customer to Keyvault.
   
 3. Once you have view and update permission on Certificate, click Certificates on left subsections.

-4. Select Certificate named **`appgw-ssl-cert`**. 
+4. Select Certificate named **`istio-appgw-ssl-cert`**. 

 5. Click `+ New Version`. Select `Generate` or `Import` based on your preference and certificate you want to provision/upload.
   Follow  the link  [Keyvault certificates](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios) to know more about certificate generation/upload.

--- a/infra/templates/osdu-r3-mvp/service_resources/secrets.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/secrets.tf
@@ -76,7 +76,8 @@ resource "azurerm_key_vault_secret" "system_storage_key" {
 # Network
 #-------------------------------
 locals {
-  ssl_cert_name = "appgw-ssl-cert"
+  ssl_cert_name       = "appgw-ssl-cert"
+  istio_ssl_cert_name = "istio-appgw-ssl-cert"
 }

 resource "azurerm_key_vault_certificate" "default" {
@@ -139,6 +140,65 @@ resource "azurerm_key_vault_certificate" "default" {
  }
 }

+resource "azurerm_key_vault_certificate" "istio_ssl_certificate" {
+  count = var.ssl_certificate_file == "" ? 1 : 0
+
+  name         = local.istio_ssl_cert_name
+  key_vault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id
+
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+
+    x509_certificate_properties {
+      # Server Authentication = 1.3.6.1.5.5.7.3.1
+      # Client Authentication = 1.3.6.1.5.5.7.3.2
+      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
+
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+
+      subject_alternative_names {
+        dns_names = [var.dns_name, "${local.base_name}-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"]
+      }
+
+      subject            = "CN=*.contoso.com"
+      validity_in_months = 12
+    }
+  }
+
+  lifecycle {
+    ignore_changes = all
+  }
+}

 #-------------------------------
 # PostgreSQL

--- a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go
+++ b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go
@@ -37,7 +37,7 @@ var tfOptions = &terraform.Options{

 var istioEnabled = os.Getenv("AUTOSCALING_ENABLED")
 var istioResourses = 11
-var totalResources = 137
+var totalResources = 138

 func TestTemplate(t *testing.T) {
 	expectedAppDevResourceGroup := asMap(t, `{