Commit 32f23241 authored by MANISH KUMAR's avatar MANISH KUMAR

Merge branch 'separate-appgw-certs' into 'master'

Add istio-appgw-ssl-cert

See merge request !458
parents 25624d47 0cbea21e
Pipeline #60950 passed with stages
in 1 minute and 47 seconds
......@@ -57,7 +57,7 @@ spec:
- -c
- |
SIDECAR_PORT=15020
KV_CERT_NAME=appgw-ssl-cert
KV_CERT_NAME=istio-appgw-ssl-cert
K8S_ISTIONAMESPACE_NAME=istio-system
# Compare expire dates of certificates in Key Vault and in istio-system namespaces
......@@ -113,7 +113,7 @@ spec:
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
K8S_CERT_SECRET=appgw-ssl-cert
K8S_CERT_SECRET=istio-appgw-ssl-cert
K8S_NAMESPACE_NAME=istio-system
# Check certificate expire date.
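Review bot: `KV_CERT_NAME=istio-appgw-ssl-cert` and, in the second hunk, `K8S_CERT_SECRET=istio-appgw-ssl-cert` are literals that must agree with `local.istio_ssl_cert_name` in the Terraform hunk of this same commit, and the identical pair is repeated in the next file's two hunks, so nothing ties the copies together and a later rename on either side would break the expiry comparison silently. At minimum add a comment beside each assignment, `# must match local.istio_ssl_cert_name in the infrastructure Terraform`, or source the name from one shared Helm value. The Terraform resource is only created when `var.ssl_certificate_file == ""`; this page does not show whether the customer-supplied path stores its certificate under the same Key Vault name, so that is worth confirming before this script runs against such a deployment. The enclosing script block starts before and continues after both hunks.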
......
......@@ -49,7 +49,7 @@ spec:
- -c
- |
SIDECAR_PORT=15020
KV_CERT_NAME=appgw-ssl-cert
KV_CERT_NAME=istio-appgw-ssl-cert
K8S_ISTIONAMESPACE_NAME=istio-system
# Cleanup function
......@@ -84,7 +84,7 @@ spec:
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
K8S_CERT_SECRET=appgw-ssl-cert
K8S_CERT_SECRET=istio-appgw-ssl-cert
K8S_NAMESPACE_NAME=istio-system
# Download BYOC certificate from keyvault
......
......@@ -16,8 +16,8 @@ spec:
- "{{ .Values.global.istio.dns_host }}"
tls:
mode: SIMPLE
{{- if .Values.istio.ingress.enableIstioKeyvaultCert }}
credentialName: appgw-ssl-cert
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
credentialName: istio-appgw-ssl-cert
{{ else }}
credentialName: osdu-certificate
{{- end }}
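Review bot: The gate moved from `.Values.istio.ingress.enableIstioKeyvaultCert` to `.Values.global.istio.enableIstioKeyvaultCert`, which matches the condition already used in the other templates of this commit, but any values file that still sets only the old key will now take the `{{ else }}` branch and the gateway will serve `osdu-certificate` instead of the Key Vault certificate, with no error or warning. That is a silent change of which certificate is presented on the ingress, so the renamed key should be called out where the value is declared, e.g. `# enableIstioKeyvaultCert now lives under global.istio; the former istio.ingress key is ignored`. If a transition period is needed, honour the old key explicitly for one release rather than letting it fall through to the fallback secret.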
......
......@@ -54,7 +54,7 @@ In this approach, we use certificate uploaded by customer to Keyvault.
3. Once you have view and update permission on Certificate, click Certificates on left subsections.
4. Select Certificate named **`appgw-ssl-cert`**.
4. Select Certificate named **`istio-appgw-ssl-cert`**.
5. Click `+ New Version`. Select `Generate` or `Import` based on your preference and certificate you want to provision/upload.
Follow the link [Keyvault certificates](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios) to know more about certificate generation/upload.
......
......@@ -76,7 +76,8 @@ resource "azurerm_key_vault_secret" "system_storage_key" {
# Network
#-------------------------------
locals {
ssl_cert_name = "appgw-ssl-cert"
ssl_cert_name = "appgw-ssl-cert"
istio_ssl_cert_name = "istio-appgw-ssl-cert"
}
resource "azurerm_key_vault_certificate" "default" {
......@@ -139,6 +140,65 @@ resource "azurerm_key_vault_certificate" "default" {
}
}
resource "azurerm_key_vault_certificate" "istio_ssl_certificate" {
count = var.ssl_certificate_file == "" ? 1 : 0
name = local.istio_ssl_cert_name
key_vault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign",
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
]
subject_alternative_names {
dns_names = [var.dns_name, "${local.base_name}-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"]
}
subject = "CN=*.contoso.com"
validity_in_months = 12
}
}
lifecycle {
ignore_changes = all
}
}
#-------------------------------
# PostgreSQL
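Review bot: `key_usage` on the new `istio_ssl_certificate` resource grants `keyCertSign` and `cRLSign` to a certificate whose `extended_key_usage` marks it as a server-authentication leaf; a TLS endpoint certificate needs only `key_usage = ["digitalSignature", "keyEncipherment"]`, and an exportable key with CA-style usage bits is the kind of thing a policy audit flags. The block appears to mirror the existing `default` resource (only its tail is visible here), so the same narrowing presumably applies there too. Because of `lifecycle { ignore_changes = all }`, a later tightening of `certificate_policy` will not be applied to an already-created Key Vault certificate without recreating it, so it is better to settle the policy before the first apply. The `subject = "CN=*.contoso.com"` placeholder works because `subject_alternative_names` carries the real hostnames, but a short comment saying so would spare the next reader the question.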
......
......@@ -37,7 +37,7 @@ var tfOptions = &terraform.Options{
var istioEnabled = os.Getenv("AUTOSCALING_ENABLED")
var istioResourses = 11
var totalResources = 137
var totalResources = 138
func TestTemplate(t *testing.T) {
expectedAppDevResourceGroup := asMap(t, `{
......