Commit 98311342 authored by MANISH KUMAR's avatar MANISH KUMAR

Merge branch 'change_cert_job' into 'master'

Change cert job

See merge request !474
parents 145827cb 1927aaca
......@@ -51,6 +51,11 @@ spec:
configMapKeyRef:
name: {{ .Values.global.job.configmap_name }}
key: ENV_CLUSTER_NAME
- name: ENV_APPGW_NAME
valueFrom:
configMapKeyRef:
name: {{ .Values.global.job.configmap_name }}
key: ENV_APPGW_NAME
command:
- /bin/sh
args:
......@@ -62,6 +67,7 @@ spec:
# Compare expire dates of certificates in Key Vault and in istio-system namespaces
function check_expire_date() {
echo "Compare expire dates of certificates in Key Vault and in istio-system namespaces"
az keyvault certificate download --vault-name ${ENV_KEYVAULT_NAME} -n ${KV_CERT_NAME} --file ${KV_CERT_NAME}.pem
KV_CERT_EXPIREDATE=$(openssl x509 -in ${KV_CERT_NAME}.pem -enddate -noout | cut -d '=' -f2)
KV_CERT_EXPIREDATE=$(date "+%Y-%m-%d" --date="${KV_CERT_EXPIREDATE}")
......@@ -84,7 +90,7 @@ spec:
# Cleanup function
cleanup() {
echo Clean all existing files
echo "Clean all existing files"
rm -f cert.crt cert.key osdu-certificate.pfx ${KV_CERT_NAME}.pem
curl -X POST "http://localhost:${SIDECAR_PORT}/quitquitquit"
}
......@@ -111,7 +117,7 @@ spec:
# Log In in Azure
az login --service-principal -u ${client_id} -p ${client_secret} --tenant ${tenant_id}
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
K8S_CERT_SECRET=istio-appgw-ssl-cert
K8S_NAMESPACE_NAME=istio-system
......@@ -120,8 +126,13 @@ spec:
check_expire_date
# Download BYOC certificate from keyvault
echo "Download BYOC certificate from keyvault"
az keyvault secret download --file ${KV_CERT_NAME}.pfx --vault-name ${ENV_KEYVAULT_NAME} --encoding base64 --name ${KV_CERT_NAME}
# Upload BYOC certificate to appgw
echo "Upload BYOC certificate to appgw"
az network application-gateway ssl-cert update -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} --cert-file ${K8S_CERT_SECRET}.pfx --cert-password ""
# Extract key and crt
openssl pkcs12 -in ${K8S_CERT_SECRET}.pfx -out cert.pem -passin pass:"" -nodes -passout pass:""
openssl rsa -in cert.pem -out cert.key
......@@ -135,6 +146,9 @@ spec:
sleep 5
# Restart istio-ingressgateway pods
kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME} deployment/istio-ingressgateway
# Check certificate expire date one more time
check_expire_date
......
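Review bot: The new upload step `az network application-gateway ssl-cert update ... --cert-file ${K8S_CERT_SECRET}.pfx` reads a different file than the download two lines above writes (`--file ${KV_CERT_NAME}.pfx`); unless the two variables resolve to the same name, or an earlier step outside this hunk produces `${K8S_CERT_SECRET}.pfx`, the update fails on a missing file, and since no `set -e` is visible the script carries on, rotates the Kubernetes secret and restarts the ingress gateway while the gateway keeps the old certificate. The freshly downloaded `${KV_CERT_NAME}.pfx` contains the private key but is not in the `rm -f` list of `cleanup()`, which only removes `cert.crt cert.key osdu-certificate.pfx ${KV_CERT_NAME}.pem`. I would use a single filename for download and upload and extend the cleanup, e.g. `rm -f cert.crt cert.key osdu-certificate.pfx ${KV_CERT_NAME}.pem ${KV_CERT_NAME}.pfx`, and fail fast on the upload with `|| exit 1`. The script is embedded in a Helm template whose start and end lie outside the hunk.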
......@@ -43,6 +43,11 @@ spec:
configMapKeyRef:
name: {{ .Values.global.job.configmap_name }}
key: ENV_CLUSTER_NAME
- name: ENV_APPGW_NAME
valueFrom:
configMapKeyRef:
name: {{ .Values.global.job.configmap_name }}
key: ENV_APPGW_NAME
command:
- /bin/sh
args:
......@@ -82,14 +87,19 @@ spec:
az login --service-principal -u ${client_id} -p ${client_secret} --tenant ${tenant_id}
az aks get-credentials --resource-group ${ENV_SR_GROUP_NAME} --name ${ENV_CLUSTER_NAME}
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
{{- if .Values.global.istio.enableIstioKeyvaultCert }}
K8S_CERT_SECRET=istio-appgw-ssl-cert
K8S_NAMESPACE_NAME=istio-system
# Download BYOC certificate from keyvault
echo "Download BYOC certificate from keyvault"
az keyvault secret download --file ${KV_CERT_NAME}.pfx --vault-name ${ENV_KEYVAULT_NAME} --encoding base64 --name ${KV_CERT_NAME}
# Upload BYOC certificate to appgw
echo "Upload BYOC certificate to appgw"
az network application-gateway ssl-cert create -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} --cert-file ${K8S_CERT_SECRET}.pfx --cert-password ""
# Extract key and crt
openssl pkcs12 -in ${K8S_CERT_SECRET}.pfx -out cert.pem -passin pass:"" -nodes -passout pass:""
openssl rsa -in cert.pem -out cert.key
......@@ -101,6 +111,9 @@ spec:
--from-file=tls.crt=cert.crt --from-file=tls.key=cert.key \
-o yaml | kubectl apply -f -
# Restart istio-ingressgateway pods
kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME} deployment/istio-ingressgateway
{{ else }}
K8S_CERT_SECRET=osdu-certificate
......
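Review bot: `az network application-gateway ssl-cert create` in the new upload step is not idempotent: if the job runs again against a gateway that already has an ssl-cert named `${KV_CERT_NAME}` (re-install, retry after a partial failure), the CLI returns a conflict, and with no `set -e` visible the script still extracts the key, rewrites the secret and restarts the ingress gateway. The same line reads `--cert-file ${K8S_CERT_SECRET}.pfx` while the download above writes `--file ${KV_CERT_NAME}.pfx`; unless those names coincide or `${K8S_CERT_SECRET}.pfx` is produced outside this hunk, the file will not exist. I would probe first and pick the verb: `az network application-gateway ssl-cert show -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} >/dev/null 2>&1 && ACTION=update || ACTION=create` followed by `az network application-gateway ssl-cert ${ACTION} -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} --cert-file ${KV_CERT_NAME}.pfx --cert-password "" || exit 1`. The added `kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME}` relies on a variable not set in the visible hunk (only `K8S_NAMESPACE_NAME=istio-system` is); presumably it is defined earlier in the script, worth confirming.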
......@@ -66,6 +66,7 @@ resource "kubernetes_config_map" "appgw_configmap" {
ENV_SR_GROUP_NAME = azurerm_resource_group.main.name
ENV_KEYVAULT_NAME = data.terraform_remote_state.central_resources.outputs.keyvault_name
ENV_CLUSTER_NAME = module.aks.name
ENV_APPGW_NAME = module.istio_appgateway[count.index].name
}
depends_on = [kubernetes_namespace.osdu]
depends_on = [kubernetes_namespace.osdu, module.istio_appgateway]
}
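Review bot: `ENV_APPGW_NAME = module.istio_appgateway[count.index].name` only plans if this config map's own `count` (its header is outside the hunk) is driven by the same condition as `module.istio_appgateway` — the role assignments added elsewhere in this commit gate on `var.feature_flag.autoscaling`; if the config map is created while the gateway module has zero instances, `terraform plan` fails with an index-out-of-range error. The added `module.istio_appgateway` in `depends_on` appears redundant, since the attribute reference on the new line already establishes the dependency. I would keep `depends_on = [kubernetes_namespace.osdu]` and annotate the new entry instead: `# Consumed by the cert job; requires the same count condition as module.istio_appgateway`.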
......@@ -441,6 +441,39 @@ data "azurerm_resource_group" "aks_node_resource_group" {
name = module.aks.node_resource_group
}
// Give AD Principal Access rights to Change the Istio Application Gateway
resource "azurerm_role_assignment" "agic_istio_appgw_contributor" {
count = var.feature_flag.autoscaling ? 1 : 0
principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
scope = module.istio_appgateway[count.index].id
role_definition_name = "Contributor"
depends_on = [module.istio_appgateway]
}
// Give AD Principal Access rights to Operate the Istio Application Gateway Identity
resource "azurerm_role_assignment" "agic_istio_app_gw_contributor_for_adsp" {
count = var.feature_flag.autoscaling ? 1 : 0
principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
scope = module.istio_appgateway[count.index].managed_identity_resource_id
role_definition_name = "Managed Identity Operator"
depends_on = [module.istio_appgateway]
}
// Give AD Principal the rights to look at the Resource Group
resource "azurerm_role_assignment" "agic_istio_resourcegroup_reader" {
count = var.feature_flag.autoscaling ? 1 : 0
principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
scope = azurerm_resource_group.main.id
role_definition_name = "Reader"
depends_on = [module.istio_appgateway]
}
// Give AKS Access rights to Operate the Node Resource Group
resource "azurerm_role_assignment" "all_mi_operator" {
principal_id = module.aks.kubelet_object_id
......
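Review bot: `role_definition_name = "Contributor"` on the Application Gateway in `agic_istio_appgw_contributor` grants the OSDU service principal far more than the certificate swap the new job performs — Contributor can rewrite listeners, backend pools, routing rules and WAF settings on the public ingress, and that principal is presumably the one the chart job logs in with via `client_id`/`client_secret`, so a leaked secret becomes full control of the gateway. A custom role limited to `Microsoft.Network/applicationGateways/read` and `Microsoft.Network/applicationGateways/write` (together with the `Managed Identity Operator` grant already added for the gateway identity) should cover what `ssl-cert create/update` needs; if Contributor is kept deliberately, say so on the resource: `// Contributor chosen because no built-in role covers applicationGateways/write alone; a custom role would be tighter`. Note also that all three grants are gated on `var.feature_flag.autoscaling` while the job that needs them is gated on `.Values.global.istio.enableIstioKeyvaultCert` in the chart; if those flags diverge the job runs without rights, which deserves a comment on the `count` line. The `all_mi_operator` resource at the end continues outside the hunk.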
......@@ -36,8 +36,8 @@ var tfOptions = &terraform.Options{
}
var istioEnabled = os.Getenv("AUTOSCALING_ENABLED")
var istioResourses = 11
var totalResources = 138
var istioResourses = 14
var totalResources = 141
func TestTemplate(t *testing.T) {
expectedAppDevResourceGroup := asMap(t, `{
......