diff --git a/charts/osdu-istio/templates/cert-checker-cronjob.yaml b/charts/osdu-istio/templates/cert-checker-cronjob.yaml index 296518488d3c356bba03d50dcbdadacfffe1a167..a7dc8d9f249e8917d84841dd0648b569afe7e41d 100644 --- a/charts/osdu-istio/templates/cert-checker-cronjob.yaml +++ b/charts/osdu-istio/templates/cert-checker-cronjob.yaml @@ -57,7 +57,7 @@ spec: - -c - | SIDECAR_PORT=15020 - KV_CERT_NAME=appgw-ssl-cert + KV_CERT_NAME=istio-appgw-ssl-cert K8S_ISTIONAMESPACE_NAME=istio-system # Compare expire dates of certificates in Key Vault and in istio-system namespaces @@ -113,7 +113,7 @@ spec: {{- if .Values.global.istio.enableIstioKeyvaultCert }} - K8S_CERT_SECRET=appgw-ssl-cert + K8S_CERT_SECRET=istio-appgw-ssl-cert K8S_NAMESPACE_NAME=istio-system # Check certificate expire date. diff --git a/charts/osdu-istio/templates/cert-init-job.yaml b/charts/osdu-istio/templates/cert-init-job.yaml index 1e0f54d10ac8d1656d71e39e4de2d4376647494c..fd5250310abc28ba68ae6adeb72b874f237e459b 100644 --- a/charts/osdu-istio/templates/cert-init-job.yaml +++ b/charts/osdu-istio/templates/cert-init-job.yaml @@ -49,7 +49,7 @@ spec: - -c - | SIDECAR_PORT=15020 - KV_CERT_NAME=appgw-ssl-cert + KV_CERT_NAME=istio-appgw-ssl-cert K8S_ISTIONAMESPACE_NAME=istio-system # Cleanup function @@ -84,7 +84,7 @@ spec: {{- if .Values.global.istio.enableIstioKeyvaultCert }} - K8S_CERT_SECRET=appgw-ssl-cert + K8S_CERT_SECRET=istio-appgw-ssl-cert K8S_NAMESPACE_NAME=istio-system # Download BYOC certificate from keyvault diff --git a/charts/osdu-istio/templates/istio-gateway.yaml b/charts/osdu-istio/templates/istio-gateway.yaml index af8135f9c3d09ad691f660a7470528812d28417e..d15f592c2c7da4df046ab654e4448561bf278ecc 100644 --- a/charts/osdu-istio/templates/istio-gateway.yaml +++ b/charts/osdu-istio/templates/istio-gateway.yaml 
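Review bot: The certificate name `istio-appgw-ssl-cert` is now a bare literal in four places — `KV_CERT_NAME` here and in cert-init-job.yaml's @@ -49 hunk, and `K8S_CERT_SECRET` in the @@ -113 and @@ -84 hunks — with nothing tying them to the Terraform local that creates the Key Vault certificate or to the gateway's `credentialName`. A drift between any of these only surfaces at runtime, when the job cannot find the certificate or the gateway cannot find its secret, and the script does not distinguish "wrong name" from "certificate not yet provisioned". Consider sourcing both names from one chart value (a new value, e.g. `KV_CERT_NAME={{ .Values.global.istio.keyvaultCertName }}` with `istio-appgw-ssl-cert` as its default in values.yaml) and using it at all four sites. The shell scripts these assignments belong to start and end outside the hunks, so the lookup and its error handling could not be checked here.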
@@ -16,8 +16,8 @@ spec: - "{{ .Values.global.istio.dns_host }}" tls: mode: SIMPLE - {{- if .Values.istio.ingress.enableIstioKeyvaultCert }} - credentialName: appgw-ssl-cert + {{- if .Values.global.istio.enableIstioKeyvaultCert }} + credentialName: istio-appgw-ssl-cert {{ else }} credentialName: osdu-certificate {{- end }} diff --git a/docs/autoscaling.md b/docs/autoscaling.md index 983878cf6fc10428c847c62c30f2f9850991eab0..2c4539174791bb56ea3912fb0c40603123b98ae1 100644 --- a/docs/autoscaling.md +++ b/docs/autoscaling.md @@ -54,7 +54,7 @@ In this approach, we use certificate uploaded by customer to Keyvault. 3. Once you have view and update permission on Certificate, click Certificates on left subsections. -4. Select Certificate named **`appgw-ssl-cert`**. +4. Select Certificate named **`istio-appgw-ssl-cert`**. 5. Click `+ New Version`. Select `Generate` or `Import` based on your preference and certificate you want to provision/upload. Follow the link [Keyvault certificates](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios) to know more about certificate generation/upload. diff --git a/infra/templates/osdu-r3-mvp/service_resources/secrets.tf b/infra/templates/osdu-r3-mvp/service_resources/secrets.tf index 5f54e3c6ea5468346b9f4df1521c5173cf7043b3..f36111db179a134b20066e8dbe873c79b49f8ad7 100644 --- a/infra/templates/osdu-r3-mvp/service_resources/secrets.tf +++ b/infra/templates/osdu-r3-mvp/service_resources/secrets.tf @@ -76,7 +76,8 @@ resource "azurerm_key_vault_secret" "system_storage_key" { # Network #------------------------------- locals { - ssl_cert_name = "appgw-ssl-cert" + ssl_cert_name = "appgw-ssl-cert" + istio_ssl_cert_name = "istio-appgw-ssl-cert" } resource "azurerm_key_vault_certificate" "default" { 
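Review bot: `credentialName: istio-appgw-ssl-cert` has to match the `K8S_CERT_SECRET` that cert-init-job.yaml writes into istio-system, but the two literals are maintained independently; if either is edited alone the gateway ends up with a SIMPLE TLS listener whose secret does not exist, which Istio reports only as a serving failure rather than at deploy time. Templating both from the same chart value would make that impossible. Switching the condition to `.Values.global.istio.enableIstioKeyvaultCert` brings the gateway in line with the jobs, but if `istio.ingress.enableIstioKeyvaultCert` is still declared in values.yaml it is now dead and should be removed or marked deprecated so operators do not keep setting it.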
@@ -139,6 +140,65 @@ resource "azurerm_key_vault_certificate" "default" { } } +resource "azurerm_key_vault_certificate" "istio_ssl_certificate" { + count = var.ssl_certificate_file == "" ? 1 : 0 + + name = local.istio_ssl_cert_name + key_vault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id + + certificate_policy { + issuer_parameters { + name = "Self" + } + + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = true + } + + lifetime_action { + action { + action_type = "AutoRenew" + } + + trigger { + days_before_expiry = 30 + } + } + + secret_properties { + content_type = "application/x-pkcs12" + } + + x509_certificate_properties { + # Server Authentication = 1.3.6.1.5.5.7.3.1 + # Client Authentication = 1.3.6.1.5.5.7.3.2 + extended_key_usage = ["1.3.6.1.5.5.7.3.1"] + + key_usage = [ + "cRLSign", + "dataEncipherment", + "digitalSignature", + "keyAgreement", + "keyCertSign", + "keyEncipherment", + ] + + subject_alternative_names { + dns_names = [var.dns_name, "${local.base_name}-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"] + } + + subject = "CN=*.contoso.com" + validity_in_months = 12 + } + } + + lifecycle { + ignore_changes = all + } +} #------------------------------- # PostgreSQL diff --git a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go index 57cb87997faf5fd156de40c7714ca098e66de9c2..d1c8948b170dde0fb59dc2966193c39854ea19da 100644 --- a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go +++ b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go @@ -37,7 +37,7 @@ var tfOptions = &terraform.Options{ var istioEnabled = os.Getenv("AUTOSCALING_ENABLED") var istioResourses = 11 -var totalResources = 137 +var totalResources = 138 func TestTemplate(t *testing.T) { expectedAppDevResourceGroup := asMap(t, `{
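Review bot: `istio_ssl_certificate` is created only when `var.ssl_certificate_file` is empty (the `count` expression), yet the diff adds no counterpart that uploads a customer-supplied file under `local.istio_ssl_cert_name`; if the existing `default` resource has such a sibling outside this hunk, the bring-your-own-certificate path will provision `appgw-ssl-cert` but not `istio-appgw-ssl-cert`, and the cert-init job gated on `enableIstioKeyvaultCert` will fail to find it. Separately, `key_usage` grants `cRLSign` and `keyCertSign` to a certificate whose only `extended_key_usage` is server authentication; a TLS server certificate needs `digitalSignature` and `keyEncipherment`, and the CA-style usages widen what the exportable key is valid for without any benefit — `key_usage = ["digitalSignature", "keyEncipherment"]` — unless they are deliberately mirrored from the existing `default` resource, in which case the same applies there. `subject = "CN=*.contoso.com"` is a placeholder; clients validate against the SANs, so it works, but deriving the subject from `var.dns_name` would avoid issuing a certificate with a contoso.com CN.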
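Review bot: `totalResources = 138` accounts for the new `istio_ssl_certificate` resource, which is only instantiated when `var.ssl_certificate_file` is empty; if `tfOptions` (declared above, outside the hunk) supplies that variable, the expected count stays at 137 and this assertion will fail. A comment next to the constant would save the next person who bumps it from re-deriving this, e.g. `// includes istio_ssl_certificate, which has count 1 only when ssl_certificate_file == ""`.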