From ac55115803c703d2dabe6c69233ef35d8cdca096 Mon Sep 17 00:00:00 2001 From: Aliaksei Babuk Date: Fri, 20 Aug 2021 12:48:24 +0000 Subject: [PATCH 1/2] Merged PR 3851: add istio-appgw-ssl-cert add istio-appgw-ssl-cert --- .../templates/cert-checker-cronjob.yaml | 4 +- .../osdu-istio/templates/cert-init-job.yaml | 4 +- .../osdu-istio/templates/istio-gateway.yaml | 4 +- docs/autoscaling.md | 2 +- .../osdu-r3-mvp/service_resources/secrets.tf | 62 ++++++++++++++++++- 5 files changed, 68 insertions(+), 8 deletions(-) diff --git a/charts/osdu-istio/templates/cert-checker-cronjob.yaml b/charts/osdu-istio/templates/cert-checker-cronjob.yaml index 29651848..a7dc8d9f 100644 --- a/charts/osdu-istio/templates/cert-checker-cronjob.yaml +++ b/charts/osdu-istio/templates/cert-checker-cronjob.yaml @@ -57,7 +57,7 @@ spec: - -c - | SIDECAR_PORT=15020 - KV_CERT_NAME=appgw-ssl-cert + KV_CERT_NAME=istio-appgw-ssl-cert K8S_ISTIONAMESPACE_NAME=istio-system # Compare expire dates of certificates in Key Vault and in istio-system namespaces @@ -113,7 +113,7 @@ spec: {{- if .Values.global.istio.enableIstioKeyvaultCert }} - K8S_CERT_SECRET=appgw-ssl-cert + K8S_CERT_SECRET=istio-appgw-ssl-cert K8S_NAMESPACE_NAME=istio-system # Check certificate expire date. diff --git a/charts/osdu-istio/templates/cert-init-job.yaml b/charts/osdu-istio/templates/cert-init-job.yaml index 1e0f54d1..fd525031 100644 --- a/charts/osdu-istio/templates/cert-init-job.yaml +++ b/charts/osdu-istio/templates/cert-init-job.yaml @@ -49,7 +49,7 @@ spec: - -c - | SIDECAR_PORT=15020 - KV_CERT_NAME=appgw-ssl-cert + KV_CERT_NAME=istio-appgw-ssl-cert K8S_ISTIONAMESPACE_NAME=istio-system # Cleanup function @@ -84,7 +84,7 @@ spec: {{- if .Values.global.istio.enableIstioKeyvaultCert }} - K8S_CERT_SECRET=appgw-ssl-cert + K8S_CERT_SECRET=istio-appgw-ssl-cert K8S_NAMESPACE_NAME=istio-system # Download BYOC certificate from keyvault 
diff --git a/charts/osdu-istio/templates/istio-gateway.yaml b/charts/osdu-istio/templates/istio-gateway.yaml index af8135f9..d15f592c 100644 --- a/charts/osdu-istio/templates/istio-gateway.yaml +++ b/charts/osdu-istio/templates/istio-gateway.yaml @@ -16,8 +16,8 @@ spec: - "{{ .Values.global.istio.dns_host }}" tls: mode: SIMPLE - {{- if .Values.istio.ingress.enableIstioKeyvaultCert }} - credentialName: appgw-ssl-cert + {{- if .Values.global.istio.enableIstioKeyvaultCert }} + credentialName: istio-appgw-ssl-cert {{ else }} credentialName: osdu-certificate {{- end }} diff --git a/docs/autoscaling.md b/docs/autoscaling.md index 983878cf..2c453917 100644 --- a/docs/autoscaling.md +++ b/docs/autoscaling.md @@ -54,7 +54,7 @@ In this approach, we use certificate uploaded by customer to Keyvault. 3. Once you have view and update permission on Certificate, click Certificates on left subsections. -4. Select Certificate named **`appgw-ssl-cert`**. +4. Select Certificate named **`istio-appgw-ssl-cert`**. 5. Click `+ New Version`. Select `Generate` or `Import` based on your preference and certificate you want to provision/upload. Follow the link [Keyvault certificates](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios) to know more about certificate generation/upload. diff --git a/infra/templates/osdu-r3-mvp/service_resources/secrets.tf b/infra/templates/osdu-r3-mvp/service_resources/secrets.tf index 5f54e3c6..f36111db 100644 --- a/infra/templates/osdu-r3-mvp/service_resources/secrets.tf +++ b/infra/templates/osdu-r3-mvp/service_resources/secrets.tf @@ -76,7 +76,8 @@ resource "azurerm_key_vault_secret" "system_storage_key" { # Network #------------------------------- locals { - ssl_cert_name = "appgw-ssl-cert" + ssl_cert_name = "appgw-ssl-cert" + istio_ssl_cert_name = "istio-appgw-ssl-cert" } resource "azurerm_key_vault_certificate" "default" { 
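Review bot: The `{{- if ... }}` guard in the istio-gateway hunk now reads `.Values.global.istio.enableIstioKeyvaultCert` instead of `.Values.istio.ingress.enableIstioKeyvaultCert`, a values-schema change the commit title ("add istio-appgw-ssl-cert") does not mention; a values file that still sets the old key will silently take the `credentialName: osdu-certificate` branch and serve the wrong certificate. The move does bring the gateway in line with the cert-init-job and cert-checker templates, which already read the `global.istio` key. Consider recording the rename where the chart documents its values, or adding a template comment such as `{{/* toggle moved to global.istio.enableIstioKeyvaultCert; istio.ingress.* is no longer read */}}`, and checking that the old key is not left behind in the chart defaults. The enclosing Gateway `spec:` starts outside the hunk.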
@@ -139,6 +140,65 @@ resource "azurerm_key_vault_certificate" "default" { } } +resource "azurerm_key_vault_certificate" "istio_ssl_certificate" { + count = var.ssl_certificate_file == "" ? 1 : 0 + + name = local.istio_ssl_cert_name + key_vault_id = data.terraform_remote_state.central_resources.outputs.keyvault_id + + certificate_policy { + issuer_parameters { + name = "Self" + } + + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = true + } + + lifetime_action { + action { + action_type = "AutoRenew" + } + + trigger { + days_before_expiry = 30 + } + } + + secret_properties { + content_type = "application/x-pkcs12" + } + + x509_certificate_properties { + # Server Authentication = 1.3.6.1.5.5.7.3.1 + # Client Authentication = 1.3.6.1.5.5.7.3.2 + extended_key_usage = ["1.3.6.1.5.5.7.3.1"] + + key_usage = [ + "cRLSign", + "dataEncipherment", + "digitalSignature", + "keyAgreement", + "keyCertSign", + "keyEncipherment", + ] + + subject_alternative_names { + dns_names = [var.dns_name, "${local.base_name}-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"] + } + + subject = "CN=*.contoso.com" + validity_in_months = 12 + } + } + + lifecycle { + ignore_changes = all + } +} #------------------------------- # PostgreSQL -- GitLab From 3e6133632dd7289c8d5a4f4a5c8fcd56280f50ec Mon Sep 17 00:00:00 2001 From: "Dzmitry_Paulouski (slb)" <504-Paulouski@users.noreply.community.opengroup.org> Date: Wed, 25 Aug 2021 14:32:55 +0000 Subject: [PATCH 2/2] fix tests --- .../osdu-r3-mvp/service_resources/tests/unit/unit_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go index 57cb8799..d1c8948b 100644 --- a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go +++ b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go 
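Review bot: The `key_usage` list on the new `istio_ssl_certificate` resource grants `keyCertSign` and `cRLSign` to what is a TLS server leaf certificate (its `extended_key_usage` is only Server Authentication); those are CA usages that allow the key to sign further certificates and CRLs, so they should be dropped, e.g. `key_usage = ["digitalSignature", "keyEncipherment"]`. The resource is created only when `var.ssl_certificate_file == ""`, yet nothing in this commit appears to publish a Key Vault certificate under `local.istio_ssl_cert_name` in the bring-your-own-certificate case, while the cert-init-job now downloads exactly that name — confirm the BYOC upload path covers the istio name too, or the init job will fail whenever a customer certificate is supplied. `subject = "CN=*.contoso.com"` is a placeholder for a foreign wildcard domain; since the SANs already come from `var.dns_name`, `subject = "CN=${var.dns_name}"` would keep the self-signed certificate honest. The block presumably mirrors the existing `default` certificate, whose body lies outside the hunk; if so, the same usage trim applies there.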
@@ -37,7 +37,7 @@ var tfOptions = &terraform.Options{
 var istioEnabled = os.Getenv("AUTOSCALING_ENABLED")
 var istioResourses = 11
-var totalResources = 137
+var totalResources = 138
 
 func TestTemplate(t *testing.T) {
 expectedAppDevResourceGroup := asMap(t, `{
-- 
GitLab
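Review bot: The bump of `totalResources` to 138 holds only while the test's Terraform variables leave `ssl_certificate_file` empty, because the resource it accounts for, `azurerm_key_vault_certificate.istio_ssl_certificate`, is guarded by `count = var.ssl_certificate_file == "" ? 1 : 0` in secrets.tf. A trailing comment such as `// 138 includes istio_ssl_certificate, created only when ssl_certificate_file is empty` would keep the magic number traceable the next time a conditional resource is added. `tfOptions`, which sets those variables, is declared above the hunk.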