diff --git a/charts/osdu-istio/templates/cert-checker-cronjob.yaml b/charts/osdu-istio/templates/cert-checker-cronjob.yaml
index a7dc8d9f249e8917d84841dd0648b569afe7e41d..f1c4a5c0fae6ca32667f441fd1381a3d5f7671ab 100644
--- a/charts/osdu-istio/templates/cert-checker-cronjob.yaml
+++ b/charts/osdu-istio/templates/cert-checker-cronjob.yaml
@@ -51,6 +51,11 @@ spec:
 configMapKeyRef:
 name: {{ .Values.global.job.configmap_name }}
 key: ENV_CLUSTER_NAME
+ - name: ENV_APPGW_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Values.global.job.configmap_name }}
+ key: ENV_APPGW_NAME
 command:
 - /bin/sh
 args:
@@ -62,6 +67,7 @@ spec:
 # Compare expire dates of certificates in Key Vault and in istio-system namespaces
 function check_expire_date() {
+ echo "Compare expire dates of certificates in Key Vault and in istio-system namespaces"
 az keyvault certificate download --vault-name ${ENV_KEYVAULT_NAME} -n ${KV_CERT_NAME} --file ${KV_CERT_NAME}.pem
 KV_CERT_EXPIREDATE=$(openssl x509 -in ${KV_CERT_NAME}.pem -enddate -noout | cut -d '=' -f2)
 KV_CERT_EXPIREDATE=$(date "+%Y-%m-%d" --date="${KV_CERT_EXPIREDATE}")
@@ -84,7 +90,7 @@ spec:
 # Cleanup
 function cleanup() {
- echo Clean all existing files
+ echo "Clean all existing files"
 rm -f cert.crt cert.key osdu-certificate.pfx ${KV_CERT_NAME}.pem
 curl -X POST "http://localhost:${SIDECAR_PORT}/quitquitquit"
 }
@@ -111,7 +117,7 @@ spec:
 # Log In in Azure
 az login --service-principal -u ${client_id} -p ${client_secret} --tenant ${tenant_id}
-{{- if .Values.global.istio.enableIstioKeyvaultCert }}
+{{- if .Values.global.istio.enableIstioKeyvaultCert }}
 K8S_CERT_SECRET=istio-appgw-ssl-cert
 K8S_NAMESPACE_NAME=istio-system
@@ -120,8 +126,13 @@ spec:
 check_expire_date
 # Download BYOC certificate from keyvault
+ echo "Download BYOC certificate from keyvault"
 az keyvault secret download --file ${KV_CERT_NAME}.pfx --vault-name ${ENV_KEYVAULT_NAME} --encoding base64 --name ${KV_CERT_NAME}
+ # Upload BYOC certificate to appgw
+ echo "Upload BYOC certificate to appgw"
+ az network application-gateway ssl-cert update -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} --cert-file ${K8S_CERT_SECRET}.pfx --cert-password ""
+
 # Extract key and crt
 openssl pkcs12 -in ${K8S_CERT_SECRET}.pfx -out cert.pem -passin pass:"" -nodes -passout pass:""
 openssl rsa -in cert.pem -out cert.key
@@ -135,6 +146,9 @@ spec:
 sleep 5
+ # Restart istio-ingressgateway pods
+ kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME} deployment/istio-ingressgateway
+
 # Check certificate expire date one more time
 check_expire_date
diff --git a/charts/osdu-istio/templates/cert-init-job.yaml b/charts/osdu-istio/templates/cert-init-job.yaml
index fd5250310abc28ba68ae6adeb72b874f237e459b..9f75fffd650f92c0c43235de7957828f0a154ea0 100644
--- a/charts/osdu-istio/templates/cert-init-job.yaml
+++ b/charts/osdu-istio/templates/cert-init-job.yaml
@@ -43,6 +43,11 @@ spec:
 configMapKeyRef:
 name: {{ .Values.global.job.configmap_name }}
 key: ENV_CLUSTER_NAME
+ - name: ENV_APPGW_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: {{ .Values.global.job.configmap_name }}
+ key: ENV_APPGW_NAME
 command:
 - /bin/sh
 args:
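Review bot: The new `az network application-gateway ssl-cert update` call has no exit-status check, so if the App Gateway rejects the upload the script still goes on to rotate the istio-appgw-ssl-cert secret and restart the ingress gateway, leaving the gateway on the old certificate while Istio serves the new one; unless a `set -e` is in force above this hunk (not visible here), guard it with `az network application-gateway ssl-cert update ... --cert-password "" || { echo "App Gateway ssl-cert update failed"; cleanup; exit 1; }` (cleanup is defined earlier in this script and also stops the sidecar). The download writes `${KV_CERT_NAME}.pfx` while the upload reads `${K8S_CERT_SECRET}.pfx`; the pre-existing openssl line has the same pairing, so the two names are presumably equal, but it is worth confirming or using a single variable for the file. Neither that PFX nor cert.pem (which holds the unencrypted private key, because of -nodes) is in cleanup()'s rm list; the pod filesystem is ephemeral, but adding `${K8S_CERT_SECRET}.pfx cert.pem` to it is cheap. Longer term, App Gateway can reference the Key Vault secret directly through its managed identity (`--key-vault-secret-id`), which would avoid pushing the private key through this job at all.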
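Review bot: `kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME} deployment/istio-ingressgateway` uses a variable that nothing in the visible part of this script sets; the namespace assigned earlier in the same branch is `K8S_NAMESPACE_NAME=istio-system`. If K8S_ISTIONAMESPACE_NAME is empty the unquoted expansion makes `-n` consume `deployment/istio-ingressgateway` as the namespace, kubectl errors out, and the script continues to the final check_expire_date as if the restart had happened. Unless it is defined elsewhere in the template, use `kubectl rollout restart -n ${K8S_NAMESPACE_NAME} deployment/istio-ingressgateway` and follow it with `kubectl rollout status -n ${K8S_NAMESPACE_NAME} deployment/istio-ingressgateway --timeout=120s` so the final expiry check runs against pods that actually picked up the new secret.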
@@ -82,14 +87,19 @@ spec:
 az login --service-principal -u ${client_id} -p ${client_secret} --tenant ${tenant_id}
 az aks get-credentials --resource-group ${ENV_SR_GROUP_NAME} --name ${ENV_CLUSTER_NAME}
-{{- if .Values.global.istio.enableIstioKeyvaultCert }}
+{{- if .Values.global.istio.enableIstioKeyvaultCert }}
 K8S_CERT_SECRET=istio-appgw-ssl-cert
 K8S_NAMESPACE_NAME=istio-system
 # Download BYOC certificate from keyvault
+ echo "Download BYOC certificate from keyvault"
 az keyvault secret download --file ${KV_CERT_NAME}.pfx --vault-name ${ENV_KEYVAULT_NAME} --encoding base64 --name ${KV_CERT_NAME}
+ # Upload BYOC certificate to appgw
+ echo "Upload BYOC certificate to appgw"
+ az network application-gateway ssl-cert create -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} --cert-file ${K8S_CERT_SECRET}.pfx --cert-password ""
+
 # Extract key and crt
 openssl pkcs12 -in ${K8S_CERT_SECRET}.pfx -out cert.pem -passin pass:"" -nodes -passout pass:""
 openssl rsa -in cert.pem -out cert.key
@@ -101,6 +111,9 @@ spec:
 --from-file=tls.crt=cert.crt --from-file=tls.key=cert.key \
 -o yaml | kubectl apply -f -
+ # Restart istio-ingressgateway pods
+ kubectl rollout restart -n ${K8S_ISTIONAMESPACE_NAME} deployment/istio-ingressgateway
+
 {{ else }}
 K8S_CERT_SECRET=osdu-certificate
diff --git a/infra/templates/osdu-r3-mvp/service_resources/config_map.tf b/infra/templates/osdu-r3-mvp/service_resources/config_map.tf
index 418c6cec8d6e94124cfeafa1bca01639893a15c2..fc9fa06ed5d477e9e783808921e085de3147ff06 100644
--- a/infra/templates/osdu-r3-mvp/service_resources/config_map.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/config_map.tf
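Review bot: `az network application-gateway ssl-cert create` is not idempotent: a re-run of this init job (Helm upgrade, or a retry after a later step failed) will be rejected because a certificate named ${KV_CERT_NAME} already exists on the gateway, while the cron job uses `update` for the same object. Probe first and pick the verb, e.g. `if az network application-gateway ssl-cert show -g ${ENV_SR_GROUP_NAME} --gateway-name ${ENV_APPGW_NAME} -n ${KV_CERT_NAME} >/dev/null 2>&1; then APPGW_CERT_ACTION=update; else APPGW_CERT_ACTION=create; fi` and then call `az network application-gateway ssl-cert ${APPGW_CERT_ACTION} ...`. Whichever verb runs, its exit status is not checked, so a failed upload still lets the script create the Kubernetes secret and restart the gateway; append `|| exit 1` unless `set -e` is in effect above this hunk. The upload reads `${K8S_CERT_SECRET}.pfx` while the download wrote `${KV_CERT_NAME}.pfx`; the existing openssl line has the same pairing, so presumably the names coincide, but confirm or unify them.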
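Review bot: The restart line references `${K8S_ISTIONAMESPACE_NAME}`, which is not set anywhere visible in this script; the namespace the script assigns in this branch is `K8S_NAMESPACE_NAME=istio-system`. With an empty value the unquoted `-n` swallows `deployment/istio-ingressgateway` as the namespace and the restart fails, and since nothing checks the exit status the job still completes successfully. Unless the variable is exported elsewhere in the template, change it to `kubectl rollout restart -n ${K8S_NAMESPACE_NAME} deployment/istio-ingressgateway` and add `kubectl rollout status -n ${K8S_NAMESPACE_NAME} deployment/istio-ingressgateway --timeout=120s` so a job that reports success really has the gateway serving the new secret. Note the restart sits only inside the enableIstioKeyvaultCert branch; the `{{ else }}` path that follows gets no restart, which may or may not be intended.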
@@ -66,6 +66,7 @@ resource "kubernetes_config_map" "appgw_configmap" {
 ENV_SR_GROUP_NAME = azurerm_resource_group.main.name
 ENV_KEYVAULT_NAME = data.terraform_remote_state.central_resources.outputs.keyvault_name
 ENV_CLUSTER_NAME = module.aks.name
+ ENV_APPGW_NAME = module.istio_appgateway[count.index].name
 }
- depends_on = [kubernetes_namespace.osdu]
+ depends_on = [kubernetes_namespace.osdu, module.istio_appgateway]
 }
diff --git a/infra/templates/osdu-r3-mvp/service_resources/main.tf b/infra/templates/osdu-r3-mvp/service_resources/main.tf
index b04b6cf3f4c9c8d3a731c26f9a8d9ead78a064d8..7b9adecf430a9c318f39e3323fae0f5de82ac0b3 100644
--- a/infra/templates/osdu-r3-mvp/service_resources/main.tf
+++ b/infra/templates/osdu-r3-mvp/service_resources/main.tf
@@ -441,6 +441,39 @@ data "azurerm_resource_group" "aks_node_resource_group" {
 name = module.aks.node_resource_group
 }
+// Give AD Principal Access rights to Change the Istio Application Gateway
+resource "azurerm_role_assignment" "agic_istio_appgw_contributor" {
+ count = var.feature_flag.autoscaling ? 1 : 0
+
+ principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
+ scope = module.istio_appgateway[count.index].id
+ role_definition_name = "Contributor"
+
+ depends_on = [module.istio_appgateway]
+}
+
+// Give AD Principal Access rights to Operate the Istio Application Gateway Identity
+resource "azurerm_role_assignment" "agic_istio_app_gw_contributor_for_adsp" {
+ count = var.feature_flag.autoscaling ? 1 : 0
+
+ principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
+ scope = module.istio_appgateway[count.index].managed_identity_resource_id
+ role_definition_name = "Managed Identity Operator"
+
+ depends_on = [module.istio_appgateway]
+}
+
+// Give AD Principal the rights to look at the Resource Group
+resource "azurerm_role_assignment" "agic_istio_resourcegroup_reader" {
+ count = var.feature_flag.autoscaling ? 1 : 0
+
+ principal_id = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
+ scope = azurerm_resource_group.main.id
+ role_definition_name = "Reader"
+
+ depends_on = [module.istio_appgateway]
+}
+
 // Give AKS Access rights to Operate the Node Resource Group
 resource "azurerm_role_assignment" "all_mi_operator" {
 principal_id = module.aks.kubelet_object_id
diff --git a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go
index d1c8948b170dde0fb59dc2966193c39854ea19da..2ad0d0941a289d1b987e8dec8ec7e0bed01b2fb2 100644
--- a/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go
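Review bot: `role_definition_name = "Contributor"` on the Istio Application Gateway grants the OSDU service principal far more than certificate rotation needs — at that scope Contributor can rewrite listeners, routing rules and WAF settings and delete the gateway, and this is the same principal whose client secret the cron job logs in with, so a leaked secret now yields control of the public edge. A custom role limited to `Microsoft.Network/applicationGateways/read` and `.../write` at the gateway scope is enough for `ssl-cert create/update`; be aware the gateway PUT may additionally need `Microsoft.Network/virtualNetworks/subnets/join/action` and `Microsoft.Network/publicIPAddresses/join/action` on the linked subnet and public IP, which neither these assignments nor the RG Reader supply, so exercise a real rotation after narrowing (the Managed Identity Operator grant is presumably there because a gateway with a user-assigned identity cannot be written without assign/action on that identity — worth saying in its comment). The `agic_` prefix on all three resource names is misleading since the principal is the OSDU SP, not the AGIC identity, and the explicit `depends_on = [module.istio_appgateway]` is redundant with the implicit dependency created by referencing the module's outputs. Adding the role definition below bumps the istio resource count in tests/unit/unit_test.go by one.

```hcl
// Least privilege for certificate rotation: the OSDU SP only needs to read and
// rewrite the Istio Application Gateway, never to delete it or touch other resources.
// Custom role names are tenant-unique, hence the gateway-name suffix.
resource "azurerm_role_definition" "istio_appgw_cert_rotator" {
  count = var.feature_flag.autoscaling ? 1 : 0

  name  = "osdu-istio-appgw-cert-rotator-${module.istio_appgateway[count.index].name}"
  scope = module.istio_appgateway[count.index].id

  permissions {
    actions = [
      "Microsoft.Network/applicationGateways/read",
      "Microsoft.Network/applicationGateways/write",
    ]
  }

  assignable_scopes = [module.istio_appgateway[count.index].id]
}

// Give the OSDU SP the rotation role on the Istio Application Gateway
resource "azurerm_role_assignment" "agic_istio_appgw_contributor" {
  count = var.feature_flag.autoscaling ? 1 : 0

  principal_id       = data.terraform_remote_state.central_resources.outputs.osdu_service_principal_id
  scope              = module.istio_appgateway[count.index].id
  role_definition_id = azurerm_role_definition.istio_appgw_cert_rotator[count.index].role_definition_resource_id
}

// … unchanged: Managed Identity Operator and Reader assignments …
```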
+++ b/infra/templates/osdu-r3-mvp/service_resources/tests/unit/unit_test.go
@@ -36,8 +36,8 @@ var tfOptions = &terraform.Options{
 }
 var istioEnabled = os.Getenv("AUTOSCALING_ENABLED")
-var istioResourses = 11
-var totalResources = 138
+var istioResourses = 14
+var totalResources = 141
 func TestTemplate(t *testing.T) {
 expectedAppDevResourceGroup := asMap(t, `{