Posted to commits@dlab.apache.org by om...@apache.org on 2019/11/05 12:06:31 UTC
[incubator-dlab] branch DLAB-1158 updated: added custom cert option
This is an automated email from the ASF dual-hosted git repository.
omartushevskyi pushed a commit to branch DLAB-1158
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-1158 by this push:
new 1200268 added custom cert option
1200268 is described below
commit 12002683435b3c8e8247dccd7b41649e2e95d684
Author: Oleh Martushevskyi <Ol...@epam.com>
AuthorDate: Tue Nov 5 13:42:15 2019 +0200
added custom cert option
---
.../main/dlab-ui-chart/templates/cert.yaml | 16 ++++++++-
.../ssn-helm-charts/main/dlab-ui-chart/values.yaml | 5 +++
.../terraform/aws/ssn-helm-charts/main/dlab-ui.tf | 12 +++++++
.../aws/ssn-helm-charts/main/variables.tf | 12 +++++++
infrastructure-provisioning/terraform/bin/dlab.py | 8 ++---
services/self-service/entrypoint_aws.sh | 38 +++++++++-------------
6 files changed, 64 insertions(+), 27 deletions(-)
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/cert.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/cert.yaml
index fc66fb1..0e97143 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/cert.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/cert.yaml
@@ -19,6 +19,7 @@
#
# ******************************************************************************
+{{- if eq .Values.ui.custom_certs.enabled False -}}
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
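Review bot: `False` on the new `{{- if eq .Values.ui.custom_certs.enabled False -}}` line is not a Go-template literal (only lowercase `true`/`false` are), so the renderer treats it as a function name and the chart fails to render with `function "False" not defined`; the `True` on the matching guard in the next hunk has the same problem. The value reaches the template from values.yaml as an unquoted `${custom_certs_enabled}`, which YAML reads back as a boolean once Terraform has substituted `"True"`/`"False"`, so the guards can simply be `{{- if not .Values.ui.custom_certs.enabled -}}` here and `{{- if .Values.ui.custom_certs.enabled -}}` for the Secret. If the string form must also be accepted, quote the value in values.yaml (`enabled: "${custom_certs_enabled}"`) and compare with `{{- if eq (toString .Values.ui.custom_certs.enabled) "True" -}}`.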
@@ -44,4 +45,17 @@ spec:
issuerRef:
group: certmanager.step.sm
kind: Issuer
- name: step-issuer
\ No newline at end of file
+ name: step-issuer
+{{- end }}
+---
+{{- if eq .Values.ui.custom_certs.enabled True -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "dlab-ui.fullname" . }}-tls
+ namespace: {{ .Values.namespace }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.ui.custom_certs.crt }}
+ tls.key: {{ .Values.ui.custom_certs.key }}
+{{- end }}
\ No newline at end of file
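Review bot: The `tls.key` entry under `data:` receives the base64 of the private key through `.Values`, which Helm persists in the release record and prints in full from `helm get values`; that is inherent to a chart-managed TLS Secret but nobody reading the template can see it. Add a comment above the Secret such as `# custom_certs.key is the base64 PEM private key supplied via Terraform; it is retained in the Helm release record` so operators know the release storage is secret-bearing. The `{{- if ... True -}}` guard on this Secret has the literal problem raised on the first hunk.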
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
index c9631e0..e0812d2 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
@@ -59,3 +59,8 @@ ui:
keycloak:
auth_server_url: https://${ssn_k8s_alb_dns_name}/auth
redirect_uri: https://${ssn_k8s_alb_dns_name}/
+
+ custom_certs:
+ enabled: ${custom_certs_enabled}
+ crt: ${custom_certs_crt}
+ key: ${custom_certs_key}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
index 9f5330f..d07e9af 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
@@ -19,6 +19,13 @@
#
# ******************************************************************************
+locals {
+ custom_cert_name = var.custom_certs_enabled == "True" ? split("/", var.custom_cert_path)[-1] : ''
+ custom_key_name = var.custom_certs_enabled == "True" ? split("/", var.custom_key_path)[-1] : ''
+ custom_cert = var.custom_certs_enabled == "True" ? base64encode(file('/tmp/${local.custom_cert_name}')) : ''
+ custom_key = var.custom_certs_enabled == "True" ? base64encode(file('/tmp/${local.custom_key_name}')) : ''
+}
+
data "template_file" "dlab_ui_values" {
template = file("./dlab-ui-chart/values.yaml")
vars = {
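Review bot: The four new `locals` lines will not parse in Terraform 0.12: single-quoted strings (`''`, `'/tmp/...'`) are rejected with "Single quotes are not valid. Use double quotes", and `split(...)[-1]` is rejected because HCL has no negative indexing. `basename()` expresses the intent directly and avoids the index entirely. It is also worth confirming on the target Terraform version whether both branches of the `? :` are evaluated, because `file("/tmp/")` on the disabled path would then error even though its result is discarded.

```hcl
locals {
  custom_cert_name = var.custom_certs_enabled == "True" ? basename(var.custom_cert_path) : ""
  custom_key_name  = var.custom_certs_enabled == "True" ? basename(var.custom_key_path) : ""
  custom_cert      = var.custom_certs_enabled == "True" ? base64encode(file("/tmp/${local.custom_cert_name}")) : ""
  custom_key       = var.custom_certs_enabled == "True" ? base64encode(file("/tmp/${local.custom_key_name}")) : ""
}
# … unchanged: data "template_file" "dlab_ui_values" …
```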
@@ -31,6 +38,9 @@ data "template_file" "dlab_ui_values" {
service_base_name = var.service_base_name
os = var.env_os
namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
+ custom_certs_enabled = var.custom_certs_enabled
+ custom_certs_crt = local.custom_cert
+ custom_certs_key = local.custom_key
}
}
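Review bot: `custom_certs_key = local.custom_key` feeds the base64 private key into a `template_file` data source, whose rendered output is recorded in Terraform state alongside the `helm_release` values, so the state backend now holds key material in plaintext. Terraform 0.12 offers no way to mark a data source result sensitive, so the honest fix is documentation: add `# NOTE: custom_certs_key carries the TLS private key; rendered values land in state — keep the state backend access-restricted` above the `vars` block. The `custom_certs_enabled` value is passed as the string `"True"`/`"False"` and is read back by YAML as a boolean; see the cert.yaml hunks for the comparison that depends on it.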
@@ -52,3 +62,5 @@ data "kubernetes_service" "nginx-service" {
namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
}
}
+
+
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
index bf4cae2..7e800c8 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
@@ -173,6 +173,18 @@ variable "billing_tags" {
variable "env_os" {
default = "debian"
}
+
+variable "custom_certs_enabled" {
+ default = "False"
+}
+
+variable "custom_cert_path" {
+ default = ""
+}
+
+variable "custom_key_path" {
+ default = ""
+}
//variable "nginx_http_port" {
// default = "31080"
// description = "Sets the nodePort that maps to the Ingress' port 80"
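Review bot: `custom_certs_enabled` is declared with `default = "False"` as a string, so a caller who passes a real boolean gets it coerced to `"true"`, which `var.custom_certs_enabled == "True"` in dlab-ui.tf silently treats as disabled. Declare it as `type = bool` with `default = false` and compare the variable directly in dlab-ui.tf, or at least add a `description` stating that only the exact strings `"True"`/`"False"` are recognised. The two path variables would likewise benefit from a `description = "Local path of the custom TLS ... copied to /tmp on the SSN host"` so the coupling to dlab.py's `remote_dir` is visible here.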
diff --git a/infrastructure-provisioning/terraform/bin/dlab.py b/infrastructure-provisioning/terraform/bin/dlab.py
index b6a21fb..c8c3ca5 100644
--- a/infrastructure-provisioning/terraform/bin/dlab.py
+++ b/infrastructure-provisioning/terraform/bin/dlab.py
@@ -685,9 +685,9 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder):
.add_str('--billing_tag', 'Billing tag', default='dlab',
group='helm_charts')
.add_bool('--custom_certs_enabled', 'Enable custom certificates',
- default=False, group='service')
- .add_str('--custom_cert_path', 'custom_cert_path', group='service')
- .add_str('--custom_key_path', 'custom_key_path', group='service')
+ default=False, group=('service', 'helm_charts'))
+ .add_str('--custom_cert_path', 'custom_cert_path', default='', group=('service', 'helm_charts'))
+ .add_str('--custom_key_path', 'custom_key_path', default='', group=('service', 'helm_charts'))
# Tmp for jenkins job
.add_str('--endpoint_id', 'Endpoint Id',
default='user:tag', group=())
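Review bot: The help text for the two path options is just the option name repeated (`'custom_cert_path'`, `'custom_key_path'`), whereas neighbouring options like `'Enable custom certificates'` and `'Billing tag'` describe the argument; give them real descriptions such as `'Path to a PEM certificate to use instead of a step-issued one'` and `'Path to the matching PEM private key'`. The two rewritten `.add_str` lines also run well past the width the rest of this builder chain keeps to; wrap them like the `--custom_certs_enabled` call above them. The builder chain starts and ends outside this hunk.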
@@ -769,7 +769,7 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder):
logging.info('transfer certificates to remote')
cert_path = self.service_args.get('custom_cert_path')
key_path = self.service_args.get('custom_key_path')
- remote_dir = '/home/{}/'.format(self.user_name)
+ remote_dir = '/tmp/' # .format(self.user_name)
with Console.ssh(self.ip, self.user_name, self.pkey_path) as conn:
conn.run('mkdir -p {}'.format(remote_dir))
rsync(conn, cert_path, remote_dir, strict_host_keys=False)
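Review bot: `remote_dir = '/tmp/'` drops the private key into a world-readable, shared directory on the SSN host, and the trailing `# .format(self.user_name)` is dead code left from the old expression; the file mode after `rsync` is whatever the local file had, which is not guaranteed to be owner-only. Keep the line as `remote_dir = '/tmp/'  # must match the path read by locals in dlab-ui.tf` and tighten the key after the copy with a `chmod 600` on the uploaded key file, or move both sides to a directory created with restrictive permissions. The enclosing method starts and ends outside this hunk.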
diff --git a/services/self-service/entrypoint_aws.sh b/services/self-service/entrypoint_aws.sh
index cb06275..fb57eda 100644
--- a/services/self-service/entrypoint_aws.sh
+++ b/services/self-service/entrypoint_aws.sh
@@ -12,27 +12,20 @@ fi
/bin/mkdir -p /root/keys
-#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.keystore.jks /root/keys/ssn.keystore.jks
-#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.crt /root/keys/ssn.crt
-#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/endpoint/endpoint.crt /root/keys/endpoint.crt
-
-
-
-#/usr/bin/keytool -importcert -trustcacerts -alias dlab -file /root/keys/ssn.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
-#/usr/bin/keytool -importcert -trustcacerts -file /root/keys/endpoint.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
-
if [ -d "/root/step-certs" ]; then
- while checkfile
- do
- if [ "$RUN" = "false" ];
- then
- echo "Waiting..."
- else
- echo "CA exist!"
- break
- fi
- done
- /usr/bin/keytool -importcert -trustcacerts -alias step-ca -file /root/step-certs/ca.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+ if [ -f /root/step-certs/ca.crt ]; then
+ while checkfile
+ do
+ if [ "$RUN" = "false" ];
+ then
+ echo "Waiting..."
+ else
+ echo "CA exist!"
+ break
+ fi
+ done
+ /usr/bin/keytool -importcert -trustcacerts -alias step-ca -file /root/step-certs/ca.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+ fi
/usr/bin/keytool -importcert -trustcacerts -alias step-crt -file /root/step-certs/tls.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
fi
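Review bot: Wrapping the `while checkfile` loop in `if [ -f /root/step-certs/ca.crt ]` changes what it waits for: if `checkfile` (defined above this hunk) is the poll for `ca.crt` appearing, the loop is now only entered once the file already exists, so the wait is effectively a no-op and the step-issuer path loses the race protection it had. If the intent is only to skip the CA import in custom-cert mode, guard the `keytool` line alone and leave the loop as it was, or make `checkfile` itself aware of the custom-cert case. A one-line comment on the new `if`, e.g. `# no ca.crt when custom certificates are used`, would record why the branch exists.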
@@ -40,6 +33,7 @@ fi
/usr/bin/openssl pkcs12 -export -in /root/step-certs/tls.crt -inkey /root/step-certs/tls.key -name ssn -out ssn.p12 -password pass:${SSN_KEYSTORE_PASSWORD}
/usr/bin/keytool -importkeystore -srckeystore ssn.p12 -srcstoretype PKCS12 -alias ssn -destkeystore /root/keys/ssn.keystore.jks -deststorepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass "${SSN_KEYSTORE_PASSWORD}"
-/usr/bin/keytool -keystore /root/keys/ssn.keystore.jks -alias CARoot -import -file /root/step-certs/ca.crt -deststorepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass "${SSN_KEYSTORE_PASSWORD}" -noprompt
-
+if [ -f /root/step-certs/ca.crt ]; then
+ /usr/bin/keytool -keystore /root/keys/ssn.keystore.jks -alias CARoot -import -file /root/step-certs/ca.crt -deststorepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass "${SSN_KEYSTORE_PASSWORD}" -noprompt
+fi
/usr/bin/java -Xmx1024M -jar -Duser.timezone=UTC -Dfile.encoding=UTF-8 -DDLAB_CONF_DIR=/root/ /root/self-service-2.1.jar server /root/self-service.yml
\ No newline at end of file
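Review bot: Guarding the CARoot import on `/root/step-certs/ca.crt` means that in custom-cert mode the keystore contains only what `tls.crt` holds; if that file carries just the leaf certificate and not its issuing chain, the service presents an incomplete chain and clients validating against a private CA will reject it. State this on the new `if`, e.g. `# custom-cert mode: tls.crt must contain the full chain, no separate CA is imported`, or import the intermediate(s) explicitly when the operator supplies them.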