Posted to commits@dlab.apache.org by om...@apache.org on 2019/07/31 15:53:29 UTC
[incubator-dlab] branch DLAB-terraform updated: added generation of
Java SSL certificates to SSN deployment
This is an automated email from the ASF dual-hosted git repository.
omartushevskyi pushed a commit to branch DLAB-terraform
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-terraform by this push:
new 3c49310 added generation of Java SSL certificates to SSN deployment
3c49310 is described below
commit 3c49310b9772459557d0fabf146694d3a34829a2
Author: Oleh Martushevskyi <Ol...@epam.com>
AuthorDate: Wed Jul 31 18:53:20 2019 +0300
added generation of Java SSL certificates to SSN deployment
---
.../dlab-ui-chart/templates/configmap-ui-conf.yaml | 4 +--
.../main/dlab-ui-chart/templates/deployment.yaml | 7 +++++
.../ssn-helm-charts/main/dlab-ui-chart/values.yaml | 1 +
.../terraform/aws/ssn-helm-charts/main/dlab-ui.tf | 9 +++---
.../terraform/aws/ssn-helm-charts/main/secrets.tf | 20 +++++++++++++
.../aws/ssn-helm-charts/main/variables.tf | 6 ++++
.../aws/ssn-k8s/main/auto_scaling_groups.tf | 33 ++++++++++++++++++----
.../aws/ssn-k8s/main/files/masters-user-data.sh | 21 ++++++++++++++
8 files changed, 89 insertions(+), 12 deletions(-)
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/configmap-ui-conf.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/configmap-ui-conf.yaml
index 5839dc3..545d523 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/configmap-ui-conf.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/configmap-ui-conf.yaml
@@ -29,8 +29,8 @@ data:
ssn.yml: |
<#assign LOG_ROOT_DIR="/var/opt/dlab/log">
<#assign KEYS_DIR="/root/keys">
- <#assign KEY_STORE_PATH="/root/keys/dlab.keystore.jks">
- <#assign KEY_STORE_PASSWORD="jhMDPlwgGb">
+ <#assign KEY_STORE_PATH="/root/keys/ssn.keystore.jks">
+ <#assign KEY_STORE_PASSWORD="${SSN_KEYSTORE_PASSWORD}">
<#assign TRUST_STORE_PATH="/usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts">
<#assign TRUST_STORE_PASSWORD="changeit">
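Review bot: The container path `/root/keys/ssn.keystore.jks` assigned on the new KEY_STORE_PATH line is not populated by anything in this commit; the keystore is generated on the master node and uploaded to S3, and no step here copies it into the UI pod. If the image entrypoint fetches it using the new SSN_BUCKET_NAME variable, a comment next to the assign naming that step would spare the next reader the search, e.g. `<#-- keystore is fetched from the SSN bucket at container start; see <ENTRYPOINT-LOCATION> -->`; otherwise the service will fail to open the keystore at the new path. Also worth confirming that `${SSN_KEYSTORE_PASSWORD}` is substituted from the environment by whatever renders this template, since the value is only injected as a pod env var.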
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml
index f4c202c..92ca29e 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml
@@ -53,6 +53,13 @@ spec:
secretKeyRef:
name: mongo-db-password
key: password
+ - name: SSN_KEYSTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: ssn-keystore-password
+ key: password
+ - name: SSN_BUCKET_NAME
+ value: {{ .Values.bucketName }}
ports:
# - name: https
# containerPort: 443
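Review bot: The new SSN_BUCKET_NAME entry emits the Helm value unquoted, so a bucket name that YAML can parse as a non-string (all digits, `yes`/`no`, containing `:`) would break the manifest; `value: {{ .Values.bucketName | quote }}` is the conventional form for env values. The secretKeyRef name `ssn-keystore-password` matches the secret created in secrets.tf in this commit, so that wiring looks consistent.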
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
index 0b26657..66ddc9e 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
@@ -24,6 +24,7 @@
# Declare variables to be passed into your templates.
replicaCount: 1
+bucketName: ${ssn_bucket_name}
image:
repository: koppox/dlab-ui
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
index 5ba4abc..0d7801e 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
@@ -22,11 +22,12 @@
data "template_file" "dlab_ui_values" {
template = file("./dlab-ui-chart/values.yaml")
vars = {
- mongo_db_name = var.mongo_dbname
- mongo_user = var.mongo_db_username
- mongo_port = var.mongo_service_port
- mongo_service_name = var.mongo_service_name
+ mongo_db_name = var.mongo_dbname
+ mongo_user = var.mongo_db_username
+ mongo_port = var.mongo_service_port
+ mongo_service_name = var.mongo_service_name
ssn_k8s_alb_dns_name = var.ssn_k8s_alb_dns_name
+ ssn_bucket_name = var.ssn_bucket_name
}
}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
index 3cb1e1e..03b6cc7 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
@@ -105,4 +105,24 @@ resource "kubernetes_secret" "mysql_user_password_secret" {
data = {
password = random_string.mysql_user_password.result
}
+}
+
+resource "kubernetes_secret" "ssn_keystore_password" {
+ metadata {
+ name = "ssn-keystore-password"
+ }
+
+ data = {
+ password = var.ssn_keystore_password
+ }
+}
+
+resource "kubernetes_secret" "endpoint_keystore_password" {
+ metadata {
+ name = "endpoint-keystore-password"
+ }
+
+ data = {
+ password = var.endpoint_keystore_password
+ }
}
\ No newline at end of file
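Review bot: Both new kubernetes_secret resources end up with their `password` values in plain text in the Terraform state, as the provider stores secret data there, so the state backend for this module needs encryption and access restriction on a par with the cluster secrets themselves; a short comment above the resources recording that would help operators, e.g. `# NOTE: secret data is persisted in Terraform state; keep the state backend encrypted and access-restricted.`. The `endpoint-keystore-password` secret is not referenced by anything in this commit (only `ssn-keystore-password` is consumed in deployment.yaml); if the endpoint deployment that uses it lives elsewhere, naming it in a comment would make the dependency visible. The file also now lacks a trailing newline.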
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
index 3d84931..aba1c0a 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
@@ -92,6 +92,12 @@ variable "ssn_k8s_workers_count" {
default = "2"
}
+variable "ssn_keystore_password" {}
+
+variable "endpoint_keystore_password" {}
+
+variable "ssn_bucket_name" {}
+
//variable "nginx_http_port" {
// default = "31080"
// description = "Sets the nodePort that maps to the Ingress' port 80"
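Review bot: The three new variables are declared with empty bodies, so they carry neither a type constraint nor a description, unlike the commented-out variable block right below them. Since the two password variables are fed straight into kubernetes_secret data, a declaration such as `variable "ssn_keystore_password" { type = string description = "Password for the SSN Java keystore; passed in from the ssn-k8s module output" }` documents both the contract and the origin of the value; the same applies to `endpoint_keystore_password` and `ssn_bucket_name`.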
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
index 76f90fa..f5de6fa 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
@@ -23,15 +23,36 @@ locals {
subnet_c_id = data.aws_subnet.k8s-subnet-c-data == [] ? "" : data.aws_subnet.k8s-subnet-c-data.0.id
}
+resource "random_string" "ssn_keystore_password" {
+ length = 16
+ special = false
+}
+
+resource "random_string" "endpoint_keystore_password" {
+ length = 16
+ special = false
+}
+
+output "ssn_keystore_password" {
+ value = random_string.ssn_keystore_password.result
+}
+
+output "endpoint_keystore_password" {
+ value = random_string.endpoint_keystore_password.result
+}
+
data "template_file" "ssn_k8s_masters_user_data" {
template = file("./files/masters-user-data.sh")
vars = {
- k8s-asg = "${var.service_base_name}-ssn-masters"
- k8s-region = var.region
- k8s-bucket-name = aws_s3_bucket.ssn_k8s_bucket.id
- k8s-nlb-dns-name = aws_lb.ssn_k8s_nlb.dns_name #aws_eip.k8s-lb-eip.public_ip
- k8s-tg-arn = aws_lb_target_group.ssn_k8s_nlb_api_target_group.arn
- k8s_os_user = var.os_user
+ k8s-asg = "${var.service_base_name}-ssn-masters"
+ k8s-region = var.region
+ k8s-bucket-name = aws_s3_bucket.ssn_k8s_bucket.id
+ k8s-nlb-dns-name = aws_lb.ssn_k8s_nlb.dns_name #aws_eip.k8s-lb-eip.public_ip
+ k8s-tg-arn = aws_lb_target_group.ssn_k8s_nlb_api_target_group.arn
+ k8s_os_user = var.os_user
+ ssn_keystore_password = random_string.ssn_keystore_password.result
+ endpoint_keystore_password = random_string.endpoint_keystore_password.result
+ endpoint_elastic_ip = aws_eip.k8s-endpoint-eip.public_ip
}
}
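Review bot: The generated keystore passwords are rendered into the EC2 user data through the new `ssn_keystore_password` and `endpoint_keystore_password` template vars, and user data is not a secret channel: it is readable by anyone with DescribeInstanceAttribute on the instance and from the instance metadata endpoint by any process on the master node. A defensible mitigation is to store the value in SSM Parameter Store or Secrets Manager and have the user-data script read it at boot under the instance role, so the script carries a parameter name rather than the password. Independently of that, `random_password` is the provider resource meant for this purpose (same arguments, but the value is treated as sensitive in plan output), and the two new outputs should carry `sensitive = true` so `terraform output` and the plan do not print them in clear; e.g. `output "ssn_keystore_password" { value = random_password.ssn_keystore_password.result sensitive = true }`.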
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
index 2e6567f..c5746fc 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
@@ -45,6 +45,8 @@ sudo chmod 600 /home/${k8s_os_user}/.ssh/authorized_keys
sudo apt-get update
sudo apt-get install -y python-pip jq unzip
+sudo apt-get install -y default-jre
+sudo apt-get install -y default-jdk
sudo pip install -U pip
sudo pip install awscli
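Review bot: The two added apt-get lines are redundant with each other, since `default-jdk` depends on `default-jre`, and keytool is what the later hunk needs. One package suffices and it can be folded into the existing install line: `sudo apt-get install -y python-pip jq unzip default-jdk`. A short comment such as `# default-jdk provides keytool for the keystore generation below` would explain why a JDK lands on a Kubernetes master.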
@@ -118,6 +120,25 @@ subjects:
EOF
sudo -i -u ${k8s_os_user} kubectl create -f /tmp/rbac-config.yaml
sudo -i -u ${k8s_os_user} helm init --service-account tiller --history-max 200
+# Generating Java SSL certs
+sudo mkdir -p /home/${k8s_os_user}/keys
+sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${ssn_keystore_password} \
+ -keypass ${ssn_keystore_password} -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks \
+ -keysize 2048 -dname "CN=${k8s-nlb-dns-name}" -ext SAN=dns:localhost
+sudo keytool -exportcert -alias dlab -storepass ${ssn_keystore_password} -file /home/${k8s_os_user}/keys/ssn.crt \
+ -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks
+
+aws s3 cp /home/${k8s_os_user}/keys/ssn.keystore.jks s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.keystore.jks
+aws s3 cp /home/${k8s_os_user}/keys/ssn.crt s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.crt
+
+sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${endpoint_keystore_password} \
+ -keypass ${endpoint_keystore_password} -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks \
+ -keysize 2048 -dname "CN=${endpoint_elastic_ip}" -ext SAN=dns:localhost
+sudo keytool -exportcert -alias dlab -storepass ${endpoint_keystore_password} -file /home/${k8s_os_user}/keys/endpoint.crt \
+ -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks
+
+aws s3 cp /home/${k8s_os_user}/keys/endpoint.keystore.jks s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.keystore.jks
+aws s3 cp /home/${k8s_os_user}/keys/endpoint.crt s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.crt
sleep 60
aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
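Review bot: The SAN extension on both new keytool calls contains only `dns:localhost`, while the CN is the NLB DNS name (first keystore) or the endpoint elastic IP (second); clients that validate hostnames against the SAN rather than the CN, which is the common behaviour today, will therefore reject both certificates for their intended names. The SAN should carry the real name as well, `dns:${k8s-nlb-dns-name}` for the SSN keystore and `ip:${endpoint_elastic_ip}` for the endpoint one. The keys directory and the two `.jks` files are also created with default permissions under sudo and then copied to S3 without an explicit `--sse`, so tightening the local mode and confirming that the bucket enforces default encryption (or passing `--sse AES256`) is worth doing while here. Passing `-storepass`/`-keypass` on the command line exposes the password in the process list for the duration of the call; keytool accepts `-storepass:env VAR` and `-storepass:file PATH` as alternatives if the script's sudo setup allows the environment through.

```shell
# Generating Java SSL certs
sudo mkdir -p /home/${k8s_os_user}/keys
sudo chmod 700 /home/${k8s_os_user}/keys
sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${ssn_keystore_password} \
    -keypass ${ssn_keystore_password} -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks \
    -keysize 2048 -dname "CN=${k8s-nlb-dns-name}" -ext "SAN=dns:${k8s-nlb-dns-name},dns:localhost"
sudo chmod 600 /home/${k8s_os_user}/keys/ssn.keystore.jks
# … unchanged: ssn exportcert and the two ssn s3 cp uploads …
sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${endpoint_keystore_password} \
    -keypass ${endpoint_keystore_password} -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks \
    -keysize 2048 -dname "CN=${endpoint_elastic_ip}" -ext "SAN=ip:${endpoint_elastic_ip},dns:localhost"
sudo chmod 600 /home/${k8s_os_user}/keys/endpoint.keystore.jks
# … unchanged: endpoint exportcert and the two endpoint s3 cp uploads …
```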