From 6622f798a6aff8732c9c51acd3bf2d69561a848f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= Date: Mon, 18 Dec 2023 10:27:26 +0100 Subject: [PATCH] bootstrap digicert flux values --- scripts/cert-manager/README.md | 42 +-- scripts/cert-manager/bootstrap.sh | 1 - .../cluster-issuers/digicert/README.md | 18 + .../digicert/bootstrap.sh} | 101 ++--- .../digicert/update_account.sh | 175 +++++++++ scripts/cert-manager/configure.sh | 346 ------------------ .../mi-azure-identity-and-issuer.yaml | 47 --- scripts/install_base_components.sh | 9 + scripts/radix-zone/radix_zone_c2.env | 2 + scripts/radix-zone/radix_zone_dev.env | 2 + scripts/radix-zone/radix_zone_playground.env | 2 + scripts/radix-zone/radix_zone_prod.env | 2 + 12 files changed, 248 insertions(+), 499 deletions(-) create mode 100644 scripts/cert-manager/cluster-issuers/digicert/README.md rename scripts/cert-manager/{teardown.sh => cluster-issuers/digicert/bootstrap.sh} (61%) create mode 100755 scripts/cert-manager/cluster-issuers/digicert/update_account.sh delete mode 100755 scripts/cert-manager/configure.sh delete mode 100644 scripts/cert-manager/mi-azure-identity-and-issuer.yaml diff --git a/scripts/cert-manager/README.md b/scripts/cert-manager/README.md index cf9929ca1..2bc003f51 100644 --- a/scripts/cert-manager/README.md +++ b/scripts/cert-manager/README.md @@ -1,4 +1,4 @@ -# Cert-manager - v1.1 +# Cert-manager We use [cert-manager](https://github.com/jetstack/cert-manager) to provide automatic SSL/TLS certificate generation in the cluster using Let's Encrypt. Depending on use case we can use it to either create certificates according to a crd manifest, or auto-create the certificate based on an ingress notation. @@ -6,8 +6,6 @@ For certificate management in general in Radix then please see [radix certificat - [Overview](#overview) - [Bootstrap](#bootstrap) -- [Teardown](#teardown) -- [Upgrade](#upgrade) - [Credentials](#credentials) - [Troubleshooting](#troubleshooting) 
@@ -72,44 +70,6 @@ RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster S # Done! ``` - -## Teardown - -Run script [`./teardown.sh`](./teardown.sh), see script header for more info. - -Teardown will -1. Delete cert-manager and all related custom resources -1. It will _not_ delete the k8s tls secrets - - -## Upgrade - -As long as cert-manager has the following status - -> As this project is pre-1.0, we do not currently offer strong guarantees around our API stability. -> -> Notably, we may choose to make breaking changes to our API specification (i.e. the Issuer, ClusterIssuer and Certificate resources) in new minor releases. - -then we need to handle deployment of cert-manager by scripts that are customized for that specific version. - -Due to the high possibility of breaking changes you will need to -1. Verify that the custom resources are still valid (old version vs new version) -1. Prepare bootstrap and removal script of new version -1. Remove any trace of old version from the cluster (use the teardown script for the old version) -1. When previous version is gone, install new version (use the bootstrap script for the new version) -1. Update this `README.md` title to show the new version number - -The k8s tls secrets will be kept intact during this process as it does not belong to cert-manager. - -Example: -```sh -# Upgrading cert-manager from v0.8.1 to v0.11.0 in cluster "my-little-cluster" that lives in radix-zone "dev" -# Step 1: Remove v0.8.1 -RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster ./teardown_v0.8.1.sh -# Step 2: Install v0.11.0 -RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME=my-little-cluster ./bootstrap.sh -``` - ## Credentials `cert-manager` use dedicated service principal to work with the DNS. diff --git a/scripts/cert-manager/bootstrap.sh b/scripts/cert-manager/bootstrap.sh index 2a67d3138..a1c3ee706 100755 --- a/scripts/cert-manager/bootstrap.sh 
+++ b/scripts/cert-manager/bootstrap.sh @@ -143,7 +143,6 @@ echo -e " - RADIX_ZONE : $RADIX_ZONE" echo -e "" echo -e " > WHAT:" echo -e " -------------------------------------------------------------------" -echo -e " - CERT-MANAGER : v1.1" echo -e " - CERT_ISSUER : $CERT_ISSUER" echo -e "" echo -e " > WHO:" diff --git a/scripts/cert-manager/cluster-issuers/digicert/README.md b/scripts/cert-manager/cluster-issuers/digicert/README.md new file mode 100644 index 000000000..e89062e3d --- /dev/null +++ b/scripts/cert-manager/cluster-issuers/digicert/README.md @@ -0,0 +1,18 @@ +# Digicert cluster issuer + +Scripts for managing secrets required by Flux to install Digicert cluster issuers. + +## Bootstrap + +Run script [`./bootstrap.sh`](./bootstrap.sh), see script header for more how. + +Bootstrap will +1. Read Digicert external account info from keyvault. +1. Create a Kubernetes secret with this info used by Flux to install ACME cluster issuers for Digicert + +## Update external account values + +Run script [`./update_account.sh`](./update_account.sh), see script header for more how. +The script will update the Key Vault secret that holds Digicert account info. You should run [`./bootstrap.sh`](./bootstrap.sh) afterwards to update the Kubernetes secret used by Flux. + +Required input values must be obtained from Equinor's account manager for Digicert. diff --git a/scripts/cert-manager/teardown.sh b/scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh similarity index 61% rename from scripts/cert-manager/teardown.sh rename to scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh index 87e5123f9..a0980a910 100755 --- a/scripts/cert-manager/teardown.sh +++ b/scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh 
@@ -5,7 +5,7 @@ ### PURPOSE ### -# Tear down cert-manager in a radix cluster, v1.1 +# Bootstrap secrets required by Flux to install cluster issuers for DigiCert ACME http01 and dns01 ####################################################################################### @@ -14,7 +14,6 @@ # - AKS cluster is available # - User has role cluster-admin -# - Helm RBAC is configured in cluster ####################################################################################### @@ -34,14 +33,7 @@ ### # Normal usage -# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-2" ./teardown.sh - - -####################################################################################### -### DOCS -### - -# - https://cert-manager.io/docs/installation/helm/#uninstalling +# RADIX_ZONE_ENV=../../../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-49" ./bootstrap.sh ####################################################################################### @@ -49,7 +41,7 @@ ### echo "" -echo "Start tear down of cert-manager... " +echo "Start bootstrap of DigiCert secrets for Flux... " ####################################################################################### @@ -57,10 +49,10 @@ echo "Start tear down of cert-manager... " ### echo "" -printf "Check for neccesary executables... " +printf "Check for necessary executables... " hash az 2> /dev/null || { echo -e "\nERROR: Azure-CLI not found in PATH. Exiting..." >&2; exit 1; } hash kubectl 2> /dev/null || { echo -e "\nERROR: kubectl not found in PATH. Exiting..." >&2; exit 1; } -hash helm 2> /dev/null || { echo -e "\nERROR: helm not found in PATH. Exiting..." >&2; exit 1; } +hash jq 2> /dev/null || { echo -e "\nERROR: jq not found in PATH. Exiting..." >&2; exit 1; } printf "All is good." echo "" 
@@ -97,12 +89,6 @@ if [[ -z "$USER_PROMPT" ]]; then USER_PROMPT=true fi -# Script vars - -WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - - - ####################################################################################### ### Prepare az session ### @@ -118,17 +104,13 @@ printf "Done.\n" ### echo -e "" -echo -e "Tear down of cert-manager will use the following configuration:" +echo -e "Bootstrap of DigiCert secrets for Flux will use the following configuration:" echo -e "" echo -e " > WHERE:" echo -e " ------------------------------------------------------------------" echo -e " - CLUSTER_NAME : $CLUSTER_NAME" echo -e " - RADIX_ZONE : $RADIX_ZONE" echo -e "" -echo -e " > WHAT:" -echo -e " -------------------------------------------------------------------" -echo -e " - CERT-MANAGER : v1.1" -echo -e "" echo -e " > WHO:" echo -e " -------------------------------------------------------------------" echo -e " - AZ_SUBSCRIPTION : $(az account show --query name -otsv)" @@ -155,10 +137,10 @@ fi # Exit if cluster does not exist printf "Connecting kubectl..." -get_credentials "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" || { +get_credentials "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" || { # Send message to stderr echo -e "ERROR: Cluster \"$CLUSTER_NAME\" not found." >&2 - exit 1 + exit 1 } printf "...Done.\n" 
@@ -167,46 +149,37 @@ printf "...Done.\n" ### verify_cluster_access - ####################################################################################### -### MAIN +### Bootstrap Digicert external account secret for Flux ### -# Step 1: Remove all custom resources -#kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces -printf "\nDelete all custom resources..." -kubectl delete Issuers --all --all-namespaces 2>&1 >/dev/null -kubectl delete ClusterIssuers --all --all-namespaces 2>&1 >/dev/null -kubectl delete Certificates --all --all-namespaces 2>&1 >/dev/null -kubectl delete CertificateRequests --all --all-namespaces 2>&1 >/dev/null -kubectl delete Orders --all --all-namespaces 2>&1 >/dev/null -kubectl delete Challenges --all --all-namespaces 2>&1 >/dev/null -printf "...Done.\n" - -# Step 2: Remove the helm release -printf "\nDelete the helm release..." -helm --namespace cert-manager delete cert-manager 2>&1 >/dev/null -printf "...Done.\n" - -# Step 3: Remove the namespace -printf "\nDelete the namespace..." -kubectl delete namespace cert-manager 2>&1 >/dev/null -printf "...Done.\n" - -# Step 4: Remove all the custom resource definitions using the link to the version installed. -printf "\nDelete all the custom resource definitions..." -kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml -printf "...Done.\n" - -# Step 5: Making sure the webhook is really gone -printf "\nMaking sure the webhook is really gone..." 
-kubectl delete apiservice v1beta1.webhook.cert-manager.io 2>&1 >/dev/null -printf "...Done.\n" - - -####################################################################################### -### END -### +printf "\nCreating secret for Flux...\n" + +# Create secret for flux +account_values="$(az keyvault secret show \ + --vault-name $AZ_RESOURCE_KEYVAULT \ + --name $DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET \ + | jq '.value | fromjson')" + +# Set variables used in the manifest template +kid="$(echo $account_values | jq -r '.accountKeyID')" +hmac="$(echo $account_values | jq -r '.accountHMACKey')" +email="$(echo $account_values | jq -r '.accountEmail')" +server="$(echo $account_values | jq -r '.acmeServer')" + +cat < ACME_ACCOUNT_HMAC_KEY= ACME_ACCOUNT_EMAIL=any@equinor.com ACME_SERVER=https://acme.digicert.com/v2/acme/directory/ ./update_account.sh + + +####################################################################################### +### START +### + +echo "" +echo "Start bootstrap of DigiCert secrets for Flux... " + + +####################################################################################### +### Check for prerequisites binaries +### + +echo "" +printf "Check for necessary executables... " +hash az 2> /dev/null || { echo -e "\nERROR: Azure-CLI not found in PATH. Exiting..." >&2; exit 1; } +hash jq 2> /dev/null || { echo -e "\nERROR: jq not found in PATH. Exiting..." >&2; exit 1; } +printf "All is good." +echo "" + + +####################################################################################### +### Read inputs and configs +### + +# Required inputs + +if [[ -z "$RADIX_ZONE_ENV" ]]; then + echo "ERROR: Please provide RADIX_ZONE_ENV" >&2 + exit 1 +else + if [[ ! -f "$RADIX_ZONE_ENV" ]]; then + echo "ERROR: RADIX_ZONE_ENV=$RADIX_ZONE_ENV is invalid, the file does not exist." 
>&2 + exit 1 + fi + source "$RADIX_ZONE_ENV" +fi + +if [[ -z "$ACME_ACCOUNT_KID" ]]; then + echo "ERROR: Please provide ACME_ACCOUNT_KID" >&2 + exit 1 +fi + +if [[ -z "$ACME_ACCOUNT_HMAC_KEY" ]]; then + echo "ERROR: Please provide ACME_ACCOUNT_HMAC_KEY" >&2 + exit 1 +fi + +if [[ -z "$ACME_ACCOUNT_EMAIL" ]]; then + echo "ERROR: Please provide ACME_ACCOUNT_EMAIL" >&2 + exit 1 +fi + +if [[ -z "$ACME_SERVER" ]]; then + echo "ERROR: Please provide ACME_SERVER" >&2 + exit 1 +fi + +# Optional inputs + +if [[ -z "$USER_PROMPT" ]]; then + USER_PROMPT=true +fi + +####################################################################################### +### Prepare az session +### + +printf "Logging you in to Azure if not already logged in... " +az account show >/dev/null || az login >/dev/null +az account set --subscription "$AZ_SUBSCRIPTION_ID" >/dev/null +printf "Done.\n" + + +####################################################################################### +### Verify task at hand +### + +echo -e "" +echo -e "Store Digicert ACME external account info in Key Vault will use the following configuration:" +echo -e "" +echo -e " > WHERE:" +echo -e " ------------------------------------------------------------------" +echo -e " - RADIX_ZONE : $RADIX_ZONE" +echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_RESOURCE_KEYVAULT" +echo -e " - DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET : $DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET" +echo -e "" +echo -e " > WHAT:" +echo -e " -------------------------------------------------------------------" +echo -e " - ACME_ACCOUNT_KID : $ACME_ACCOUNT_KID" +echo -e " - ACME_ACCOUNT_HMAC_KEY : " +echo -e " - ACME_ACCOUNT_EMAIL : $ACME_ACCOUNT_EMAIL" +echo -e " - ACME_SERVER : $ACME_SERVER" +echo -e "" +echo -e " > WHO:" +echo -e " -------------------------------------------------------------------" +echo -e " - AZ_SUBSCRIPTION : $(az account show --query name -otsv)" +echo -e " - AZ_USER : $(az account show --query user.name -o tsv)" +echo -e "" + +echo "" + +if [[ 
$USER_PROMPT == true ]]; then + while true; do + read -p "Is this correct? (Y/n) " yn + case $yn in + [Yy]* ) break;; + [Nn]* ) echo ""; echo "Quitting."; exit 0;; + * ) echo "Please answer yes or no.";; + esac + done + echo "" +fi + +####################################################################################### +### Update Key Vault secret +### + +printf "\nUpdating Digicert external account info in Key Vault...\n" + +secret=$(jq --null-input -r \ + --arg accountKeyID "$ACME_ACCOUNT_KID" \ + --arg accountHMACKey "$ACME_ACCOUNT_HMAC_KEY" \ + --arg accountEmail "$ACME_ACCOUNT_EMAIL" \ + --arg acmeServer "$ACME_SERVER" \ + '{accountKeyID: $accountKeyID, accountHMACKey: $accountHMACKey, accountEmail: $accountEmail, acmeServer: $acmeServer}' +) || exit + +az keyvault secret set --only-show-errors \ + --vault-name "${AZ_RESOURCE_KEYVAULT}" \ + --name "${DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET}" \ + --value "${secret}" \ + 2>&1 >/dev/null || exit + +echo "" +printf "Updating Digicert external account info done!\n" diff --git a/scripts/cert-manager/configure.sh b/scripts/cert-manager/configure.sh deleted file mode 100755 index e39f1f527..000000000 --- a/scripts/cert-manager/configure.sh +++ /dev/null 
@@ -1,346 +0,0 @@ -#!/usr/bin/env bash - - -####################################################################################### -### PURPOSE -### - -# Apply cert-manager manifests and annotate secrets for Kubed sync - -####################################################################################### -### PRECONDITIONS -### - -# - AKS cluster is available -# - User has role cluster-admin -# - Flux has been deployed to the cluster -# - Cert-manager has been deployed in the cluster - -####################################################################################### -### INPUTS -### - -# Required: -# - RADIX_ZONE_ENV : Path to *.env file -# - CLUSTER_NAME : Ex: "test-2", "weekly-93" - -# Optional: -# - STAGING : Use cert issuer staging api? true/false. Default is false. -# - USER_PROMPT : Is human interaction is required to run script? true/false. Default is true. - -####################################################################################### -### HOW TO USE -### - -# NORMAL -# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-2" ./configure.sh - -# STAGING -# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env CLUSTER_NAME="weekly-2" STAGING=true ./configure.sh - - -####################################################################################### -### DOCS -### - -# - https://cert-manager.io/docs/configuration/acme/dns01/azuredns/ - - -####################################################################################### -### START -### - -echo "" -echo "Start applying cert-manager manifests and annotate secrets for Kubed sync... " - -####################################################################################### -### Check for prerequisites binaries -### - -echo "" -printf "Check for necessary executables... " -hash az 2> /dev/null || { echo -e "\nERROR: Azure-CLI not found in PATH. Exiting..." >&2; exit 1; } -hash kubectl 2> /dev/null || { echo -e "\nERROR: kubectl not found in PATH. Exiting..." 
>&2; exit 1; } -hash helm 2> /dev/null || { echo -e "\nERROR: helm not found in PATH. Exiting..." >&2; exit 1; } -hash jq 2> /dev/null || { echo -e "\nERROR: jq not found in PATH. Exiting..." >&2; exit 1; } -printf "All is good." -echo "" - -####################################################################################### -### Read inputs and configs -### - -# Required inputs - -if [[ -z "$RADIX_ZONE_ENV" ]]; then - echo "ERROR: Please provide RADIX_ZONE_ENV" >&2 - exit 1 -else - if [[ ! -f "$RADIX_ZONE_ENV" ]]; then - echo "ERROR: RADIX_ZONE_ENV=$RADIX_ZONE_ENV is invalid, the file does not exist." >&2 - exit 1 - fi - source "$RADIX_ZONE_ENV" -fi - -if [[ -z "$CLUSTER_NAME" ]]; then - echo "ERROR: Please provide CLUSTER_NAME" >&2 - exit 1 -fi - -# Source util scripts - -source ${RADIX_PLATFORM_REPOSITORY_PATH}/scripts/utility/util.sh - -# Optional inputs - -if [[ -z "$USER_PROMPT" ]]; then - USER_PROMPT=true -fi - -if [[ -z "$STAGING" ]]; then - STAGING=false -fi - -# Script vars - -WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -if [[ $STAGING == false ]]; then - CERT_ISSUER="letsencrypt-prod" - ACME_URL="https://acme-v02.api.letsencrypt.org/directory" -else - CERT_ISSUER="letsencrypt-staging" - ACME_URL="https://acme-staging-v02.api.letsencrypt.org/directory" -fi - - -####################################################################################### -### Prepare az session -### - -printf "Logging you in to Azure if not already logged in... 
" -az account show >/dev/null || az login >/dev/null -az account set --subscription "$AZ_SUBSCRIPTION_ID" >/dev/null -printf "Done.\n" - - -####################################################################################### -### Verify task at hand -### - -echo -e "" -echo -e "Configuration of cert-manager will use the following configuration:" -echo -e "" -echo -e " > WHERE:" -echo -e " ------------------------------------------------------------------" -echo -e " - CLUSTER_NAME : $CLUSTER_NAME" -echo -e " - AZ_RESOURCE_DNS : $AZ_RESOURCE_DNS" -echo -e " - RADIX_ZONE : $RADIX_ZONE" -echo -e "" -echo -e " > WHAT:" -echo -e " -------------------------------------------------------------------" -echo -e " - CERT-MANAGER : v1.1" -echo -e " - CERT_ISSUER : $CERT_ISSUER" -echo -e " - ACME_URL : $ACME_URL" -echo -e "" -echo -e " > WHO:" -echo -e " -------------------------------------------------------------------" -echo -e " - AZ_SUBSCRIPTION : $(az account show --query name -otsv)" -echo -e " - AZ_USER : $(az account show --query user.name -o tsv)" -echo -e "" - -echo "" - -if [[ $USER_PROMPT == true ]]; then - while true; do - read -p "Is this correct? (Y/n) " yn - case $yn in - [Yy]* ) break;; - [Nn]* ) echo ""; echo "Quitting."; exit 0;; - * ) echo "Please answer yes or no.";; - esac - done - echo "" -fi - -####################################################################################### -### Connect kubectl -### - -# Exit if cluster does not exist -printf "Connecting kubectl..." -get_credentials "$AZ_RESOURCE_GROUP_CLUSTERS" "$CLUSTER_NAME" || { - # Send message to stderr - echo -e "ERROR: Cluster \"$CLUSTER_NAME\" not found." 
>&2 - exit 1 -} -printf "...Done.\n" - -####################################################################################### -### Verify cluster access -### -verify_cluster_access - -####################################################################################### -### Verify cert-manager deployment -### - -# https://cert-manager.io/docs/installation/verify/ - -# We already know that the pods are in a running state from the migration script, so here we create an issuer and issue a certificate -echo "" -echo "Verify cert-manager deployment..." - -echo "Create test resources..." -cat < test-resources.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-test ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: test-selfsigned - namespace: cert-manager-test -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: selfsigned-cert - namespace: cert-manager-test -spec: - dnsNames: - - example.com - secretName: selfsigned-cert-tls - issuerRef: - name: test-selfsigned -EOF - -# Verify that the test resources can be deployed -kubectl create namespace cert-manager-test 2>&1 >/dev/null -while [[ "$(kubectl apply --dry-run=server -f test-resources.yaml 2>&1)" == *"error"* ]]; do - printf "." - sleep 1 -done -kubectl delete namespace cert-manager-test 2>&1 >/dev/null - -# Deploy the test resources -kubectl apply -f test-resources.yaml - -# Wait for the certificate status to be True -printf "Validate test certificate...\n" -while [[ "$(kubectl get certificate -n cert-manager-test selfsigned-cert -ojson | jq -r '.status.conditions[0].status' 2>&1)" != "True" ]]; do - printf "." - sleep 1 -done -printf "...Done.\n" - -echo "Validation successful!" - -echo "Remove test resources..." 
-kubectl delete -f test-resources.yaml -rm -f test-resources.yaml - -####################################################################################### -### Transform and apply all custom resources -### - -function createIdentityResourceAndBinding() { - # Use managed identity - printf "\nCreate identity resource and binding, and certificate issuer...\n" - - # Get the already created identity - printf "Getting identity..." - IDENTITY="$(az identity show --name $MI_CERT_MANAGER --resource-group $AZ_RESOURCE_GROUP_COMMON --output json 2>&1)" - if [[ $IDENTITY == *"ERROR"* ]]; then - echo "ERROR: Could not get identity." >&2 - exit 1 - fi - printf " Done.\n" - - # Used for identity binding - CLIENT_ID=$(echo $IDENTITY | jq -r '.clientId') - RESOURCE_ID=$(echo $IDENTITY | jq -r '.id') - - # Combine and use the templated manifest as a heredocs. - # First we paste it into a heredoc script file. - # Then we will then run the heredoc script in context of caller using the "source" command so that it share scope with caller and have access the same vars. - # The final output will be a yaml file which contains the translated manifest. 
- local TMP_DIR="${WORK_DIR}/tmp" - test -d "$TMP_DIR" && rm -rf "$TMP_DIR" - mkdir "$TMP_DIR" - (echo "#!/bin/sh"; echo "cat <>${TMP_DIR}/translated-manifest.yaml"; cat $WORK_DIR/mi-azure-identity-and-issuer.yaml | cat; echo ""; echo "EOF";)>${TMP_DIR}/heredoc.sh && chmod +x ${TMP_DIR}/heredoc.sh - source ${TMP_DIR}/heredoc.sh - - kubectl apply -f ${TMP_DIR}/translated-manifest.yaml - rm -rf "${TMP_DIR}" - printf "...Done.\n" -} - -function transformManifests() { - # Use Service Principal - - # Fetch dns system user credentials - # Read secret, extract stringified json from property "value" and convert it into json - local DNS_SP="$(az keyvault secret show \ - --vault-name $AZ_RESOURCE_KEYVAULT \ - --name $APP_REGISTRATION_CERT_MANAGER \ - | jq '.value | fromjson')" - - # Set variables used in the manifest templates - local DNS_SP_ID="$(echo $DNS_SP | jq -r '.id')" - local DNS_SP_TENANT_ID="$(echo $DNS_SP | jq -r '.tenantId')" - local DNS_SP_PASSWORD="$(echo $DNS_SP | jq -r '.password')" - local DNS_SP_PASSWORD_base64="$(echo $DNS_SP_PASSWORD | base64 -)" - - # Combine and use the templated manifests as a heredocs. - # First we combine them all into one heredoc script file. - # Then we will then run the heredoc script in context of caller using the "source" command so that it share scope with caller and have access the same vars. - # The final output will be a yaml file that contains all the translated manifests. 
- local TMP_DIR="${WORK_DIR}/tmp" - test -d "$TMP_DIR" && rm -rf "$TMP_DIR" - mkdir "$TMP_DIR" - (echo "#!/bin/sh"; echo "cat <>${TMP_DIR}/translated-manifests.yaml"; (for templateFile in "$WORK_DIR"/manifests/*.yaml; do cat $templateFile; done;) | cat; echo ""; echo "EOF";)>${TMP_DIR}/heredoc.sh && chmod +x ${TMP_DIR}/heredoc.sh - source ${TMP_DIR}/heredoc.sh - printf "...Done.\n" -} - -function applyManifests() { - # Use Service principal - printf "\nStart applying manifests...\n" - - local TMP_DIR="${WORK_DIR}/tmp" - kubectl apply -f "${TMP_DIR}/translated-manifests.yaml" - rm -rf "${TMP_DIR}" - - # # Use managed identity - # test -d "$TMP_DIR" && rm -rf "$TMP_DIR" - # mkdir "$TMP_DIR" - - # (echo "#!/bin/sh"; - # echo "cat <>${TMP_DIR}/translated-manifests.yaml"; - # cat $WORK_DIR/manifests/radix-wildcard-tls-cert.yaml | cat; - # echo ""; - # echo "EOF";)>${TMP_DIR}/heredoc.sh && chmod +x ${TMP_DIR}/heredoc.sh - - # source ${TMP_DIR}/heredoc.sh - - # kubectl apply -f ${TMP_DIR}/translated-manifests.yaml - # rm -rf "${TMP_DIR}" - printf "...Done.\n" -} - -####################################################################################### -### MAIN -### - -# # Use managed identity -# createIdentityResourceAndBinding # Do not use this until aad-pod-identity is generally available. - -# Use service principal -transformManifests - -applyManifests diff --git a/scripts/cert-manager/mi-azure-identity-and-issuer.yaml b/scripts/cert-manager/mi-azure-identity-and-issuer.yaml deleted file mode 100644 index 5422ba3fd..000000000 --- a/scripts/cert-manager/mi-azure-identity-and-issuer.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -apiVersion: "aadpodidentity.k8s.io/v1" -kind: AzureIdentity -metadata: - annotations: - # recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/ - aadpodidentity.k8s.io/Behavior: namespaced - name: certman-identity - namespace: cert-manager # change to your preferred namespace -spec: - type: 0 # MSI - resourceID: ${RESOURCE_ID} # Resource Id From Previous step - clientID: ${CLIENT_ID} # Client Id from previous step ---- -apiVersion: "aadpodidentity.k8s.io/v1" -kind: AzureIdentityBinding -metadata: - name: certman-id-binding - namespace: cert-manager # change to your preferred namespace -spec: - azureIdentity: certman-identity - selector: certman-label # This is the label that needs to be set on cert-manager pods ---- -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: ${CERT_ISSUER} -spec: - acme: - # The ACME server URL - server: ${ACME_URL} - # Email address used for ACME registration. - # Let's Encrypt will use this to contact you about expiring certificates and issues related to your account. - email: Radix@StatoilSRM.onmicrosoft.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: ${CERT_ISSUER} - # HTTP challenge is not supported for wildcard certificates - # http01: {} - solvers: - - dns01: - azureDNS: - subscriptionID: "${AZ_SUBSCRIPTION_ID}" # The id of the subscription that controls the az dns zone. Ex: az account show -s "Omnia Radix Development" --query id - resourceGroupName: "${AZ_RESOURCE_GROUP_COMMON}" - hostedZoneName: "${AZ_RESOURCE_DNS}" - # Azure Cloud Environment, default to AzurePublicCloud - environment: AzurePublicCloud \ No newline at end of file diff --git a/scripts/install_base_components.sh b/scripts/install_base_components.sh index dcc99b392..8524efacc 100755 --- a/scripts/install_base_components.sh +++ b/scripts/install_base_components.sh 
@@ -253,6 +253,15 @@ printf "%s► Execute %s%s\n" "${grn}" "$WORKDIR_PATH/scripts/cert-manager/boots (USER_PROMPT="false" STAGING="${STAGING}" ./cert-manager/bootstrap.sh) wait +####################################################################################### +### Install Digicert issuer values for Flux +### + +echo "" +printf "%s► Execute %s%s\n" "${grn}" "$WORKDIR_PATH/scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh" "${normal}" +(USER_PROMPT="$USER_PROMPT" ./cert-manager/cluster-issuers/digicert/bootstrap.sh) +wait + ####################################################################################### ### Create storage classes ### diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env index c5105e6aa..6bb6d9d90 100644 --- a/scripts/radix-zone/radix_zone_c2.env +++ b/scripts/radix-zone/radix_zone_c2.env @@ -116,6 +116,8 @@ MI_AKSKUBELET="id-radix-akskubelet-${RADIX_ZONE}-${RADIX_ENVIRONMENT}" ### KV_SECRET_SLACK_WEBHOOK="slack-webhook-${RADIX_ZONE}-${RADIX_ENVIRONMENT}" +DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET="digicert-external-account-${RADIX_ZONE}-${RADIX_ENVIRONMENT}" + KV_EXPIRATION_TIME="12 months" ####################################################################################### diff --git a/scripts/radix-zone/radix_zone_dev.env b/scripts/radix-zone/radix_zone_dev.env index e9af8ef17..be0e9b69a 100644 --- a/scripts/radix-zone/radix_zone_dev.env +++ b/scripts/radix-zone/radix_zone_dev.env @@ -122,6 +122,8 @@ MI_GITHUB_MAINTENANCE="radix-github-maintenance" ### KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE" +DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET="digicert-external-account-$RADIX_ZONE" + KV_EXPIRATION_TIME="12 months" ####################################################################################### diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env index 77c233632..f9ffcf34e 100644 --- a/scripts/radix-zone/radix_zone_playground.env 
+++ b/scripts/radix-zone/radix_zone_playground.env @@ -119,6 +119,8 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope" ### KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE" +DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET="digicert-external-account-$RADIX_ZONE" + KV_EXPIRATION_TIME="12 months" ####################################################################################### diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env index 58dd03e62..155132948 100644 --- a/scripts/radix-zone/radix_zone_prod.env +++ b/scripts/radix-zone/radix_zone_prod.env @@ -121,6 +121,8 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope" ### KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE" +DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET="digicert-external-account-$RADIX_ZONE" + KV_EXPIRATION_TIME="12 months" #######################################################################################
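Review bot: scripts/cert-manager/README.md, first hunk: the Teardown and Upgrade sections are removed together with their TOC entries, which matches teardown.sh being repurposed, but the intro sentence still says certificates are issued "using Let's Encrypt" and the Credentials section still describes the dedicated service principal, while this patch deletes configure.sh (the script that rendered and applied those issuers). Add a sentence to the README pointing at the new `cluster-issuers/digicert/` directory and stating where the Let's Encrypt issuer is now managed (Flux, from the look of the new scripts), so the README does not describe a setup the scripts no longer perform.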
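Review bot: scripts/cert-manager/cluster-issuers/digicert/README.md: "see script header for more how" appears twice and should read "see script header for more info", as in the parent README. The last line, "Required input values must be obtained from Equinor's account manager for Digicert", would be more useful if it named the values the script checks for (`ACME_ACCOUNT_KID`, `ACME_ACCOUNT_HMAC_KEY`, `ACME_ACCOUNT_EMAIL`, `ACME_SERVER`), so an operator knows what to request before opening update_account.sh.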
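Review bot: scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh, PRECONDITIONS hunk (`@@ -14,7 +14,6 @@`): the list still names only `AKS cluster is available` and `User has role cluster-admin`, but the script now requires `jq` and reads `$DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET` from `$AZ_RESOURCE_KEYVAULT`. Add preconditions stating that the user needs read access to secrets in the zone Key Vault and that the secret must already exist (created with update_account.sh); otherwise the first failure a new operator sees is an opaque `az` error halfway through the run.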
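Review bot: scripts/cert-manager/cluster-issuers/digicert/bootstrap.sh, the "Bootstrap Digicert external account secret for Flux" hunk has no failure handling around the Key Vault read. If `az keyvault secret show` fails (secret missing, no access, wrong vault), `jq '.value | fromjson'` receives empty input, `account_values` becomes empty, and `kid`, `hmac`, `email` and `server` are all silently set to empty strings, after which the script continues and writes a Flux secret with blank values. Append `|| exit 1` to the pipeline (with `set -o pipefail`, or test `[[ -n "$account_values" ]]`) and refuse to continue when `kid` or `hmac` is empty. The expansions should also be quoted: `kid="$(echo $account_values | jq -r '.accountKeyID')"` word-splits and glob-expands the JSON, so an HMAC key containing `*` or `?` can be mangled; `jq -r '.accountKeyID' <<<"$account_values"` avoids that, and `--vault-name "$AZ_RESOURCE_KEYVAULT"` / `--name "$DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET"` should be quoted like the other variables in this script.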
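Review bot: scripts/cert-manager/cluster-issuers/digicert/update_account.sh: the documented usage passes the account HMAC key on the command line (`ACME_ACCOUNT_HMAC_KEY=... ./update_account.sh`), which records it in shell history, and `az keyvault secret set --value "${secret}"` puts the whole JSON, HMAC key included, into the process argument list where it is visible to `ps` on a shared host. The script already avoids echoing it (`- ACME_ACCOUNT_HMAC_KEY : ` is left blank in the summary), so finish the job: prompt with `read -rs` when `ACME_ACCOUNT_HMAC_KEY` is unset instead of requiring it in the environment, and pass the value through `--file` from a mode-600 temporary file rather than `--value`. Two smaller points in the same hunk: `AZ_RESOURCE_KEYVAULT` and `DIGICERT_EXTERNAL_ACCOUNT_KV_SECRET` are printed but never checked after sourcing `$RADIX_ZONE_ENV`, so an env file missing the new variable produces an `az` error rather than the clear "Please provide" message the other inputs get; and the secret is set without an expiry even though every zone env file defines `KV_EXPIRATION_TIME="12 months"` directly below the new variable, so consider `--expires` for consistency with the zone's other Key Vault secrets.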
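Review bot: the deletion of scripts/cert-manager/configure.sh and mi-azure-identity-and-issuer.yaml is not mentioned in the commit message ("bootstrap digicert flux values"). configure.sh was the script that fetched the DNS service principal from Key Vault, rendered `manifests/*.yaml` and applied the Let's Encrypt ClusterIssuer; nothing in this patch shows what replaces it, and install_base_components.sh still calls `./cert-manager/bootstrap.sh` with `STAGING="${STAGING}"`. Please state in the commit message where the Let's Encrypt issuer and DNS credential handling now live, and whether `scripts/cert-manager/manifests/` is still consumed by anything or should be removed in the same change.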
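Review bot: scripts/install_base_components.sh hunk: the call immediately above runs `(USER_PROMPT="false" STAGING="${STAGING}" ./cert-manager/bootstrap.sh)`, but the new step passes `USER_PROMPT="$USER_PROMPT"` through, so an unattended run of install_base_components.sh now stops at the digicert script's "Is this correct? (Y/n)" prompt. Either use `USER_PROMPT="false"` like the line above it, or add a comment explaining why this step deliberately prompts.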