update cert process

examples/full-cluster/common-services/cert.tf

@@ -0,0 +1,125 @@
+# tf-apply  $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g')
+# terraform taint null_resource.ca_cert[0]
+# # (wait for submitted cert to be ready)
+# tf-apply  $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g')
+# tf-apply  $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g')
+
+#---
+# ca
+#---
+locals {
+  ca_dns_name = format("pki.%v.%v", var.cluster_name, var.vpc_domain_name)
+  #  ca_ou = format("ou=%v,ou=EKS,ou=%v,ou=PKI",var.cluster_name,var.vpc_full_name)
+  ca_ou            = format("eks-%v-%v-PKI", var.cluster_name, var.vpc_full_name)
+  ca_cert_download = false
+  ca_cert_san      = [local.ca_dns_name]
+
+  ca_key_filename    = format("${path.root}/certs/%v.key", local.ca_dns_name)
+  ca_key_exists      = fileexists(local.ca_key_filename)
+  ca_cert_filename   = format("${path.root}/certs/%v.crt", local.ca_dns_name)
+  ca_cert_exists     = fileexists(local.ca_cert_filename)
+  ca_root_filename   = "${path.root}/certs/ca-root.crt"
+  ca_root_exists     = fileexists(local.ca_root_filename)
+  ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : ""
+  ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
+}
+
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+
+  certificate_cn                = local.ca_dns_name
+  certificate_san               = [local.ca_dns_name]
+  certificate_download          = true
+  enable_acm_certificate        = false
+  certificate_subject_overrides = { ou = local.ca_ou }
+  certificate_csr_message       = <<EOM
+Now submit file to TCO for signing and return the result as below:
+
+  dns  = ${local.ca_dns_name}
+  csr  = certs/${local.ca_dns_name}.csr
+
+Ask for the certificate to be signed with the Linux (v2) PKI CA with the command:
+
+% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+
+EOM
+}
+
+## resource "tls_private_key" "ca" {
+##   algorithm = "RSA"
+##   rsa_bits  = 4096
+## }
+## 
+## resource "tls_cert_request" "ca" {
+##   key_algorithm   = "RSA"
+##   private_key_pem = tls_private_key.ca.private_key_pem
+## 
+##   dns_names = local.ca_cert_san
+##   subject {
+##     common_name         = local.ca_dns_name
+##     organizational_unit = local.ca_ou
+##     organization        = "U.S. Census Bureau"
+##     country             = "US"
+##   }
+## }
+## 
+## resource "null_resource" "ca_root_cert" {
+##   provisioner "local-exec" {
+##     command = "test -d certs || mkdir certs"
+##   }
+##   provisioner "local-exec" {
+##     command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
+##   }
+## }
+## 
+## resource "null_resource" "ca_files" {
+##   triggers = {
+##     ca_key_public = sha256(tls_private_key.ca.public_key_pem)
+##     ca_csr        = sha256(tls_cert_request.ca.cert_request_pem)
+##   }
+## 
+##   # get key
+##   provisioner "local-exec" {
+##     command = "test -d certs || mkdir certs"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
+##   }
+##   # get csr
+##   provisioner "local-exec" {
+##     command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
+##   }
+## 
+##   # detail how to get certs
+##   provisioner "local-exec" {
+##     command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it.  Then add the .secret to git'"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo 'now submit file to TCO for signing and return the result as below:\n  csr = certs/${local.ca_dns_name}.csr\n  cert = certs/${local.ca_dns_name}.crt\n'"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+##   }
+## }
+## 
+## resource "null_resource" "ca_cert" {
+##   count = local.ca_cert_download ? 1 : 0
+##   # get cert
+##   provisioner "local-exec" {
+##     command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+##   }
+## }
+## 
+## resource "local_file" "ca_bundle_cert" {
+##   count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
+## 
+##   content         = local.ca_bundle_contents
+##   filename        = local.ca_bundle_filename
+##   file_permission = "0644"
+## }

examples/full-cluster/common-services/copy_images.tf

@@ -5,7 +5,7 @@ locals {
   repo_parent_name = format("eks/%v", var.cluster_name)
 
   account_ecr_registry = format("%v.dkr.ecr.%v.amazonaws.com", local.account_id, var.region)
-  account_ecr = format("%v/%v", local.account_ecr_registry, local.repo_parent_name)
+  account_ecr          = format("%v/%v", local.account_ecr_registry, local.repo_parent_name)
 
   images = [
     # cert-manager related images:
@@ -60,14 +60,14 @@ locals {
     },
   ]
   image_repos = { for image in local.images : image.name => format("%v/%v", local.account_ecr, image.name) }
-  image_map = { for image in local.images : image.name => 
+  image_map = { for image in local.images : image.name =>
     merge(
       image,
       tomap(
-        { "full_path"=local.image_repos[image.name], 
-          "registry"=local.account_ecr_registry, 
-          "repository"=format("%v/%v",local.repo_parent_name,image.name), }
-    ) ) }
+        { "full_path" = local.image_repos[image.name],
+          "registry"  = local.account_ecr_registry,
+        "repository" = format("%v/%v", local.repo_parent_name, image.name), }
+  )) }
 }
 
 resource "null_resource" "copy_images" {

examples/full-cluster/common-services/dns.tf

@@ -21,5 +21,5 @@ resource "aws_route53_record" "istio-ingress" {
   ttl     = 900
   zone_id = local.parent_rs.cluster_domain_id
 
-  records = [ data.aws_lb.lb[0].dns_name ]
+  records = [data.aws_lb.lb[0].dns_name]
 }

examples/full-cluster/common-services/locals.tf

@@ -12,6 +12,6 @@ locals {
   subnet_ids           = local.parent_rs.cluster_subnet_ids
   cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
 
-  oidc_provider_url    = local.parent_rs.oidc_provider_url
-  oidc_provider_arn    = local.parent_rs.oidc_provider_arn
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
 }

examples/full-cluster/common-services/main.tf

@@ -45,36 +45,36 @@ resource "helm_release" "metrics-server" {
   depends_on = [null_resource.copy_images]
   set {
     name = "extraArgs.kubelet-preferred-address-types"
-#    value = "InternalIP,ExternalIP,Hostname"
+    #    value = "InternalIP,ExternalIP,Hostname"
     value = "InternalIP"
   }
   set {
-    name = "apiService.create"
+    name  = "apiService.create"
     value = "true"
   }
   set {
-    name = "extraArgs.cert-dir"
+    name  = "extraArgs.cert-dir"
     value = "/tmp"
   }
   set {
-    name = "extraArgs.kubelet-use-node-status-port"
+    name  = "extraArgs.kubelet-use-node-status-port"
     value = ""
   }
   set {
-    name = "extraArgs.metric-resolution"
+    name  = "extraArgs.metric-resolution"
     value = "15s"
   }
-#  set {
-#    name = "extraArgs.kubelet-insecure-tls"
-#    value = "true"
-#  }
+  #  set {
+  #    name = "extraArgs.kubelet-insecure-tls"
+  #    value = "true"
+  #  }
   set {
-    name = "image.registry"
+    name  = "image.registry"
     value = local.account_ecr_registry
   }
   set {
-    name  = "image.repository"
-#    value =  format("%v/%v", local.repo_parent_name, local.images["metric-server"].name)
+    name = "image.repository"
+    #    value =  format("%v/%v", local.repo_parent_name, local.images["metric-server"].name)
     value = local.image_map["metrics-server"].repository
   }
 
@@ -87,9 +87,9 @@ resource "helm_release" "metrics-server" {
 }
 
 resource "helm_release" "cluster-autoscaler" {
-  chart = "cluster-autoscaler"
-  name = "cluster-autoscaler"
-  namespace = "kube-system"
+  chart      = "cluster-autoscaler"
+  name       = "cluster-autoscaler"
+  namespace  = "kube-system"
   repository = "${path.module}/charts/"
   depends_on = [null_resource.copy_images]
   set {
@@ -101,7 +101,7 @@ resource "helm_release" "cluster-autoscaler" {
     value = var.cluster_autoscaler_tag
   }
   set {
-    name = "autoDiscovery.clusterName"
+    name  = "autoDiscovery.clusterName"
     value = var.cluster_name
   }
 }

examples/full-cluster/common-services/tf-run.data

@@ -3,18 +3,21 @@ REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
-tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files
-null_resource.ca_cert
-local_file.ca_bundle_cert
+# tls_private_key.ca tls_cert_request.ca null_resource.ca_root_cert null_resource.ca_files
+# null_resource.ca_cert
+# local_file.ca_bundle_cert
+module.cert
 COMMAND tf-directory-setup.py -l s3
 
 COMMENT submit certs/*csr using command ouptut listed in apply to TCO for signing
 STOP once that is availabile, change cert_download to true
 
-COMMAND terraform taint null_resource.ca_cert
-null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
-COMMENT second run is to complete the steps
-null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
+# COMMAND terraform taint null_resource.ca_cert
+# null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
+# COMMENT second run is to complete the steps
+# null_resource.ca_root_cert null_resource.ca_files null_resource.ca_cert
+module.cert
+module.cert
 
 ALL