[terraform-google][tanka] Set SSL policy to enforce secure TLS connections (#1000)
barroco authored Feb 14, 2024
1 parent 1ea7ebf commit 59674f9
Showing 7 changed files with 23 additions and 0 deletions.
6 changes: 6 additions & 0 deletions build/README.md
@@ -380,6 +380,12 @@ a PR to that effect would be greatly appreciated.
- If you are only turning up a single DSS instance for development, you
may optionally change `single_cluster` to `true`.
1. `VAR_SSL_POLICY`: When deploying on Google Cloud, a [ssl policy](https://cloud.google.com/load-balancing/docs/ssl-policies-concepts)
can be applied to the DSS Ingress. This can be used to secure the TLS connection.
Follow the [instructions](https://cloud.google.com/load-balancing/docs/use-ssl-policies) to create the Global SSL Policy and
replace VAR_SSL_POLICY variable with its name. `RESTRICTED` profile is recommended.
Leave it empty if not applicable.
1. Edit workspace/$CLUSTER_CONTEXT/spec.json and replace all VAR_*
instances with appropriate values:
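Review bot: the new `VAR_SSL_POLICY` item tells the user to paste the policy's name but not that the policy must already exist in the same Google Cloud project before deploying; the FrontendConfig added in base.libsonnet only references it by name, so a missing or misspelled policy will only surface at rollout time. Add a sentence to that effect and state explicitly that leaving the value empty means no FrontendConfig is generated and no policy is attached. Also "a [ssl policy]" should read "an [SSL policy]".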
9 changes: 9 additions & 0 deletions build/deploy/base.libsonnet
@@ -258,5 +258,14 @@ local util = import 'util.libsonnet';
'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': certARN,
},
},
},

GoogleFrontendConfig(metadata, name, sslPolicy): $._Object('networking.gke.io/v1beta1', 'FrontendConfig', metadata, name) {
metadata+: {
name: name
},
spec+: {
sslPolicy: sslPolicy
}
}
}
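Review bot: `$._Object('networking.gke.io/v1beta1', 'FrontendConfig', metadata, name)` already receives `name`; if `_Object` populates `metadata.name` from it, the `metadata+: { name: name }` override in `GoogleFrontendConfig` is redundant and should be dropped, otherwise a comment explaining why both are needed would help. Also document that `sslPolicy` is the policy's short name, not a full resource path, and add trailing commas after `name: name` and `sslPolicy: sslPolicy` to match the style of the AWS annotation block just above.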
4 changes: 4 additions & 0 deletions build/deploy/core-service.libsonnet
@@ -19,6 +19,7 @@ local awsLoadBalancer(metadata) = base.AWSLoadBalancerWithManagedCert(metadata,
annotations: {
'kubernetes.io/ingress.global-static-ip-name': metadata.backend.ipName,
'kubernetes.io/ingress.allow-http': 'false',
[if metadata.backend.sslPolicy != '' then 'networking.gke.io/v1beta1.FrontendConfig']: 'ssl-frontend-config',
},
},
spec: {
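Review bot: the FrontendConfig name `'ssl-frontend-config'` is a string literal here in the `networking.gke.io/v1beta1.FrontendConfig` annotation and again in `GoogleSSLPolicyFrontendConfig` below; if either copy is edited the Ingress will reference a FrontendConfig that is never created. Hoist it into a single `local sslFrontendConfigName = 'ssl-frontend-config';` near the top of the file and use it in both places.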
@@ -33,6 +34,8 @@ local awsLoadBalancer(metadata) = base.AWSLoadBalancerWithManagedCert(metadata,
},
},

GoogleSSLPolicyFrontendConfig(metadata): base.GoogleFrontendConfig(metadata, 'ssl-frontend-config', metadata.backend.sslPolicy),

GoogleManagedCertIngress(metadata): {
ingress: $.GoogleIngress(metadata) {
metadata+: {
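Review bot: `GoogleSSLPolicyFrontendConfig` is unconditional, so calling it while `metadata.backend.sslPolicy` is `''` would emit a FrontendConfig with an empty `sslPolicy`; today only the guard in `CloudNetwork` prevents that. Put the check in the function itself, e.g. `assert metadata.backend.sslPolicy != '' : 'sslPolicy must be set';`, so a future caller cannot bypass it.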
@@ -68,6 +71,7 @@ local awsLoadBalancer(metadata) = base.AWSLoadBalancerWithManagedCert(metadata,
CloudNetwork(metadata): {
google: if metadata.cloud_provider == "google" then {
ingress: $.GoogleManagedCertIngress(metadata),
[if metadata.backend.sslPolicy != '' then 'frontendConfig']: $.GoogleSSLPolicyFrontendConfig(metadata),
service: $.GoogleService(metadata),
},
aws_loadbalancer: if metadata.cloud_provider == "aws" then awsLoadBalancer(metadata)
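Review bot: the `metadata.backend.sslPolicy != ''` test is now written twice, once for the Ingress annotation in `GoogleIngress` and once for this `frontendConfig` key; the two must always agree, or the Ingress points at a FrontendConfig that is not emitted (or one is emitted that nothing references). Compute it once, e.g. `local sslPolicyEnabled = metadata.backend.sslPolicy != '';`, and use that in both places.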
1 change: 1 addition & 0 deletions build/deploy/examples/minimum/main.jsonnet
@@ -25,6 +25,7 @@ local metadata = metadataBase {
jwksKeyIds: ['VAR_JWKS_KEY_ID'],
hostname: 'VAR_APP_HOSTNAME',
dumpRequests: true,
sslPolicy: 'VAR_SSL_POLICY'
},
schema_manager+: {
image: 'VAR_DOCKER_IMAGE_NAME',
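Review bot: `sslPolicy: 'VAR_SSL_POLICY'` lacks the trailing comma that `dumpRequests: true,` and the entries above it use, so the next field added here will have to touch this line; add the comma. Since the README says to leave the value empty when not applicable, a short inline comment on this line (`# leave '' to attach no SSL policy`) would spare users of the minimum example a trip to the README.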
1 change: 1 addition & 0 deletions build/deploy/metadata_base.libsonnet
@@ -34,6 +34,7 @@
hostname: error 'must specify hostname',
dumpRequests: false,
certName: if $.cloud_provider == "aws" then error 'must specify certName for AWS cloud provider', # Only used by AWS
sslPolicy: '', # SSL Policy Name. Only used by Google Cloud.
},
alert: {
enable: false,
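Review bot: the comment on the `sslPolicy` default should say what the empty string means, namely that no FrontendConfig is created and the Ingress gets no policy annotation, so the load balancer keeps whatever policy it would otherwise have; suggest `sslPolicy: '',  # Name of a Google Cloud SSL policy; '' attaches none. Google only.`. Defaulting to `''` rather than an `error`, as `certName` does for AWS, is the right choice here because it keeps existing deployments that have no policy working unchanged.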
@@ -28,6 +28,7 @@ resource "local_file" "tanka_config_main" {
VAR_CLOUD_PROVIDER = var.kubernetes_cloud_provider_name
VAR_CERT_NAME = var.gateway_cert_name
VAR_SUBNET = var.workload_subnet
VAR_SSL_POLICY = var.ssl_policy
})
filename = "${local.workspace_location}/main.jsonnet"
}
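Review bot: `var.ssl_policy` is referenced but none of the seven files in this commit declares `variable "ssl_policy"`, so either the declaration already exists in the module or `terraform plan` will fail with an undeclared-variable error. If it is new, it needs a declaration with `default = ""` and a description matching the README (name of a Global SSL policy, RESTRICTED profile recommended) so existing users are not forced to set it.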
@@ -31,6 +31,7 @@ local metadata = metadataBase {
jwksKeyIds: ['${VAR_JWKS_KEY_ID}'],
hostname: '${VAR_APP_HOSTNAME}',
dumpRequests: true,
sslPolicy: '${VAR_SSL_POLICY}'
},
schema_manager+: {
image: '${VAR_DOCKER_IMAGE_NAME}',
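Review bot: same missing trailing comma as in the minimum example; `sslPolicy: '${VAR_SSL_POLICY}'` should end with `,` like `dumpRequests: true,` above. Because the value is quoted, an empty `ssl_policy` renders as `sslPolicy: ''`, which the `!= ''` checks in core-service.libsonnet treat as disabled, so the default case is correct; just make sure the variable is a string and never `null`, since `templatefile` refuses to interpolate a null value into a string template.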