Ingress certs

Documentation/variables/config.md

@@ -30,6 +30,9 @@ This document gives an overview of variables used in all platforms of the Tecton
 | tectonic_etcd_tls_enabled | (optional) If set to `true`, TLS secure communication for self-provisioned etcd. will be used.<br><br>Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS. | string | `true` |
 | tectonic_experimental | If set to true, experimental Tectonic assets are being deployed. | string | `false` |
 | tectonic_image_re | (internal) Regular expression used to extract repo and tag components | string | `/^([^/]+/[^/]+/[^/]+):(.*)$/` |
+| tectonic_ingress_ca_cert_pem | (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate. If left blank, a CA certificate will be automatically generated. | string | `` |
+| tectonic_ingress_cert_pem | (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`. This field is mandatory if `tectonic_ingress_ca_cert_pem` is set. | string | `` |
+| tectonic_ingress_key_pem | (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate. This field is mandatory if `tectonic_ingress_ca_cert_pem` is set. | string | `` |
 | tectonic_license_path | The path to the tectonic licence file. You can download the Tectonic license file from your Account overview page at [1].<br><br>[1] https://account.coreos.com/overview<br><br>Note: This field MUST be set manually prior to creating the cluster unless `tectonic_vanilla_k8s` is set to `true`. | string | `` |
 | tectonic_master_count | The number of master nodes to be created. This applies only to cloud platforms. | string | `1` |
 | tectonic_pull_secret_path | The path the pull secret file in JSON format. This is known to be a "Docker pull secret" as produced by the docker login [1] command. A sample JSON content is shown in [2]. You can download the pull secret from your Account overview page at [3].<br><br>[1] https://docs.docker.com/engine/reference/commandline/login/<br><br>[2] https://coreos.com/os/docs/latest/registry-authentication.html#manual-registry-auth-setup<br><br>[3] https://account.coreos.com/overview<br><br>Note: This field MUST be set manually prior to creating the cluster unless `tectonic_vanilla_k8s` is set to `true`. | string | `` |

config.tf

@@ -333,6 +333,36 @@ This field is mandatory if `tectonic_ca_cert` is set.
 EOF
 }
 
+variable "tectonic_ingress_ca_cert_pem" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+If left blank, a CA certificate will be automatically generated.
+EOF
+}
+
+variable "tectonic_ingress_cert_pem" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+EOF
+}
+
+variable "tectonic_ingress_key_pem" {
+  type    = "string"
+  default = ""
+
+  description = <<EOF
+(optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+EOF
+}
+
 variable "tectonic_vanilla_k8s" {
   default = false
 

examples/terraform.tfvars.aws

@@ -250,6 +250,18 @@ tectonic_etcd_count = "0"
 // If set to true, experimental Tectonic assets are being deployed.
 tectonic_experimental = false
 
+// (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+// If left blank, a CA certificate will be automatically generated.
+// tectonic_ingress_ca_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_key_pem = ""
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

examples/terraform.tfvars.azure

@@ -243,6 +243,18 @@ tectonic_etcd_count = "0"
 // If set to true, experimental Tectonic assets are being deployed.
 tectonic_experimental = false
 
+// (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+// If left blank, a CA certificate will be automatically generated.
+// tectonic_ingress_ca_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_key_pem = ""
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

examples/terraform.tfvars.metal

@@ -117,6 +117,18 @@ tectonic_etcd_count = "0"
 // If set to true, experimental Tectonic assets are being deployed.
 tectonic_experimental = false
 
+// (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+// If left blank, a CA certificate will be automatically generated.
+// tectonic_ingress_ca_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_key_pem = ""
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

examples/terraform.tfvars.openstack-neutron

@@ -117,6 +117,18 @@ tectonic_etcd_count = "0"
 // If set to true, experimental Tectonic assets are being deployed.
 tectonic_experimental = false
 
+// (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+// If left blank, a CA certificate will be automatically generated.
+// tectonic_ingress_ca_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_key_pem = ""
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

examples/terraform.tfvars.vmware

@@ -117,6 +117,18 @@ tectonic_etcd_count = "0"
 // If set to true, experimental Tectonic assets are being deployed.
 tectonic_experimental = false
 
+// (optional) The content of the PEM-encoded CA certificate that was used to sign the Tectonic Console's server certificate.
+// If left blank, a CA certificate will be automatically generated.
+// tectonic_ingress_ca_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate for the Tectonic Console that was signed by `tectonic_ingress_ca_cert_pem`.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_cert_pem = ""
+
+// (optional) The content of the PEM-encoded certificate key for the Tectonic Console certificate.
+// This field is mandatory if `tectonic_ingress_ca_cert_pem` is set.
+// tectonic_ingress_key_pem = ""
+
 // The path to the tectonic licence file.
 // You can download the Tectonic license file from your Account overview page at [1].
 // 

installer/frontend/cluster-config.js

@@ -40,6 +40,9 @@ export const BM_WORKERS = 'workers';
 
 export const CA_CERTIFICATE = 'caCertificate';
 export const CA_PRIVATE_KEY = 'caPrivateKey';
+export const INGRESS_CA_CERTIFICATE = 'ingressCACertificate';
+export const INGRESS_CERTIFICATE = 'ingressCertificate';
+export const INGRESS_PRIVATE_KEY = 'ingressPrivateKey';
 export const CA_TYPE = 'caType';
 export const CLUSTER_NAME = 'clusterName';
 export const CLUSTER_SUBDOMAIN = 'clusterSubdomain';
@@ -177,6 +180,9 @@ export const DEFAULT_CLUSTER_CONFIG = {
   [BM_TECTONIC_DOMAIN]: '',
   [CA_CERTIFICATE]: '',
   [CA_PRIVATE_KEY]: '',
+  [INGRESS_CA_CERTIFICATE]: '',
+  [INGRESS_CERTIFICATE]: '',
+  [INGRESS_PRIVATE_KEY]: '',
   [CA_TYPE]: 'self-signed',
   [CLUSTER_NAME]: '',
   [CONTROLLER_DOMAIN]: '',
@@ -293,7 +299,12 @@ export const toAWS_TF = (cc, FORMS, opts = {}) => {
     ret.variables.tectonic_ca_cert = cc[CA_CERTIFICATE];
     ret.variables.tectonic_ca_key = cc[CA_PRIVATE_KEY];
     ret.variables.tectonic_ca_key_alg = keyToAlg(cc[CA_PRIVATE_KEY]);
+  } else if (cc[CA_TYPE] === 'ca-signed') {
+    ret.variables.tectonic_ingress_ca_cert_pem = cc[INGRESS_CA_CERTIFICATE];
+    ret.variables.tectonic_ingress_cert_pem = cc[INGRESS_CERTIFICATE];
+    ret.variables.tectonic_ingress_key_pem = cc[INGRESS_PRIVATE_KEY];
   }
+
   return ret;
 };
 
@@ -345,6 +356,10 @@ export const toBaremetal_TF = (cc, FORMS, opts = {}) => {
     ret.variables.tectonic_ca_cert = cc[CA_CERTIFICATE];
     ret.variables.tectonic_ca_key = cc[CA_PRIVATE_KEY];
     ret.variables.tectonic_ca_key_alg = keyToAlg(cc[CA_PRIVATE_KEY]);
+  } else if (cc[CA_TYPE] === 'ca-signed') {
+    ret.variables.tectonic_ingress_ca_cert_pem = cc[INGRESS_CA_CERTIFICATE];
+    ret.variables.tectonic_ingress_cert_pem = cc[INGRESS_CERTIFICATE];
+    ret.variables.tectonic_ingress_key_pem = cc[INGRESS_PRIVATE_KEY];
   }
 
   return ret;

installer/frontend/components/certificate-authority.jsx

@@ -3,7 +3,7 @@ import { connect } from 'react-redux';
 
 import { configActionTypes } from '../actions';
 import { validate } from '../validate';
-import { CA_TYPE, CA_CERTIFICATE, CA_PRIVATE_KEY } from '../cluster-config';
+import { CA_TYPE, CA_CERTIFICATE, CA_PRIVATE_KEY, INGRESS_CERTIFICATE, INGRESS_PRIVATE_KEY, INGRESS_CA_CERTIFICATE } from '../cluster-config';
 import { WithClusterConfig, CertArea, PrivateKeyArea } from './ui';
 
 export const CertificateAuthority = connect(
@@ -87,6 +87,55 @@ export const CertificateAuthority = connect(
               }
             </div>
           </div>
+          <div className="wiz-radio-group">
+            <div className="radio wiz-radio-group__radio">
+              <label>
+                <input
+                  type="radio"
+                  name="certificateAuthority"
+                  defaultChecked={caType === 'ca-signed'}
+                  onChange={() => setCAType('ca-signed')} />
+                I'll provide a CA-signed certificate, certificate key, and CA certificate.
+              </label>
+              <p className="text-muted wiz-help-text">Your certificate will be used by the Tectonic Console.</p>
+            </div>
+            <div className="wiz-radio-group__body">
+              {
+                caType === 'ca-signed' && <div>
+                  <div className="row form-group">
+                    <div className="col-xs-12">
+                      <WithClusterConfig field={INGRESS_CERTIFICATE}>
+                        <CertArea
+                          id={INGRESS_CERTIFICATE}
+                          autoFocus="true"
+                          uploadButtonLabel="Upload Certificate" />
+                      </WithClusterConfig>
+                    </div>
+                  </div>
+
+                  <div className="row form-group">
+                    <div className="col-xs-12">
+                      <WithClusterConfig field={INGRESS_PRIVATE_KEY}>
+                        <PrivateKeyArea
+                          id={INGRESS_PRIVATE_KEY}
+                          uploadButtonLabel="Upload Certificate Private Key" />
+                      </WithClusterConfig>
+                    </div>
+                  </div>
+
+                  <div className="row form-group">
+                    <div className="col-xs-12">
+                      <WithClusterConfig field={INGRESS_CA_CERTIFICATE}>
+                        <CertArea
+                          id={INGRESS_CA_CERTIFICATE}
+                          uploadButtonLabel="Upload CA Certificate" />
+                      </WithClusterConfig>
+                    </div>
+                  </div>
+                </div>
+              }
+            </div>
+          </div>
         </div>
       </div>
     </div>
@@ -97,6 +146,13 @@ CertificateAuthority.canNavigateForward = ({clusterConfig}) => {
     return true;
   }
 
-  return (!validate.certificate(clusterConfig[CA_CERTIFICATE]) &&
-          !validate.privateKey(clusterConfig[CA_PRIVATE_KEY]));
+
+  if (clusterConfig[CA_TYPE] === 'owned') {
+    return (!validate.certificate(clusterConfig[CA_CERTIFICATE]) &&
+            !validate.privateKey(clusterConfig[CA_PRIVATE_KEY]));
+  }
+
+  return (!validate.certificate(clusterConfig[INGRESS_CERTIFICATE]) &&
+          !validate.certificate(clusterConfig[INGRESS_CA_CERTIFICATE]) &&
+          !validate.privateKey(clusterConfig[INGRESS_PRIVATE_KEY]));
 };

modules/tectonic/assets.tf

@@ -69,8 +69,9 @@ resource "template_dir" "tectonic" {
     prometheus_callback       = "https://${var.base_address}/prometheus/auth/callback"
 
     ingress_kind     = "${var.ingress_kind}"
-    ingress_tls_cert = "${base64encode(tls_locally_signed_cert.ingress.cert_pem)}"
-    ingress_tls_key  = "${base64encode(tls_private_key.ingress.private_key_pem)}"
+    ingress_ca_cert  = "${base64encode(var.ingress_ca_cert_pem)}"
+    ingress_tls_cert = "${base64encode(var.ingress_cert_pem)}"
+    ingress_tls_key  = "${base64encode(var.ingress_key_pem)}"
 
     identity_server_tls_cert = "${base64encode(tls_locally_signed_cert.identity_server.cert_pem)}"
     identity_server_tls_key  = "${base64encode(tls_private_key.identity_server.private_key_pem)}"

modules/tectonic/crypto.tf

@@ -16,45 +16,6 @@ resource "random_id" "tectonic_monitoring_auth_cookie_secret" {
   byte_length = 16
 }
 
-# Ingress' server certificate
-
-resource "tls_private_key" "ingress" {
-  algorithm = "RSA"
-  rsa_bits  = "2048"
-}
-
-resource "tls_cert_request" "ingress" {
-  key_algorithm   = "${tls_private_key.ingress.algorithm}"
-  private_key_pem = "${tls_private_key.ingress.private_key_pem}"
-
-  subject {
-    common_name = "${element(split(":", var.base_address), 0)}"
-  }
-
-  # subject commonName is deprecated per RFC2818 in favor of
-  # subjectAltName
-  dns_names = [
-    "${element(split(":", var.base_address), 0)}",
-  ]
-}
-
-resource "tls_locally_signed_cert" "ingress" {
-  cert_request_pem = "${tls_cert_request.ingress.cert_request_pem}"
-
-  ca_key_algorithm   = "${var.ca_key_alg}"
-  ca_private_key_pem = "${var.ca_key}"
-  ca_cert_pem        = "${var.ca_cert}"
-
-  validity_period_hours = 8760
-
-  allowed_uses = [
-    "key_encipherment",
-    "digital_signature",
-    "server_auth",
-    "client_auth",
-  ]
-}
-
 # Identity's gRPC server/client certificates
 
 resource "tls_private_key" "identity_server" {

modules/tectonic/resources/manifests/console/deployment.yaml

@@ -98,6 +98,8 @@ spec:
           value: /etc/tectonic-ca-cert-secret/ca-cert
         - name: BRIDGE_LICENSE_FILE
           value: /etc/tectonic/licenses/license
+        - name: BRIDGE_DEX_CLIENT_CA_FILE
+          value: /etc/tectonic-identity-grpc-client-secret/ca-cert
         - name: BRIDGE_DEX_CLIENT_CERT_FILE
           value: /etc/tectonic-identity-grpc-client-secret/tls-cert
         - name: BRIDGE_DEX_CLIENT_KEY_FILE

modules/tectonic/resources/manifests/secrets/ca-cert.yaml

@@ -5,4 +5,4 @@ metadata:
   namespace: tectonic-system
 type: Opaque
 data:
-  ca-cert: ${ca_cert}
+  ca-cert: ${ingress_ca_cert}

modules/tectonic/variables.tf

@@ -129,3 +129,15 @@ EOF
 
   type = "string"
 }
+
+variable "ingress_ca_cert_pem" {
+  type = "string"
+}
+
+variable "ingress_cert_pem" {
+  type = "string"
+}
+
+variable "ingress_key_pem" {
+  type = "string"
+}

modules/tls/ingress/main.tf

@@ -0,0 +1,16 @@
+module "ingress_certs_self_signed" {
+  source = "./self-signed"
+
+  base_address = "${var.base_address}"
+  ca_cert_pem  = "${var.ca_cert_pem}"
+  ca_key_pem   = "${var.ca_key_pem}"
+  ca_key_alg   = "${var.ca_key_alg}"
+}
+
+module "ingress_certs_user_provided" {
+  source = "./user-provided"
+
+  ca_cert_pem = "${var.ingress_ca_cert_pem}"
+  cert_pem    = "${var.ingress_cert_pem}"
+  key_pem     = "${var.ingress_key_pem}"
+}

modules/tls/ingress/outputs.tf

@@ -0,0 +1,11 @@
+output "ca_cert_pem" {
+  value = "${var.ingress_ca_cert_pem == "" ? module.ingress_certs_self_signed.ca_cert_pem : module.ingress_certs_user_provided.ca_cert_pem}"
+}
+
+output "cert_pem" {
+  value = "${var.ingress_ca_cert_pem == "" ? module.ingress_certs_self_signed.cert_pem : module.ingress_certs_user_provided.cert_pem}"
+}
+
+output "key_pem" {
+  value = "${var.ingress_ca_cert_pem == "" ? module.ingress_certs_self_signed.key_pem : module.ingress_certs_user_provided.key_pem}"
+}