Merge pull request #370 from sap-contributions/cert_renewal_jobs_wg_ci

Automatic certificate regeneration for capi load balancer certificates
cloudfoundry · May 23, 2024 · d0e4f8c · d0e4f8c
2 parents 217fe41 + e231635
commit d0e4f8c
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 3 deletions.
diff --git a/docs/concourse/certificate_regeneration.md b/docs/concourse/certificate_regeneration.md
@@ -6,7 +6,7 @@ The automated regeneration is provided as separate Terragrunt module which must
 
 ## Prerequisites
 
-The certificate's CA must be stored in CredHub, and they must be correctly linked.
+The certificate's CA must be stored in CredHub, and the certificate must be correctly linked to the CA.
 
 ## Configuration and deployment
 
@@ -46,6 +46,10 @@ value: <redacted>
 version_created_at: "2024-05-07T12:23:43Z"
 (...)
 ```
+Afterward, you should delete the job with:
+```
+kubectl -n concourse delete job cert-regen-job
+```
 
 ## Limitations
 

diff --git a/docs/concourse/concourse-architecture.drawio.svg b/docs/concourse/concourse-architecture.drawio.svg
diff --git a/terragrunt/concourse-wg-ci/automatic_certificate_regeneration/.terraform.lock.hcl b/terragrunt/concourse-wg-ci/automatic_certificate_regeneration/.terraform.lock.hcl
diff --git a/terragrunt/concourse-wg-ci/automatic_certificate_regeneration/cert_regen.hcl b/terragrunt/concourse-wg-ci/automatic_certificate_regeneration/cert_regen.hcl
@@ -0,0 +1,34 @@
+locals {
+  config = yamldecode(file("../config.yaml"))
+}
+
+remote_state {
+  backend = "gcs"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite"
+  }
+  config = {
+    bucket         = "${local.config.gcs_bucket}"
+    prefix         = "${local.config.gcs_prefix}/automatic-certificate-regeneration"
+    project        = "${local.config.project}"
+    location       = "${local.config.region}"
+    # use for uniform bucket-level access
+    # (https://cloud.google.com/storage/docs/uniform-bucket-level-access)
+    enable_bucket_policy_only = false
+  }
+}
+
+terraform {
+  source = local.config.tf_modules.automatic_certificate_regeneration
+}
+
+inputs = {
+  project = local.config.project
+  region  = local.config.region
+  zone    = local.config.zone
+
+  gke_name = local.config.gke_name
+
+  certificates_to_regenerate = local.config.certificates_to_regenerate
+}
diff --git a/terragrunt/concourse-wg-ci/config.yaml b/terragrunt/concourse-wg-ci/config.yaml
@@ -34,6 +34,7 @@ tf_modules:
   dr_create: "../../..//terraform-modules/concourse/dr_create"
   dr_restore: "../../..//terraform-modules/concourse/dr_restore"
   secret_rotation_postgresql: "../../..//terraform-modules/concourse/secret_rotation_postgresql"
+  automatic_certificate_regeneration: "../../..//terraform-modules/concourse/automatic_certificate_regeneration"
 
 
 
@@ -110,3 +111,7 @@ wg_ci_cnrm_service_account_permissions: [
     "cloudsql.databases.list",
     "cloudsql.databases.update"
   ]
+
+# list of certificates that shall be automatically renewed every month
+# enter as one string with a comma-separated list of CredHub certificate names
+certificates_to_regenerate: "/concourse/capi-team/kiki_lb,/concourse/capi-team/scar_lb,/concourse/capi-team/elsa_lb,/concourse/capi-team/asha_lb"