From 2e5a74a2720841cb696a4161c74a51bc5e92e5f4 Mon Sep 17 00:00:00 2001
From: anttorre
Date: Mon, 13 Dec 2021 20:04:30 +0100
Subject: [PATCH] agid cert is a self signed cert renew jwt token script
---
 src/core/security.tf | 10 +++++++++
 src/core/utils/sh/renew-jwt.sh | 38 ++++++++++++++++++++++++++++++++++
 src/k8s/selc_secrets.tf | 4 ++--
 src/modules/jwt/main.tf | 8 +++++++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 src/core/utils/sh/renew-jwt.sh
diff --git a/src/core/security.tf b/src/core/security.tf
index d92ef40ec..ea1f27291 100644
--- a/src/core/security.tf
+++ b/src/core/security.tf
@@ -209,6 +209,16 @@ module "jwt_exchange" {
 tags = var.tags
 }
+module "agid_spid" {
+ source = "../modules/jwt"
+
+ jwt_name = "agid-spid"
+ key_vault_id = module.key_vault.id
+ cert_common_name = "selfcare.pagopa.it"
+ cert_password = ""
+ tags = var.tags
+}
+
 resource "null_resource" "upload_jwks" {
 triggers = {
 "changes-in-jwt" : module.jwt.certificate_data_pem
diff --git a/src/core/utils/sh/renew-jwt.sh b/src/core/utils/sh/renew-jwt.sh
new file mode 100644
index 000000000..e3f4053c0
--- /dev/null
+++ b/src/core/utils/sh/renew-jwt.sh
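Review bot: `cert_password = ""` in the new `agid_spid` module call is undocumented, so a reader cannot tell whether the empty value is deliberate or a placeholder left over from the manual population this commit replaces; a comment above it such as `# intentionally empty: <reason> — see ../modules/jwt` would settle that. The key pair behind this call appears to be a `tls_private_key` resource (the new renew-jwt.sh taints `module.<name>.tls_private_key.jwt`), which means the SAML signing key for the `selfcare.pagopa.it` metadata now lives in Terraform state as well as in Key Vault; that is already the case for the `jwt` and `jwt_exchange` calls above, but it is worth stating on this call because the previous value was populated by hand outside state. Since the certificate is self-signed (per the commit title), every rotation of this module changes the metadata certificate the SPID federation presumably has on file, so a one-line note pointing at the re-registration step would help whoever runs the renew script against this module.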
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+#
+# Renew the JWT token inside the keyvault. After this script you have to be connected to the env VPN and apply the k8s
+# module in order to update configMap and secrets and next run the k8s/scripts/restart-pods.sh in order to apply
+# the new configuration
+#
+# Environments are dev, uat or prod
+# Usage:
+# ./renew-jwt.sh env jwt_name
+#
+# ./renew-jwt.sh dev jwt
+# ./renew-jwt.sh dev jwt_exchange
+# ./renew-jwt.sh dev agid_spid
+
+set -e
+
+BASEDIR=$(dirname "$0")
+
+env=$1
+jwt_name=$2
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+if [ -z "$jwt_name" ]; then
+ echo "jwt_name should be: jwt, jwt_exchange or agid_spid."
+ exit 0
+fi
+
+"$BASEDIR"/../../terraform.sh taint $env module.$jwt_name.tls_private_key.jwt
+"$BASEDIR"/../../terraform.sh apply $env -target=module.$jwt_name
+
+printf "\n\n************************************************************************************************\n\n"
+echo "Now you have to be connected to env VPN in order to apply k8s module and next run k8s/scripts/restart-pods.sh script"
+printf "\n************************************************************************************************"
\ No newline at end of file
diff --git a/src/k8s/selc_secrets.tf b/src/k8s/selc_secrets.tf
index 0a51b9dc8..1a8d4d2d4 100644
--- a/src/k8s/selc_secrets.tf
+++ b/src/k8s/selc_secrets.tf
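Review bot: Both argument checks end in `exit 0`, so running the script with a missing env or jwt_name reports success to the caller, and neither value is validated against the lists the header comment promises, so a mistyped `jwt_name` is handed straight to `terraform.sh taint` as a resource address; the unquoted `$env` and `$jwt_name` in the two terraform.sh lines are also subject to word splitting. The rewrite below exits non-zero on usage errors, restricts both arguments to the documented values with a `case`, and quotes the expansions; adding `set -u` next to `set -e` would additionally catch the unset-variable case. The header says it renews "the JWT token", but what the script does is taint `tls_private_key.jwt`, i.e. it rotates the signing key pair, and for `agid_spid` that presumably also regenerates the self-signed metadata certificate, so a header line such as `# Rotates the key pair (for agid_spid also the self-signed metadata certificate); tokens signed with the old key stop validating once pods are restarted` would set expectations for the operator.
```shell
env=$1
jwt_name=$2

case "$env" in
  dev|uat|prod) ;;
  *) echo "env should be: dev, uat or prod." >&2; exit 1 ;;
esac

case "$jwt_name" in
  jwt|jwt_exchange|agid_spid) ;;
  *) echo "jwt_name should be: jwt, jwt_exchange or agid_spid." >&2; exit 1 ;;
esac

"$BASEDIR"/../../terraform.sh taint "$env" "module.$jwt_name.tls_private_key.jwt"
"$BASEDIR"/../../terraform.sh apply "$env" "-target=module.$jwt_name"
# … unchanged: closing printf/echo reminder …
```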
@@ -8,8 +8,8 @@ resource "kubernetes_secret" "hub-spid-login-ms" {
 APPINSIGHTS_INSTRUMENTATIONKEY = local.appinsights_instrumentation_key
 JWT_TOKEN_PRIVATE_KEY = module.key_vault_secrets_query.values["jwt-private-key"].value
- METADATA_PUBLIC_CERT = module.key_vault_secrets_query.values["agid-spid-cert"].value # TODO actually manually populated, but to try to automate in gitops
- METADATA_PRIVATE_CERT = module.key_vault_secrets_query.values["agid-spid-private-key"].value # TODO actually manually populated, but to try to automate in gitops
+ METADATA_PUBLIC_CERT = module.key_vault_secrets_query.values["agid-spid-cert"].value
+ METADATA_PRIVATE_CERT = module.key_vault_secrets_query.values["agid-spid-private-key"].value
 }
diff --git a/src/modules/jwt/main.tf b/src/modules/jwt/main.tf
index d1807cd3c..c7e9f7fc7 100644
--- a/src/modules/jwt/main.tf
+++ b/src/modules/jwt/main.tf
@@ -40,6 +40,14 @@ resource "azurerm_key_vault_secret" "jwt_public_key" {
 key_vault_id = var.key_vault_id
 }
+resource "azurerm_key_vault_secret" "jwt_cert" {
+ name = format("%s-cert", var.jwt_name)
+ value = tls_self_signed_cert.jwt_self.cert_pem
+ content_type = "text/plain"
+
+ key_vault_id = var.key_vault_id
+}
+
 resource "azurerm_key_vault_secret" "jwt_kid" {
 name = format("%s-kid", var.jwt_name)
 value = local.kid
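Review bot: The new `jwt_cert` secret carries no comment on what consumes it or how it changes: for `jwt_name = "agid-spid"` it is the value read as `METADATA_PUBLIC_CERT` by the `hub-spid-login-ms` Kubernetes secret in this same commit, and tainting `tls_private_key.jwt` (what renew-jwt.sh does) presumably recreates `tls_self_signed_cert.jwt_self` and so silently replaces this secret. A header comment along the lines of `# Self-signed certificate for the key above; for agid-spid this is the SAML metadata certificate and must be re-published wherever the metadata is registered whenever the key is rotated` would tell the operator what an apply of this module changes. The certificate's validity period is set where `tls_self_signed_cert.jwt_self` is declared, outside this hunk, and nothing here surfaces its expiry; if the repository has no expiry alerting, naming the expected lifetime in that comment is the minimum. `content_type = "text/plain"` is consistent with the sibling secrets as far as the hunk shows, though a PEM body is more accurately labelled `application/x-pem-file`, which is what Azure tooling uses for imported PEM material.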