Agid cert self signed

src/core/security.tf

@@ -209,6 +209,16 @@ module "jwt_exchange" {
   tags             = var.tags
 }
 
+module "agid_spid" {
+  source = "../modules/jwt"
+
+  jwt_name         = "agid-spid"
+  key_vault_id     = module.key_vault.id
+  cert_common_name = "selfcare.pagopa.it"
+  cert_password    = ""
+  tags             = var.tags
+}
+
 resource "null_resource" "upload_jwks" {
   triggers = {
     "changes-in-jwt" : module.jwt.certificate_data_pem

src/core/utils/sh/renew-jwt.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+#
+# Renew the JWT token inside the keyvault. After this script you have to be connected to the env VPN and apply the k8s
+# module in order to update configMap and secrets and next run the k8s/scripts/restart-pods.sh in order to apply
+# the new configuration
+#
+# Environments are dev, uat or prod
+# Usage:
+#  ./renew-jwt.sh env jwt_name
+#
+#  ./renew-jwt.sh dev jwt
+#  ./renew-jwt.sh dev jwt_exchange
+#  ./renew-jwt.sh dev agid_spid
+
+set -e
+
+BASEDIR=$(dirname "$0")
+
+env=$1
+jwt_name=$2
+
+if [ -z "$env" ]; then
+  echo "env should be: dev, uat or prod."
+  exit 0
+fi
+
+if [ -z "$jwt_name" ]; then
+  echo "jwt_name should be: jwt, jwt_exchange or agid_spid."
+  exit 0
+fi
+
+"$BASEDIR"/../../terraform.sh taint $env module.$jwt_name.tls_private_key.jwt
+"$BASEDIR"/../../terraform.sh apply $env -target=module.$jwt_name
+
+printf "\n\n************************************************************************************************\n\n"
+echo "Now you have to be connected to env VPN in order to apply k8s module and next run k8s/scripts/restart-pods.sh script"
+printf "\n************************************************************************************************"

src/k8s/selc_secrets.tf

@@ -8,8 +8,8 @@ resource "kubernetes_secret" "hub-spid-login-ms" {
     APPINSIGHTS_INSTRUMENTATIONKEY = local.appinsights_instrumentation_key
     JWT_TOKEN_PRIVATE_KEY          = module.key_vault_secrets_query.values["jwt-private-key"].value
 
-    METADATA_PUBLIC_CERT  = module.key_vault_secrets_query.values["agid-spid-cert"].value        # TODO actually manually populated, but to try to automate in gitops
-    METADATA_PRIVATE_CERT = module.key_vault_secrets_query.values["agid-spid-private-key"].value # TODO actually manually populated, but to try to automate in gitops
+    METADATA_PUBLIC_CERT  = module.key_vault_secrets_query.values["agid-spid-cert"].value
+    METADATA_PRIVATE_CERT = module.key_vault_secrets_query.values["agid-spid-private-key"].value
 
   }
 

src/modules/jwt/main.tf

@@ -40,6 +40,14 @@ resource "azurerm_key_vault_secret" "jwt_public_key" {
   key_vault_id = var.key_vault_id
 }
 
+resource "azurerm_key_vault_secret" "jwt_cert" {
+  name         = format("%s-cert", var.jwt_name)
+  value        = tls_self_signed_cert.jwt_self.cert_pem
+  content_type = "text/plain"
+
+  key_vault_id = var.key_vault_id
+}
+
 resource "azurerm_key_vault_secret" "jwt_kid" {
   name         = format("%s-kid", var.jwt_name)
   value        = local.kid