kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c205a692a3ca9b244f6fefdb4273f349dbf82798
hunfabric/blueprints/gke/patterns/kong-cloudrun/cert.tf
Julio Diez c205a692a3 Kong Gateway on GKE offloading to Cloud Run (#2299) 
* First working version including certificates and HTTPS.

It uses a mix of self-managed certificates and the CA Service.

* One CR service only behind the ILB

* Functional deployment including auto-configuration

A k8s job configures the root certificate, service and route in the admin
api to reach the CR service via Kong proxy.

* Admin API exposed internally only, and some cleanup

* Some name changes

* README

* Remove data source for the vpc and subnet

* Remove data source for Kubernetes services

* Update README

---------

Co-authored-by: Julio Castillo <jccb@google.com>
2024-05-29 16:26:25 +02:00

128 lines
3.3 KiB
HCL
Raw Blame History

/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_privateca_ca_pool" "default" {
project = var.project_id
name = "Acme-CA-pool"
location = var.region
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "default" {
project = var.project_id
certificate_authority_id = "Acme-CA"
location = var.region
pool = google_privateca_ca_pool.default.name
config {
subject_config {
subject {
common_name = "Acme-CA"
organization = "Acme"
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
client_auth = true
server_auth = true
}
}
}
}
lifetime = "31536000s" // 1 year
key_spec {
algorithm = "EC_P256_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup while testing.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
# TLS certificate for the ILB
#
resource "tls_private_key" "ilb_cert_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "google_privateca_certificate" "ilb_cert" {
project = var.project_id
certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id
location = var.region
pool = google_privateca_ca_pool.default.name
lifetime = "2592000s" // 30 days
name = var.cloudrun_svcname
config {
subject_config {
subject {
common_name = var.custom_domain
organization = "Acme"
}
subject_alt_name {
dns_names = [var.custom_domain]
}
}
x509_config {
ca_options {
is_ca = false
}
key_usage {
base_key_usage {
key_agreement = true
}
extended_key_usage {
server_auth = true
}
}
}
public_key {
format = "PEM"
key = base64encode(tls_private_key.ilb_cert_key.public_key_pem)
}
}
}
# TLS certificate to secure the control plane/data plane Kong communication
#
resource "tls_private_key" "kong" {
algorithm = "ECDSA"
ecdsa_curve = "P384"
}
resource "tls_self_signed_cert" "kong" {
allowed_uses = [
"cert_signing",
"client_auth",
"digital_signature",
"key_encipherment",
"server_auth",
]
private_key_pem = tls_private_key.kong.private_key_pem
validity_period_hours = 365 * 24 // 1 year
is_ca_certificate = true
subject {
common_name = "kong_clustering"
}
}
Reference in New Issue View Git Blame Copy Permalink