Merge pull request #13 from galiacheng/signed-ca

mriccell · web-flow · commit 3ef4831e92f1 · 2021-09-01T14:02:21.000-04:00
Add CA certificate to application gateway trusted root certificates
diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json
@@ -1095,7 +1095,7 @@
                                 "type": "Microsoft.Common.TextBlock",
                                 "visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]",
                                 "options": {
-                                    "text": "    ⁃ Generate a self-signed certificate: generate a self-signed certificate and apply it during deployment.",
+                                    "text": "    ⁃ Generate a self-signed frontend certificate: generate a self-signed frontend certificate and apply it during deployment.",
                                     "link": {
                                         "label": "Learn more",
                                         "uri": "https://aka.ms/arm-oraclelinux-wls-cluster-app-gateway-key-vault"
@@ -1106,7 +1106,7 @@
                                 "name": "certificateOption",
                                 "type": "Microsoft.Common.OptionsGroup",
                                 "label": "Select desired TLS/SSL certificate option",
-                                "defaultValue": "Generate a self-signed certificate",
+                                "defaultValue": "Upload a TLS/SSL certificate",
                                 "toolTip": "Select desired TLS/SSL certificate option",
                                 "constraints": {
                                     "allowedValues": [
@@ -1119,7 +1119,7 @@
                                             "value": "haveKeyVault"
                                         },
                                         {
-                                            "label": "Generate a self-signed certificate",
+                                            "label": "Generate a self-signed frontend certificate",
                                             "value": "generateCert"
                                         }
                                     ],
@@ -1130,7 +1130,7 @@
                             {
                                 "name": "keyVaultSSLCertData",
                                 "type": "Microsoft.Common.FileUpload",
-                                "label": "TLS/SSL certificate(.pfx)",
+                                "label": "Frontend TLS/SSL certificate(.pfx)",
                                 "toolTip": "TLS/SSL certificate used for App Gateway",
                                 "constraints": {
                                     "required": true,
@@ -1150,7 +1150,7 @@
                                     "password": "Password",
                                     "confirmPassword": "Confirm password"
                                 },
-                                "toolTip": "TLS/SSL certificate password",
+                                "toolTip": "Frontend TLS/SSL certificate password",
                                 "constraints": {
                                     "required": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]",
                                     "regex": "^((?=.*[0-9])(?=.*[a-z])|(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])|(?=.*[0-9])(?=.*[a-z])(?=.*[!@#$%^&*])|(?=.*[0-9])(?=.*[A-Z])(?=.*[!@#$%^&*])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*])).{6,128}$",
@@ -1161,6 +1161,22 @@
                                 },
                                 "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]"
                             },
+                            {
+                                "name": "keyVaultBackendSSLCertData",
+                                "type": "Microsoft.Common.FileUpload",
+                                "label": "Trusted root certificate(.cer, cert)",
+                                "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL",
+                                "constraints": {
+                                    "required": true,
+                                    "accept": ".cer, cert"
+                                },
+                                "options": {
+                                    "multiple": false,
+                                    "uploadMode": "file",
+                                    "openMode": "binary"
+                                },
+                                "visible": "[and(steps('section_appGateway').appgwIngress.enableAppGateway, steps('section_sslConfiguration').enableCustomSSL, not(equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')))]"
+                            },
                             {
                                 "name": "keyVaultResourceGroup",
                                 "type": "Microsoft.Common.TextBox",
@@ -1190,7 +1206,7 @@
                             {
                                 "name": "keyVaultSSLCertDataSecretName",
                                 "type": "Microsoft.Common.TextBox",
-                                "label": "The name of the secret in the specified Key Vault whose value is the TLS/SSL certificate data",
+                                "label": "The name of the secret in the specified Key Vault whose value is the frontend TLS/SSL certificate data",
                                 "defaultValue": "",
                                 "toolTip": "Use only letters and numbers",
                                 "constraints": {
@@ -1203,7 +1219,7 @@
                             {
                                 "name": "keyVaultSSLCertPasswordSecretName",
                                 "type": "Microsoft.Common.TextBox",
-                                "label": "The name of the secret in the specified Key Vault whose value is the password for the TLS/SSL certificate",
+                                "label": "The name of the secret in the specified Key Vault whose value is the password for the frontend TLS/SSL certificate",
                                 "defaultValue": "",
                                 "toolTip": "Use only letters and numbers",
                                 "constraints": {
@@ -1213,6 +1229,19 @@
                                 },
                                 "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]"
                             },
+                            {
+                                "name": "keyVaultBackendSSLCertDataSecretName",
+                                "type": "Microsoft.Common.TextBox",
+                                "label": "The name of the secret in the specified Key Vault whose value is the trusted root certificate data",
+                                "defaultValue": "",
+                                "toolTip": "Use only letters and numbers",
+                                "constraints": {
+                                    "required": true,
+                                    "regex": "^[a-z0-9A-Z]{1,30}$",
+                                    "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers."
+                                },
+                                "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault'))]"
+                            },
                             {
                                 "name": "servicePrincipal",
                                 "type": "Microsoft.Common.PasswordBox",
@@ -1533,6 +1562,7 @@
             "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]",
             "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]",
             "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]",
+            "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]",
             "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertData]",
             "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]",
             "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]",
@@ -1563,6 +1593,7 @@
             "location": "[location()]",
             "keyVaultName": "[steps('section_appGateway').appgwIngress.keyVaultName]",
             "keyVaultResourceGroup": "[steps('section_appGateway').appgwIngress.keyVaultResourceGroup]",
+            "keyVaultSSLBackendRootCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertDataSecretName]",
             "keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]",
             "keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]",
             "managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]",
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh b/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh
@@ -905,16 +905,12 @@ function create_appgw_ingress() {
 
   
   if [[ "${enableCustomSSL,,}" == "true" ]];then
-    # create backend tls secret
-    rootcertPath=${scriptDir}/root.cert
-    kubectl cp -n ${wlsDomainNS} ${wlsDomainUID}-${adminServerName}:${appgwBackendCertPath} ${rootcertPath}
-    validate_status "Copy public key from fileshare."
-
-    az network application-gateway root-cert create \
-      --gateway-name $appgwName  \
+    az network application-gateway root-cert list \
+      --gateway-name $appgwName \
       --resource-group $curRGName \
-      --name ${appgwBackendSecretName} \
-      --cert-file ${rootcertPath}
+      | jq '.[] | .name' | grep "${appgwBackendSecretName}"
+
+    validate_status "check if backend cert exists."
   fi
 
   # generate ingress svc config for cluster  
@@ -1002,7 +998,6 @@ export sharedPath="/shared"
 export svcAdminServer="${wlsDomainUID}-${adminServerName}"
 export svcCluster="${wlsDomainUID}-cluster-${clusterName}"
 export wlsDomainNS="${wlsDomainUID}-ns"
-export appgwBackendCertPath="${sharedPath}/security/root.cert"
 
 read_sensitive_parameters_from_stdin
 
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
@@ -427,20 +427,12 @@ function output_ssl_keystore() {
     else
         rm -f ${mntPath}/$wlsIdentityKeyStoreFileName
         rm -f ${mntPath}/$wlsTrustKeyStoreFileName
-        rm -f ${mntPath}/${wlsIdentityRootCertFileName}
         rm -f ${mntPath}/${wlsTrustKeyStoreJKSFileName}
     fi
 
     #decode cert data once again as it would got base64 encoded
     echo "$wlsIdentityData" | base64 -d >${mntPath}/$wlsIdentityKeyStoreFileName
     echo "$wlsTrustData" | base64 -d >${mntPath}/$wlsTrustKeyStoreFileName
-    # export root cert. Used as gateway backend certificate
-    ${JAVA_HOME}/bin/keytool -export \
-        -alias ${wlsIdentityAlias} \
-        -noprompt \
-        -file ${mntPath}/${wlsIdentityRootCertFileName} \
-        -keystore ${mntPath}/$wlsIdentityKeyStoreFileName \
-        -storepass ${wlsIdentityPsw}
 
     # export jks file
     # -Dweblogic.security.SSL.trustedCAKeyStorePassPhrase for PKCS12 is not working correctly
@@ -744,7 +736,6 @@ export wlsOptVersion="3.2.5"
 export wlsIdentityKeyStoreFileName="security/identity.keystore"
 export wlsTrustKeyStoreFileName="security/trust.keystore"
 export wlsTrustKeyStoreJKSFileName="security/trust.jks"
-export wlsIdentityRootCertFileName="security/root.cert"
 
 read_sensitive_parameters_from_stdin
 
diff --git a/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh b/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh
@@ -0,0 +1,25 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# This script runs on Azure Container Instance with Alpine Linux that Azure Deployment script creates.
+
+# upload trusted root certificate to Azure Application Gateway
+# $1: resource group name
+# $2: Application Gateway name
+# $3: one line based64 string of the certificate data
+
+# The value is used in setupNetworking.sh, please do not change it.
+export appgwBackendSecretName='backend-tls'
+
+echo "output certificate data to backend-cert.cer"
+echo "$3" | base64 -d >backend-cert.cer
+
+az network application-gateway root-cert create \
+      --gateway-name $2  \
+      --resource-group $1 \
+      --name ${appgwBackendSecretName} \
+      --cert-file backend-cert.cer
+
+if [ $? -ne 0 ]; then
+    echo "Failed to upload trusted root certificate to Application Gateway ${2}"
+    exit 1
+fi
diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
@@ -53,6 +53,8 @@ param aksVersion string = 'default'
 param appGatewayCertificateOption string = 'haveCert'
 @description('Public IP Name for the Application Gateway')
 param appGatewayPublicIPAddressName string = 'gwip'
+@description('The one-line, base64 string of the backend SSL root certificate data.')
+param appGatewaySSLBackendRootCertData string = 'appgw-ssl-backend-data'
 @description('The one-line, base64 string of the SSL certificate data.')
 param appGatewaySSLCertData string = 'appgw-ssl-data'
 @secure()
@@ -120,6 +122,8 @@ param keyVaultName string = 'kv-contoso'
 param keyVaultResourceGroup string = 'kv-contoso-rg'
 @description('Price tier for Key Vault.')
 param keyVaultSku string = 'Standard'
+@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Appliation Gateway backend TLS/SSL.')
+param keyVaultSSLBackendRootCertDataSecretName string = 'kv-ssl-backend-data'
 @description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data for Appliation Gateway frontend TLS/SSL.')
 param keyVaultSSLCertDataSecretName string = 'kv-ssl-data'
 @description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate of Appliation Gateway frontend TLS/SSL')
@@ -421,11 +425,13 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
   ]
 }
 
-module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultAdapter.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) {
+module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) {
   name: 'appgateway-certificates-secrets-deployment'
   params: {
+    backendCertificateDataValue: appGatewaySSLBackendRootCertData
     certificateDataValue: appGatewaySSLCertData
     certificatePasswordValue: appGatewaySSLCertPassword
+    enableCustomSSL: enableCustomSSL
     identity: identity
     sku: keyVaultSku
     subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName)
@@ -482,6 +488,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork
     identity: identity
     keyVaultName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultName : appgwSecretDeployment.outputs.keyVaultName
     keyVaultResourceGroup: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultResourceGroup : resourceGroup().name
+    keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName
     keyVaultSSLCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName
     keyVaultSSLCertPasswordSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName
     location: location
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep
@@ -0,0 +1,49 @@
+// Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+@description('Secret name of certificate data.')
+param certificateDataName string
+
+@description('Certificate data to store in the secret')
+param certificateDataValue string
+
+@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
+param enabledForTemplateDeployment bool = true
+
+@description('Name of the vault')
+param keyVaultName string
+
+@description('Price tier for Key Vault.')
+param sku string
+
+param utcValue string = utcNow()
+
+resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+  name: keyVaultName
+  location: resourceGroup().location
+  properties: {
+    enabledForTemplateDeployment: enabledForTemplateDeployment
+    sku: {
+      name: sku
+      family: 'A'
+    }
+    accessPolicies: []
+    tenantId: subscription().tenantId
+  }
+  tags:{
+    'managed-by-azure-weblogic': utcValue
+  }
+}
+
+resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+  name: '${keyVaultName}/${certificateDataName}'
+  properties: {
+    value: certificateDataValue
+  }
+  dependsOn: [
+    keyvault
+  ]
+}
+
+output keyVaultName string = keyVaultName
+output sslBackendCertDataSecretName string = certificateDataName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
@@ -2,12 +2,18 @@
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 // Deploy Application Gateway certificate secrets.
 
+@description('Backend certificate data to store in the secret')
+param backendCertificateDataValue string
+
 @description('Certificate data to store in the secret')
 param certificateDataValue string
 
 @description('Certificate password to store in the secret')
 param certificatePasswordValue string
 
+@description('true to upload trusted root certificate')
+param enableCustomSSL bool = false
+
 @description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
 param enabledForTemplateDeployment bool = true
 
@@ -33,6 +39,7 @@ param useExistingAppGatewaySSLCertificate bool = false
 @description('Current deployment time. Used as a tag in deployment script.')
 param keyVaultName string = 'GEN_UNIQUE'
 
+var name_sslBackendCertSercretName= 'myAppGatewaySSLBackendRootCert'
 var name_sslCertSecretName = 'myAppGatewaySSLCert'
 var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword'
 
@@ -60,6 +67,19 @@ module keyVaultwithExistingAppGatewaySSLCert '_keyvault/_keyvaultWithExistingCer
   }
 }
 
+module keyvaultBackendRootCert '_keyvault/_keyvaultForGatewayBackendCert.bicep' = if (enableCustomSSL) {
+  name: 'kv-appgw-e2e-ssl-backend-certificate'
+  params:{
+    certificateDataName: name_sslBackendCertSercretName
+    certificateDataValue: backendCertificateDataValue
+    enabledForTemplateDeployment: enabledForTemplateDeployment
+    keyVaultName: keyVaultName
+    sku: sku
+  }
+}
+
 output keyVaultName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.keyVaultName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.keyVaultName)
 output sslCertDataSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertDataSecretName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.secretName)
 output sslCertPwdSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertPwdSecretName: '')
+output sslBackendCertDataSecretName string = (enableCustomSSL) ? keyvaultBackendRootCert.outputs.sslBackendCertDataSecretName : ''
+
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep
diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
