diff --git a/README.md b/README.md index c497e0c..4ce77ec 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ This will: * Use the etcd key-value store. * Demonstrate how to automatically deploy the [`docdb-example` workload](stacks/eks-workloads/docdb-example.tf). * Use [the deployed example AWS DocumentDB](stacks/eks/docdb.tf). + * Use a `trust-manager` managed CA certificates volume that includes the [Amazon RDS CA certificates (i.e. `global-bundle.pem`)](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions). The main components are: @@ -407,6 +408,16 @@ while [ -z "$(dig +short "$docdb_example_host")" ]; do sleep 5; done && dig "$do wget -qO- "$docdb_example_url" ``` +Verify the trusted CA certificates, this should include the Amazon RDS CA +certificates (e.g. `Amazon RDS eu-west-1 Root CA RSA2048 G1`): + +```bash +kubectl exec --stdin deployment/docdb-example -- bash <<'EOF' +openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \ + | openssl pkcs7 -print_certs -text -noout +EOF +``` + List all the used container images: ```bash diff --git a/config.tm.hcl b/config.tm.hcl index 3aee566..9850b6c 100644 --- a/config.tm.hcl +++ b/config.tm.hcl @@ -75,6 +75,13 @@ globals "terraform" "providers" "helm" { version = "2.13.2" } +# see https://registry.terraform.io/providers/hashicorp/http +# see https://github.com/hashicorp/terraform-provider-http +globals "terraform" "providers" "http" { + # renovate: datasource=terraform-provider depName=hashicorp/http + version = "3.4.2" +} + # see https://registry.terraform.io/providers/hashicorp/local # see https://github.com/hashicorp/terraform-provider-local globals "terraform" "providers" "local" { diff --git a/stacks/eks-workloads/.terraform.lock.hcl b/stacks/eks-workloads/.terraform.lock.hcl index 00381f1..a7d2175 100644 --- a/stacks/eks-workloads/.terraform.lock.hcl +++ b/stacks/eks-workloads/.terraform.lock.hcl 
@@ -64,6 +64,26 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.4.2" + constraints = "3.4.2" + hashes = [ + "h1:eqo0hkFNrixeaT93PC5NiU893s7rUwwOMeqnCjjj3u0=", + "zh:0ba051c9c8659ce0fec94a3d50926745f11759509c4d6de0ad5f5eb289f0edd9", + "zh:23e6760e8406fef645913bf47bfab1ca984c1c5805d2bb0ef8310b16913d29cd", + "zh:3c69fde4548bfe65b968534c4df8d699648c921d6a065b97fec5faece73a442b", + "zh:41c7f9a8c117704b7a8fa96a57ebfb92b72129d9625128eeb0dee7d5a09d1110", + "zh:59d09d2e00727df10565cc82a33250b44201fcd353eb2b1579507a5a0adcce18", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:c95b2f63d4357b3068531b90d9dca62a32551d7693defb7ab14b650b5d139c57", + "zh:cc0a3bbd3026191b35f417d3a8f26bdfad376d15be9e8d99a8803487ca5b0105", + "zh:d1185c6abb3ba25123fb7df1ad7dbe2b9cd8f43962628da551040fbe1934656f", + "zh:dfb26fccab7ecdc150f67415e6cfe19d699dc43e8bf5722f36032b17b46a0fbe", + "zh:eb1fcc00073bc0463f64e49600a73d925b1a0c0ae5b94dd7b67d3ebac248a113", + "zh:ec9b9ad69cf790cb0603a1036d758063bbbc35c0c75f72dd04a1eddaf46ad010", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.30.0" constraints = "2.30.0" diff --git a/stacks/eks-workloads/_providers.tf b/stacks/eks-workloads/_providers.tf index aeca820..3f7875f 100644 --- a/stacks/eks-workloads/_providers.tf +++ b/stacks/eks-workloads/_providers.tf @@ -15,6 +15,10 @@ terraform { source = "hashicorp/helm" version = "2.13.2" } + http = { + source = "hashicorp/http" + version = "3.4.2" + } kubernetes = { source = "hashicorp/kubernetes" version = "2.30.0" diff --git a/stacks/eks-workloads/docdb-example.tf b/stacks/eks-workloads/docdb-example.tf index ac0ec7c..21380e7 100644 --- a/stacks/eks-workloads/docdb-example.tf +++ b/stacks/eks-workloads/docdb-example.tf 
@@ -2,7 +2,7 @@ locals { docdb_example_fqdn = "docdb-example.${var.ingress_domain}" # see Connecting Programmatically to Amazon DocumentDB at https://docs.aws.amazon.com/documentdb/latest/developerguide/ docdb_example_master_connection_string = format( - "mongodb://%s:%s@%s:%d/?tls=true&tlsCAFile=global-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false", + "mongodb://%s:%s@%s:%d/?tls=true&tlsCAFile=/etc/ssl/certs/ca-certificates.crt&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false", urlencode("master"), urlencode("Ex0mple!"), data.external.docdb_example.result.endpoint, @@ -176,6 +176,12 @@ resource "kubernetes_deployment_v1" "docdb_example" { } } } + # see https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/root_linux.go + volume_mount { + name = "ca-certificates" + mount_path = "/etc/ssl/certs" + read_only = true + } port { name = "web" container_port = 8000 
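Review bot: Switching `tlsCAFile` to `/etc/ssl/certs/ca-certificates.crt` widens what the DocumentDB client will accept from the RDS roots alone to every CA in the merged trust-manager bundle, because the Bundle that produces that file (later in this commit) also sets `useDefaultCAs = true`. The previous `tlsCAFile=global-bundle.pem` effectively pinned the connection to Amazon's CAs; now any CA in the distro default set could vouch for the cluster endpoint. If that relaxation is intended, state it next to the connection string, e.g. `# NB tlsCAFile now points at the merged bundle (default CAs + Amazon RDS CAs), not only the RDS roots.`; otherwise keep a dedicated RDS-only file for this client. The `locals` block continues outside the hunk.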
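Review bot: The new `volume_mount` at `/etc/ssl/certs` replaces the image's whole directory with a single `ca-certificates.crt`, so any hashed per-CA symlinks or distro bundles the image kept there are no longer visible in the container. That is presumably fine for the Go client, given the linked root_linux.go comment, but other tooling in the image that scans the directory may see an empty store, and the comment should record the trade-off, e.g. `# NB this shadows the image's /etc/ssl/certs; only ca-certificates.crt from the bundle is visible.` A `subPath` mount would preserve the rest of the directory but would not pick up bundle updates, so the directory mount is defensible once documented. The `kubernetes_deployment_v1` resource continues outside the hunk.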
@@ -197,6 +203,70 @@ resource "kubernetes_deployment_v1" "docdb_example" { } } } + volume { + name = "ca-certificates" + config_map { + name = kubernetes_manifest.docdb_example_ca_certificates.manifest.metadata.name + default_mode = "0444" + } + } + } + } + } +} + +# see https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled +# see https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http +data "http" "aws_rds_ca_certificates" { + url = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" +} + +# see https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html#connect_programmatically-tls_enabled +# see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1 +resource "kubernetes_config_map_v1" "aws_rds_ca_certificates" { + metadata { + namespace = "cert-manager" + name = "aws-rds-ca-certificates" + } + data = { + "ca-certificates.crt" = data.http.aws_rds_ca_certificates.response_body + } +} + +# NB the bundle object will create the docdb-example-ca-certificates configmap. +# NB this is a kubernetes cluster level object. 
+# see https://cert-manager.io/docs/trust/trust-manager/api-reference/ +# see https://cert-manager.io/docs/tutorials/getting-started-with-trust-manager/ +# see https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/root_linux.go +# see https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest +resource "kubernetes_manifest" "docdb_example_ca_certificates" { + manifest = { + apiVersion = "trust.cert-manager.io/v1alpha1" + kind = "Bundle" + metadata = { + name = "docdb-example-ca-certificates" + } + spec = { + sources = [ + { + useDefaultCAs = true + }, + { + configMap = { + name = kubernetes_config_map_v1.aws_rds_ca_certificates.metadata[0].name + key = "ca-certificates.crt" + } + }, + ] + target = { + namespaceSelector = { + matchLabels = { + "kubernetes.io/metadata.name" = "default" + } + } + configMap = { + key = "ca-certificates.crt" + } } } } diff --git a/stacks/eks-workloads/providers.tm.hcl b/stacks/eks-workloads/providers.tm.hcl index baf21f0..039a36c 100644 --- a/stacks/eks-workloads/providers.tm.hcl +++ b/stacks/eks-workloads/providers.tm.hcl @@ -21,6 +21,12 @@ generate_hcl "_providers.tf" { source = "hashicorp/helm" version = global.terraform.providers.helm.version } + # see https://registry.terraform.io/providers/hashicorp/http + # see https://github.com/hashicorp/terraform-provider-http + http = { + source = "hashicorp/http" + version = global.terraform.providers.http.version + } # see https://registry.terraform.io/providers/hashicorp/external # see https://github.com/hashicorp/terraform-provider-external external = {
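Review bot: `data "http" "aws_rds_ca_certificates"` writes `response_body` straight into the `aws-rds-ca-certificates` ConfigMap without checking that the download succeeded; as far as I recall the 3.x hashicorp/http provider does not fail on a non-2xx status, so a transient error page from truststore.pki.rds.amazonaws.com would be stored as the RDS CA set and either break the Bundle sync or be silently merged with the default CAs. A `lifecycle` postcondition that requires `status_code == 200` and a PEM-looking body makes the plan fail loudly instead. Note also that the bundle is re-fetched on every plan and kept in Terraform state, which is harmless for public CA certificates but is a supply-chain trust point worth a comment above the data source.

```hcl
data "http" "aws_rds_ca_certificates" {
  url = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"

  # NB fail the plan when the bundle could not be downloaded or is not PEM;
  #    the http provider does not error on non-2xx responses by itself.
  lifecycle {
    postcondition {
      condition     = self.status_code == 200 && can(regex("-----BEGIN CERTIFICATE-----", self.response_body))
      error_message = "Failed to download the Amazon RDS CA certificates bundle (HTTP status ${self.status_code})."
    }
  }
}
# … unchanged: aws_rds_ca_certificates configmap and docdb-example-ca-certificates Bundle …
```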