diff --git a/weblogic-azure-aks/pom.xml b/weblogic-azure-aks/pom.xml
index bee3edb16..affeb4e91 100644
--- a/weblogic-azure-aks/pom.xml
+++ b/weblogic-azure-aks/pom.xml
@@ -11,7 +11,7 @@
com.oracle.weblogic.azure
wls-on-aks-azure-marketplace
- 1.0.15
+ 1.0.16
com.microsoft.azure.iaas
diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json
index 2c410f072..c27c7b280 100644
--- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json
+++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json
@@ -1095,7 +1095,7 @@
"type": "Microsoft.Common.TextBlock",
"visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]",
"options": {
- "text": " ⁃ Generate a self-signed certificate: generate a self-signed certificate and apply it during deployment.",
+ "text": " ⁃ Generate a self-signed frontend certificate: generate a self-signed frontend certificate and apply it during deployment.",
"link": {
"label": "Learn more",
"uri": "https://aka.ms/arm-oraclelinux-wls-cluster-app-gateway-key-vault"
@@ -1106,7 +1106,7 @@
"name": "certificateOption",
"type": "Microsoft.Common.OptionsGroup",
"label": "Select desired TLS/SSL certificate option",
- "defaultValue": "Generate a self-signed certificate",
+ "defaultValue": "Upload a TLS/SSL certificate",
"toolTip": "Select desired TLS/SSL certificate option",
"constraints": {
"allowedValues": [
@@ -1119,7 +1119,7 @@
"value": "haveKeyVault"
},
{
- "label": "Generate a self-signed certificate",
+ "label": "Generate a self-signed frontend certificate",
"value": "generateCert"
}
],
@@ -1130,7 +1130,7 @@
{
"name": "keyVaultSSLCertData",
"type": "Microsoft.Common.FileUpload",
- "label": "TLS/SSL certificate(.pfx)",
+ "label": "Frontend TLS/SSL certificate(.pfx)",
"toolTip": "TLS/SSL certificate used for App Gateway",
"constraints": {
"required": true,
@@ -1150,7 +1150,7 @@
"password": "Password",
"confirmPassword": "Confirm password"
},
- "toolTip": "TLS/SSL certificate password",
+ "toolTip": "Frontend TLS/SSL certificate password",
"constraints": {
"required": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]",
"regex": "^((?=.*[0-9])(?=.*[a-z])|(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])|(?=.*[0-9])(?=.*[a-z])(?=.*[!@#$%^&*])|(?=.*[0-9])(?=.*[A-Z])(?=.*[!@#$%^&*])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*])).{6,128}$",
@@ -1161,6 +1161,22 @@
},
"visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]"
},
+ {
+ "name": "keyVaultBackendSSLCertData",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Trusted root certificate(.cer, cert)",
+ "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL",
+ "constraints": {
+ "required": true,
+ "accept": ".cer, cert"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "binary"
+ },
+ "visible": "[and(steps('section_appGateway').appgwIngress.enableAppGateway, steps('section_sslConfiguration').enableCustomSSL, not(equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')))]"
+ },
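Review bot: The `accept` constraint on keyVaultBackendSSLCertData lists `.cer, cert`, and the second token has no leading dot, so it names no extension and the picker effectively admits `.cer` only (the label repeats the same typo). If `.cert` was intended, use `"accept": ".cer, .cert"` and `"label": "Trusted root certificate(.cer, .cert)"`. Since the upload is later fed to `az network application-gateway root-cert create` via `base64 -d`, the tooltip could also state what is expected, e.g. `"toolTip": "CA certificate (.cer) that issued the WebLogic Server identity certificate; used to set up end-to-end TLS/SSL between Application Gateway and WebLogic"`.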
{
"name": "keyVaultResourceGroup",
"type": "Microsoft.Common.TextBox",
@@ -1190,7 +1206,7 @@
{
"name": "keyVaultSSLCertDataSecretName",
"type": "Microsoft.Common.TextBox",
- "label": "The name of the secret in the specified Key Vault whose value is the TLS/SSL certificate data",
+ "label": "The name of the secret in the specified Key Vault whose value is the frontend TLS/SSL certificate data",
"defaultValue": "",
"toolTip": "Use only letters and numbers",
"constraints": {
@@ -1203,7 +1219,7 @@
{
"name": "keyVaultSSLCertPasswordSecretName",
"type": "Microsoft.Common.TextBox",
- "label": "The name of the secret in the specified Key Vault whose value is the password for the TLS/SSL certificate",
+ "label": "The name of the secret in the specified Key Vault whose value is the password for the frontend TLS/SSL certificate",
"defaultValue": "",
"toolTip": "Use only letters and numbers",
"constraints": {
@@ -1213,6 +1229,19 @@
},
"visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]"
},
+ {
+ "name": "keyVaultBackendSSLCertDataSecretName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "The name of the secret in the specified Key Vault whose value is the trusted root certificate data",
+ "defaultValue": "",
+ "toolTip": "Use only letters and numbers",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers."
+ },
+ "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault'))]"
+ },
{
"name": "servicePrincipal",
"type": "Microsoft.Common.PasswordBox",
@@ -1533,6 +1562,7 @@
"aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]",
"aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]",
"appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]",
+ "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]",
"appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertData]",
"appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]",
"appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]",
@@ -1563,6 +1593,7 @@
"location": "[location()]",
"keyVaultName": "[steps('section_appGateway').appgwIngress.keyVaultName]",
"keyVaultResourceGroup": "[steps('section_appGateway').appgwIngress.keyVaultResourceGroup]",
+ "keyVaultSSLBackendRootCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertDataSecretName]",
"keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]",
"keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]",
"managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]",
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh b/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh
index 9f82ec1ad..8c504fb25 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh
@@ -905,16 +905,12 @@ function create_appgw_ingress() {
if [[ "${enableCustomSSL,,}" == "true" ]];then
- # create backend tls secret
- rootcertPath=${scriptDir}/root.cert
- kubectl cp -n ${wlsDomainNS} ${wlsDomainUID}-${adminServerName}:${appgwBackendCertPath} ${rootcertPath}
- validate_status "Copy public key from fileshare."
-
- az network application-gateway root-cert create \
- --gateway-name $appgwName \
+ az network application-gateway root-cert list \
+ --gateway-name $appgwName \
--resource-group $curRGName \
- --name ${appgwBackendSecretName} \
- --cert-file ${rootcertPath}
+ | jq '.[] | .name' | grep "${appgwBackendSecretName}"
+
+ validate_status "check if backend cert exists."
fi
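Review bot: The existence check in create_appgw_ingress is a substring match: `jq '.[] | .name'` emits quoted names and `grep "${appgwBackendSecretName}"` also accepts `backend-tls-old` or `my-backend-tls`, and it echoes the match into the log. `| jq -r '.[].name' | grep -qxF "${appgwBackendSecretName}"` gives an exact fixed-string match and a clean status for `validate_status`. Because only grep's exit code reaches `validate_status`, a failing `az ... root-cert list` (missing permission, wrong gateway name) is reported as the same "backend cert missing" error; `set -o pipefail` around the pipeline, or checking the list call separately, would keep the two cases apart. create_appgw_ingress starts and ends outside this hunk, and where `appgwBackendSecretName` is defined in this script is not in the diff.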
# generate ingress svc config for cluster
@@ -1002,7 +998,6 @@ export sharedPath="/shared"
export svcAdminServer="${wlsDomainUID}-${adminServerName}"
export svcCluster="${wlsDomainUID}-cluster-${clusterName}"
export wlsDomainNS="${wlsDomainUID}-ns"
-export appgwBackendCertPath="${sharedPath}/security/root.cert"
read_sensitive_parameters_from_stdin
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
index 3e1bb69d4..58cf72e90 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
@@ -427,20 +427,12 @@ function output_ssl_keystore() {
else
rm -f ${mntPath}/$wlsIdentityKeyStoreFileName
rm -f ${mntPath}/$wlsTrustKeyStoreFileName
- rm -f ${mntPath}/${wlsIdentityRootCertFileName}
rm -f ${mntPath}/${wlsTrustKeyStoreJKSFileName}
fi
#decode cert data once again as it would got base64 encoded
echo "$wlsIdentityData" | base64 -d >${mntPath}/$wlsIdentityKeyStoreFileName
echo "$wlsTrustData" | base64 -d >${mntPath}/$wlsTrustKeyStoreFileName
- # export root cert. Used as gateway backend certificate
- ${JAVA_HOME}/bin/keytool -export \
- -alias ${wlsIdentityAlias} \
- -noprompt \
- -file ${mntPath}/${wlsIdentityRootCertFileName} \
- -keystore ${mntPath}/$wlsIdentityKeyStoreFileName \
- -storepass ${wlsIdentityPsw}
# export jks file
# -Dweblogic.security.SSL.trustedCAKeyStorePassPhrase for PKCS12 is not working correctly
@@ -744,7 +736,6 @@ export wlsOptVersion="3.2.5"
export wlsIdentityKeyStoreFileName="security/identity.keystore"
export wlsTrustKeyStoreFileName="security/trust.keystore"
export wlsTrustKeyStoreJKSFileName="security/trust.jks"
-export wlsIdentityRootCertFileName="security/root.cert"
read_sensitive_parameters_from_stdin
diff --git a/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh b/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh
new file mode 100644
index 000000000..791377935
--- /dev/null
+++ b/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh
@@ -0,0 +1,25 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# This script runs on Azure Container Instance with Alpine Linux that Azure Deployment script creates.
+
+# upload trusted root certificate to Azure Application Gateway
+# $1: resource group name
+# $2: Application Gateway name
+# $3: one line based64 string of the certificate data
+
+# The value is used in setupNetworking.sh, please do not change it.
+export appgwBackendSecretName='backend-tls'
+
+echo "output certificate data to backend-cert.cer"
+echo "$3" | base64 -d >backend-cert.cer
+
+az network application-gateway root-cert create \
+ --gateway-name $2 \
+ --resource-group $1 \
+ --name ${appgwBackendSecretName} \
+ --cert-file backend-cert.cer
+
+if [ $? -ne 0 ]; then
+ echo "Failed to upload trusted root certificate to Application Gateway ${2}"
+ exit 1
+fi
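Review bot: The decode on the `echo "$3" | base64 -d >backend-cert.cer` line is unchecked, so empty or malformed certificate data produces a truncated file that is then handed to `az network application-gateway root-cert create`, and the only error the user sees is the gateway's. Guard it with `echo "$3" | base64 -d >backend-cert.cer || { echo "Failed to decode trusted root certificate data"; exit 1; }` and quote the positional parameters in the az call (`--gateway-name "$2" --resource-group "$1"`). The comment on `appgwBackendSecretName` says the value "is used in setupNetworking.sh", but this export lives in a separate deployment-script container and cannot reach that script; it would be clearer to say that setupNetworking.sh must define the same literal `backend-tls`. The file name `uploadAppGatewayTrutedRootCert.sh` is also missing the 's' in "Trusted"; it is referenced by `loadTextContent` in the bicep module, so both would need to change together.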
diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
index d53baea6c..bc4b8196e 100644
--- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
+++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
@@ -53,6 +53,8 @@ param aksVersion string = 'default'
param appGatewayCertificateOption string = 'haveCert'
@description('Public IP Name for the Application Gateway')
param appGatewayPublicIPAddressName string = 'gwip'
+@description('The one-line, base64 string of the backend SSL root certificate data.')
+param appGatewaySSLBackendRootCertData string = 'appgw-ssl-backend-data'
@description('The one-line, base64 string of the SSL certificate data.')
param appGatewaySSLCertData string = 'appgw-ssl-data'
@secure()
@@ -120,6 +122,8 @@ param keyVaultName string = 'kv-contoso'
param keyVaultResourceGroup string = 'kv-contoso-rg'
@description('Price tier for Key Vault.')
param keyVaultSku string = 'Standard'
+@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Appliation Gateway backend TLS/SSL.')
+param keyVaultSSLBackendRootCertDataSecretName string = 'kv-ssl-backend-data'
@description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data for Appliation Gateway frontend TLS/SSL.')
param keyVaultSSLCertDataSecretName string = 'kv-ssl-data'
@description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate of Appliation Gateway frontend TLS/SSL')
@@ -421,11 +425,13 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
]
}
-module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultAdapter.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) {
+module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) {
name: 'appgateway-certificates-secrets-deployment'
params: {
+ backendCertificateDataValue: appGatewaySSLBackendRootCertData
certificateDataValue: appGatewaySSLCertData
certificatePasswordValue: appGatewaySSLCertPassword
+ enableCustomSSL: enableCustomSSL
identity: identity
sku: keyVaultSku
subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName)
@@ -482,6 +488,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork
identity: identity
keyVaultName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultName : appgwSecretDeployment.outputs.keyVaultName
keyVaultResourceGroup: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultResourceGroup : resourceGroup().name
+ keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName
keyVaultSSLCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName
keyVaultSSLCertPasswordSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName
location: location
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep
new file mode 100644
index 000000000..c5a2ab104
--- /dev/null
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep
@@ -0,0 +1,49 @@
+// Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+@description('Secret name of certificate data.')
+param certificateDataName string
+
+@description('Certificate data to store in the secret')
+param certificateDataValue string
+
+@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
+param enabledForTemplateDeployment bool = true
+
+@description('Name of the vault')
+param keyVaultName string
+
+@description('Price tier for Key Vault.')
+param sku string
+
+param utcValue string = utcNow()
+
+resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+ name: keyVaultName
+ location: resourceGroup().location
+ properties: {
+ enabledForTemplateDeployment: enabledForTemplateDeployment
+ sku: {
+ name: sku
+ family: 'A'
+ }
+ accessPolicies: []
+ tenantId: subscription().tenantId
+ }
+ tags:{
+ 'managed-by-azure-weblogic': utcValue
+ }
+}
+
+resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+ name: '${keyVaultName}/${certificateDataName}'
+ properties: {
+ value: certificateDataValue
+ }
+ dependsOn: [
+ keyvault
+ ]
+}
+
+output keyVaultName string = keyVaultName
+output sslBackendCertDataSecretName string = certificateDataName
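Review bot: This module declares vault `keyVaultName` a second time, with `accessPolicies: []`; the sibling modules in _keyvaultForGateway.bicep (not in this diff) receive the same `keyVaultName`, and if one of them creates the vault with access policies, the PUT issued here is a full replace that can race with it or reset those policies, since a vault PUT replaces `accessPolicies` rather than merging them. The module only needs to add one secret, so it is safer to reference the vault as `existing` and let the caller order the secret after the module that creates the vault; `enabledForTemplateDeployment`, `sku` and `utcValue` then become unused parameters and can be dropped.
```bicep
// The vault is created by the sibling certificate module; only add the secret here.
resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  name: '${keyVaultName}/${certificateDataName}'
  properties: {
    value: certificateDataValue
  }
}
// … unchanged: outputs …
```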
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
similarity index 76%
rename from weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep
rename to weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
index e44cd37c2..70fd23fb7 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
@@ -2,12 +2,18 @@
// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
// Deploy Application Gateway certificate secrets.
+@description('Backend certificate data to store in the secret')
+param backendCertificateDataValue string
+
@description('Certificate data to store in the secret')
param certificateDataValue string
@description('Certificate password to store in the secret')
param certificatePasswordValue string
+@description('true to upload trusted root certificate')
+param enableCustomSSL bool = false
+
@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
param enabledForTemplateDeployment bool = true
@@ -33,6 +39,7 @@ param useExistingAppGatewaySSLCertificate bool = false
@description('Current deployment time. Used as a tag in deployment script.')
param keyVaultName string = 'GEN_UNIQUE'
+var name_sslBackendCertSercretName= 'myAppGatewaySSLBackendRootCert'
var name_sslCertSecretName = 'myAppGatewaySSLCert'
var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword'
@@ -60,6 +67,19 @@ module keyVaultwithExistingAppGatewaySSLCert '_keyvault/_keyvaultWithExistingCer
}
}
+module keyvaultBackendRootCert '_keyvault/_keyvaultForGatewayBackendCert.bicep' = if (enableCustomSSL) {
+ name: 'kv-appgw-e2e-ssl-backend-certificate'
+ params:{
+ certificateDataName: name_sslBackendCertSercretName
+ certificateDataValue: backendCertificateDataValue
+ enabledForTemplateDeployment: enabledForTemplateDeployment
+ keyVaultName: keyVaultName
+ sku: sku
+ }
+}
+
output keyVaultName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.keyVaultName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.keyVaultName)
output sslCertDataSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertDataSecretName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.secretName)
output sslCertPwdSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertPwdSecretName: '')
+output sslBackendCertDataSecretName string = (enableCustomSSL) ? keyvaultBackendRootCert.outputs.sslBackendCertDataSecretName : ''
+
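Review bot: The new `keyvaultBackendRootCert` module has no `dependsOn`, so when `enableCustomSSL` is true it deploys in parallel with whichever of `keyVaultwithExistingAppGatewaySSLCert` / `keyVaultwithSelfSignedAppGatewaySSLCert` is active, and both target vault `keyVaultName` at the same time. Unless the backend module references the vault only as `existing`, add `dependsOn: [ keyVaultwithExistingAppGatewaySSLCert, keyVaultwithSelfSignedAppGatewaySSLCert ]` so the secret is written after the vault exists; as far as I know ARM ignores a dependency on a module whose condition is false, so listing both is safe. `name_sslBackendCertSercretName` has a typo ("Sercret") and lacks the space before `=` that the neighbouring declarations use.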
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep
new file mode 100644
index 000000000..416d93452
--- /dev/null
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep
@@ -0,0 +1,27 @@
+// Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+param appgwName string
+@secure()
+param sslBackendRootCertData string = newGuid()
+param identity object
+param utcValue string = utcNow()
+
+var const_arguments = '${resourceGroup().name} ${appgwName} ${sslBackendRootCertData}'
+var const_azcliVersion='2.15.0'
+var const_deploymentName='ds-upload-trusted-root-certificatre-to-gateway'
+
+resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: const_deploymentName
+ location: resourceGroup().location
+ kind: 'AzureCLI'
+ identity: identity
+ properties: {
+ azCliVersion: const_azcliVersion
+ arguments: const_arguments
+ scriptContent: loadTextContent('../../../arm/scripts/uploadAppGatewayTrutedRootCert.sh')
+ cleanupPreference: 'OnSuccess'
+ retentionInterval: 'P1D'
+ forceUpdateTag: utcValue
+ }
+}
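Review bot: `sslBackendRootCertData` is marked `@secure()` but is passed through `arguments`, which the deploymentScripts resource does not treat as secure (the value is stored on the resource and visible in its properties), so the attribute gives no protection; a trusted CA certificate is public data, so either drop `@secure()` or, if it is meant to be secret, pass it as `environmentVariables: [ { name: 'BACKEND_ROOT_CERT_DATA', secureValue: sslBackendRootCertData } ]` and read `$BACKEND_ROOT_CERT_DATA` in the script. The `newGuid()` default means a caller that omits the parameter gets a GUID uploaded as a certificate and only fails at runtime inside the script; `param sslBackendRootCertData string` with no default fails at template validation instead. `const_deploymentName` also has a typo ("certificatre").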
diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
index 54aa351ed..72447b7ea 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
@@ -45,6 +45,7 @@ param identity object
param keyVaultName string = 'kv-contoso'
@description('Resource group name in current subscription containing the KeyVault')
param keyVaultResourceGroup string = 'kv-contoso-rg'
+param keyvaultBackendCertDataSecretName string = 'kv-ssl-backend-data'
@description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data')
param keyVaultSSLCertDataSecretName string = 'kv-ssl-data'
@description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate')
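Review bot: `keyvaultBackendCertDataSecretName` is the only parameter in this group without a `@description`, and its casing (`keyvault`) and wording differ both from the sibling `keyVaultSSLCertDataSecretName` and from the mainTemplate parameter it is fed from, `keyVaultSSLBackendRootCertDataSecretName`. Suggest `@description('The name of the secret in the specified KeyVault whose value is the trusted root (CA) certificate data for Application Gateway backend TLS/SSL')` and renaming the parameter to `keyVaultSSLBackendRootCertDataSecretName`, updating the call site in mainTemplate.bicep and the `getSecret` reference in this file together.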
@@ -79,6 +80,12 @@ module pidAppgwStart './_pids/_pid.bicep' = if (enableAppGWIngress) {
}
}
+// get key vault object in a resource group
+resource existingKeyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = if (enableAppGWIngress) {
+ name: keyVaultName
+ scope: resourceGroup(keyVaultResourceGroup)
+}
+
module appgwDeployment '_azure-resoruces/_appgateway.bicep' = if (enableAppGWIngress) {
name: 'app-gateway-deployment'
params: {
@@ -90,12 +97,25 @@ module appgwDeployment '_azure-resoruces/_appgateway.bicep' = if (enableAppGWIng
]
}
-// get key vault object in a resource group
-resource existingKeyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = if (enableAppGWIngress) {
- name: keyVaultName
- scope: resourceGroup(keyVaultResourceGroup)
+/*
+ Upload trusted root certificate to Azure Application Gateway
+ To set up e2e TLS/SSL communication between Azure Application Gateway and WebLogic admin server or WebLogic cluster.
+ The certificate must be the CA certificate of WebLogic Server identity.
+*/
+module appgwBackendCertDeployment '_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep' = if (enableAppGWIngress && enableCustomSSL) {
+ name: 'app-gateway-backend-cert-deployment'
+ params: {
+ appgwName: appgwDeployment.outputs.appGatewayName
+ sslBackendRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName)
+ identity: identity
+ }
+ dependsOn: [
+ appgwDeployment
+ ]
}
+
+
module dnsZoneDeployment '_azure-resoruces/_dnsZones.bicep' = if (enableDNSConfiguration && createDNSZone) {
name: 'dnszone-deployment'
params: {
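Review bot: `existingKeyvault.getSecret(keyvaultBackendCertDataSecretName)` receives an empty string whenever `enableCustomSSL` is false and the certificate option is not `haveKeyVault`, because mainTemplate.bicep then forwards `appgwSecretDeployment.outputs.sslBackendCertDataSecretName`, which is `''` in that case. The module's condition is also false then, but whether ARM still evaluates the Key Vault secret reference on a nested deployment that is not deployed is worth confirming with a run that has custom SSL off, since an empty secret name would fail the whole deployment. The explicit `dependsOn: [ appgwDeployment ]` is redundant, as `appgwDeployment.outputs.appGatewayName` already creates that dependency.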
@@ -139,7 +159,7 @@ module networkingDeployment '_deployment-scripts/_ds-create-networking.bicep' =
wlsDomainUID: wlsDomainUID
}
dependsOn: [
- appgwDeployment
+ appgwBackendCertDeployment
dnsZoneDeployment
]
}
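Review bot: Replacing `appgwDeployment` with `appgwBackendCertDeployment` in `dependsOn` drops the ordering with the gateway when `enableCustomSSL` is false, because ARM ignores a dependency on a resource whose condition is false; networkingDeployment would then no longer wait for app-gateway-deployment unless one of its parameters outside this hunk references `appgwDeployment.outputs`. Keep both: `dependsOn: [ appgwDeployment, appgwBackendCertDeployment, dnsZoneDeployment ]`. The same applies to networkingDeployment2 and networkingDeployment3 in the following hunks. The module definition starts outside this hunk.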
@@ -177,7 +197,7 @@ module networkingDeployment2 '_deployment-scripts/_ds-create-networking.bicep' =
wlsDomainUID: wlsDomainUID
}
dependsOn: [
- appgwDeployment
+ appgwBackendCertDeployment
dnsZoneDeployment
]
}
@@ -214,7 +234,7 @@ module networkingDeployment3 '_deployment-scripts/_ds-create-networking.bicep' =
wlsDomainUID: wlsDomainUID
}
dependsOn: [
- appgwDeployment
+ appgwBackendCertDeployment
dnsZoneDeployment
]
}