From 484fd04f2bedb09c6ee4444355f8f83d4a4805c0 Mon Sep 17 00:00:00 2001 
From: "haixia.cheng@microsoft.com" Date: Thu, 19 Aug 2021 14:54:34 +0800 Subject: [PATCH] On branch signed-ca: upload signed ca certificate to application gateway trusted root certificates. Changes to be committed: modified: pom.xml modified: src/main/arm/createUiDefinition.json modified: src/main/arm/scripts/setupNetworking.sh modified: src/main/arm/scripts/setupWLSDomain.sh new file: weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh modified: src/main/bicep/mainTemplate.bicep modified: src/main/bicep/modules/_azure-resoruces/_appgateway.bicep new file: src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep renamed: src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep -> src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep modified: src/main/bicep/modules/networking.bicep --- weblogic-azure-aks/pom.xml | 2 +- .../src/main/arm/createUiDefinition.json | 45 ++++++++++++++--- .../src/main/arm/scripts/setupNetworking.sh | 15 ++---- .../src/main/arm/scripts/setupWLSDomain.sh | 9 ---- .../scripts/uploadAppGatewayTrutedRootCert.sh | 25 ++++++++++ .../src/main/bicep/mainTemplate.bicep | 9 +++- .../_keyvaultForGatewayBackendCert.bicep | 49 +++++++++++++++++++ ...dapter.bicep => _keyvaultForGateway.bicep} | 20 ++++++++ ...ppgw-upload-trusted-root-certificate.bicep | 27 ++++++++++ .../src/main/bicep/modules/networking.bicep | 34 ++++++++++--- 10 files changed, 200 insertions(+), 35 deletions(-) create mode 100644 weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh create mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep rename weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/{_keyvaultAdapter.bicep => _keyvaultForGateway.bicep} (76%) create mode 100644 weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep 
diff --git a/weblogic-azure-aks/pom.xml b/weblogic-azure-aks/pom.xml index bee3edb16..affeb4e91 100644 --- a/weblogic-azure-aks/pom.xml +++ b/weblogic-azure-aks/pom.xml @@ -11,7 +11,7 @@ com.oracle.weblogic.azure wls-on-aks-azure-marketplace - 1.0.15 + 1.0.16 com.microsoft.azure.iaas diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index 2c410f072..c27c7b280 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json +++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json @@ -1095,7 +1095,7 @@ "type": "Microsoft.Common.TextBlock", "visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]", "options": { - "text": "    ⁃ Generate a self-signed certificate: generate a self-signed certificate and apply it during deployment.", + "text": "    ⁃ Generate a self-signed frontend certificate: generate a self-signed frontend certificate and apply it during deployment.", "link": { "label": "Learn more", "uri": "https://aka.ms/arm-oraclelinux-wls-cluster-app-gateway-key-vault" @@ -1106,7 +1106,7 @@ "name": "certificateOption", "type": "Microsoft.Common.OptionsGroup", "label": "Select desired TLS/SSL certificate option", - "defaultValue": "Generate a self-signed certificate", + "defaultValue": "Upload a TLS/SSL certificate", "toolTip": "Select desired TLS/SSL certificate option", "constraints": { "allowedValues": [ @@ -1119,7 +1119,7 @@ "value": "haveKeyVault" }, { - "label": "Generate a self-signed certificate", + "label": "Generate a self-signed frontend certificate", "value": "generateCert" } ], @@ -1130,7 +1130,7 @@ { "name": "keyVaultSSLCertData", "type": "Microsoft.Common.FileUpload", - "label": "TLS/SSL certificate(.pfx)", + "label": "Frontend TLS/SSL certificate(.pfx)", "toolTip": "TLS/SSL certificate used for App Gateway", "constraints": { "required": true, 
@@ -1150,7 +1150,7 @@ "password": "Password", "confirmPassword": "Confirm password" }, - "toolTip": "TLS/SSL certificate password", + "toolTip": "Frontend TLS/SSL certificate password", "constraints": { "required": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]", "regex": "^((?=.*[0-9])(?=.*[a-z])|(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])|(?=.*[0-9])(?=.*[a-z])(?=.*[!@#$%^&*])|(?=.*[0-9])(?=.*[A-Z])(?=.*[!@#$%^&*])|(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*])).{6,128}$", @@ -1161,6 +1161,22 @@ }, "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]" }, + { + "name": "keyVaultBackendSSLCertData", + "type": "Microsoft.Common.FileUpload", + "label": "Trusted root certificate(.cer, cert)", + "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL", + "constraints": { + "required": true, + "accept": ".cer, cert" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "binary" + }, + "visible": "[and(steps('section_appGateway').appgwIngress.enableAppGateway, steps('section_sslConfiguration').enableCustomSSL, not(equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')))]" + }, { "name": "keyVaultResourceGroup", "type": "Microsoft.Common.TextBox", @@ -1190,7 +1206,7 @@ { "name": "keyVaultSSLCertDataSecretName", "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the TLS/SSL certificate data", + "label": "The name of the secret in the specified Key Vault whose value is the frontend TLS/SSL certificate data", "defaultValue": "", "toolTip": "Use only letters and numbers", "constraints": { 
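Review bot: The new `keyVaultBackendSSLCertData` upload constrains files with `"accept": ".cer, cert"`, and the second token has no leading dot, so it is not a valid extension filter and `.cert` files are not offered in the file dialog even though the label advertises them; use `"accept": ".cer, .cert"`. The toolTip should also say what the gateway will receive, since the binary upload is later base64-decoded and handed unchanged to `az network application-gateway root-cert create` by the upload script in this patch, e.g. `"toolTip": "CA certificate that issued the WebLogic Server identity certificate (.cer); uploaded to Application Gateway as a trusted root for end-to-end TLS/SSL"`. The enclosing `appgwIngress` element list starts and ends outside this hunk.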
@@ -1203,7 +1219,7 @@ { "name": "keyVaultSSLCertPasswordSecretName", "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the password for the TLS/SSL certificate", + "label": "The name of the secret in the specified Key Vault whose value is the password for the frontend TLS/SSL certificate", "defaultValue": "", "toolTip": "Use only letters and numbers", "constraints": { @@ -1213,6 +1229,19 @@ }, "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" }, + { + "name": "keyVaultBackendSSLCertDataSecretName", + "type": "Microsoft.Common.TextBox", + "label": "The name of the secret in the specified Key Vault whose value is the trusted root certificate data", + "defaultValue": "", + "toolTip": "Use only letters and numbers", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." + }, + "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault'))]" + }, { "name": "servicePrincipal", "type": "Microsoft.Common.PasswordBox", @@ -1533,6 +1562,7 @@ "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]", "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]", "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]", + "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]", "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertData]", "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]", "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]", 
@@ -1563,6 +1593,7 @@ "location": "[location()]", "keyVaultName": "[steps('section_appGateway').appgwIngress.keyVaultName]", "keyVaultResourceGroup": "[steps('section_appGateway').appgwIngress.keyVaultResourceGroup]", + "keyVaultSSLBackendRootCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertDataSecretName]", "keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]", "keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]", "managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]", diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh b/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh index 9f82ec1ad..8c504fb25 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/setupNetworking.sh @@ -905,16 +905,12 @@ function create_appgw_ingress() { if [[ "${enableCustomSSL,,}" == "true" ]];then - # create backend tls secret - rootcertPath=${scriptDir}/root.cert - kubectl cp -n ${wlsDomainNS} ${wlsDomainUID}-${adminServerName}:${appgwBackendCertPath} ${rootcertPath} - validate_status "Copy public key from fileshare." - - az network application-gateway root-cert create \ - --gateway-name $appgwName \ + az network application-gateway root-cert list \ + --gateway-name $appgwName \ --resource-group $curRGName \ - --name ${appgwBackendSecretName} \ - --cert-file ${rootcertPath} + | jq '.[] | .name' | grep "${appgwBackendSecretName}" + + validate_status "check if backend cert exists." fi # generate ingress svc config for cluster @@ -1002,7 +998,6 @@ export sharedPath="/shared" export svcAdminServer="${wlsDomainUID}-${adminServerName}" export svcCluster="${wlsDomainUID}-cluster-${clusterName}" export wlsDomainNS="${wlsDomainUID}-ns" -export appgwBackendCertPath="${sharedPath}/security/root.cert" read_sensitive_parameters_from_stdin 
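Review bot: The replacement existence check `jq '.[] | .name' | grep "${appgwBackendSecretName}"` is a substring match over quoted JSON strings, so any trusted root cert whose name merely contains `backend-tls` (an older `backend-tls-old`, say) satisfies it, and without `pipefail` a failing `az ... list` is only reported indirectly as grep's exit 1 on empty input. An exact match that still fails when the list call fails is `az network application-gateway root-cert list --gateway-name $appgwName --resource-group $curRGName | jq -e --arg n "${appgwBackendSecretName}" 'any(.[]; .name == $n)' >/dev/null`, followed by the existing `validate_status`. Note that this only proves the trusted-root resource exists on the gateway; whether the backend HTTP settings reference it is decided elsewhere and is not visible here. `create_appgw_ingress` starts and ends outside this hunk.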
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh index 3e1bb69d4..58cf72e90 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh @@ -427,20 +427,12 @@ function output_ssl_keystore() { else rm -f ${mntPath}/$wlsIdentityKeyStoreFileName rm -f ${mntPath}/$wlsTrustKeyStoreFileName - rm -f ${mntPath}/${wlsIdentityRootCertFileName} rm -f ${mntPath}/${wlsTrustKeyStoreJKSFileName} fi #decode cert data once again as it would got base64 encoded echo "$wlsIdentityData" | base64 -d >${mntPath}/$wlsIdentityKeyStoreFileName echo "$wlsTrustData" | base64 -d >${mntPath}/$wlsTrustKeyStoreFileName - # export root cert. Used as gateway backend certificate - ${JAVA_HOME}/bin/keytool -export \ - -alias ${wlsIdentityAlias} \ - -noprompt \ - -file ${mntPath}/${wlsIdentityRootCertFileName} \ - -keystore ${mntPath}/$wlsIdentityKeyStoreFileName \ - -storepass ${wlsIdentityPsw} # export jks file # -Dweblogic.security.SSL.trustedCAKeyStorePassPhrase for PKCS12 is not working correctly @@ -744,7 +736,6 @@ export wlsOptVersion="3.2.5" export wlsIdentityKeyStoreFileName="security/identity.keystore" export wlsTrustKeyStoreFileName="security/trust.keystore" export wlsTrustKeyStoreJKSFileName="security/trust.jks" -export wlsIdentityRootCertFileName="security/root.cert" read_sensitive_parameters_from_stdin diff --git a/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh b/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh new file mode 100644 index 000000000..791377935 --- /dev/null +++ b/weblogic-azure-aks/src/main/arm/scripts/uploadAppGatewayTrutedRootCert.sh 
@@ -0,0 +1,25 @@
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# This script runs on Azure Container Instance with Alpine Linux that Azure Deployment script creates.
+
+# upload trusted root certificate to Azure Application Gateway
+# $1: resource group name
+# $2: Application Gateway name
+# $3: one line based64 string of the certificate data
+
+# The value is used in setupNetworking.sh, please do not change it.
+export appgwBackendSecretName='backend-tls'
+
+echo "output certificate data to backend-cert.cer"
+echo "$3" | base64 -d >backend-cert.cer
+
+az network application-gateway root-cert create \
+ --gateway-name $2 \
+ --resource-group $1 \
+ --name ${appgwBackendSecretName} \
+ --cert-file backend-cert.cer
+
+if [ $? -ne 0 ]; then
+ echo "Failed to upload trusted root certificate to Application Gateway ${2}"
+ exit 1
+fi
diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
index d53baea6c..bc4b8196e 100644
--- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
+++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
@@ -53,6 +53,8 @@ param aksVersion string = 'default'
 param appGatewayCertificateOption string = 'haveCert'
 @description('Public IP Name for the Application Gateway')
 param appGatewayPublicIPAddressName string = 'gwip'
+@description('The one-line, base64 string of the backend SSL root certificate data.')
+param appGatewaySSLBackendRootCertData string = 'appgw-ssl-backend-data'
 @description('The one-line, base64 string of the SSL certificate data.')
 param appGatewaySSLCertData string = 'appgw-ssl-data'
 @secure()
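Review bot: `echo "$3" | base64 -d >backend-cert.cer` is never checked, so an empty or non-base64 third argument leaves an empty or garbage `backend-cert.cer` that is then pushed to the gateway, and with no shebang and no `set -e` only the final `az` call is error-checked at all. Decode under `set -eu`, fail fast when the argument is missing or does not decode, and sanity-check that the result is a CA certificate before calling `root-cert create` — the patch itself stops exporting the leaf identity cert for this slot, so a leaf arriving here is a user error worth a clear message (the openssl check assumes the CLI image ships openssl and that the .cer is PEM; add `-inform DER` if binary DER is uploaded). Quote `"$1"` and `"$2"` while there. The exported `appgwBackendSecretName='backend-tls'` is a cross-file contract with setupNetworking.sh, as the comment says; passing the name in as an argument would avoid duplicating the literal.
```shell
#!/bin/sh
set -eu

# … unchanged: header comments and appgwBackendSecretName export …

if [ -z "${3:-}" ]; then
  echo "Certificate data (argument 3) is missing"
  exit 1
fi

echo "output certificate data to backend-cert.cer"
if ! echo "$3" | base64 -d >backend-cert.cer; then
  echo "Certificate data is not valid base64"
  exit 1
fi

# The gateway trusts CA certificates here, not the server's leaf certificate;
# fail with a clear message instead of a late error from az.
# Assumes PEM input and openssl in the image — confirm for the CLI container.
if ! openssl x509 -in backend-cert.cer -noout -text | grep -q 'CA:TRUE'; then
  echo "backend-cert.cer is not a CA certificate (basicConstraints CA:TRUE missing)"
  exit 1
fi

if ! az network application-gateway root-cert create \
  --gateway-name "$2" \
  --resource-group "$1" \
  --name "${appgwBackendSecretName}" \
  --cert-file backend-cert.cer; then
  echo "Failed to upload trusted root certificate to Application Gateway ${2}"
  exit 1
fi
```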
@@ -120,6 +122,8 @@ param keyVaultName string = 'kv-contoso' param keyVaultResourceGroup string = 'kv-contoso-rg' @description('Price tier for Key Vault.') param keyVaultSku string = 'Standard' +@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Appliation Gateway backend TLS/SSL.') +param keyVaultSSLBackendRootCertDataSecretName string = 'kv-ssl-backend-data' @description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data for Appliation Gateway frontend TLS/SSL.') param keyVaultSSLCertDataSecretName string = 'kv-ssl-data' @description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate of Appliation Gateway frontend TLS/SSL') @@ -421,11 +425,13 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i ] } -module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultAdapter.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { +module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { name: 'appgateway-certificates-secrets-deployment' params: { + backendCertificateDataValue: appGatewaySSLBackendRootCertData certificateDataValue: appGatewaySSLCertData certificatePasswordValue: appGatewaySSLCertPassword + enableCustomSSL: enableCustomSSL identity: identity sku: keyVaultSku subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) 
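Review bot: The new `@description` for `keyVaultSSLBackendRootCertDataSecretName` repeats the `Appliation` typo of the two existing descriptions below it; write `@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Application Gateway backend TLS/SSL.')` and fix the two pre-existing lines in the same pass. The description could also say that the secret holds a one-line base64 CA certificate, since that is the format the upload script decodes.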
@@ -482,6 +488,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork identity: identity keyVaultName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultName : appgwSecretDeployment.outputs.keyVaultName keyVaultResourceGroup: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultResourceGroup : resourceGroup().name + keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName keyVaultSSLCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName keyVaultSSLCertPasswordSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName location: location diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep new file mode 100644 index 000000000..c5a2ab104 --- /dev/null +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep 
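Review bot: The new argument is spelled `keyvaultBackendCertDataSecretName` while every sibling parameter in this call and in mainTemplate uses the `keyVault...` prefix (`keyVaultSSLCertDataSecretName`, `keyVaultSSLCertPasswordSecretName`), so the networking module now exposes two casings for the same concept. Name it to match the mainTemplate parameter it forwards, `keyVaultSSLBackendRootCertDataSecretName: (...) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName`, and rename the parameter declaration in networking.bicep accordingly. The `networkingDeployment` module call starts and ends outside this hunk.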
@@ -0,0 +1,49 @@
+// Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+@description('Secret name of certificate data.')
+param certificateDataName string
+
+@description('Certificate data to store in the secret')
+param certificateDataValue string
+
+@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
+param enabledForTemplateDeployment bool = true
+
+@description('Name of the vault')
+param keyVaultName string
+
+@description('Price tier for Key Vault.')
+param sku string
+
+param utcValue string = utcNow()
+
+resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+ name: keyVaultName
+ location: resourceGroup().location
+ properties: {
+ enabledForTemplateDeployment: enabledForTemplateDeployment
+ sku: {
+ name: sku
+ family: 'A'
+ }
+ accessPolicies: []
+ tenantId: subscription().tenantId
+ }
+ tags:{
+ 'managed-by-azure-weblogic': utcValue
+ }
+}
+
+resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
+ name: '${keyVaultName}/${certificateDataName}'
+ properties: {
+ value: certificateDataValue
+ }
+ dependsOn: [
+ keyvault
+ ]
+}
+
+output keyVaultName string = keyVaultName
+output sslBackendCertDataSecretName string = certificateDataName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
similarity index 76%
rename from weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep
rename to weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
index e44cd37c2..70fd23fb7 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultAdapter.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep
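Review bot: `resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01'` declares a vault with `accessPolicies: []` under the same `keyVaultName` that the parent (next hunk) also passes to `keyVaultwithSelfSignedAppGatewaySSLCert` / `keyVaultwithExistingAppGatewaySSLCert`; if those modules create that vault, as their names suggest (their bodies are not in this patch), two full PUTs on one vault run concurrently and this one's empty policy list can reset whatever access the sibling granted. This module only needs to add a secret, so reference the vault as `existing`, attach the secret with `parent:`, and have the parent order the module after the vault-creating one; the `sku`, `enabledForTemplateDeployment` and `utcValue` parameters then disappear from this module and from the parent call. `enabledForTemplateDeployment` still has to be true on the vault because networking.bicep reads the secret with `getSecret()`, but that stays the responsibility of the module that owns the vault.
```bicep
@description('Secret name of certificate data.')
param certificateDataName string

@description('Certificate data to store in the secret')
param certificateDataValue string

@description('Name of the vault. Must already exist; created by the sibling gateway-certificate module.')
param keyVaultName string

// Reference only: a second PUT of the vault with accessPolicies: [] would
// reset the policies the sibling module grants.
resource keyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: keyVaultName
}

resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
  parent: keyvault
  name: certificateDataName
  properties: {
    value: certificateDataValue
  }
}

// … unchanged: outputs …
```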
@@ -2,12 +2,18 @@ // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. // Deploy Application Gateway certificate secrets. +@description('Backend certificate data to store in the secret') +param backendCertificateDataValue string + @description('Certificate data to store in the secret') param certificateDataValue string @description('Certificate password to store in the secret') param certificatePasswordValue string +@description('true to upload trusted root certificate') +param enableCustomSSL bool = false + @description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') param enabledForTemplateDeployment bool = true @@ -33,6 +39,7 @@ param useExistingAppGatewaySSLCertificate bool = false @description('Current deployment time. Used as a tag in deployment script.') param keyVaultName string = 'GEN_UNIQUE' +var name_sslBackendCertSercretName= 'myAppGatewaySSLBackendRootCert' var name_sslCertSecretName = 'myAppGatewaySSLCert' var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword' 
@@ -60,6 +67,19 @@ module keyVaultwithExistingAppGatewaySSLCert '_keyvault/_keyvaultWithExistingCer } } +module keyvaultBackendRootCert '_keyvault/_keyvaultForGatewayBackendCert.bicep' = if (enableCustomSSL) { + name: 'kv-appgw-e2e-ssl-backend-certificate' + params:{ + certificateDataName: name_sslBackendCertSercretName + certificateDataValue: backendCertificateDataValue + enabledForTemplateDeployment: enabledForTemplateDeployment + keyVaultName: keyVaultName + sku: sku + } +} + output keyVaultName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.keyVaultName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.keyVaultName) output sslCertDataSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertDataSecretName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.secretName) output sslCertPwdSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertPwdSecretName: '') +output sslBackendCertDataSecretName string = (enableCustomSSL) ? keyvaultBackendRootCert.outputs.sslBackendCertDataSecretName : '' + diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep new file mode 100644 index 000000000..416d93452 --- /dev/null +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep 
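Review bot: `module keyvaultBackendRootCert` has no `dependsOn`, so it deploys in parallel with `keyVaultwithSelfSignedAppGatewaySSLCert` and `keyVaultwithExistingAppGatewaySSLCert`, which receive the same `keyVaultName`; if one of those creates the vault, this module's secret write (and, as written, its own vault PUT) races the vault creation. Serialize it with `dependsOn: [ keyVaultwithSelfSignedAppGatewaySSLCert, keyVaultwithExistingAppGatewaySSLCert ]`; ARM drops the dependency on whichever of the two conditional modules is not deployed. The secret-name variable `name_sslBackendCertSercretName` from the previous hunk is also misspelled; `name_sslBackendCertSecretName` matches its two siblings.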
@@ -0,0 +1,27 @@
+// Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+param appgwName string
+@secure()
+param sslBackendRootCertData string = newGuid()
+param identity object
+param utcValue string = utcNow()
+
+var const_arguments = '${resourceGroup().name} ${appgwName} ${sslBackendRootCertData}'
+var const_azcliVersion='2.15.0'
+var const_deploymentName='ds-upload-trusted-root-certificatre-to-gateway'
+
+resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+ name: const_deploymentName
+ location: resourceGroup().location
+ kind: 'AzureCLI'
+ identity: identity
+ properties: {
+ azCliVersion: const_azcliVersion
+ arguments: const_arguments
+ scriptContent: loadTextContent('../../../arm/scripts/uploadAppGatewayTrutedRootCert.sh')
+ cleanupPreference: 'OnSuccess'
+ retentionInterval: 'P1D'
+ forceUpdateTag: utcValue
+ }
+}
diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
index 54aa351ed..72447b7ea 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
@@ -45,6 +45,7 @@ param identity object
 param keyVaultName string = 'kv-contoso'
 @description('Resource group name in current subscription containing the KeyVault')
 param keyVaultResourceGroup string = 'kv-contoso-rg'
+param keyvaultBackendCertDataSecretName string = 'kv-ssl-backend-data'
 @description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data')
 param keyVaultSSLCertDataSecretName string = 'kv-ssl-data'
 @description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate')
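Review bot: `sslBackendRootCertData` is marked `@secure()` but is interpolated into `const_arguments` and passed as `arguments`, a property the deploymentScripts resource stores and shows in plain text (resource JSON, portal, deployment history), so the annotation protects nothing; a CA certificate is public data, so either drop `@secure()` and say so in a `@description`, or, if this module may later carry private material, deliver the value through `environmentVariables` with `secureValue` and have the script read `"$BACKEND_ROOT_CERT_DATA"` instead of `$3`. The `newGuid()` default is a trap as well: an omitted value becomes a GUID that `base64 -d` turns into junk, and the failure only surfaces inside the container; make the parameter required. `const_azcliVersion='2.15.0'` pins an old CLI; confirm it supports the `root-cert create` options used by the script. The fence shows the environment-variable variant.
```bicep
@description('One-line base64 CA certificate to trust for the gateway backend. Public data, but delivered as a secure environment variable rather than in the plain-text arguments property.')
@secure()
param sslBackendRootCertData string

var const_arguments = '${resourceGroup().name} ${appgwName}'
// … unchanged: const_azcliVersion, const_deploymentName …

resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  // … unchanged: name, location, kind, identity …
  properties: {
    azCliVersion: const_azcliVersion
    arguments: const_arguments
    environmentVariables: [
      {
        name: 'BACKEND_ROOT_CERT_DATA'
        secureValue: sslBackendRootCertData
      }
    ]
    // … unchanged: scriptContent, cleanupPreference, retentionInterval, forceUpdateTag …
  }
}
```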
@@ -79,6 +80,12 @@ module pidAppgwStart './_pids/_pid.bicep' = if (enableAppGWIngress) { } } +// get key vault object in a resource group +resource existingKeyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = if (enableAppGWIngress) { + name: keyVaultName + scope: resourceGroup(keyVaultResourceGroup) +} + module appgwDeployment '_azure-resoruces/_appgateway.bicep' = if (enableAppGWIngress) { name: 'app-gateway-deployment' params: { @@ -90,12 +97,25 @@ module appgwDeployment '_azure-resoruces/_appgateway.bicep' = if (enableAppGWIng ] } -// get key vault object in a resource group -resource existingKeyvault 'Microsoft.KeyVault/vaults@2019-09-01' existing = if (enableAppGWIngress) { - name: keyVaultName - scope: resourceGroup(keyVaultResourceGroup) +/* + Upload trusted root certificate to Azure Application Gateway + To set up e2e TLS/SSL communication between Azure Application Gateway and WebLogic admin server or WebLogic cluster. + The certificate must be the CA certificate of WebLogic Server identity. +*/ +module appgwBackendCertDeployment '_deployment-scripts/_ds-appgw-upload-trusted-root-certificate.bicep' = if (enableAppGWIngress && enableCustomSSL) { + name: 'app-gateway-backend-cert-deployment' + params: { + appgwName: appgwDeployment.outputs.appGatewayName + sslBackendRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName) + identity: identity + } + dependsOn: [ + appgwDeployment + ] } + + module dnsZoneDeployment '_azure-resoruces/_dnsZones.bicep' = if (enableDNSConfiguration && createDNSZone) { name: 'dnszone-deployment' params: { @@ -139,7 +159,7 @@ module networkingDeployment '_deployment-scripts/_ds-create-networking.bicep' = wlsDomainUID: wlsDomainUID } dependsOn: [ - appgwDeployment + appgwBackendCertDeployment dnsZoneDeployment ] } 
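Review bot: Swapping `appgwDeployment` for `appgwBackendCertDeployment` in `dependsOn` drops the wait on the gateway whenever `enableCustomSSL` is false: `appgwBackendCertDeployment` is declared `if (enableAppGWIngress && enableCustomSSL)`, ARM ignores a dependency on a conditional resource that is not deployed, and so unless a parameter outside this hunk references `appgwDeployment.outputs.*` the networking script can start before the Application Gateway exists. Keep both entries, `dependsOn: [ appgwDeployment, appgwBackendCertDeployment, dnsZoneDeployment ]`; the extra entry costs nothing when the cert upload runs, since it already depends on the gateway itself. The same substitution is made for `networkingDeployment2` and `networkingDeployment3` in the following hunks and needs the same fix. The `networkingDeployment` module declaration starts outside this hunk.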
@@ -177,7 +197,7 @@ module networkingDeployment2 '_deployment-scripts/_ds-create-networking.bicep' =
 wlsDomainUID: wlsDomainUID
 }
 dependsOn: [
- appgwDeployment
+ appgwBackendCertDeployment
 dnsZoneDeployment
 ]
 }
@@ -214,7 +234,7 @@ module networkingDeployment3 '_deployment-scripts/_ds-create-networking.bicep' =
 wlsDomainUID: wlsDomainUID
 }
 dependsOn: [
- appgwDeployment
+ appgwBackendCertDeployment
 dnsZoneDeployment
 ]
 }