
Commit d0e4f8c

Merge pull request #370 from sap-contributions/cert_renewal_jobs_wg_ci
Automatic certificate regeneration for capi load balancer certificates
2 parents 217fe41 + e231635 commit d0e4f8c


5 files changed

+86
-3
lines changed


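--- a/docs/concourse/certificate_regeneration.md
+++ b/docs/concourse/certificate_regeneration.md
@@ -6,7 +6,7 @@ The automated regeneration is provided as separate Terragrunt module which must
 
 ## Prerequisites
 
-The certificate's CA must be stored in CredHub, and they must be correctly linked.
+The certificate's CA must be stored in CredHub, and the certificate must be correctly linked to the CA.
 
 ## Configuration and deployment
 
@@ -46,6 +46,10 @@ value: <redacted>
 version_created_at: "2024-05-07T12:23:43Z"
 (...)
 ```
+Afterward, you should delete the job with:
+```
+kubectl -n concourse delete job cert-regen-job
+```
 
 ## Limitations
 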
docs/concourse/concourse-architecture.drawio.svg

+2-2

terragrunt/concourse-wg-ci/automatic_certificate_regeneration/.terraform.lock.hcl

+40
@@ -0,0 +1,34 @@
1+
locals {
2+
config = yamldecode(file("../config.yaml"))
3+
}
4+
5+
remote_state {
6+
backend = "gcs"
7+
generate = {
8+
path = "backend.tf"
9+
if_exists = "overwrite"
10+
}
11+
config = {
12+
bucket = "${local.config.gcs_bucket}"
13+
prefix = "${local.config.gcs_prefix}/automatic-certificate-regeneration"
14+
project = "${local.config.project}"
15+
location = "${local.config.region}"
16+
# use for uniform bucket-level access
17+
# (https://cloud.google.com/storage/docs/uniform-bucket-level-access)
18+
enable_bucket_policy_only = false
19+
}
20+
}
21+
22+
terraform {
23+
source = local.config.tf_modules.automatic_certificate_regeneration
24+
}
25+
26+
inputs = {
27+
project = local.config.project
28+
region = local.config.region
29+
zone = local.config.zone
30+
31+
gke_name = local.config.gke_name
32+
33+
certificates_to_regenerate = local.config.certificates_to_regenerate
34+
}
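Review bot: The comment on `enable_bucket_policy_only = false` (hunk lines 16-18) says the setting is used for uniform bucket-level access while the value switches it off, so a reader cannot tell whether leaving the state bucket without uniform bucket-level access is intended or a leftover; the comment should record the decision, e.g. `# uniform bucket-level access is intentionally not enforced on the state bucket: <reason>`, or the value should become `true`. The file header for this hunk is not on the page: the preceding header names the collapsed `.terraform.lock.hcl` (+40 lines), but this hunk adds 34 lines of `locals`/`remote_state`/`terraform`/`inputs`, so it is presumably the module's terragrunt.hcl whose header was lost in rendering. The `certificates_to_regenerate` input is forwarded from `config.yaml` unchanged, so whatever format that key uses (a single string, judging by the config hunk) is what the module must parse.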

terragrunt/concourse-wg-ci/config.yaml

+5
@@ -34,6 +34,7 @@ tf_modules:
3434
dr_create: "../../..//terraform-modules/concourse/dr_create"
3535
dr_restore: "../../..//terraform-modules/concourse/dr_restore"
3636
secret_rotation_postgresql: "../../..//terraform-modules/concourse/secret_rotation_postgresql"
37+
automatic_certificate_regeneration: "../../..//terraform-modules/concourse/automatic_certificate_regeneration"
3738

3839

3940

@@ -110,3 +111,7 @@ wg_ci_cnrm_service_account_permissions: [
110111
"cloudsql.databases.list",
111112
"cloudsql.databases.update"
112113
]
114+
115+
# list of certificates that shall be automatically renewed every month
116+
# enter as one string with a comma-separated list of CredHub certificate names
117+
certificates_to_regenerate: "/concourse/capi-team/kiki_lb,/concourse/capi-team/scar_lb,/concourse/capi-team/elsa_lb,/concourse/capi-team/asha_lb"
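Review bot: `certificates_to_regenerate` on line 117 packs four CredHub names into one comma-separated string, so the YAML parser cannot validate the list and a name containing a comma or stray whitespace is split wrongly without any error; a YAML sequence keeps each name a separate, parser-checked value. If the module's `certificates_to_regenerate` input is typed as a string, the terragrunt wrapper can keep passing the same value with `join(",", local.config.certificates_to_regenerate)`, leaving the module untouched. The new comment also states the renewal runs "every month", which nothing in this file establishes — presumably the schedule lives in the module, and naming that place in the comment would stop the two from drifting apart.
```yaml
# list of CredHub certificate names that shall be automatically renewed
# (the renewal schedule is presumably defined by the automatic_certificate_regeneration module — confirm)
certificates_to_regenerate:
  - /concourse/capi-team/kiki_lb
  - /concourse/capi-team/scar_lb
  - /concourse/capi-team/elsa_lb
  - /concourse/capi-team/asha_lb
```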
