Add doc on rotating full RP env VPN certs (#3544)
* Add doc on rotating full RP env VPN certs

* remove ./ from source commands

* use ./ when sourcing the hack script
cadenmarchese authored Jul 15, 2024
1 parent 31af734 commit 3006121
Showing 1 changed file with 34 additions and 0 deletions.
34 changes: 34 additions & 0 deletions docs/deploy-full-rp-service-in-dev.md
Expand Up @@ -411,3 +411,37 @@

> __NOTE:__ The `az aro` CLI extension must be registered in order to run `az aro` commands against a local or tunneled RP. The usual hack script used to create clusters does not work due to keyvault mirroring requirements. The name of the cluster depends on the DNS zone that was created in an earlier step.

## Recover VPN access

Since setting up your own VPN in an earlier step will overwrite your local secrets, you will lose access to the vpn / vnet gateway that you provisioned in an earlier step if you run `make secrets`. If you don't have a secrets/* backup, you can recover your access using the following steps. Please note that this action will _**OVER WRITE**_ the `secrets/vpn-$LOCATION.ovpn` on your local machine. **DO NOT** run `make secrets-update` after doing this, as you will overwrite the shared secrets for all users.
1. Source all environment variables from earlier, and run the VPN configuration step again:
```bash
. ./env
. ./env-int
source ./hack/devtools/deploy-shared-env.sh
vpn_configuration
```
1. Create new VPN certificates locally:
```bash
go run ./hack/genkey -ca vpn-ca
mv vpn-ca.* secrets
go run ./hack/genkey -client -keyFile secrets/vpn-ca.key -certFile secrets/vpn-ca.crt vpn-client
mv vpn-client.* secrets
```
1. Update the VPN configuration locally:
- Add the new cert and key created above (located in `secrets/vpn-client.pem`) to `secrets/vpn-eastus.ovpn`, replacing the existing configuration.
1. Add the newly created secrets to the `dev-vpn` vnet gateway in `$USER-aro-$LOCATION` resource group:
- In portal, navigate to `dev-vpn`, Point-to-site configuration > Root certificates.
- Add the new `secrets/vpn-ca.pem` data created above to this configuration.
1. Connect to the VPN:
```bash
sudo openvpn secrets/vpn-$LOCATION.ovpn
```
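Review bot: the step "Add the new cert and key created above ... to `secrets/vpn-eastus.ovpn`" hardcodes the region while the surrounding text (the warning about overwriting `secrets/vpn-$LOCATION.ovpn` and the final `sudo openvpn secrets/vpn-$LOCATION.ovpn`) is parameterised on `$LOCATION`; a user deploying in another region will edit the wrong file. Suggest `secrets/vpn-$LOCATION.ovpn` there. Two smaller points: the "Point-to-site configuration > Root certificates" step says to add the new `secrets/vpn-ca.pem` data, which leaves the previous root certificate trusted by the `dev-vpn` gateway, so any client certificate issued under the old CA keeps authenticating; if the old CA key is gone, the doc should say to remove the old root entry as well. And the warning about `make secrets-update` is worth repeating after the final connect step, since that is the point at which a reader is most likely to think the rotation is "done" and push their local secrets.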
