From 30061211bc6a913bca29d5f91ce319177d5c2da4 Mon Sep 17 00:00:00 2001
From: Caden Marchese <56140267+cadenmarchese@users.noreply.github.com>
Date: Mon, 15 Jul 2024 07:44:43 -0700
Subject: [PATCH] Add doc on rotating full RP env VPN certs (#3544)

* Add doc on rotating full RP env VPN certs

* remove ./ from source commands

* use ./ when sourcing the hack script
---
 docs/deploy-full-rp-service-in-dev.md | 34 +++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/docs/deploy-full-rp-service-in-dev.md b/docs/deploy-full-rp-service-in-dev.md
index 0fa6834fa99..4ccede045b7 100644
--- a/docs/deploy-full-rp-service-in-dev.md
+++ b/docs/deploy-full-rp-service-in-dev.md
@@ -411,3 +411,37 @@
 
     > __NOTE:__ The `az aro` CLI extension must be registered in order to run `az aro` commands against a local or tunneled RP. The usual hack script used to create clusters does not work due to keyvault mirroring requirements. The name of the cluster depends on the DNS zone that was created in an earlier step.
 
+## Recover VPN access
+
+Since setting up your own VPN in an earlier step will overwrite your local secrets, you will lose access to the vpn / vnet gateway that you provisioned in an earlier step if you run `make secrets`. If you don't have a secrets/* backup, you can recover your access using the following steps. Please note that this action will _**OVER WRITE**_ the `secrets/vpn-$LOCATION.ovpn` on your local machine. **DO NOT** run `make secrets-update` after doing this, as you will overwrite the shared secrets for all users.
+
+1. Source all environment variables from earlier, and run the VPN configuration step again:
+
+    ```bash
+    . ./env
+    . ./env-int
+
+    source ./hack/devtools/deploy-shared-env.sh
+    vpn_configuration
+    ```
+
+1. Create new VPN certificates locally:
+
+    ```bash
+    go run ./hack/genkey -ca vpn-ca
+    mv vpn-ca.* secrets
+    go run ./hack/genkey -client -keyFile secrets/vpn-ca.key -certFile secrets/vpn-ca.crt vpn-client
+    mv vpn-client.* secrets
+    ```
+
+1. Update the VPN configuration locally:
+    - Add the new cert and key created above (located in `secrets/vpn-client.pem`) to `secrets/vpn-eastus.ovpn`, replacing the existing configuration.
+
+1. Add the newly created secrets to the `dev-vpn` vnet gateway in `$USER-aro-$LOCATION` resource group:
+    - In portal, navigate to `dev-vpn`, Point-to-site configuration > Root certificates.
+    - Add the new `secrets/vpn-ca.pem` data created above to this configuration.
+
+1. Connect to the VPN:
+    ```bash
+    sudo openvpn secrets/vpn-$LOCATION.ovpn
+    ```