Merge pull request #7 from hashicorp/f-plumb-customer-ca

Add in CA plumbing for custom certificates

README.md

@@ -23,6 +23,7 @@ Please contact your Technical Account Manager for more information, and support
 | primary\_count | The number of additional cluster master nodes to run | string | n/a | yes |
 | secondary\_count | The number of secondary cluster nodes to run | string | n/a | yes |
 | vpc\_id | AWS VPC id to install into | string | n/a | yes |
+| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no |
 | airgap\_installer\_url | URL to replicated's airgap installer package | string | `"https://install.terraform.io/installer/replicated-v5.tar.gz"` | no |
 | airgap\_package\_url | signed URL to download the package | string | `""` | no |
 | ami | AMI to launch instance with; defaults to latest Ubuntu Xenial | string | `""` | no |

config.tf

@@ -53,6 +53,8 @@ data "template_file" "cloud_config" {
     proxy_url            = "${var.http_proxy_url}"
     installer_url        = "${var.installer_url}"
 
+    ca_cert_url = "${var.ca_cert_url}"
+
     import_key     = "${var.import_key}"
     startup_script = "${base64encode(var.startup_script)}"
 
@@ -86,6 +88,8 @@ data "template_file" "cloud_config_secondary" {
     installer_url        = "${var.installer_url}"
     role                 = "secondary"
 
+    ca_cert_url = "${var.ca_cert_url}"
+
     import_key = "${var.import_key}"
   }
 }

files/install-ptfe.sh

@@ -47,6 +47,57 @@ export role
 airgap_url_path="/etc/ptfe/airgap-package-url"
 airgap_installer_url_path="/etc/ptfe/airgap-installer-url"
 
+# ------------------------------------------------------------------------------
+# Custom CA certificate download and configuration block
+# ------------------------------------------------------------------------------
+if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \
+      $(< /etc/ptfe/custom-ca-cert-url) != none ]]; then
+  custom_ca_cert_url=$(cat /etc/ptfe/custom-ca-cert-url)
+  custom_ca_cert_file_name=$(echo "${custom_ca_cert_url}" | awk -F '/' '{ print $NF }')
+  ca_tmp_dir="/tmp/ptfe/customer-certs"
+  replicated_conf_file="replicated-ptfe.conf"
+  local_messages_file="local_messages.log"
+  # Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom",
+  # since we're trusting user input to be both a working URL and a valid certificate.
+  # These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files.
+  mkdir -p "${ca_tmp_dir}"
+  pushd "${ca_tmp_dir}"
+  touch ${local_messages_file}
+  if wget --trust-server-files "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;
+  then
+    if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ];
+    then
+      if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout;
+      then
+        mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt
+        cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original
+        jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated
+        if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated;
+        then
+          cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file}
+        else
+          echo "The updated ${replicated_conf_file} file is not valid JSON." | tee -a "${local_messages_file}"
+          echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}"
+          echo "" | tee -a "${local_messages_file}"
+        fi
+      else
+        echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}"
+        echo "" | tee -a "${local_messages_file}"
+      fi
+    else
+      echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_cert_url} downloaded." | tee -a "${local_messages_file}"
+      echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}"
+      echo "" | tee -a "${local_messages_file}"
+    fi
+  else
+    echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_cert_url}." | tee -a "${local_messages_file}"
+    echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}"
+    echo "" | tee -a "${local_messages_file}"
+  fi
+
+  popd
+fi
+
 ptfe_install_args=(
     -DD
     "--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \

templates/cloud-config-secondary.yaml

@@ -40,6 +40,11 @@ write_files:
   permissions: "0400"
   content: "${proxy_url}"
 
+- path: /etc/ptfe/custom-ca-cert-url
+  owner: root:root
+  permissions: "0400"
+  content: "${ca_cert_url}"
+
 - path: /etc/apt/apt.conf.d/00aaa_proxy
   owner: root:root
   permissions: "0400"

templates/cloud-config.yaml

@@ -59,6 +59,11 @@ write_files:
   permissions: "0400"
   content: "${proxy_url}"
 
+- path: /etc/ptfe/custom-ca-cert-url
+  owner: root:root
+  permissions: "0400"
+  content: "${ca_cert_url}"
+
 - path: /etc/profile.d/proxy.sh
   owner: root:root
   permissions: "0755"

variables.tf

@@ -42,6 +42,12 @@ variable "airgap_package_url" {
   default     = ""
 }
 
+variable "ca_cert_url" {
+  type        = "string"
+  description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections"
+  default     = "none"
+}
+
 variable "ami" {
   type        = "string"
   description = "AMI to launch instance with; defaults to latest Ubuntu Xenial"
@@ -276,7 +282,6 @@ data "aws_ami" "rhel" {
   }
 }
 
-
 ## random password for the installer dashboard
 resource "random_pet" "console_password" {
   length = 3