From 68e2e05820da28c66008e8d055bf69670e81a95e Mon Sep 17 00:00:00 2001
From: Roger Steve Ruiz
Date: Tue, 17 Sep 2019 14:58:45 -0400
Subject: [PATCH 1/4] Add in CA plumbing to TF
---
 README.md | 1 +
 config.tf | 2 ++
 templates/cloud-config-secondary.yaml | 5 +++++
 templates/cloud-config.yaml | 5 +++++
 variables.tf | 6 ++++++
 5 files changed, 19 insertions(+)
diff --git a/README.md b/README.md
index 150c0f96..9e0a01b2 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Please contact your Technical Account Manager for more information, and support
 | primary\_count | The number of additional cluster master nodes to run | string | n/a | yes |
 | secondary\_count | The number of secondary cluster nodes to run | string | n/a | yes |
 | vpc\_id | AWS VPC id to install into | string | n/a | yes |
+| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no |
 | airgap\_installer\_url | URL to replicated's airgap installer package | string | `"https://install.terraform.io/installer/replicated-v5.tar.gz"` | no |
 | airgap\_package\_url | signed URL to download the package | string | `""` | no |
 | ami | AMI to launch instance with; defaults to latest Ubuntu Xenial | string | `""` | no |
diff --git a/config.tf b/config.tf
index 7a77d571..2879be13 100644
--- a/config.tf
+++ b/config.tf
@@ -53,6 +53,8 @@ data "template_file" "cloud_config" {
 proxy_url = "${var.http_proxy_url}"
 installer_url = "${var.installer_url}"
+ ca_cert_url = "${var.ca_cert_url}"
+
 import_key = "${var.import_key}"
 startup_script = "${base64encode(var.startup_script)}"
diff --git a/templates/cloud-config-secondary.yaml b/templates/cloud-config-secondary.yaml
index 9e9c95d1..bf42bd9f 100644
--- a/templates/cloud-config-secondary.yaml
+++ b/templates/cloud-config-secondary.yaml 
@@ -40,6 +40,11 @@ write_files:
 permissions: "0400"
 content: "${proxy_url}"
+- path: /etc/ptfe/custom-ca-cert-url
+ owner: root:root
+ permissions: "0400"
+ content: "${ca_cert_url}"
+
 - path: /etc/apt/apt.conf.d/00aaa_proxy
 owner: root:root
 permissions: "0400"
diff --git a/templates/cloud-config.yaml b/templates/cloud-config.yaml
index b21d4461..43eb89d9 100644
--- a/templates/cloud-config.yaml
+++ b/templates/cloud-config.yaml
@@ -59,6 +59,11 @@ write_files:
 permissions: "0400"
 content: "${proxy_url}"
+- path: /etc/ptfe/custom-ca-cert-url
+ owner: root:root
+ permissions: "0400"
+ content: "${ca_cert_url}"
+
 - path: /etc/profile.d/proxy.sh
 owner: root:root
 permissions: "0755"
diff --git a/variables.tf b/variables.tf
index a54256bf..cee3ad78 100644
--- a/variables.tf
+++ b/variables.tf
@@ -36,6 +36,12 @@ variable "airgap_package_url" {
 default = ""
 }
+variable "ca_cert_url" {
+ type = "string"
+ description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections"
+ default = "none"
+}
+
 variable "ami" {
 type = "string"
 description = "AMI to launch instance with; defaults to latest Ubuntu Xenial"
From ed18181a6482b77f851812499f5efb3dc3982479 Mon Sep 17 00:00:00 2001
From: Roger Steve Ruiz
Date: Tue, 17 Sep 2019 14:58:59 -0400
Subject: [PATCH 2/4] Add in installation and configuration of CA certs
---
 files/install-ptfe.sh | 51 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/files/install-ptfe.sh b/files/install-ptfe.sh
index de7cd7e5..80196548 100644
--- a/files/install-ptfe.sh
+++ b/files/install-ptfe.sh 
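Review bot: `default = "none"` in the new `variable "ca_cert_url"` block introduces a sentinel string where the neighbouring URL variable in this file (`airgap_package_url`, whose `default = ""` is visible two lines above) uses the empty string for "not set", and the consuming install script already treats an empty value and `none` identically, so `default = ""` would be consistent and would avoid writing a literal `none` into `/etc/ptfe/custom-ca-cert-url` (the README row in this series would need the same change). The description could also say what the value is used for rather than only where it ends up: `description = "URL to a PEM CA certificate; downloaded at install time and added to the ca_certs setting of the replicated config used by the internal ptfe-proxy. Empty disables the download."`.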
@@ -47,6 +47,57 @@ export role
 airgap_url_path="/etc/ptfe/airgap-package-url"
 airgap_installer_url_path="/etc/ptfe/airgap-installer-url"
+# ------------------------------------------------------------------------------
+# Custom CA certificate download and configuration block
+# ------------------------------------------------------------------------------
+if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \
+ $(< /etc/ptfe/custom-ca-cert-url) != none ]]; then
+ custom_ca_cert_url=$(cat /etc/ptfe/custom-ca-cert-url)
+ custom_ca_cert_file_name=$(echo "${custom_ca_cert_url}" | awk -F '/' '{ print $NF }')
+ ca_tmp_dir="/tmp/ptfe/customer-certs"
+ replicated_conf_file="replicated-ptfe.conf"
+ local_messages_file="local_messages.log"
+ # Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom",
+ # since we're trusting user input to be both a working URL and a valid certificate.
+ # These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files.
+ mkdir -p "${ca_tmp_dir}"
+ pushd "${ca_tmp_dir}"
+ touch ${local_messages_file}
+ if wget --trust-server-files "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;
+ then
+ if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ];
+ then
+ if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout;
+ then
+ mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt
+ cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original
+ jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated
+ if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated;
+ then
+ cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file}
+ else
+ echo "The updated ${replicated_conf_file} file is not valid JSON." | tee -a "${local_messages_file}"
+ echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_cert_url} downloaded." | tee -a "${local_messages_file}"
+ echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+ else
+ echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_cert_url}." | tee -a "${local_messages_file}"
+ echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}"
+ echo "" | tee -a "${local_messages_file}"
+ fi
+
+ popd
+fi
+
 ptfe_install_args=(
 -DD "--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \
From 1f1a003fb33cd4e115bf66884dcd698fcadc73e9 Mon Sep 17 00:00:00 2001
From: Roger Steve Ruiz
Date: Tue, 17 Sep 2019 14:59:16 -0400
Subject: [PATCH 3/4] Run terraform fmt
---
 variables.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index cee3ad78..d360316a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -276,7 +276,6 @@ data "aws_ami" "rhel" {
 }
 }
-
 ## random password for the installer dashboard
 resource "random_pet" "console_password" {
 length = 3
From 8059c9df67fe174a89249f10e5c2223a21f33590 Mon Sep 17 00:00:00 2001
From: Roger Steve Ruiz
Date: Mon, 30 Sep 2019 13:16:55 -0400
Subject: [PATCH 4/4] Add in ca_cert_url to secondary config
---
 config.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config.tf b/config.tf
index 2879be13..197520cc 100644
--- a/config.tf
+++ b/config.tf
@@ -88,6 +88,8 @@ data "template_file" "cloud_config_secondary" {
 installer_url = "${var.installer_url}"
 role = "secondary"
+ ca_cert_url = "${var.ca_cert_url}"
+
 import_key = "${var.import_key}"
 }
 }
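Review bot: The `jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }"` line splices the bytes of the downloaded file into the jq program text, so a file that passes `openssl x509` (the PEM reader skips anything before the `-----BEGIN` line) but contains a `"` or `\` changes the filter instead of becoming a string value; pass the content as data instead: `jq --arg cert "$(cat cust-ca-certificates.crt)" '. + { ca_certs: { value: $cert } }' -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated`. Separately, `wget --trust-server-files` does not appear to be a GNU wget option (the documented flag is `--trust-server-names`); if that is the case on the image, every run ends in the "There was an error downloading" branch and the feature never installs, so please confirm against the wget in use. Because whatever this block accepts becomes a trusted CA for `ptfe-proxy`, it is also worth refusing a `custom_ca_cert_url` that does not start with `https://` (or comparing the download against a configured digest) before calling wget, since a plain-HTTP fetch lets anyone on the network path supply the certificate. Whether `set -e` is in effect for this block is outside the hunk, so the unchecked `pushd`/`mkdir -p` outcomes are only a concern if it is not.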