From 3affcbddfafd9dacbe5846380533febe0ff294e5 Mon Sep 17 00:00:00 2001 From: Roger Steve Ruiz Date: Wed, 28 Aug 2019 09:49:06 -0400 Subject: [PATCH 1/5] Run tf fmt on the repo --- modules/configs/templates/replicated/replicated-ptfe.conf | 4 ++-- modules/configs/variables.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/configs/templates/replicated/replicated-ptfe.conf b/modules/configs/templates/replicated/replicated-ptfe.conf index aef10385..dcbb1853 100644 --- a/modules/configs/templates/replicated/replicated-ptfe.conf +++ b/modules/configs/templates/replicated/replicated-ptfe.conf @@ -39,7 +39,7 @@ }, "azure_container": { "value": "${azure_container}" - + %{ endif } }, "iact_subnet_list": { @@ -48,4 +48,4 @@ "iact_subnet_time_limit": { "value": "${iact_subnet_time_limit}" } -} \ No newline at end of file +} diff --git a/modules/configs/variables.tf b/modules/configs/variables.tf index 3a9d756f..05ebd025 100644 --- a/modules/configs/variables.tf +++ b/modules/configs/variables.tf @@ -15,7 +15,7 @@ variable cluster_endpoint { } variable "cluster_api_endpoint" { - type = "string" + type = "string" description = "URI to the cluster api" } From bdea45782002e250daee36a949c2065b351ee94f Mon Sep 17 00:00:00 2001 From: Roger Steve Ruiz Date: Tue, 17 Sep 2019 14:46:04 -0400 Subject: [PATCH 2/5] Add CA plumbing for custom certificates --- README.md | 1 + main.tf | 1 + modules/configs/README.md | 1 + modules/configs/files/install-ptfe.sh | 51 +++++++++++++++++++ .../templates/cloud-init/cloud-config.yaml | 5 ++ modules/configs/variables.tf | 6 +++ variables.tf | 6 +++ 7 files changed, 71 insertions(+) diff --git a/README.md b/README.md index b8203da6..470c4515 100644 --- a/README.md +++ b/README.md 
@@ -36,6 +36,7 @@ Please see the examples directory for more extensive examples. | tls\_pfx\_certificate\_password | The password for the associated SSL certificate. | string | n/a | yes | | virtual\_network\_name | An existing Azure Virtual Network to deploy into | string | n/a | yes | | resource\_prefix | Prefix name for resources created by this module | string| tfe | no | +| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no | | airgap\_installer\_url | URL to replicated's airgap installer package | string | `"https://install.terraform.io/installer/replicated-v5.tar.gz"` | no | | airgap\_mode\_enable | install in airgap mode | string | `"False"` | no | | airgap\_package\_url | Signed URL to download the package | string | `""` | no | diff --git a/main.tf b/main.tf index a5303b88..c6982d68 100644 --- a/main.tf +++ b/main.tf @@ -55,6 +55,7 @@ module "configs" { http_proxy_url = "${var.http_proxy_url}" installer_url = "${var.installer_url}" import_key = "${var.import_key}" + ca_cert_url = "${var.ca_cert_url}" iact = { subnet_list = "${var.iact_subnet_list}" diff --git a/modules/configs/README.md b/modules/configs/README.md index 9855e9db..a41653de 100644 --- a/modules/configs/README.md +++ b/modules/configs/README.md @@ -19,6 +19,7 @@ | license\_file | Path to license file for the application | string | n/a | yes | | postgresql | Expects keys: [user, password, address, database, extra_params] | map | n/a | yes | | primary\_count | The count of primary instances being created. | string | n/a | yes | +| ca_cert_url | URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections| string | `"none"` | no | ## Outputs diff --git a/modules/configs/files/install-ptfe.sh b/modules/configs/files/install-ptfe.sh index edade382..5d30495c 100644 --- a/modules/configs/files/install-ptfe.sh +++ b/modules/configs/files/install-ptfe.sh 
@@ -62,6 +62,57 @@ public_ip=$(curl -H Metadata:true "http://169.254.169.254/metadata/instance/netw airgap_url_path="/etc/ptfe/airgap-package-url" airgap_installer_url_path="/etc/ptfe/airgap-installer-url" +# ------------------------------------------------------------------------------ +# Custom CA certificate download and configuration block +# ------------------------------------------------------------------------------ +if [[ -n $(< /etc/ptfe/custom-ca-cert-url) && \ + $(< /etc/ptfe/custom-ca-cert-url) != none ]]; then + custom_ca_cert_url=$(cat /etc/ptfe/custom-ca-cert-url) + custom_ca_cert_file_name=$(echo "${custom_ca_cert_url}" | awk -F '/' '{ print $NF }') + ca_tmp_dir="/tmp/ptfe/customer-certs" + replicated_conf_file="replicated-ptfe.conf" + local_messages_file="local_messages.log" + # Setting up a tmp directory to do this `jq` transform to leave artifacts if anything goes "boom", + # since we're trusting user input to be both a working URL and a valid certificate. + # These artifacts will live in /tmp/ptfe/customer-certs/{local_messages.log,wget_output.log} files. + mkdir -p "${ca_tmp_dir}" + pushd "${ca_tmp_dir}" + touch ${local_messages_file} + if wget --trust-server-files "${custom_ca_cert_url}" >> ./wget_output.log 2>&1; + then + if [ -f "${ca_tmp_dir}/${custom_ca_cert_file_name}" ]; + then + if openssl x509 -in "${custom_ca_cert_file_name}" -text -noout; + then + mv "${custom_ca_cert_file_name}" cust-ca-certificates.crt + cp /etc/${replicated_conf_file} ./${replicated_conf_file}.original + jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }" -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated + if jq -e . > /dev/null 2>&1 -- ${replicated_conf_file}.updated; + then + cp ./${replicated_conf_file}.updated /etc/${replicated_conf_file} + else + echo "The updated ${replicated_conf_file} file is not valid JSON." 
| tee -a "${local_messages_file}" + echo "Review ${ca_tmp_dir}/${replicated_conf_file}.original and ${ca_tmp_dir}/${replicated_conf_file}.updated." | tee -a "${local_messages_file}" + echo "" | tee -a "${local_messages_file}" + fi + else + echo "The certificate file wasn't able to validated via openssl" | tee -a "${local_messages_file}" + echo "" | tee -a "${local_messages_file}" + fi + else + echo "The filename ${custom_ca_cert_file_name} was not what ${custom_ca_cert_url} downloaded." | tee -a "${local_messages_file}" + echo "Inspect the ${ca_tmp_dir} directory to verify the file that was downloaded." | tee -a "${local_messages_file}" + echo "" | tee -a "${local_messages_file}" + fi + else + echo "There was an error downloading the file ${custom_ca_cert_file_name} from ${custom_ca_cert_url}." | tee -a "${local_messages_file}" + echo "See the ${ca_tmp_dir}/wget_output.log file." | tee -a "${local_messages_file}" + echo "" | tee -a "${local_messages_file}" + fi + + popd +fi + ptfe_install_args=( -DD "--bootstrap-token=$(cat /etc/ptfe/bootstrap-token)" \ diff --git a/modules/configs/templates/cloud-init/cloud-config.yaml b/modules/configs/templates/cloud-init/cloud-config.yaml index b383daf6..11b9a226 100644 --- a/modules/configs/templates/cloud-init/cloud-config.yaml +++ b/modules/configs/templates/cloud-init/cloud-config.yaml @@ -42,6 +42,11 @@ write_files: permissions: "0400" content: "${proxy_url}" +- path: /etc/ptfe/custom-ca-cert-url + owner: root:root + permissions: "0400" + content: "${ca_cert_url}" + %{~ if role != "secondary" ~} - path: /etc/ptfe/setup-token owner: root:root diff --git a/modules/configs/variables.tf b/modules/configs/variables.tf index 05ebd025..8c89ffd9 100644 --- a/modules/configs/variables.tf +++ b/modules/configs/variables.tf 
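Review bot: `wget --trust-server-files` in the download test does not appear to be a GNU wget option (the documented flag is `--trust-server-names`), so on a stock wget the command would exit on an unrecognized option and every run would fall through to the "There was an error downloading" branch without ever fetching the CA. Since the script already derives the expected file name from the URL, pin the output name instead of trusting a server-chosen one, e.g. `if wget -O "${custom_ca_cert_file_name}" "${custom_ca_cert_url}" >> ./wget_output.log 2>&1;`, which also makes the following `-f` check meaningful on redirects. The `jq ". + { ca_certs: { value: \"$(cat cust-ca-certificates.crt)\" } }"` line splices the multi-line PEM into the jq program text through shell interpolation, so any quote or backslash in the file becomes jq syntax; passing it as a variable avoids that: `jq --arg ca "$(cat cust-ca-certificates.crt)" '. + { ca_certs: { value: $ca } }' -- ${replicated_conf_file}.original > ${replicated_conf_file}.updated`. Because this file becomes a trust anchor for the proxy's outgoing connections, a comment above the block noting that the URL is expected to be https (or another integrity-protected source), since a plain-http fetch would let an on-path party substitute the CA, would help operators; the enclosing script continues outside the hunk.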
@@ -75,6 +75,12 @@ variable "airgap" { # === Optional +variable "ca_cert_url" { + type = "string" + description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections" + default = "none" +} + # === Misc locals { diff --git a/variables.tf b/variables.tf index d55f78c1..45afb023 100644 --- a/variables.tf +++ b/variables.tf @@ -66,6 +66,12 @@ variable "airgap_package_url" { default = "" } +variable "ca_cert_url" { + type = "string" + description = "URL to CA certificate file used for the internal `ptfe-proxy` used for outgoing connections" + default = "none" +} + variable "azure_es_account_key" { type = "string" description = "The Azure account key for external services" From cb7ff7f73968b21cfa223b3e1abd59f1cc5c6031 Mon Sep 17 00:00:00 2001 From: Roger Steve Ruiz Date: Tue, 17 Sep 2019 14:46:30 -0400 Subject: [PATCH 3/5] Clean up whitespace --- modules/configs/templates/cloud-init/cloud-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/configs/templates/cloud-init/cloud-config.yaml b/modules/configs/templates/cloud-init/cloud-config.yaml index 11b9a226..f816fc4f 100644 --- a/modules/configs/templates/cloud-init/cloud-config.yaml +++ b/modules/configs/templates/cloud-init/cloud-config.yaml @@ -68,7 +68,7 @@ write_files: permissions: "0755" encoding: b64 content: ${proxy_b64} - + %{~ endif ~} %{~ if role == "main" ~} @@ -116,7 +116,7 @@ write_files: permissions: "0400" encoding: b64 content: ${aaa_proxy_b64} - + %{ endif ~} %{ if distro == "ubuntu" ~} From febbeaa56c3046835d85098c7a65584d9f5b9028 Mon Sep 17 00:00:00 2001 From: Roger Steve Ruiz Date: Tue, 17 Sep 2019 16:07:57 -0400 Subject: [PATCH 4/5] Add in variable to config module too --- modules/configs/cloud-init.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/configs/cloud-init.tf b/modules/configs/cloud-init.tf index 1f74160f..fbd235a7 100644 --- a/modules/configs/cloud-init.tf +++ b/modules/configs/cloud-init.tf 
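Review bot: The `description` of the new `ca_cert_url` variable does not say that the literal `"none"` default is a sentinel that disables the custom-CA step, which is the exact string the install script compares against; the same applies to the copy in the root `variables.tf` hunk below and the two README rows. Suggest `description = "URL to a PEM CA certificate file used by the internal ptfe-proxy for outgoing connections; the default \"none\" skips custom-CA setup"`. Stating that the file must be PEM also matches what the installer validates with `openssl x509`.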
@@ -76,6 +76,7 @@ data "template_file" "cloud_config" { primary_pki_url = "http://${var.cluster_api_endpoint}:${var.assistant_port}/api/v1/pki-download?token=${random_string.setup_token.result}" health_url = "http://${var.cluster_api_endpoint}:${var.assistant_port}/healthz" cert_thumbprint = "${var.cert_thumbprint}" + ca_cert_url = "${var.ca_cert_url}" } } From cd60bde47eff3fb5cc38e674091eaeebeff2991a Mon Sep 17 00:00:00 2001 From: Roger Steve Ruiz Date: Thu, 26 Sep 2019 11:11:21 -0400 Subject: [PATCH 5/5] Add ca_cert_url to secondaries too --- modules/configs/cloud-init.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/configs/cloud-init.tf b/modules/configs/cloud-init.tf index fbd235a7..4c26384b 100644 --- a/modules/configs/cloud-init.tf +++ b/modules/configs/cloud-init.tf @@ -106,6 +106,7 @@ data "template_file" "cloud_config_secondary" { distro = "${var.distribution}" aaa_proxy_b64 = "${base64encode(data.template_file.aaa_proxy_b64.rendered)}" proxy_b64 = "${base64encode(data.template_file.proxy_sh.rendered)}" + ca_cert_url = "${var.ca_cert_url}" } }