diff --git a/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf b/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf
index 09f3cc2d6..13e0721b7 100644
--- a/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf
+++ b/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf
@@ -104,9 +104,10 @@ resource "local_file" "helm_chart_values" {
 ]
 dssGateway = {
- ip = var.ip_gateway
- subnet = var.workload_subnet
- certName = var.gateway_cert_name
+ ip = var.ip_gateway
+ subnet = var.workload_subnet
+ certName = var.gateway_cert_name
+ sslPolicy = var.ssl_policy
 }
 }
diff --git a/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf b/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf
index ff6d2eabc..0c6b28b3e 100644
--- a/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf
+++ b/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf
@@ -55,4 +55,10 @@ variable "workload_subnet" {
 type = string
 description = "Only required for AWS cloud provider. Subnet where the kubernetes worker nodes is deployed. For AWS, provide the name or the id of the workload_subnet"
 default = ""
-}
\ No newline at end of file
+}
+
+variable "ssl_policy" {
+ type = string
+ description = "Only required for Google cloud provider. Name of the SSL policy created for the DSS Gateway Ingress."
+ default = ""
+}
diff --git a/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf b/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf
index 88939d97e..7c89103ef 100644
--- a/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf
+++ b/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf
@@ -13,6 +13,7 @@ resource "google_container_cluster" "kubernetes_cluster" {
 }
 min_master_version = var.kubernetes_version
+
 }
 resource "google_container_node_pool" "dss_pool" {
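Review bot: The description of the new `ssl_policy` variable in variables_internal.tf does not say what the default `""` means, and that is the value every non-Google deployment and any operator who forgets to wire it will get: the Helm side only renders a FrontendConfig when the value is non-empty, so an empty value leaves the GKE Ingress on the load balancer's default SSL policy, which as far as I recall is the COMPATIBLE profile with a TLS 1.0 minimum. Since this variable is the only knob an operator sees for that behaviour, spell it out: `description = "Only required for Google cloud provider. Name of the google_compute_ssl_policy applied to the DSS Gateway Ingress; when empty, no FrontendConfig is rendered and the Ingress keeps the GCP default SSL policy."`. The `workload_subnet` block above it is unchanged apart from the trailing-newline fix.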
@@ -58,3 +59,9 @@ resource "google_compute_address" "ip_crdb" {
 locals {
 kubectl_cluster_context_name = format("gke_%s_%s_%s", google_container_cluster.kubernetes_cluster.project, google_container_cluster.kubernetes_cluster.location, google_container_cluster.kubernetes_cluster.name)
 }
+
+resource "google_compute_ssl_policy" "secure" {
+ name = format("%s-secure-ssl-policy", var.cluster_name)
+ profile = "RESTRICTED"
+ min_tls_version = "TLS_1_2"
+}
diff --git a/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf b/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf
index 6d278e287..aa2a27cda 100644
--- a/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf
+++ b/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf
@@ -29,6 +29,10 @@ output "ip_gateway" {
 value = google_compute_global_address.ip_gateway.name
 }
+output "ssl_policy" {
+ value = google_compute_ssl_policy.secure.name
+}
+
 output "crdb_nodes" {
 value = [
 for i in google_compute_address.ip_crdb : {
@@ -36,4 +40,4 @@ output "crdb_nodes" {
 dns = i.description
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/deploy/infrastructure/modules/terraform-google-dss/main.tf b/deploy/infrastructure/modules/terraform-google-dss/main.tf
index b21b7c4b8..cfddfea38 100644
--- a/deploy/infrastructure/modules/terraform-google-dss/main.tf
+++ b/deploy/infrastructure/modules/terraform-google-dss/main.tf
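Review bot: `google_compute_ssl_policy.secure` carries no comment or `description` recording why the `RESTRICTED` profile was chosen, and that choice is the security-relevant part of the change: per GCP's documentation it limits the gateway to TLS 1.2 and up with a fixed set of forward-secrecy cipher suites, so older clients are refused rather than downgraded. Put that intent in the resource so a later relaxation to `COMPATIBLE` or a lower `min_tls_version` stands out in review, e.g. `description = "DSS gateway frontend policy: TLS 1.2+ with the RESTRICTED cipher set; relax only after a documented client-compatibility review"`. The resource is created unconditionally while the Helm side applies it only when the chart receives a non-empty `sslPolicy`; that holds together because `output "ssl_policy"` always forwards the name, but a one-line comment saying so would save the next reader the cross-file trace. The name is built from `var.cluster_name`, so the usual GCP resource-name length and character limits apply to the concatenation; I cannot see whether that variable is validated.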
@@ -27,6 +27,7 @@ module "terraform-commons-dss" {
 kubernetes_api_endpoint = module.terraform-google-kubernetes.kubernetes_api_endpoint
 crdb_internal_nodes = module.terraform-google-kubernetes.crdb_nodes
 ip_gateway = module.terraform-google-kubernetes.ip_gateway
+ ssl_policy = module.terraform-google-kubernetes.ssl_policy
 kubernetes_cloud_provider_name = module.terraform-google-kubernetes.kubernetes_cloud_provider_name
 kubernetes_context_name = module.terraform-google-kubernetes.kubernetes_context_name
 kubernetes_get_credentials_cmd = module.terraform-google-kubernetes.kubernetes_get_credentials_cmd
diff --git a/deploy/services/helm-charts/dss/templates/_networking-google.tpl b/deploy/services/helm-charts/dss/templates/_networking-google.tpl
index 4b476efd5..27d345309 100644
--- a/deploy/services/helm-charts/dss/templates/_networking-google.tpl
+++ b/deploy/services/helm-charts/dss/templates/_networking-google.tpl
@@ -9,7 +9,10 @@ loadBalancerIP: {{.ip}}
 kubernetes.io/ingress.allow-http: "false"
 kubernetes.io/ingress.global-static-ip-name: {{.ip}}
 networking.gke.io/managed-certificates: {{.certName}}
+{{- if .frontendConfig }}
+networking.gke.io/v1beta1.FrontendConfig: {{.frontendConfig}}
+{{- end -}}
 {{- end -}}
 {{- define "google-ingress-spec" -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml b/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml
index 988ec007f..46dacaae1 100644
--- a/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml
+++ b/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml
@@ -28,6 +28,7 @@ metadata:
 (dict
 "certName" (printf "%s-core-service-https-certificate" $.Release.Name)
 "ip" .ip
+ "frontendConfig" (empty .sslPolicy | ternary "" "ssl-frontend-config")
 ) | nindent 4 }}
 labels:
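Review bot: The `google-ingress-annotations` define now accepts an optional `frontendConfig` key, but nothing in the template states which keys the dict must carry or that this one may be omitted; the `define` line itself is above the hunk. Add a comment under it such as `{{/* dict keys: ip, certName, frontendConfig (optional; name of a FrontendConfig in the same namespace as the Ingress) */}}` so any caller other than dss-ingress-google.yaml knows the contract. The inner `{{- end -}}` trims on both sides like the outer one, so the rendered annotation block is unchanged when the key is absent, which is the behaviour to keep.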
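Review bot: The FrontendConfig name `ssl-frontend-config` is a literal in the added `"frontendConfig"` dict entry here and again as `name: ssl-frontend-config` in the next hunk of this file, so the annotation and the object it points at can drift apart in a later edit, and an Ingress whose annotation names a missing FrontendConfig ends up without the SSL policy rather than failing loudly at render time. Bind the name once, e.g. `{{- $frontendConfigName := "ssl-frontend-config" }}` near the top of the template, then use `(empty .sslPolicy | ternary "" $frontendConfigName)` here and `name: {{ $frontendConfigName }}` in the object. The template block that supplies `.ip` and `.sslPolicy` starts outside this hunk.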
@@ -56,5 +57,14 @@ spec:
 domains:
 - {{$dssHostname}}
+{{ if .sslPolicy }}
+---
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+ name: ssl-frontend-config
+spec:
+ sslPolicy: {{.sslPolicy}}
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/deploy/services/helm-charts/dss/values.schema.json b/deploy/services/helm-charts/dss/values.schema.json
index 58dcc3d3a..829f67180 100644
--- a/deploy/services/helm-charts/dss/values.schema.json
+++ b/deploy/services/helm-charts/dss/values.schema.json
@@ -117,6 +117,10 @@
 "certName": {
 "description": "Optional: ARN of the certificate for AWS only",
 "type": "string"
+ },
+ "sslPolicy": {
+ "description": "For Google only: If provided, this SSL Policy is applied to the DSS Gateway Ingress",
+ "type": "string"
 }
 },
 "required": [
@@ -181,4 +185,4 @@
 ],
 "title": "Values",
 "type": "object"
-}
\ No newline at end of file
+}
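Review bot: The added FrontendConfig has no `labels:` block, unlike the Ingress earlier in this template (the previous hunk shows its `labels:`), so it will be missed by any label selector used to inventory or clean up release objects; give it the same labels as the Ingress. `sslPolicy: {{.sslPolicy}}` renders the value unquoted, and since the name arrives from outside the chart it is cheap to guard against YAML reinterpretation with `sslPolicy: {{ .sslPolicy | quote }}`. `{{ if .sslPolicy }}` without a leading dash leaves a blank line before `---`, harmless but inconsistent with the trimming `{{- end }}` lines around it; `{{- if .sslPolicy }}` matches them. Both enclosing template blocks close in this hunk but open outside it.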