diff --git a/deployments/main.tf b/deployments/main.tf
index b00e5700..f75f13b1 100644
--- a/deployments/main.tf
+++ b/deployments/main.tf
@@ -69,11 +69,9 @@ module "dpe-sandbox-spacelift-development" {
 enable_cluster_ingress = true
 enable_otel_ingress = true
- ssl_hostname = "a09a38cc5a8d6497ea69c6bf6318701b-1974793757.us-east-1.elb.amazonaws.com"
-
- auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json"
-
- ses_email_identities = ["aws-dpe-dev@sagebase.org"]
+ ssl_hostname = "dev.sagedpe.org"
+ auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json"
+ ses_email_identities = ["aws-dpe-dev@sagebase.org"]
 
 # Defines the email address that will be used as the sender of the email alerts
 smtp_from = "aws-dpe-dev@sagebase.org"
 }
diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf
index f0cd7088..5db44e36 100644
--- a/deployments/stacks/dpe-k8s-deployments/main.tf
+++ b/deployments/stacks/dpe-k8s-deployments/main.tf
@@ -105,11 +105,8 @@ module "envoy-gateway" {
 git_revision = var.git_revision
 namespace = "envoy-gateway"
 argo_deployment_name = "envoy-gateway"
- cluster_issuer_name = "selfsigned"
- # To determine more elegant ways to fill in these values, for example, if we have
- # a pre-defined DNS name for the cluster (https://sagebionetworks.jira.com/browse/IT-3931)
- ssl_hostname = var.ssl_hostname
- auth0_jwks_uri = var.auth0_jwks_uri
+ cluster_issuer_name = "lets-encrypt-prod"
+ ssl_hostname = var.ssl_hostname
 }
 
 module "cert-manager" {
diff --git a/deployments/stacks/dpe-k8s-deployments/variables.tf b/deployments/stacks/dpe-k8s-deployments/variables.tf
index 686cca83..2b9be26a 100644
--- a/deployments/stacks/dpe-k8s-deployments/variables.tf
+++ b/deployments/stacks/dpe-k8s-deployments/variables.tf
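Review bot: `auth0_jwks_uri` is still passed into the stack on the new side of this hunk, while the envoy-gateway module call in `deployments/stacks/dpe-k8s-deployments/main.tf` (next hunk) stops consuming it, so after this commit the value is dead configuration with nothing wiring it to a JWKS check. Either drop it together with the stack's `auth0_jwks_uri` variable, or annotate it, e.g. `# Not consumed by the envoy-gateway module since the gateway SecurityPolicy was removed; kept for <consumer>`, so a reader does not assume JWT validation is still configured from here. Switching `ssl_hostname` from the ELB name to `dev.sagedpe.org` also makes certificate issuance depend on that DNS name resolving to the gateway, which the diff does not show; a comment stating where that record is managed would help.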
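Review bot: Dropping `auth0_jwks_uri` from this module call, together with the deleted `security-policy.yaml`, its kustomize patch in `modules/envoy-gateway/main.tf` and the `kustomization.yaml` swap later in this diff, removes the gateway-level JWT requirement, and nothing on the new side records where request authentication is enforced instead. A comment on this module block, such as `# JWT enforcement at the gateway (SecurityPolicy) was removed; request authentication is handled by <where>`, would make the change in exposure explicit to anyone reviewing the ingress later. The removed comment about the pre-defined DNS name (IT-3931) is presumably resolved by `dev.sagedpe.org`; a one-line note saying so would close that thread in the code.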
@@ -86,11 +86,6 @@ variable "auth0_jwks_uri" { type = string } -variable "auth0_domain" { - description = "Auth0 domain" - type = string -} - variable "smtp_user" { description = "The SMTP user. Required if smtp_user, smtp_password, and smtp_from are set" type = string diff --git a/modules/envoy-gateway/main.tf b/modules/envoy-gateway/main.tf index e35d05e2..25b2c7ff 100644 --- a/modules/envoy-gateway/main.tf +++ b/modules/envoy-gateway/main.tf @@ -63,15 +63,6 @@ spec: - op: replace path: /metadata/name value: ${var.cluster_issuer_name} - - target: - kind: SecurityPolicy - patch: |- - - op: replace - path: /spec/jwt/providers - value: - - name: auth0 - remoteJWKS: - uri: ${var.auth0_jwks_uri} destination: server: 'https://kubernetes.default.svc' namespace: ${var.namespace} diff --git a/modules/envoy-gateway/resources/cert-issuer.yaml b/modules/envoy-gateway/resources/cert-issuer.yaml index 1d4ebc9a..4608c97a 100644 --- a/modules/envoy-gateway/resources/cert-issuer.yaml +++ b/modules/envoy-gateway/resources/cert-issuer.yaml @@ -1,25 +1,18 @@ # To implement using something like letsencrypt -# apiVersion: cert-manager.io/v1 -# kind: ClusterIssuer -# metadata: -# name: letsencrypt-staging -# spec: -# acme: -# server: https://acme-staging-v02.api.letsencrypt.org/directory -# email: "bryan.fauble@sagebase.org" -# privateKeySecretRef: -# name: letsencrypt-staging-account-key -# solvers: -# - http01: -# gatewayHTTPRoute: -# parentRefs: -# - kind: Gateway -# name: eg -# namespace: envoy-gateway ---- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: selfsigned + name: lets-encrypt-prod spec: - selfSigned: {} + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "dpe@sagebase.org" + privateKeySecretRef: + name: letsencrypt-prod-account-key + solvers: + - http01: + gatewayHTTPRoute: + parentRefs: + - kind: Gateway + name: eg + namespace: envoy-gateway 
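Review bot: The rewrite leaves `lets-encrypt-prod` as the only ClusterIssuer and deletes the commented-out staging issuer, so every misconfigured solver attempt now counts against Let's Encrypt's production rate limits; keeping a staging ClusterIssuer in this file lets a stack select it through the existing `cluster_issuer_name` variable while the HTTP-01 path is proven. The issuer is named `lets-encrypt-prod` while its account key is `letsencrypt-prod-account-key`; one spelling for both avoids confusion when locating the account secret. The `gatewayHTTPRoute` solver attaches its challenge route to the same `eg` gateway that the new `http-to-https-redirect.yaml` route covers for `*.sagedpe.org`; Gateway API should prefer the solver's exact-path match over the redirect's default match, but that is inferred and worth confirming on the first issuance. The header comment `# To implement using something like letsencrypt` is now stale and should describe the live issuer.
```yaml
# … unchanged: lets-encrypt-prod ClusterIssuer …
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lets-encrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "dpe@sagebase.org"
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - kind: Gateway
                name: eg
                namespace: envoy-gateway
```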
diff --git a/modules/envoy-gateway/resources/http-to-https-redirect.yaml b/modules/envoy-gateway/resources/http-to-https-redirect.yaml
new file mode 100644
index 00000000..73dc9836
--- /dev/null
+++ b/modules/envoy-gateway/resources/http-to-https-redirect.yaml
@@ -0,0 +1,16 @@
+# Upgrades HTTP requests to HTTPS
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: tls-redirect
+spec:
+ parentRefs:
+ - name: eg
+ sectionName: http
+ hostnames:
+ - "*.sagedpe.org"
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
\ No newline at end of file
diff --git a/modules/envoy-gateway/resources/kustomization.yaml b/modules/envoy-gateway/resources/kustomization.yaml
index e72e3f85..cea76074 100644
--- a/modules/envoy-gateway/resources/kustomization.yaml
+++ b/modules/envoy-gateway/resources/kustomization.yaml
@@ -6,4 +6,4 @@ resources:
 - envoy-proxy.yaml
 - gateway.yaml
 - traffic-policy.yaml
-- security-policy.yaml
+- http-to-https-redirect.yaml
diff --git a/modules/envoy-gateway/resources/security-policy.yaml b/modules/envoy-gateway/resources/security-policy.yaml
deleted file mode 100644
index 40f6d384..00000000
--- a/modules/envoy-gateway/resources/security-policy.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: SecurityPolicy
-metadata:
- name: require-jwt-at-gateway
-spec:
- targetRef:
- group: gateway.networking.k8s.io
- kind: Gateway
- name: eg
- jwt:
- providers:
- # - name: auth0
- # remoteJWKS:
- # uri:
\ No newline at end of file
diff --git a/modules/envoy-gateway/variables.tf b/modules/envoy-gateway/variables.tf
index 9a006ee8..03f078cd 100644
--- a/modules/envoy-gateway/variables.tf
+++ b/modules/envoy-gateway/variables.tf
@@ -35,8 +35,3 @@ variable "ssl_hostname" {
 description = "The hostname to use for the SSL certificate"
 type = string
 }
-
-variable "auth0_jwks_uri" {
- description = "The JWKS URI for Auth0"
- type = string
-}
\ No newline at end of file
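Review bot: `requestRedirect` sets only `scheme: https`, so the redirect goes out with the Gateway API default status code (302); an HTTP-to-HTTPS upgrade is normally permanent so clients and caches stop retrying plain HTTP, which `statusCode: 301` under `requestRedirect` gives. The route only matches `hostnames: "*.sagedpe.org"`, so plain-HTTP requests carrying any other Host header (the load balancer's own name, for instance, or the bare `sagedpe.org`) still reach the `http` listener un-redirected; either that is intended and deserves a comment, or the hostnames list should be dropped so the redirect covers everything on that listener. `sectionName: http` presumes the `eg` Gateway declares a listener with that name, which `gateway.yaml` would show but this diff does not. The file also lacks a trailing newline.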