From 556a4ba0b2800f96387ae23567f37f50de3dfd12 Mon Sep 17 00:00:00 2001 From: BryanFauble <17128019+BryanFauble@users.noreply.github.com> Date: Tue, 5 Nov 2024 13:36:42 -0700 Subject: [PATCH] [IBCDPE-1095] Signoz move to lets encrypt (#45) Move to lets encrypt --- deployments/main.tf | 8 ++--- .../stacks/dpe-k8s-deployments/main.tf | 7 ++-- .../stacks/dpe-k8s-deployments/variables.tf | 5 --- modules/envoy-gateway/main.tf | 9 ----- .../envoy-gateway/resources/cert-issuer.yaml | 33 ++++++++----------- .../resources/http-to-https-redirect.yaml | 16 +++++++++ .../resources/kustomization.yaml | 2 +- .../resources/security-policy.yaml | 14 -------- modules/envoy-gateway/variables.tf | 5 --- 9 files changed, 35 insertions(+), 64 deletions(-) create mode 100644 modules/envoy-gateway/resources/http-to-https-redirect.yaml delete mode 100644 modules/envoy-gateway/resources/security-policy.yaml diff --git a/deployments/main.tf b/deployments/main.tf index b00e5700..f75f13b1 100644 --- a/deployments/main.tf +++ b/deployments/main.tf @@ -69,11 +69,9 @@ module "dpe-sandbox-spacelift-development" { enable_cluster_ingress = true enable_otel_ingress = true - ssl_hostname = "a09a38cc5a8d6497ea69c6bf6318701b-1974793757.us-east-1.elb.amazonaws.com" - - auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json" - - ses_email_identities = ["aws-dpe-dev@sagebase.org"] + ssl_hostname = "dev.sagedpe.org" + auth0_jwks_uri = "https://dev-sage-dpe.us.auth0.com/.well-known/jwks.json" + ses_email_identities = ["aws-dpe-dev@sagebase.org"] # Defines the email address that will be used as the sender of the email alerts smtp_from = "aws-dpe-dev@sagebase.org" } diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf index f0cd7088..5db44e36 100644 --- a/deployments/stacks/dpe-k8s-deployments/main.tf +++ b/deployments/stacks/dpe-k8s-deployments/main.tf 
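Review bot: `ssl_hostname = "dev.sagedpe.org"` now feeds an ACME HTTP-01 issuer (the cluster-issuer in this same commit), so issuance only works if that name publicly resolves to the Envoy gateway's load balancer and port 80 is reachable from the internet; the ELB hostname it replaces could not have been issued for at all, so the cutover depends on the DNS record existing before apply. The issuer also points straight at the Let's Encrypt production endpoint, which is rate-limited, so a first rollout against the staging endpoint would avoid burning issuance budget while the solver route is being debugged. A comment next to the value would record the prerequisite, e.g. `# Must resolve publicly to the envoy-gateway LB; cert-manager issues a cert for this name via HTTP-01`.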
@@ -105,11 +105,8 @@ module "envoy-gateway" { git_revision = var.git_revision namespace = "envoy-gateway" argo_deployment_name = "envoy-gateway" - cluster_issuer_name = "selfsigned" - # To determine more elegant ways to fill in these values, for example, if we have - # a pre-defined DNS name for the cluster (https://sagebionetworks.jira.com/browse/IT-3931) - ssl_hostname = var.ssl_hostname - auth0_jwks_uri = var.auth0_jwks_uri + cluster_issuer_name = "lets-encrypt-prod" + ssl_hostname = var.ssl_hostname } module "cert-manager" { diff --git a/deployments/stacks/dpe-k8s-deployments/variables.tf b/deployments/stacks/dpe-k8s-deployments/variables.tf index 686cca83..2b9be26a 100644 --- a/deployments/stacks/dpe-k8s-deployments/variables.tf +++ b/deployments/stacks/dpe-k8s-deployments/variables.tf @@ -86,11 +86,6 @@ variable "auth0_jwks_uri" { type = string } -variable "auth0_domain" { - description = "Auth0 domain" - type = string -} - variable "smtp_user" { description = "The SMTP user. Required if smtp_user, smtp_password, and smtp_from are set" type = string diff --git a/modules/envoy-gateway/main.tf b/modules/envoy-gateway/main.tf index e35d05e2..25b2c7ff 100644 --- a/modules/envoy-gateway/main.tf +++ b/modules/envoy-gateway/main.tf @@ -63,15 +63,6 @@ spec: - op: replace path: /metadata/name value: ${var.cluster_issuer_name} - - target: - kind: SecurityPolicy - patch: |- - - op: replace - path: /spec/jwt/providers - value: - - name: auth0 - remoteJWKS: - uri: ${var.auth0_jwks_uri} destination: server: 'https://kubernetes.default.svc' namespace: ${var.namespace} diff --git a/modules/envoy-gateway/resources/cert-issuer.yaml b/modules/envoy-gateway/resources/cert-issuer.yaml index 1d4ebc9a..4608c97a 100644 --- a/modules/envoy-gateway/resources/cert-issuer.yaml +++ b/modules/envoy-gateway/resources/cert-issuer.yaml 
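Review bot: Dropping `auth0_jwks_uri = var.auth0_jwks_uri` from the module call leaves the stack-level `variable "auth0_jwks_uri"` (still declared, per the variables.tf context in this commit) and the value set in deployments/main.tf with no consumer, so the JWT configuration becomes dead input rather than being removed. Either delete that variable and the deployment value alongside `auth0_domain`, or, if gateway-level JWT enforcement is meant to return, say so at the call site, e.g. `# auth0_jwks_uri intentionally not wired: gateway-level JWT enforcement was removed with the Let's Encrypt move`. The `module "envoy-gateway"` header sits in the hunk header rather than the shown lines, and the stack file continues past `module "cert-manager" {`.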
@@ -1,25 +1,18 @@ # To implement using something like letsencrypt -# apiVersion: cert-manager.io/v1 -# kind: ClusterIssuer -# metadata: -# name: letsencrypt-staging -# spec: -# acme: -# server: https://acme-staging-v02.api.letsencrypt.org/directory -# email: "bryan.fauble@sagebase.org" -# privateKeySecretRef: -# name: letsencrypt-staging-account-key -# solvers: -# - http01: -# gatewayHTTPRoute: -# parentRefs: -# - kind: Gateway -# name: eg -# namespace: envoy-gateway ---- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: selfsigned + name: lets-encrypt-prod spec: - selfSigned: {} + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "dpe@sagebase.org" + privateKeySecretRef: + name: letsencrypt-prod-account-key + solvers: + - http01: + gatewayHTTPRoute: + parentRefs: + - kind: Gateway + name: eg + namespace: envoy-gateway diff --git a/modules/envoy-gateway/resources/http-to-https-redirect.yaml b/modules/envoy-gateway/resources/http-to-https-redirect.yaml new file mode 100644 index 00000000..73dc9836 --- /dev/null +++ b/modules/envoy-gateway/resources/http-to-https-redirect.yaml @@ -0,0 +1,16 @@ +# Upgrades HTTP requests to HTTPS +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: tls-redirect +spec: + parentRefs: + - name: eg + sectionName: http + hostnames: + - "*.sagedpe.org" + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https \ No newline at end of file diff --git a/modules/envoy-gateway/resources/kustomization.yaml b/modules/envoy-gateway/resources/kustomization.yaml index e72e3f85..cea76074 100644 --- a/modules/envoy-gateway/resources/kustomization.yaml +++ b/modules/envoy-gateway/resources/kustomization.yaml @@ -6,4 +6,4 @@ resources: - envoy-proxy.yaml - gateway.yaml - traffic-policy.yaml -- security-policy.yaml +- http-to-https-redirect.yaml 
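Review bot: The ClusterIssuer hardcodes the HTTP-01 solver's parentRef to Gateway `eg` in namespace `envoy-gateway`, while the surrounding Terraform only patches `/metadata/name` from `var.cluster_issuer_name` and deploys into `${var.namespace}`; if the module is ever applied with a different namespace the solver route attaches to a Gateway that does not exist and issuance stalls with no obvious error. Either patch `/spec/acme/solvers/0/http01/gatewayHTTPRoute/parentRefs/0/namespace` from `var.namespace` in main.tf as well, or state the coupling here: `# parentRefs must point at the Gateway from gateway.yaml in this module's namespace`. The leading `# To implement using something like letsencrypt` comment is now stale and should describe what the issuer is, and `privateKeySecretRef.name: letsencrypt-prod-account-key` does not match the issuer name `lets-encrypt-prod`, which hampers grepping. Since this is the production ACME endpoint and the staging issuer block was deleted, there is no longer a non-rate-limited issuer to fall back on while debugging.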
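Review bot: `requestRedirect` sets only `scheme: https`, so the redirect goes out with the Gateway API default status code 302, which clients treat as temporary and may keep retrying over plain HTTP; an HTTP-to-HTTPS upgrade should be permanent, e.g. `statusCode: 301` (or 308 if non-GET methods must be preserved across the redirect). The route also matches every `*.sagedpe.org` name on the `http` listener with no path match, so it relies on Gateway API precedence to let cert-manager's solver route (exact hostname, exact `/.well-known/acme-challenge/...` path) win over this catch-all; that is the expected behaviour but a redirected challenge would break issuance, so it deserves a comment: `# Catch-all; cert-manager's HTTP-01 solver route is more specific and must take precedence`. The file is also missing its trailing newline.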
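Review bot: Replacing `security-policy.yaml` with `http-to-https-redirect.yaml` removes the only SecurityPolicy targeting Gateway `eg`, and the Terraform patch that filled `/spec/jwt/providers` with the Auth0 JWKS is deleted in the same commit, so after this change nothing at the gateway requires a JWT on incoming requests (unless a policy defined outside this module still applies, which the diff does not show). The TLS change and the auth change are unrelated, and bundling them hides that the exposed endpoint is now reachable without a gateway-level token. If the intent is to rely on the upstream application's own login, that decision belongs in the commit message or a comment here, e.g. `# No SecurityPolicy: gateway-level JWT auth was removed; auth is handled by the upstream application`; otherwise keep a SecurityPolicy with the provider populated rather than deleting it.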
diff --git a/modules/envoy-gateway/resources/security-policy.yaml b/modules/envoy-gateway/resources/security-policy.yaml deleted file mode 100644 index 40f6d384..00000000 --- a/modules/envoy-gateway/resources/security-policy.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: SecurityPolicy -metadata: - name: require-jwt-at-gateway -spec: - targetRef: - group: gateway.networking.k8s.io - kind: Gateway - name: eg - jwt: - providers: - # - name: auth0 - # remoteJWKS: - # uri: \ No newline at end of file diff --git a/modules/envoy-gateway/variables.tf b/modules/envoy-gateway/variables.tf index 9a006ee8..03f078cd 100644 --- a/modules/envoy-gateway/variables.tf +++ b/modules/envoy-gateway/variables.tf @@ -35,8 +35,3 @@ variable "ssl_hostname" { description = "The hostname to use for the SSL certificate" type = string } - -variable "auth0_jwks_uri" { - description = "The JWKS URI for Auth0" - type = string -} \ No newline at end of file