[terraform-google][helm] Set SSL policy to enforce secure TLS connect…

…ions (#997) * [terraform][google] Set SSL policy to enforce secure TLS connections * Set ssl policy in helm * Address Review comments
interuss · Feb 14, 2024 · 1ea7ebf · 1ea7ebf
1 parent 7579299
commit 1ea7ebf
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 7 deletions.
diff --git a/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf b/deploy/infrastructure/dependencies/terraform-commons-dss/main.tf
@@ -104,9 +104,10 @@ resource "local_file" "helm_chart_values" {
       ]
 
       dssGateway = {
-        ip       = var.ip_gateway
-        subnet   = var.workload_subnet
-        certName = var.gateway_cert_name
+        ip        = var.ip_gateway
+        subnet    = var.workload_subnet
+        certName  = var.gateway_cert_name
+        sslPolicy = var.ssl_policy
       }
     }
 

diff --git a/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf b/deploy/infrastructure/dependencies/terraform-commons-dss/variables_internal.tf
@@ -55,4 +55,10 @@ variable "workload_subnet" {
   type        = string
   description = "Only required for AWS cloud provider. Subnet where the kubernetes worker nodes is deployed. For AWS, provide the name or the id of the workload_subnet"
   default     = ""
-}
+}
+
+variable "ssl_policy" {
+  type        = string
+  description = "Only required for Google cloud provider. Name of the SSL policy created for the DSS Gateway Ingress."
+  default     = ""
+}
diff --git a/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf b/deploy/infrastructure/dependencies/terraform-google-kubernetes/cluster.tf
@@ -13,6 +13,7 @@ resource "google_container_cluster" "kubernetes_cluster" {
   }
 
   min_master_version = var.kubernetes_version
+
 }
 
 resource "google_container_node_pool" "dss_pool" {
@@ -62,3 +63,9 @@ resource "google_compute_address" "ip_crdb" {
 locals {
   kubectl_cluster_context_name = format("gke_%s_%s_%s", google_container_cluster.kubernetes_cluster.project, google_container_cluster.kubernetes_cluster.location, google_container_cluster.kubernetes_cluster.name)
 }
+
+resource "google_compute_ssl_policy" "secure" {
+  name            = format("%s-secure-ssl-policy", var.cluster_name)
+  profile         = "RESTRICTED"
+  min_tls_version = "TLS_1_2"
+}
diff --git a/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf b/deploy/infrastructure/dependencies/terraform-google-kubernetes/output.tf
@@ -29,11 +29,15 @@ output "ip_gateway" {
   value = google_compute_global_address.ip_gateway.name
 }
 
+output "ssl_policy" {
+  value = google_compute_ssl_policy.secure.name
+}
+
 output "crdb_nodes" {
   value = [
     for i in google_compute_address.ip_crdb : {
       ip  = i.address
       dns = i.description
     }
   ]
-}
+}
diff --git a/deploy/infrastructure/modules/terraform-google-dss/main.tf b/deploy/infrastructure/modules/terraform-google-dss/main.tf
@@ -27,6 +27,7 @@ module "terraform-commons-dss" {
   kubernetes_api_endpoint        = module.terraform-google-kubernetes.kubernetes_api_endpoint
   crdb_internal_nodes            = module.terraform-google-kubernetes.crdb_nodes
   ip_gateway                     = module.terraform-google-kubernetes.ip_gateway
+  ssl_policy                     = module.terraform-google-kubernetes.ssl_policy
   kubernetes_cloud_provider_name = module.terraform-google-kubernetes.kubernetes_cloud_provider_name
   kubernetes_context_name        = module.terraform-google-kubernetes.kubernetes_context_name
   kubernetes_get_credentials_cmd = module.terraform-google-kubernetes.kubernetes_get_credentials_cmd

diff --git a/deploy/services/helm-charts/dss/templates/_networking-google.tpl b/deploy/services/helm-charts/dss/templates/_networking-google.tpl
@@ -9,7 +9,10 @@ loadBalancerIP: {{.ip}}
 kubernetes.io/ingress.allow-http: "false"
 kubernetes.io/ingress.global-static-ip-name: {{.ip}}
 networking.gke.io/managed-certificates: {{.certName}}
+{{- if .frontendConfig }}
+networking.gke.io/v1beta1.FrontendConfig: {{.frontendConfig}}
+{{- end -}}
 {{- end -}}
 
 {{- define "google-ingress-spec" -}}
-{{- end -}}
+{{- end -}}
diff --git a/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml b/deploy/services/helm-charts/dss/templates/dss-ingress-google.yaml
@@ -28,6 +28,7 @@ metadata:
       (dict
         "certName" (printf "%s-core-service-https-certificate" $.Release.Name)
         "ip" .ip
+        "frontendConfig" (empty .sslPolicy | ternary "" "ssl-frontend-config")
       ) | nindent 4
     }}
   labels:
@@ -56,5 +57,14 @@ spec:
   domains:
     - {{$dssHostname}}
 
+{{ if .sslPolicy }}
+---
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: ssl-frontend-config
+spec:
+  sslPolicy: {{.sslPolicy}}
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/deploy/services/helm-charts/dss/values.schema.json b/deploy/services/helm-charts/dss/values.schema.json
@@ -117,6 +117,10 @@
             "certName": {
               "description": "Optional: ARN of the certificate for AWS only",
               "type": "string"
+            },
+            "sslPolicy": {
+              "description": "For Google only: If provided, this SSL Policy is applied to the DSS Gateway Ingress",
+              "type": "string"
             }
           },
           "required": [
@@ -181,4 +185,4 @@
   ],
   "title": "Values",
   "type": "object"
-}
+}