Merge pull request #2086 from bcgov/cert-process

Cert process
bcgov · Aug 14, 2023 · ebd2ccd · ebd2ccd
2 parents 5a4ce84 + 5a93569
commit ebd2ccd
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 42 deletions.
diff --git a/.github/actions/app/action.yaml b/.github/actions/app/action.yaml
@@ -65,6 +65,15 @@ inputs:
   metabase_embed_secret:
     description: 'Metabase embed secret key'
     required: true
+  cert:
+    description: 'Certificate for secure route'
+    required: true
+  cert_key:
+    description: 'Certificate key for secure route'
+    required: true
+  cert_ca:
+    description: 'Certificate CA for secure route'
+    required: true
 
 runs:
   using: composite
@@ -86,7 +95,9 @@ runs:
         aws_clam_s3_bucket: ${{ inputs.aws_clam_s3_bucket }}
         metabase_site_url: ${{ inputs.metabase_site_url }}
         metabase_embed_secret: ${{ inputs.metabase_embed_secret }}
-
+        cert: ${{ inputs.cert }}
+        cert_key: ${{ inputs.cert_key }}
+        cert_ca: ${{ inputs.cert_ca }}
         insecure_skip_tls_verify: true
     - run: |
         chmod +x ./lib/app_deploy.sh
@@ -110,6 +121,9 @@ runs:
           --set certbot.certbot.email=${{ inputs.certbot_email }} \
           --set certbot.certbot.server=${{ inputs.certbot_server }} \
           --set loadTest.enable=${{ inputs.enable_load_test }} \
+          --set cert.cert="${{ inputs.cert }}" \
+          --set cert.key="${{ inputs.cert_key }}" \
+          --set cert.ca="${{ inputs.cert_ca }}" \
           --values values-${{ inputs.environment }}.yaml
 
       shell: bash
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -21,6 +21,9 @@ on:
       CERTBOT_SERVER: { required: true }
       METABASE_SITE_URL: { required: true }
       METABASE_EMBED_SECRET: { required: true }
+      CERT: { required: true }
+      CERT_KEY: { required: true }
+      CERT_CA: { required: true }
 
 env:
   TAG: sha-${{ github.sha }}
@@ -71,6 +74,9 @@ jobs:
           certbot_server: ${{ secrets.CERTBOT_SERVER }}
           metabase_site_url: ${{ secrets.METABASE_SITE_URL }}
           metabase_embed_secret: ${{ secrets.METABASE_EMBED_SECRET }}
+          cert: ${{ secrets.CERT }}
+          cert_key: ${{ secrets.CERT_KEY }}
+          cert_ca: ${{ secrets.CERT_CA }}
           environment: dev
 
   ensure-sqitch-plan-ends-with-tag:
@@ -118,6 +124,9 @@ jobs:
           certbot_server: ${{ secrets.CERTBOT_SERVER }}
           metabase_site_url: ${{ secrets.METABASE_SITE_URL }}
           metabase_embed_secret: ${{ secrets.METABASE_EMBED_SECRET }}
+          cert: ${{ secrets.CERT }}
+          cert_key: ${{ secrets.CERT_KEY }}
+          cert_ca: ${{ secrets.CERT_CA }}
           environment: test
 
   deploy-to-openshift-production:
@@ -156,6 +165,9 @@ jobs:
           certbot_server: ${{ secrets.CERTBOT_SERVER }}
           metabase_site_url: ${{ secrets.METABASE_SITE_URL }}
           metabase_embed_secret: ${{ secrets.METABASE_EMBED_SECRET }}
+          cert: ${{ secrets.CERT }}
+          cert_key: ${{ secrets.CERT_KEY }}
+          cert_ca: ${{ secrets.CERT_CA }}
           environment: prod
 
   create-release:

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -118,3 +118,6 @@ jobs:
       AWS_CLAM_S3_BUCKET: ${{ secrets.AWS_CLAM_S3_BUCKET }}
       METABASE_EMBED_SECRET: ${{ secrets.METABASE_EMBED_SECRET }}
       METABASE_SITE_URL: ${{ secrets.METABASE_SITE_URL }}
+      CERT: ${{ secrets.CERT }}
+      CERT_KEY: ${{ secrets.CERT_KEY }}
+      CERT_CA: ${{ secrets.CERT_CA }}
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@
 - [Deploying the project](#deploying-the-project)
 - [Disaster recovery information](#disaster-recovery-documentation)
 - [CronJobs](#cronjobs)
+- [Certificates] (#certificates)
 
 ## Setting up a local development environment
 
@@ -219,8 +220,6 @@ To deploy the project into a a new namespace or to deploy another instance of th
    - AWS_S3_KEY
    - AWS_S3_REGION
    - AWS_S3_SECRET_KEY
-   - CERTBOT_EMAIL
-   - CERTBOT_SERVER
    - CLIENT_SECRET
      - SSO Client Secret
    - NEXT_PUBLIC_GROWTHBOOK_API_KEY
@@ -232,6 +231,9 @@ To deploy the project into a a new namespace or to deploy another instance of th
    - OPENSHIFT_ROUTE
    - OPENSHIFT_SECURE_ROUTE
    - OPENSHIFT_TOKEN
+   - CERT
+   - CERT_KEY
+   - CERT_CA
 
 3. Create any updated values as needed for your new deployment under `helm/app`. For example, if you named your environment `foo` you will create a file named `values-foo.yaml`
 4. Add an extra step to `.github/workflows/deploy.yaml` with updated job and environment name.
@@ -257,10 +259,6 @@ Managed by the PostgresCluster Operator (CrunchyDB), performs an incremental dat
 
 As above managed by CrunchyDB. Performs a full backup of the database everyday at 1:00AM Pacific Time.
 
-#### Certbot
-
-As the name implies; a job that uses certbot to keep the TLS certificate up to date. Runs everyday at 5:00PM Pacific Time.
-
 #### Receive applications
 
 Marks all applications for a specific intake as received on the database. Runs twice a day at 10:00 AM and 10:00PM Pacific time.
@@ -280,3 +278,18 @@ To run any of the CronJobs above manually:
 3. Once ran you should see `job.batch/[YOUR JOB NAME]` created
 
 Note that you cannot run a job with the same name twice, if you need to rerun a job either delete the old job and re run the command from step 2, or use a different name.
+
+### Certificates
+
+Certificates are generated using the standard BC Government process:
+
+Certificates are generated using the standard BC Government process:
+
+1. Create a submission for certificates through MySC.
+2. Generate a CSR or use one already generated and provide it when requested. If a new one is needed, you can use the following command:
+   `openssl req -new -newkey rsa:2048 -nodes -out domain.ca.csr -keyout domain.ca.key -subj "/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/OU=NetworkBC/CN=domain.ca"` replace `domain.ca` with the domain you are generating a certificate for.
+
+3. The step above will give you two files, `domain.ca.csr` and `domain.ca.key`. You will _only_ need to share the CSR; the key will be saved in a secret as listed above during deployment.
+4. Once complete, you will receive a certificate and a chain. Use them in the `CERT` and `CERT_CA` fields, respectively. You might also need to update `CERT_KEY` if a new CSR was used.
+5. Repeat this process for any other certificates you need to renew (e.g., dev, test, etc.).
+6. Finally, to update the certificates run the deploy action for each environment that needs updating.
diff --git a/helm/app/Chart.yaml b/helm/app/Chart.yaml
@@ -24,9 +24,6 @@ version: 0.1.0
 appVersion: '1.16.0'
 
 dependencies:
-  - name: certbot
-    version: 0.1.3
-    repository: https://bcdevops.github.io/certbot
   - name: crunchy-postgres
     version: 0.4.0
     repository: https://bcgov.github.io/crunchy-postgres/
diff --git a/helm/app/templates/routes/secureRoute.yaml b/helm/app/templates/routes/secureRoute.yaml
@@ -1,19 +1,8 @@
-{{- $route := (lookup "route.openshift.io/v1" "Route" .Release.Namespace "ccbc-secure") }}
-{{- $certificate := "" }}
-{{- $key := "" }}
-{{- $caCertificate := "" }}
-{{- if $route }}
-{{- $certificate = $route.spec.tls.certificate }}
-{{- $key = $route.spec.tls.key }}
-{{- $caCertificate = $route.spec.tls.caCertificate }}
-{{- end -}}
-
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   name: ccbc-secure
   labels: {{ include "ccbc.labels" . | nindent 4 }}
-    certbot-managed: "true"
   annotations:
     haproxy.router.openshift.io/balance: roundrobin
     haproxy.router.openshift.io/timeout: 1800s
@@ -26,18 +15,16 @@ spec:
   tls:
     termination: edge
     insecureEdgeTerminationPolicy: Redirect
-    {{- if $route }}
-    certificate: {{ $certificate | quote }}
-    key: {{ $key | quote }}
-    caCertificate: {{ $caCertificate | quote }}
-    {{- end }}
+    certificate: {{ .Values.cert.cert | quote }}
+    key: {{ .Values.cert.key | quote }}
+    caCertificate: {{ .Values.cert.ca | quote }}
   to:
     kind: Service
     name: {{ template "ccbc.fullname" . }}
     weight: 100
   wildcardPolicy: None
 
-{{- if .Values.secureRoute.wwwRoute.enable }}
+{{- if .Values.secureRoute.wwwRoute.enable | quote }}
 ---
 # The www route isn't managed by certbot to avoid duplicate certificate requests
 # It will need a redeploy to fetch the new cert from the route above
@@ -53,11 +40,9 @@ spec:
   tls:
     termination: edge
     insecureEdgeTerminationPolicy: Redirect
-    {{- if $route }}
-    certificate: {{ $certificate | quote }}
-    key: {{ $key | quote }}
-    caCertificate: {{ $caCertificate | quote }}
-    {{- end }}
+    certificate: {{ .Values.cert.cert | quote }}
+    key: {{ .Values.cert.key | quote }}
+    caCertificate: {{ .Values.cert.ca | quote }}
   to:
     kind: Service
     name: {{ template "ccbc.fullname" . }}

diff --git a/helm/app/values.yaml b/helm/app/values.yaml
@@ -67,6 +67,15 @@ objectStorage:
   awsS3SecretKey: '' # The value must be passed in via the deploy script
   awsRoleArn: '' # The value must be passed in via the deploy script
 
+# Must be passed via the deploy script
+cert:
+  cert: |
+    ''
+  key: |
+    ''
+  ca: |
+    ''
+
 db:
   name: ccbc
   appUser: ccbc_app
@@ -90,16 +99,6 @@ metabase:
   prodIngress:
     enable: false
 
-certbot:
-  image:
-    tag: 1.0.2
-    pullPolicy: IfNotPresent
-  certbot:
-    email: '' # The value must be passed in via the deploy script
-    server: '' # The value must be passed in via the deploy script
-  cron:
-    suspend: false # The certs have been issued in all environments
-
 loadTest:
   # if true, this will start the app with ENABLE_MOCK_AUTH=true, and deploy the data located in `db/data/perf`
   # These settings enable load testing, which is triggered in a separate helm chart