From e5c360452cc0892f07aedb434d0c9adc77acd5d0 Mon Sep 17 00:00:00 2001
From: dandds
Date: Fri, 2 Aug 2019 07:42:20 -0400
Subject: [PATCH] Add SSL/TLS config for staging sites.

This presumes the existence of TLS kubernetes secrets available in both clusters. It adds NGINX config for SSL termination and the necessary k8s config to write the certificate and private key to the NGINX container.
---
 k8s/aws/atst-nginx-configmap.yml | 50 ++++++++++--------------------
 k8s/aws/aws.yml | 18 +++++++++--
 k8s/azure/atst-nginx-configmap.yml | 50 ++++++++++--------------------
 k8s/azure/azure.yml | 18 +++++++++--
 4 files changed, 66 insertions(+), 70 deletions(-)

diff --git a/k8s/aws/atst-nginx-configmap.yml b/k8s/aws/atst-nginx-configmap.yml
index cd0d051e..2818ff2d 100644
--- a/k8s/aws/atst-nginx-configmap.yml
+++ b/k8s/aws/atst-nginx-configmap.yml
@@ -9,11 +9,10 @@ data:
 server {
 server_name aws.atat.code.mil;
 # access_log /var/log/nginx/access.log json;
- listen 8442;
- listen [::]:8442 ipv6only=on;
- # if ($http_x_forwarded_proto != 'https') {
- # return 301 https://$host$request_uri;
- # }
+ listen 8442 ssl;
+ listen [::]:8442 ssl ipv6only=on;
+ ssl_certificate /etc/ssl/private/atat.crt;
+ ssl_certificate_key /etc/ssl/private/atat.key;
 location /login-redirect {
 return 301 https://auth-aws.atat.code.mil$request_uri;
 }
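Review bot: The new `listen 8442 ssl` server pins a certificate but sets no protocol or cipher policy, so nginx's built-in defaults apply — on releases current in 2019 the default `ssl_protocols` still offers TLSv1 and TLSv1.1 — and the only hardening proposal in the file is the commented-out block that the second hunk of this file deletes. Add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` (plus the cipher list from the removed comment) here, or better once in the enclosing `http` context, which is outside this hunk, so both vhosts inherit it. The removed `$http_x_forwarded_proto` redirect gets no successor: with `port: 80` dropped from the Service nothing answers plain HTTP, which is safe but means `http://aws.atat.code.mil` now refuses the connection instead of redirecting. This `server` block continues past the hunk, so an `ssl_*` or HSTS directive further down would change this assessment.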
@@ -39,29 +38,14 @@ data:
 server {
 # access_log /var/log/nginx/access.log json;
 server_name auth-aws.atat.code.mil;
- listen 8443;
- listen [::]:8443 ipv6only=on;
- # SSL server certificate and private key
- # ssl_certificate /etc/ssl/private/auth.atat.crt;
- # ssl_certificate_key /etc/ssl/private/auth.atat.key;
- # Set SSL protocols, ciphers, and related options
- # ssl_protocols TLSv1.3 TLSv1.2;
- # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- # ssl_prefer_server_ciphers on;
- # ssl_ecdh_curve secp384r1;
- # ssl_dhparam /etc/ssl/dhparam.pem;
- # SSL session options
- # ssl_session_timeout 4h;
- # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
- # ssl_session_tickets off;
- # OCSP Stapling
- # ssl_stapling on;
- # ssl_stapling_verify on;
- # resolver 8.8.8.8 8.8.4.4;
+ listen 8443 ssl;
+ listen [::]:8443 ssl ipv6only=on;
+ ssl_certificate /etc/ssl/private/atat.crt;
+ ssl_certificate_key /etc/ssl/private/atat.key;
 # Request and validate client certificate
- # ssl_verify_client on;
- # ssl_verify_depth 10;
- # ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
+ ssl_verify_client on;
+ ssl_verify_depth 10;
+ ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
 # Guard against HTTPS -> HTTP downgrade
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
 location / {
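Review bot: The entire hardening template — `ssl_protocols`, `ssl_ciphers`, `ssl_session_tickets off`, OCSP stapling — is deleted rather than enabled, so the mTLS auth endpoint runs on nginx defaults (TLSv1.0/1.1 still offered on releases of this period, session tickets on with a never-rotated key). At minimum keep `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `ssl_session_tickets off;` from the removed lines. The context line `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";` has nginx's `always` flag inside the quoted value, so it is sent to browsers as an unknown HSTS token and the header is still omitted on 4xx/5xx responses; it should read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Both vhosts now present `/etc/ssl/private/atat.crt`, so that certificate needs `auth-aws.atat.code.mil` as a SAN alongside `aws.atat.code.mil` — the secret contents are not in this diff, so that is something to verify before rollout.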
@@ -73,12 +57,12 @@ data:
 location @app {
 include uwsgi_params;
 uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
- # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
- # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
- # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
- # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
- # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
- # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+ uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+ uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+ uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+ uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+ uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+ uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
 uwsgi_param HTTP_X_REQUEST_ID $request_id;
 }
 }
diff --git a/k8s/aws/aws.yml b/k8s/aws/aws.yml
index a5ab4588..ceaa8993 100644
--- a/k8s/aws/aws.yml
+++ b/k8s/aws/aws.yml
@@ -60,6 +60,10 @@ spec:
 - name: nginx-htpasswd
 mountPath: "/etc/nginx/.htpasswd"
 subPath: .htpasswd
+ - name: tls
+ mountPath: "/etc/ssl/private"
+ - name: nginx-client-ca-bundle
+ mountPath: "/etc/ssl/"
 volumes:
 - name: atst-config
 secret:
@@ -91,6 +95,16 @@ spec:
 - key: htpasswd
 path: .htpasswd
 mode: 0640
+ - name: tls
+ secret:
+ secretName: aws-atat-code-mil-tls
+ items:
+ - key: tls.crt
+ path: atat.crt
+ mode: 0644
+ - key: tls.key
+ path: atat.key
+ mode: 0640
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -155,7 +169,7 @@ metadata:
 service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
 spec:
 ports:
- - port: 80
+ - port: 443
 targetPort: 8442
 selector:
 role: web
@@ -172,7 +186,7 @@ metadata:
 service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
 spec:
 ports:
- - port: 80
+ - port: 443
 targetPort: 8443
 selector:
 role: web
diff --git a/k8s/azure/atst-nginx-configmap.yml b/k8s/azure/atst-nginx-configmap.yml
index 77f69e5f..c4b55d7a 100644
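Review bot: Forwarding `$ssl_client_raw_cert` on every request puts a full PEM certificate (typically 1.5–3 KB for CAC/PIV certs) plus four DN strings into the uwsgi header block, and uWSGI rejects a request whose header block exceeds its `buffer-size`, which defaults to 4096 bytes — so the uWSGI side needs a larger `buffer-size` (e.g. 32768) or this will show up as intermittent 502s for users with larger certificates; the uWSGI config is not in this diff, so please confirm. On this vhost the values cannot be spoofed, because nginx's uwsgi module, like its fastcgi module, drops a client request header whose `HTTP_*` name matches a configured `uwsgi_param`; the non-mTLS vhost on 8442 has no such params, so a client-supplied `X-SSL-Client-Verify: SUCCESS` header would reach the app there as `HTTP_X_SSL_CLIENT_VERIFY` unless the app keys its trust on the vhost. If it does not, add `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "";` (and the same for the other five names) to the 8442 server's `@app` location, which is outside this hunk. Which `server` block this `location @app` belongs to is not visible here; the line numbers suggest the auth server.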
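Review bot: Mounting `nginx-client-ca-bundle` at `/etc/ssl/` overlays the image's whole `/etc/ssl` tree (`certs/`, `openssl.cnf`), not just the bundle file, so anything in the container that relies on the system CA store — OCSP stapling verification, any `proxy_ssl_*`/`uwsgi_ssl_*` upstream, a `curl`-based health check — stops working. Give the bundle its own directory, e.g. `mountPath: "/etc/ssl/client-ca"` with `ssl_client_certificate /etc/ssl/client-ca/client-ca-bundle.pem;` in the configmap; a `subPath` mount onto the single file also works but would not pick up secret updates if the bundle is ever rotated. The nested `/etc/ssl/private` mount inside `/etc/ssl/` is generally handled by the runtime, but the nesting disappears once the bundle gets its own path. The `volumes:` hunk below adds only `tls`; if `nginx-client-ca-bundle` is not already defined elsewhere in this Deployment (not visible here), the pod will be rejected for referencing an undefined volume.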
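Review bot: Nothing here triggers a reload when `aws-atat-code-mil-tls` is renewed: kubelet refreshes the projected files in place, but nginx only reads `atat.key`/`atat.crt` at startup, so a rotated certificate stays unused until the pod is restarted or `nginx -s reload` is run. Document this next to the volume, e.g. `# nginx loads the key/cert once at startup; roll the Deployment after the Secret is rotated`, or wire a checksum annotation on the pod template to force a rollout. `mode: 0640` on `atat.key` is readable only by root and the file's group; that is fine while the nginx master runs as root, but if the pod template sets a non-root `runAsUser` (not visible in this hunk) the key would be unreadable and the container would fail to start.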
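Review bot: Replacing `port: 80` with `port: 443` removes the only plain-HTTP entry point without adding a redirect, so `http://aws.atat.code.mil` now gets a connection refused rather than a 301 to HTTPS, and the `$http_x_forwarded_proto` redirect deleted from the configmap has no successor. Keep a second Service port, `- port: 80` with `targetPort: 8080`, and a minimal server in the configmap, `server { listen 8080; return 301 https://$host$request_uri; }`, so first-time visitors land on the HTTPS vhost where HSTS is set. Because the NLB is a layer-4 balancer, TLS terminates in nginx and the certificate in the `tls` secret, not an ACM certificate, is what clients see — consistent with the configmap change, but worth stating in the commit message. The 8443 Service hunk below has the same shape; as an mTLS-only endpoint it can reasonably stay HTTPS-only.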
--- a/k8s/azure/atst-nginx-configmap.yml
+++ b/k8s/azure/atst-nginx-configmap.yml
@@ -9,11 +9,10 @@ data:
 server {
 server_name azure.atat.code.mil;
 # access_log /var/log/nginx/access.log json;
- listen 8442;
- listen [::]:8442 ipv6only=on;
- # if ($http_x_forwarded_proto != 'https') {
- # return 301 https://$host$request_uri;
- # }
+ listen 8442 ssl;
+ listen [::]:8442 ssl ipv6only=on;
+ ssl_certificate /etc/ssl/private/atat.crt;
+ ssl_certificate_key /etc/ssl/private/atat.key;
 location /login-redirect {
 return 301 https://auth-azure.atat.code.mil$request_uri;
 }
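Review bot: As in the AWS configmap, `listen 8442 ssl` is enabled with only a certificate and key, leaving `ssl_protocols` and `ssl_ciphers` at nginx defaults (TLSv1.0/1.1 still on offer for releases of this period). Add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` to this server or, preferably, once in the enclosing `http` block outside this hunk so both Azure vhosts share one policy. The commented-out `$http_x_forwarded_proto` redirect is removed instead of being turned into a real port-80 redirect, so plain-HTTP requests to `azure.atat.code.mil` now fail rather than upgrade. The `server` block continues past this hunk.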
@@ -39,29 +38,14 @@ data:
 server {
 # access_log /var/log/nginx/access.log json;
 server_name auth-azure.atat.code.mil;
- listen 8443;
- listen [::]:8443 ipv6only=on;
- # SSL server certificate and private key
- # ssl_certificate /etc/ssl/private/auth.atat.crt;
- # ssl_certificate_key /etc/ssl/private/auth.atat.key;
- # Set SSL protocols, ciphers, and related options
- # ssl_protocols TLSv1.3 TLSv1.2;
- # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- # ssl_prefer_server_ciphers on;
- # ssl_ecdh_curve secp384r1;
- # ssl_dhparam /etc/ssl/dhparam.pem;
- # SSL session options
- # ssl_session_timeout 4h;
- # ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
- # ssl_session_tickets off;
- # OCSP Stapling
- # ssl_stapling on;
- # ssl_stapling_verify on;
- # resolver 8.8.8.8 8.8.4.4;
+ listen 8443 ssl;
+ listen [::]:8443 ssl ipv6only=on;
+ ssl_certificate /etc/ssl/private/atat.crt;
+ ssl_certificate_key /etc/ssl/private/atat.key;
 # Request and validate client certificate
- # ssl_verify_client on;
- # ssl_verify_depth 10;
- # ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
+ ssl_verify_client on;
+ ssl_verify_depth 10;
+ ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
 # Guard against HTTPS -> HTTP downgrade
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
 location / {
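Review bot: The protocol, cipher, session and OCSP hardening that was staged here as comments is deleted rather than switched on, so the Azure auth vhost falls back to nginx defaults — older TLS versions offered, session tickets enabled with a static key. Restore at least `ssl_protocols TLSv1.2 TLSv1.3;`, `ssl_prefer_server_ciphers on;` and `ssl_session_tickets off;` alongside the new `ssl_certificate` lines. The HSTS context line quotes `always` as part of the header value, so the header is not applied to error responses and browsers receive a meaningless `always` token; it should be `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. With `ssl_verify_client on` and `ssl_verify_depth 10`, also confirm that `/etc/ssl/client-ca-bundle.pem` holds only the intended issuing CAs, since any certificate chaining to a CA in that bundle now passes the TLS layer and the app sees only the forwarded DN strings; the bundle's contents are not in this diff.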
@@ -73,12 +57,12 @@ data:
 location @app {
 include uwsgi_params;
 uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
- # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
- # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
- # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
- # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
- # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
- # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+ uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+ uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+ uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+ uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+ uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+ uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
 uwsgi_param HTTP_X_REQUEST_ID $request_id;
 }
 }
diff --git a/k8s/azure/azure.yml b/k8s/azure/azure.yml
index 8fc03623..a3854665 100644
--- a/k8s/azure/azure.yml
+++ b/k8s/azure/azure.yml
@@ -60,6 +60,10 @@ spec:
 - name: nginx-htpasswd
 mountPath: "/etc/nginx/.htpasswd"
 subPath: .htpasswd
+ - name: tls
+ mountPath: "/etc/ssl/private"
+ - name: nginx-client-ca-bundle
+ mountPath: "/etc/ssl/"
 volumes:
 - name: atst-config
 secret:
@@ -91,6 +95,16 @@ spec:
 - key: htpasswd
 path: .htpasswd
 mode: 0640
+ - name: tls
+ secret:
+ secretName: azure-atat-code-mil-tls
+ items:
+ - key: tls.crt
+ path: atat.crt
+ mode: 0644
+ - key: tls.key
+ path: atat.key
+ mode: 0640
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -154,7 +168,7 @@ metadata:
 spec:
 loadBalancerIP: 13.92.235.6
 ports:
- - port: 80
+ - port: 443
 targetPort: 8442
 selector:
 role: web
@@ -170,7 +184,7 @@ metadata:
 spec:
 loadBalancerIP: 23.100.24.41
 ports:
- - port: 80
+ - port: 443
 targetPort: 8443
 selector:
 role: web
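Review bot: Sending `$ssl_client_raw_cert` plus four DN variables to uWSGI on every request will exceed uWSGI's default 4 KiB `buffer-size` for users with larger client certificates, producing request rejections that look like random 502s; the uWSGI side (not in this diff) needs `buffer-size` raised, e.g. to 32768, before this goes live. These `HTTP_X_SSL_CLIENT_*` params are safe on this vhost because nginx suppresses a client-sent header whose `HTTP_*` name matches a configured `uwsgi_param`, but the 8442 vhost has no equivalent lines, so the app must not trust `HTTP_X_SSL_CLIENT_VERIFY` on requests arriving there — or that vhost's `@app` (outside this hunk) should set `uwsgi_param HTTP_X_SSL_CLIENT_VERIFY "";` to blank it explicitly. The enclosing `server` block is not visible in this hunk.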
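Review bot: `mountPath: "/etc/ssl/"` for the client CA bundle replaces the container's entire `/etc/ssl` directory, including the system trust store under `/etc/ssl/certs`, rather than adding one file to it; any outbound TLS verification from this container (OCSP, upstream `*_ssl_*` directives, health-check tooling) will then fail. Mount it under a dedicated path such as `mountPath: "/etc/ssl/client-ca"` and point `ssl_client_certificate` in the configmap at `/etc/ssl/client-ca/client-ca-bundle.pem`. The matching `volumes:` entry for `nginx-client-ca-bundle` is not added in this diff; if it is not already declared in the Deployment, the pod spec is invalid. On the Service side, the Azure load balancer is layer-4, so the `port: 443` change correctly passes TLS through to nginx, but as with AWS there is no longer any port-80 listener to redirect plain-HTTP visitors to HTTPS — a `- port: 80` / `targetPort: 8080` entry plus a `server { listen 8080; return 301 https://$host$request_uri; }` block would restore that.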