From commits-return-3017-archive-asf-public=cust-asf.ponee.io@dlab.apache.org Thu Nov 14 10:47:24 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id B1719180607 for ; Thu, 14 Nov 2019 11:47:23 +0100 (CET) Received: (qmail 14483 invoked by uid 500); 14 Nov 2019 10:47:23 -0000 Mailing-List: contact commits-help@dlab.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@dlab.apache.org Delivered-To: mailing list commits@dlab.apache.org Received: (qmail 14474 invoked by uid 99); 14 Nov 2019 10:47:23 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Nov 2019 10:47:23 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id C3EAA81E87; Thu, 14 Nov 2019 10:47:22 +0000 (UTC) Date: Thu, 14 Nov 2019 10:47:22 +0000 To: "commits@dlab.apache.org" Subject: [incubator-dlab] branch DLAB-1158 updated: added step-ca certificates; MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <157372844267.28949.8770069265737288820@gitbox.apache.org> 
From: omartushevskyi@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: incubator-dlab X-Git-Refname: refs/heads/DLAB-1158 X-Git-Reftype: branch X-Git-Oldrev: f683523598088e11fe34a24b1049b3258d0ae528 X-Git-Newrev: c1ee955e484feec0e3173622f4f29adbd91700c1 X-Git-Rev: c1ee955e484feec0e3173622f4f29adbd91700c1 X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. omartushevskyi pushed a commit to branch DLAB-1158 in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git The following commit(s) were added to refs/heads/DLAB-1158 by this push: new c1ee955 added step-ca certificates; c1ee955 is described below commit c1ee955e484feec0e3173622f4f29adbd91700c1 Author: Oleh Martushevskyi AuthorDate: Thu Nov 14 12:47:09 2019 +0200 added step-ca certificates; --- .../main/dlab-ui-chart/templates/deployment.yaml | 2 - .../ssn-helm-charts/main/dlab-ui-chart/values.yaml | 1 - .../terraform/aws/ssn-helm-charts/main/dlab-ui.tf | 1 - .../terraform/aws/ssn-helm-charts/main/keycloak.tf | 4 +- .../aws/ssn-helm-charts/main/variables.tf | 4 -- infrastructure-provisioning/terraform/bin/dlab.py | 9 +-- .../terraform/gcp/ssn-gke/main/main.tf | 4 ++ .../helm_charts/dlab-ui-chart/templates/cert.yaml | 64 ++++++++++++++++++++++ .../dlab-ui-chart/templates/configmap-ui-conf.yaml | 10 ++-- .../dlab-ui-chart/templates/deployment.yaml | 6 ++ .../dlab-ui-chart/templates/ingress.yaml | 22 ++++++-- .../modules/helm_charts/dlab-ui-chart/values.yaml | 19 ++++--- .../ssn-gke/main/modules/helm_charts/dlab-ui.tf | 19 ++++++- .../modules/helm_charts/files/keycloak_values.yaml | 11 +++- .../modules/helm_charts/files/mongo_values.yaml | 2 +- .../ssn-gke/main/modules/helm_charts/keycloak.tf | 4 +- .../ssn-gke/main/modules/helm_charts/outputs.tf | 31 ++++++++--- .../ssn-gke/main/modules/helm_charts/variables.tf | 9 +++ .../terraform/gcp/ssn-gke/main/outputs.tf | 28 +++++++--- 
.../terraform/gcp/ssn-gke/main/variables.tf | 16 ++++++ services/self-service/Dockerfile_gcp | 20 ++++--- services/self-service/entrypoint_gcp.sh | 39 ++++++++++--- 22 files changed, 248 insertions(+), 77 deletions(-) diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml index 8b359b1..03c469e 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/templates/deployment.yaml @@ -59,8 +59,6 @@ spec: secretKeyRef: name: keycloak-client-secret key: client_secret - - name: SSN_BUCKET_NAME - value: {{ .Values.ui.bucketName }} - name: KEYCLOAK_AUTH_URL value: {{ .Values.ui.keycloak.auth_server_url }} ports: diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml index e52dc9a..6d8f903 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml @@ -30,7 +30,6 @@ namespace: ${namespace} ui: service_base_name: ${service_base_name} os: ${os} - bucketName: ${ssn_bucket_name} image: repository: epamdlab/ui tag: '0.1-aws' diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf index 92f8677..125460d 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf 
@@ -36,7 +36,6 @@ data "template_file" "dlab_ui_values" { mongo_port = var.mongo_service_port mongo_service_name = var.mongo_service_name ssn_k8s_alb_dns_name = local.ui_host - ssn_bucket_name = var.ssn_bucket_name service_base_name = var.service_base_name os = var.env_os namespace = kubernetes_namespace.dlab-namespace.metadata[0].name diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/keycloak.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/keycloak.tf index b9783eb..53758da 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/keycloak.tf +++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/keycloak.tf @@ -22,7 +22,7 @@ data "template_file" "configure_keycloak" { template = file("./files/configure_keycloak.sh") vars = { - ssn_k8s_alb_dns_name = local.ui_host # data.kubernetes_service.nginx-service.load_balancer_ingress.0.hostname # var.ssn_k8s_alb_dns_name + ssn_k8s_alb_dns_name = local.ui_host keycloak_user = var.keycloak_user keycloak_password = random_string.keycloak_password.result keycloak_client_secret = random_uuid.keycloak_client_secret.result @@ -42,7 +42,7 @@ data "template_file" "keycloak_values" { vars = { keycloak_user = var.keycloak_user keycloak_password = random_string.keycloak_password.result - ssn_k8s_alb_dns_name = local.ui_host # data.kubernetes_service.nginx-service.load_balancer_ingress.0.hostname # var.ssn_k8s_alb_dns_name + ssn_k8s_alb_dns_name = local.ui_host configure_keycloak_file = data.template_file.configure_keycloak.rendered mysql_db_name = var.mysql_keycloak_db_name mysql_user = var.mysql_keycloak_user diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf index c84637b..d703b6b 100644 --- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf 
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf @@ -104,10 +104,6 @@ variable "ssn_k8s_workers_count" { default = "2" } -variable "ssn_bucket_name" { - default = "" -} - //variable "endpoint_eip_address" {} variable "service_base_name" { diff --git a/infrastructure-provisioning/terraform/bin/dlab.py b/infrastructure-provisioning/terraform/bin/dlab.py index 8589f80..59d6481 100644 --- a/infrastructure-provisioning/terraform/bin/dlab.py +++ b/infrastructure-provisioning/terraform/bin/dlab.py @@ -621,8 +621,6 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder): group='k8s') .add_str('--zone', 'Name of AWS zone', default='a', group=('k8s')) - .add_str('--ssn_bucket_name', 'ssn_bucket_name', - group='helm_charts') .add_str('--ldap_host', 'ldap host', required=True, group='helm_charts') .add_str('--ldap_dn', 'ldap dn', required=True, @@ -807,9 +805,6 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder): # dns_name = json.loads( # TerraformProvider(self.no_color).output(self.tf_params, # '-json nginx_load_balancer_hostname')) - ssn_bucket_name = json.loads( - TerraformProvider(self.no_color).output(self.tf_params, - '-json ssn_bucket_name')) ssn_k8s_sg_id = json.loads( TerraformProvider(self.no_color).output(self.tf_params, '-json ssn_k8s_sg_id')) @@ -823,12 +818,10 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder): logging.info(""" DLab SSN K8S cluster has been deployed successfully! Summary: - Bucket name: {} VPC ID: {} Subnet ID: {} SG IDs: {} - """.format(ssn_bucket_name, ssn_vpc_id, - ssn_subnet, ssn_k8s_sg_id)) + """.format(ssn_vpc_id, ssn_subnet, ssn_k8s_sg_id)) def fill_args_from_dict(self, output): for key, value in output.items(): diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf index 3b59b67..df756d8 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf 
+++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/main.tf @@ -71,4 +71,8 @@ module "helm_charts" { namespace_name = var.namespace_name credentials_file_path = var.credentials_file_path project_id = var.project_id + custom_certs_enabled = var.custom_certs_enabled + custom_cert_path = var.custom_cert_path + custom_certs_host = var.custom_certs_host + custom_key_path = var.custom_key_path } \ No newline at end of file diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/cert.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/cert.yaml new file mode 100644 index 0000000..5762e9a --- /dev/null +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/cert.yaml 
@@ -0,0 +1,64 @@ +{{- /* +# ***************************************************************************** +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# ****************************************************************************** +*/ -}} + +{{- if not .Values.ui.custom_certs.enabled -}} +apiVersion: certmanager.k8s.io/v1alpha1 +kind: Certificate +metadata: + name: dlab-ui + namespace: {{ .Values.namespace }} +spec: + # The secret name to store the signed certificate + secretName: {{ include "dlab-ui.fullname" . }}-tls + # Common Name + commonName: dlab-kubernetes-cluster + # DNS SAN + dnsNames: + - localhost + - {{ .Values.ui.ingress.host }} + # IP Address SAN + ipAddresses: + - "127.0.0.1" + # Duration of the certificate + duration: 24h + # Renew 8 hours before the certificate expiration + renewBefore: 8h + # The reference to the step issuer + issuerRef: + group: certmanager.step.sm + kind: Issuer + name: step-issuer +{{- end }} +--- +{{- if .Values.ui.custom_certs.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "dlab-ui.fullname" . 
}}-tls + namespace: {{ .Values.namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.ui.custom_certs.ca }} + tls.crt: {{ .Values.ui.custom_certs.crt }} + tls.key: {{ .Values.ui.custom_certs.key }} +{{- end }} \ No newline at end of file diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/configmap-ui-conf.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/configmap-ui-conf.yaml index 7cced71..3a3f9bb 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/configmap-ui-conf.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/configmap-ui-conf.yaml @@ -30,7 +30,7 @@ data: <#assign LOG_ROOT_DIR="/var/opt/dlab/log"> <#assign KEYS_DIR="/root/keys"> <#assign KEY_STORE_PATH="/root/keys/ssn.keystore.jks"> - <#assign KEY_STORE_PASSWORD="password"> + <#assign KEY_STORE_PASSWORD="${SSN_KEYSTORE_PASSWORD}"> <#assign TRUST_STORE_PATH="/usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts"> <#assign TRUST_STORE_PASSWORD="changeit"> @@ -137,8 +137,8 @@ data: port: {{ .Values.ui.service.http_port }} - type: https port: {{ .Values.ui.service.https_port }} - certAlias: dlab - validateCerts: true + certAlias: ssn + validateCerts: false keyStorePath: ${KEY_STORE_PATH} keyStorePassword: ${KEY_STORE_PASSWORD} trustStorePath: ${TRUST_STORE_PATH} @@ -148,8 +148,8 @@ data: # port: 8081 - type: https port: 8444 - certAlias: dlab - validateCerts: true + certAlias: ssn + validateCerts: false keyStorePath: ${KEY_STORE_PATH} keyStorePassword: ${KEY_STORE_PASSWORD} trustStorePath: ${TRUST_STORE_PATH} 
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/deployment.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/deployment.yaml index 9c2bad8..03c469e 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/deployment.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/deployment.yaml @@ -76,6 +76,9 @@ spec: mountPath: /root/self-service.yml subPath: self-service readOnly: true + - mountPath: "/root/step-certs" + name: ui-tls + readOnly: true volumes: - name: ui-conf configMap: @@ -86,6 +89,9 @@ spec: path: ssn - key: self-service.yml path: self-service + - name: ui-tls + secret: + secretName: {{ include "dlab-ui.fullname" . }}-tls {{- with .Values.nodeSelector }} nodeSelector: diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/ingress.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/ingress.yaml index a6c2c62..d53fb5e 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/ingress.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/templates/ingress.yaml @@ -36,8 +36,22 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} spec: - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} - path: / +{{- if .Values.ui.ingress.tls }} + tls: + {{- range .Values.ui.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + - host: {{ $host }} + http: + paths: + - backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + path: / {{- end }} \ No newline at end of file 
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/values.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/values.yaml index 3a5e842..e6a805d 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/values.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui-chart/values.yaml @@ -25,6 +25,7 @@ replicaCount: 1 labels: {} +namespace: ${namespace} ui: service_base_name: ${service_base_name} @@ -43,19 +44,23 @@ ui: host: ${ssn_k8s_alb_dns_name} annotations: kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/ssl-redirect: "true" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + tls: + - secretName: dlab-ui-tls + hosts: + - ${ssn_k8s_alb_dns_name} mongo: host: ${mongo_service_name} port: ${mongo_port} username: ${mongo_user} db_name: ${mongo_db_name} - provisionService: - host: ${provision_service_host} keycloak: auth_server_url: http://${ssn_k8s_alb_dns_name}/auth redirect_uri: http://${ssn_k8s_alb_dns_name}/ + + custom_certs: + enabled: ${custom_certs_enabled} + crt: ${custom_certs_crt} + key: ${custom_certs_key} + ca: ${step_ca_crt} diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui.tf index f86ad43..0f0fcb9 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/dlab-ui.tf 
@@ -19,6 +19,15 @@ # # ****************************************************************************** +locals { + custom_certs_enabled = lower(var.custom_certs_enabled) + custom_cert_name = local.custom_certs_enabled == "true" ? reverse(split("/", var.custom_cert_path))[0] : "None" + custom_key_name = local.custom_certs_enabled == "true" ? reverse(split("/", var.custom_key_path))[0] : "None" + custom_cert = local.custom_certs_enabled == "true" ? base64encode(file("/tmp/${local.custom_cert_name}")) : "None" + custom_key = local.custom_certs_enabled == "true" ? base64encode(file("/tmp/${local.custom_key_name}")) : "None" + ui_host = local.custom_certs_enabled == "true" ? var.custom_certs_host : data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip +} + data "template_file" "dlab_ui_values" { template = file("./modules/helm_charts/dlab-ui-chart/values.yaml") vars = { 
@@ -26,17 +35,21 @@ data "template_file" "dlab_ui_values" { mongo_user = var.mongo_db_username mongo_port = var.mongo_service_port mongo_service_name = var.mongo_service_name - ssn_k8s_alb_dns_name = data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip - provision_service_host = "127.0.0.1" # var.endpoint_eip_address + ssn_k8s_alb_dns_name = local.ui_host service_base_name = var.service_base_name os = var.env_os + namespace = kubernetes_namespace.dlab-namespace.metadata[0].name + custom_certs_enabled = local.custom_certs_enabled + custom_certs_crt = local.custom_cert + custom_certs_key = local.custom_key + step_ca_crt = lookup(data.external.step-ca-config-values.result, "rootCa") } } resource "helm_release" "dlab_ui" { name = "dlab-ui" chart = "./modules/helm_charts/dlab-ui-chart" - depends_on = [helm_release.mongodb, kubernetes_secret.mongo_db_password_secret] #, null_resource.step_ca_issuer_delay] + depends_on = [helm_release.mongodb, kubernetes_secret.mongo_db_password_secret, null_resource.step_ca_issuer_delay] namespace = kubernetes_namespace.dlab-namespace.metadata[0].name wait = true diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/keycloak_values.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/keycloak_values.yaml index 848f5e1..ce3e5a7 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/keycloak_values.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/keycloak_values.yaml 
@@ -38,13 +38,18 @@ keycloak: # nodePort: 31088 ingress: - enabled: false - hosts: [] + enabled: true annotations: kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: /auth path: /auth + hosts: + - ${ssn_k8s_alb_dns_name} + tls: + - hosts: + - ${ssn_k8s_alb_dns_name} + secretName: dlab-ui-tls startupScripts: mystartup.sh: | diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/mongo_values.yaml b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/mongo_values.yaml index a435baf..e4bdfb8 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/mongo_values.yaml +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/files/mongo_values.yaml @@ -34,5 +34,5 @@ persistence: enabled: false service: - type: LoadBalancer + type: ClusterIP port: ${mongo_service_port} \ No newline at end of file diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/keycloak.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/keycloak.tf index 383be72..b0bb049 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/keycloak.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/keycloak.tf @@ -22,7 +22,7 @@ data "template_file" "configure_keycloak" { template = file("./modules/helm_charts/files/configure_keycloak.sh") vars = { - ssn_k8s_alb_dns_name = data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip + ssn_k8s_alb_dns_name = local.ui_host keycloak_user = var.keycloak_user keycloak_password = random_string.keycloak_password.result keycloak_client_secret = random_uuid.keycloak_client_secret.result 
@@ -42,7 +42,7 @@ data "template_file" "keycloak_values" { vars = { keycloak_user = var.keycloak_user keycloak_password = random_string.keycloak_password.result - ssn_k8s_alb_dns_name = data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip + ssn_k8s_alb_dns_name = local.ui_host configure_keycloak_file = data.template_file.configure_keycloak.rendered mysql_db_name = var.mysql_db_name mysql_user = var.mysql_user diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/outputs.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/outputs.tf index 1611621..0f3acc2 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/outputs.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/outputs.tf @@ -19,18 +19,31 @@ # # ****************************************************************************** -output "mongo_host" { - value = data.kubernetes_service.mongo_service.load_balancer_ingress.0.ip +output "keycloak_client_secret" { + value = random_uuid.keycloak_client_secret.result } -output "self_service_host" { - value = data.kubernetes_service.ui_service.load_balancer_ingress.0.ip +output "keycloak_client_id" { + value = "dlab-ui" } -output "ui_host" { - value = data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip +output "ssn_ui_host" { + value = local.ui_host +} + +output "step_root_ca" { + value = lookup(data.external.step-ca-config-values.result, "rootCa") +} + +output "step_kid" { + value = lookup(data.external.step-ca-config-values.result, "kid") +} + +output "step_kid_password" { + value = random_string.step_ca_provisioner_password.result +} + +output "step_ca_url" { + value = "https://${data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip}:8080" } -output "keycloak_client_secret" { - value = random_uuid.keycloak_client_secret.result -} \ No newline at end of file 
diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/variables.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/variables.tf index ef20a4a..d450d2f 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/variables.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/modules/helm_charts/variables.tf @@ -74,6 +74,15 @@ variable "env_os" {} variable "credentials_file_path" {} variable "project_id" {} + +variable "custom_certs_enabled" {} + +variable "custom_cert_path" {} + +variable "custom_key_path" {} + +variable "custom_certs_host" {} + //variable "nginx_http_port" { // default = "31080" // description = "Sets the nodePort that maps to the Ingress' port 80" diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/outputs.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/outputs.tf index e593e8e..3c89026 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/outputs.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/outputs.tf 
@@ -31,18 +31,30 @@ output "subnet_name" { value = module.gke_cluster.subnet_name } -output "mongo_host" { - value = module.helm_charts.mongo_host +output "keycloak_client_secret" { + value = module.helm_charts.keycloak_client_secret } -output "self_service_host" { - value = module.helm_charts.self_service_host +output "keycloak_client_id" { + value = module.helm_charts.keycloak_client_id } -output "ui_host" { - value = module.helm_charts.ui_host +output "ssn_ui_host" { + value = module.helm_charts.ssn_ui_host } -output "keycloak_client_secret" { - value = module.helm_charts.keycloak_client_secret +output "step_root_ca" { + value = module.helm_charts.step_root_ca +} + +output "step_kid" { + value = module.helm_charts.step_kid +} + +output "step_kid_password" { + value = module.helm_charts.step_kid_password +} + +output "step_ca_url" { + value = module.helm_charts.step_ca_url } \ No newline at end of file diff --git a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/variables.tf b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/variables.tf index 43e94f6..eae5137 100644 --- a/infrastructure-provisioning/terraform/gcp/ssn-gke/main/variables.tf +++ b/infrastructure-provisioning/terraform/gcp/ssn-gke/main/variables.tf @@ -196,3 +196,19 @@ variable "endpoint_keystore_password" { variable "big_query_dataset" { default = "" } + +variable "custom_certs_enabled" { + default = "False" +} + +variable "custom_cert_path" { + default = "" +} + +variable "custom_key_path" { + default = "" +} + +variable "custom_certs_host" { + default = "" +} diff --git a/services/self-service/Dockerfile_gcp b/services/self-service/Dockerfile_gcp index 16da950..5f5b521 100644 --- a/services/self-service/Dockerfile_gcp +++ b/services/self-service/Dockerfile_gcp 
@@ -24,14 +24,18 @@ FROM openjdk:8-alpine USER root -RUN mkdir -p /root/keys/ -COPY endpoint1.crt /root/keys/ -COPY endpoint2.crt /root/keys/ -COPY ssn.crt /root/keys/ -COPY ssn.keystore.jks /root/keys/ +RUN apk add --update \ + python \ + python-dev \ + py-pip \ + openssl \ + build-base \ + && pip install awscli --upgrade \ + && apk --purge -v del py-pip \ + && rm -rf /var/cache/apk/* COPY self-service-2.1.jar /root/ -COPY entrypoint_gcp.sh / -RUN chmod 755 /entrypoint_gcp.sh +COPY entrypoint_aws.sh / +RUN chmod 755 /entrypoint_aws.sh -ENTRYPOINT ["/entrypoint_gcp.sh"] +ENTRYPOINT ["/entrypoint_aws.sh"] diff --git a/services/self-service/entrypoint_gcp.sh b/services/self-service/entrypoint_gcp.sh index c7ec4d3..9315d8c 100644 --- a/services/self-service/entrypoint_gcp.sh +++ b/services/self-service/entrypoint_gcp.sh 
@@ -1,14 +1,35 @@ #!/bin/sh -#mkdir -p /root/keys -#/usr/bin/keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass password \ -# -keypass password -keystore /root/keys/ssn.keystore.jks \ -# -keysize 2048 -dname "CN=35.237.224.151" -ext SAN=dns:localhost,ip:35.237.224.151 -#/usr/bin/keytool -exportcert -alias dlab -storepass password -file /root/keys/ssn.crt \ -# -keystore /root/keys/ssn.keystore.jks +checkfile () { +if [ -s /root/step-certs/ca.crt ] +then + RUN="true" +else + RUN="false" + sleep 5 +fi +} -/usr/bin/keytool -importcert -trustcacerts -alias dlab -file /root/keys/ssn.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -/usr/bin/keytool -importcert -trustcacerts -alias endpoint1 -file /root/keys/endpoint1.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -/usr/bin/keytool -importcert -trustcacerts -alias endpoint2 -file /root/keys/endpoint2.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts +/bin/mkdir -p /root/keys +if [ -d "/root/step-certs" ]; then + while checkfile + do + if [ "$RUN" = "false" ]; + then + echo "Waiting..." + else + echo "CA exist!" 
+ break + fi + done + /usr/bin/keytool -importcert -trustcacerts -alias step-ca -file /root/step-certs/ca.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts + /usr/bin/keytool -importcert -trustcacerts -alias step-crt -file /root/step-certs/tls.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts +fi + + + +/usr/bin/openssl pkcs12 -export -in /root/step-certs/tls.crt -inkey /root/step-certs/tls.key -name ssn -out ssn.p12 -password pass:${SSN_KEYSTORE_PASSWORD} +/usr/bin/keytool -importkeystore -srckeystore ssn.p12 -srcstoretype PKCS12 -alias ssn -destkeystore /root/keys/ssn.keystore.jks -deststorepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass "${SSN_KEYSTORE_PASSWORD}" +/usr/bin/keytool -keystore /root/keys/ssn.keystore.jks -alias CARoot -import -file /root/step-certs/ca.crt -deststorepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass "${SSN_KEYSTORE_PASSWORD}" -noprompt /usr/bin/java -Xmx1024M -jar -Duser.timezone=UTC -Dfile.encoding=UTF-8 -DDLAB_CONF_DIR=/root/ /root/self-service-2.1.jar server /root/self-service.yml \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@dlab.apache.org For additional commands, e-mail: commits-help@dlab.apache.org
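Review bot: In the new `cert.yaml`, the secret name is templated as `{{ include "dlab-ui.fullname" . }}-tls`, but the Ingress TLS block in `values.yaml` and the Keycloak ingress in `keycloak_values.yaml` both reference the literal `dlab-ui-tls`; unless the fullname helper always renders to exactly `dlab-ui`, the ingresses will point at a secret that does not exist. Use the same helper (or a single value) in all three places. Also, in the `custom_certs.enabled` branch the `kubernetes.io/tls` Secret is built from `.Values.ui.custom_certs.key`, so the private key travels through the rendered Helm values; see the note on `dlab-ui.tf` about what that implies for Terraform state.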
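Review bot: In `configmap-ui-conf.yaml`, flipping `validateCerts` from `true` to `false` on both HTTPS connectors disables the connector's start-up validation of the keystore certificate chain against the truststore; with the step root CA now imported into both `cacerts` and the JKS (`CARoot` alias) in `entrypoint_gcp.sh`, validation should pass, so this looks like a workaround rather than a requirement and should be justified or reverted. Moving `KEY_STORE_PASSWORD` off the hard-coded `"password"` to `${SSN_KEYSTORE_PASSWORD}` is the right direction, but this diff does not show where the container receives `SSN_KEYSTORE_PASSWORD` (the `deployment.yaml` hunk only adds the volume); confirm it is injected via a `secretKeyRef` rather than a plain `value`, since it now protects the TLS private key. `TRUST_STORE_PASSWORD="changeit"` is still the JDK default in the context lines.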
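Review bot: In the GCP `deployment.yaml` hunk, the `ui-tls` secret volume (which includes `tls.key`) is mounted with the default file mode; add `defaultMode: 0400` to the `secret:` block so the key is not world-readable inside the container, and consider mounting only the items the entrypoint needs (`ca.crt`, `tls.crt`, `tls.key`) via `items:` to keep the mount explicit.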
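Review bot: In `ingress.yaml`, the new `rules` block sets `host: {{ $host }}`, and Kubernetes rejects an Ingress whose rule host is an IP address. With `custom_certs_enabled` false, `local.ui_host` in `dlab-ui.tf` resolves to `data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip`, which is then passed as `ssn_k8s_alb_dns_name` and lands in this `host` field and in the `tls.hosts` list, so the default (step-ca) path will fail to create the Ingress. Either omit `host` when the value is an IP or require a DNS name for the UI host in both modes. The definition of `$host` itself is not visible in the hunk; make sure it is declared above `spec:`.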
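Review bot: In the GCP chart `values.yaml`, `ssl-redirect` is now `"true"`, but the unchanged context lines still register Keycloak with `auth_server_url: http://${ssn_k8s_alb_dns_name}/auth` and `redirect_uri: http://${ssn_k8s_alb_dns_name}/`; after the redirect the browser is on `https://`, and a Keycloak client whose registered redirect URI is `http://` will reject the callback, so both should become `https://`. The hard-coded `secretName: dlab-ui-tls` should match the templated name used in `cert.yaml`, and `custom_certs.crt`/`custom_certs.key` put certificate and key material into a values file rendered by Terraform (see the `dlab-ui.tf` note).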
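Review bot: In the `locals` block added to `dlab-ui.tf`, `custom_cert`/`custom_key` read `file("/tmp/${local.custom_cert_name}")`, i.e. only the basename of `var.custom_cert_path`/`var.custom_key_path` is used and the file is expected to have been staged under the world-writable `/tmp` by something outside this module; this silently ignores the directory the operator supplied and reads a private key from a shared location. Prefer `file(var.custom_key_path)` directly, or document the staging step. The base64-encoded key then flows through `template_file` into `helm_release`, so it is persisted in Terraform state; make sure the state backend is treated as secret material. The `"None"` string sentinel is easy to confuse with a real value; an empty string or a `bool` variable would be cleaner.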
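Review bot: In the `template_file`/`helm_release` hunk of `dlab-ui.tf`, `depends_on` now includes `null_resource.step_ca_issuer_delay`, which by its name is a fixed sleep; a fixed delay will either be too short (the `Certificate` is created before the step issuer is ready and the secret never appears, leaving the UI pod in the wait loop from `entrypoint_gcp.sh`) or needlessly long. A readiness check on the issuer resource or on the issued secret would be more robust. `step_ca_crt = lookup(data.external.step-ca-config-values.result, "rootCa")` is fine, but the `external` data source is not visible here; confirm it does not also expose provisioner keys into the values file.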
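Review bot: In `keycloak_values.yaml`, the new `tls` entry references `secretName: dlab-ui-tls`, which is created by the `dlab-ui` chart; an Ingress can only use a TLS secret in its own namespace, so this only works if the Keycloak release is installed into the same namespace as `dlab-ui` (the context does not show which). Reusing the UI certificate for the `/auth` path is fine when the host is identical, but the `hosts` entry inherits the same IP-vs-DNS problem noted for `ingress.yaml`.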
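Review bot: In `mongo_values.yaml`, switching the MongoDB service from `LoadBalancer` to `ClusterIP` removes a publicly reachable database endpoint and is a good change, but it is unrelated to "added step-ca certificates" and should be called out in the commit message, together with the removal of the `mongo_host` output in `outputs.tf`, so operators who relied on the external address are not surprised.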
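Review bot: In the module `outputs.tf` hunk, `keycloak_client_secret` and the new `step_kid_password` (the step provisioner password) are plain outputs; add `sensitive = true` so they are not echoed in `terraform apply`/`terraform output` logs. `step_ca_url` is built from `data.kubernetes_service.nginx_service.load_balancer_ingress.0.ip` while `ssn_ui_host` uses `local.ui_host`; when custom certificates and a custom host are in use these will disagree, and a CA reached by IP needs that IP in its certificate SANs.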
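Review bot: In the root `outputs.tf`, the pass-through outputs `keycloak_client_secret` and `step_kid_password` also need `sensitive = true`; marking the module output is not enough, the root-level output must be marked as well or the value is still printed.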
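Review bot: In the root `variables.tf`, `custom_certs_enabled` defaults to the string `"False"` and the module compares `lower(...) == "true"`; declaring it as `type = bool` with `default = false` removes the case handling and the `"None"` sentinels in `dlab-ui.tf`. The new `custom_cert_path`/`custom_key_path`/`custom_certs_host` variables would benefit from `description` entries stating that the key file is read by Terraform and ends up in state.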
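Review bot: In `Dockerfile_gcp`, the `COPY`/`chmod`/`ENTRYPOINT` lines now reference `entrypoint_aws.sh`, yet the next hunk modifies `entrypoint_gcp.sh`; as committed, the GCP image will run the AWS entrypoint and none of the step-ca handling in `entrypoint_gcp.sh` executes. This looks like a copy-paste slip; restore `entrypoint_gcp.sh` here. Separately, the new `apk add`/`pip install awscli --upgrade` layer pulls an unpinned AWS CLI and a build toolchain into a GCP image that does not appear to need them; drop it or pin the version.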
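Review bot: In `entrypoint_gcp.sh`, the `while checkfile` loop has no upper bound: `checkfile` always exits 0 (its last command is either the assignment or `sleep 5`), so if the `ui-tls` secret never appears the container waits forever; add a retry limit and exit non-zero. The `openssl pkcs12 ... -password pass:${SSN_KEYSTORE_PASSWORD}` and the `keytool ... -deststorepass "${SSN_KEYSTORE_PASSWORD}"` invocations place the keystore password on the command line, where it is visible in `/proc` and process listings; use `-password env:SSN_KEYSTORE_PASSWORD` for openssl and the `-storepass:env SSN_KEYSTORE_PASSWORD` form for keytool. Importing the leaf `tls.crt` into `cacerts` under alias `step-crt` is unnecessary once `ca.crt` is trusted and pins a short-lived certificate into the JVM trust store. The pkcs12/import steps run outside the `if [ -d /root/step-certs ]` guard and the script has no `set -e`, so a missing secret still starts the JVM with an empty keystore. Finally, `cert.yaml` issues a 24h certificate renewed after 16h, but this script converts it into the JKS once at start-up, so the running self-service will keep serving the original certificate past its expiry unless the pod is restarted on renewal.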