(Nexus Docker Hub) [Spike] Generate Letsencrypt SSL cert #1480

Closed
4 tasks
Tracked by #1089
jjgriff93 opened this issue Mar 10, 2022 · 6 comments
Comments

jjgriff93 (Collaborator) commented Mar 10, 2022

As part of the solution to #1089, we need to generate an SSL certificate for consumption by Nexus (as it will no longer be hosted on App Service due to #1479 and thus won't have an included cert) so that it can proxy Docker Hub over https.

An approach outlined by @marrobi can potentially address this:

 ┌──────────────────────────────────────────┐    ┌────────────────────────────────┐
 │                                          │    │                                │
 │ Public IP: mytre123.uksouth.cloudapp.net │    │  Storage static site           │
 │                                          ├───►│                                │
 │                                          │    │                                │
 └──────────────────────────────────────────┘    └────────────────────────────────┘
                                                        ▲
                                                        │
                                                        │
                                                        │
                                                        │
                                                        │
 ┌──────────────────────────────────┐                   │
 │                                  ├───────────────────┘
 │  Letsencrypt cert                │
 │  processor (run on schedule)     ├────────────────────┐
 │                                  │                    │
 └──────────────────────────────────┘                    │
                                                         │       ▼
                                                         │
                                                         │
                                                         │
                                                 ┌───────▼────────────────────────┐
                                                 │                                │
                                                 │  Key Vault                     │
                                                 │                                │
                                                 └────────────────────────────────┘
                                                         ▲
                                                         │
                                                         │
                                                         │
                          ┌──────────────────────────────┼────────────────────────────────────┐
                          │                              │                                    │
                          │   VNET                       │                                    │
                          │                              │                                    │
                          │                              │                                    │
                          │                      ┌───────┴─────────────────────────────┐      │
                          │                      │                                     │      │
                          │                      │ VM                                  │      │
                          │                      │                                     │      │
                          │                      │                                     │      │
                          │                      └─────────────────────────────────────┘      │
                          │                                                                   │
                          │                                                                   │
                          │                                                                   │
                          │                      ┌─────────────────────────────────────┐      │
                          │                      │                                     │      │
                          │                      │  Private DNS Zone:                  │      │
                          │                      │  map mytre123.uksouth.cloudapp.net  │      │
                          │                      │         to VM IP address            │      │
                          │                      │                                     │      │
                          │                      │                                     │      │
                          │                      │                                     │      │
                          │                      └─────────────────────────────────────┘      │
                          │                                                                   │
                          │                                                                   │
                          │                                                                   │
                          └───────────────────────────────────────────────────────────────────┘
                          

This will involve the below steps:

  • Get a domain name through Azure (i.e. azure-tre.io)
  • Set up a storage account with the DNS configured to map the above domain name to its public IP
  • Use LetsEncrypt to get a wildcard cert by validating with the above storage account
  • Push this cert into a shared KeyVault
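The four steps above carried through as a certbot manual-hook script, added here as an example and not AzureTRE's own code: the auth hook writes the HTTP-01 token to the static site's `$web` container, the cleanup hook removes it, and the import step pushes the issued key and chain into the shared Key Vault. The storage account, Key Vault and certificate names are assumed placeholders, and it assumes `az` is logged in with rights on both resources.

```shell
#!/usr/bin/env bash
# Added example, not AzureTRE code: certbot manual hooks for the flow above.
# Assumed names: STORAGE_ACCOUNT (static-site account), KEY_VAULT, CERT_NAME.
set -euo pipefail
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mytrecertsite}"   # assumed
KEY_VAULT="${KEY_VAULT:-mytre-shared-kv}"             # assumed
CERT_NAME="${CERT_NAME:-nexus-ssl}"                   # assumed

# Blob path the CA fetches during HTTP-01. ACME tokens are base64url, so
# anything outside that alphabet is refused rather than written under $web.
challenge_blob_path() {
  local token="${1:-}"
  case "$token" in
    ""|*[!A-Za-z0-9_-]*) echo "refusing malformed ACME token" >&2; return 1 ;;
  esac
  printf '.well-known/acme-challenge/%s' "$token"
}

# Auth hook: certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION.
publish_challenge() {
  local path tmp
  path="$(challenge_blob_path "$CERTBOT_TOKEN")"
  tmp="$(mktemp)"; printf '%s' "$CERTBOT_VALIDATION" > "$tmp"
  az storage blob upload --auth-mode login --account-name "$STORAGE_ACCOUNT" \
    --container-name '$web' --name "$path" --file "$tmp" \
    --content-type text/plain --overwrite true
  rm -f "$tmp"
  sleep 5   # let the static-site endpoint settle before the CA fetches it
}

# Cleanup hook: remove the token so it is not left on the public site.
remove_challenge() {
  az storage blob delete --auth-mode login --account-name "$STORAGE_ACCOUNT" \
    --container-name '$web' --name "$(challenge_blob_path "$CERTBOT_TOKEN")"
}

# Push key + chain into Key Vault as one PEM; Nexus (#1479) consumes it from there.
import_to_keyvault() {
  local live_dir="$1" bundle
  bundle="$(mktemp)"; cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$bundle"
  az keyvault certificate import --vault-name "$KEY_VAULT" --name "$CERT_NAME" --file "$bundle"
  shred -u "$bundle"   # do not leave the private key on the scheduler host
}

case "${1:-}" in
  auth)    publish_challenge ;;
  cleanup) remove_challenge ;;
  import)  import_to_keyvault "${2:?live directory required}" ;;
esac
```

Invoke it as `certbot certonly --manual --preferred-challenges http --manual-auth-hook "./acme-hook.sh auth" --manual-cleanup-hook "./acme-hook.sh cleanup" -d mytre123.uksouth.cloudapp.net`, then `./acme-hook.sh import /etc/letsencrypt/live/mytre123.uksouth.cloudapp.net`. HTTP-01 validates only the exact hostname, so this yields a single-name certificate; a wildcard would need the DNS-01 challenge instead.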
@jjgriff93 jjgriff93 changed the title (Nexus Docker Hub) Generate Letsencrypt wildcard SSL cert and consume from Nexus (Nexus Docker Hub) [Spike] Generate Letsencrypt wildcard SSL cert and consume from Nexus Mar 10, 2022
jjgriff93 (Collaborator, Author) commented

@marrobi can you update anything in the above description that I've mis-translated please

@jjgriff93 jjgriff93 added the story Stories are the smallest unit of work to be done for a project. label Mar 10, 2022
@jjgriff93 jjgriff93 added this to the Release 0.3 milestone Mar 10, 2022
marrobi (Member) commented Mar 10, 2022

I think:

  • Set up private DNS zone to map domain name to Nexus VM private IP
  • Configure Nexus Repository Manager to consume SSL certificate from KeyVault

Should be in #1479

jjgriff93 (Collaborator, Author) commented

Makes sense, will move

@jjgriff93 jjgriff93 changed the title (Nexus Docker Hub) [Spike] Generate Letsencrypt wildcard SSL cert and consume from Nexus (Nexus Docker Hub) [Spike] Generate Letsencrypt wildcard SSL cert Mar 10, 2022
@jjgriff93 jjgriff93 moved this from Triage to In Progress in AzureTRE - Crew Rock Mar 11, 2022
oliver7598 (Contributor) commented

Assign this to me

@daltskin daltskin moved this from In Progress to PR in AzureTRE - Crew Rock Mar 18, 2022
@ross-p-smith ross-p-smith changed the title (Nexus Docker Hub) [Spike] Generate Letsencrypt wildcard SSL cert (Nexus Docker Hub) [Spike] Generate Letsencrypt SSL cert Mar 21, 2022
@jjgriff93 jjgriff93 mentioned this issue Mar 24, 2022
@martinpeck martinpeck moved this from PR to Done in AzureTRE - Crew Rock Apr 5, 2022
marrobi (Member) commented May 26, 2022

@jjgriff93 good to close this one?

martinpeck (Member) commented

I'm going to close it. Please reopen if closed in error @jjgriff93
