open-nomad/e2e/terraform/tls_client.tf

# tls_client.tf defines the mTLS certs that'll be used by the E2E test
# runner

resource "tls_private_key" "api_client" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_cert_request" "api_client" {
  key_algorithm   = "ECDSA"
  private_key_pem = tls_private_key.api_client.private_key_pem

  subject {
    common_name = "${local.random_name} api client"
  }
}

resource "tls_locally_signed_cert" "api_client" {
  cert_request_pem   = tls_cert_request.api_client.cert_request_pem
  ca_key_algorithm   = tls_private_key.ca.algorithm
  ca_private_key_pem = tls_private_key.ca.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem

  validity_period_hours = 720

  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "client_auth",
  ]
}

resource "local_file" "api_client_key" {
  sensitive_content = tls_private_key.api_client.private_key_pem
  filename          = "keys/tls_api_client.key"
}

resource "local_file" "api_client_cert" {
  sensitive_content = tls_locally_signed_cert.api_client.cert_pem
  filename          = "keys/tls_api_client.crt"
}
E2E with HCP Consul/Vault (#12267) Use HCP Consul and HCP Vault for the Consul and Vault clusters used in E2E testing. This has the following benefits: * Without the need to support mTLS bootstrapping for Consul and Vault, we can simplify the mTLS configuration by leaning on Terraform instead of janky bash shell scripting. * Vault bootstrapping is no longer required, so we can eliminate even more janky shell scripting * Our E2E exercises HCP, which is important to us as an organization * With the reduction in configurability, we can simplify the Terraform configuration and drop the complicated `provision.sh`/`provision.ps1` scripts we were using previously. We can template Nomad configuration files and upload them with the `file` provisioner. * Packer builds for Linux and Windows become much simpler. tl;dr way less janky shell scripting! 2022-03-18 13:27:28 +00:00			`# tls_client.tf defines the mTLS certs that'll be used by the E2E test`
			`# runner`

			`resource "tls_private_key" "api_client" {`
			`algorithm = "ECDSA"`
			`ecdsa_curve = "P384"`
			`}`

			`resource "tls_cert_request" "api_client" {`
			`key_algorithm = "ECDSA"`
			`private_key_pem = tls_private_key.api_client.private_key_pem`

			`subject {`
			`common_name = "${local.random_name} api client"`
			`}`
			`}`

			`resource "tls_locally_signed_cert" "api_client" {`
			`cert_request_pem = tls_cert_request.api_client.cert_request_pem`
			`ca_key_algorithm = tls_private_key.ca.algorithm`
			`ca_private_key_pem = tls_private_key.ca.private_key_pem`
			`ca_cert_pem = tls_self_signed_cert.ca.cert_pem`

			`validity_period_hours = 720`

			`# Reasonable set of uses for a server SSL certificate.`
			`allowed_uses = [`
			`"key_encipherment",`
			`"digital_signature",`
			`"client_auth",`
			`]`
			`}`

			`resource "local_file" "api_client_key" {`
			`sensitive_content = tls_private_key.api_client.private_key_pem`
			`filename = "keys/tls_api_client.key"`
			`}`

			`resource "local_file" "api_client_cert" {`
			`sensitive_content = tls_locally_signed_cert.api_client.cert_pem`
			`filename = "keys/tls_api_client.crt"`
			`}`