How can I use terraform with the google provider to setup an HTTP/2 load balancer in GCP with MutualTLS Auth enabled?


Question


I'm hoping someone can point me in the right direction with a question on the google provider.
I'm trying to setup an HTTPS Load balancer which routes to compute engine MIG running a gRPC endpoint.
I've got traffic flowing to the endpoint now, but I can't find a terraform way to implement Mutual TLS.

I'm trying to follow this document from Google Cloud, but when I get to the step
Create a TrustConfig Resource I become a bit uncertain. Would that be this one?

resource "google_certificate_manager_certificate" "default" {
  count       = local.create_grpc_load_balancer
  name        = "${local.grpc_load_balancer_name}-cert"
  description = "Mutual-TLS Enabled Cert"
  scope       = "DEFAULT"
  self_managed {
    pem_certificate = var.tcp_lb_cert
    pem_private_key = var.tcp_lb_private_key
  }
}

Then the next step is Create the Network Security Resources. Here I'm even more uncertain on what the correct resource is. Would google_network_security_client_tls_policy be correct? And if so, what's the correct setup for setting clientValidationMode and clientValidationTrustConfig as detailed in Create the Network Security Resources?

Answer 1

Score: 1


I got an answer from elsewhere:

To implement Mutual TLS (mTLS) for your HTTPS Load Balancer with the Google Terraform provider, the google_certificate_manager_certificate resource is the correct resource to use.

resource "google_compute_ssl_certificate" "self_signed" {
  name        = "self-signed-certificate"
  private_key = tls_private_key.self_signed.private_key_pem
  certificate = tls_self_signed_cert.self_signed.cert_pem
}

This configuration uses a self-signed certificate generated using the Terraform TLS provider and then creates a Google Compute Engine SSL certificate resource using the generated private key and certificate.

As for the Network Security Resources, you should use the google_network_security_client_tls_policy resource to define the client TLS policy and configure the clientValidationMode and clientValidationTrustConfig.

Here's an example configuration for the google_network_security_client_tls_policy resource:

resource "google_network_security_client_tls_policy" "example" {
  name                  = "example-policy"
  description           = "Mutual TLS Policy"
  client_validation_ca  = google_compute_ssl_certificate.self_signed.self_link
  client_validation_crl = null  # Optional, specify if you have a Certificate Revocation List (CRL)

  # The following settings control how clients are validated
  client_validation_mode = "MODE_MUTUAL"

  client_validation_trust_config {
    certificate_provider_instance = "projects/YOUR_PROJECT_ID/locations/YOUR_LOCATION/certificateProviderInstances/YOUR_CERT_PROVIDER_INSTANCE"
  }
}

In this configuration, you set the client_validation_ca parameter to the self-signed certificate you created earlier. You can also specify a Certificate Revocation List (CRL) if needed.

The client_validation_trust_config block is where you configure the trust for the client certificate. You need to specify the certificate_provider_instance for the appropriate certificate provider instance in your project.

Make sure to replace the placeholder values (YOUR_PROJECT_ID, YOUR_LOCATION, YOUR_CERT_PROVIDER_INSTANCE) with your actual values.

Remember to adjust these configurations to fit your specific setup and requirements.

Last (but not least), to attach this policy to your load balancer, you can provide it via the backend service resource in the security_policy argument like this:

resource "google_compute_backend_service" "example" {
  name              = "example-backend-service"
  port              = 8080  # Update with the appropriate port for your gRPC endpoint
  protocol          = "GRPC"

  backend {
    group = google_compute_instance_group.example.self_link
  }

  security_policy = google_network_security_client_tls_policy.example.self_link
}
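For reference, here is what the resource chain from the Google guide the question links to looks like in Terraform. This is an added example, not code from the question or the answer above. In that guide the client-certificate settings (clientValidationMode, clientValidationTrustConfig) live in a Network Security ServerTlsPolicy under mtls_policy; the TrustConfig it references is a Certificate Manager resource holding the client CA chain; and the ServerTlsPolicy is attached to the target HTTPS proxy, not to the backend service. google_network_security_client_tls_policy is the client-side (Traffic Director) resource and has no client-validation fields. Resource names, the CA file paths, the declared variables, the named port "grpc" and a recent google provider release are assumptions of this example; the custom request header variables are the ones documented for mTLS on the global external Application Load Balancer.

```hcl
# Assumed inputs: the server cert/key the question already has, plus the MIG
# instance group and health check that already carry traffic.
variable "tcp_lb_cert" { type = string }
variable "tcp_lb_private_key" { type = string }
variable "grpc_instance_group" { type = string } # self-link of the MIG's instance group
variable "grpc_health_check" { type = string }   # self-link of an existing health check

data "google_project" "current" {}

# Step "Create a TrustConfig resource": the CA chain the load balancer trusts
# for *client* certificates. Assumption: PEM files checked in next to this module.
resource "google_certificate_manager_trust_config" "mtls" {
  name        = "grpc-lb-mtls-trust"
  location    = "global"
  description = "Client CA chain trusted for mTLS on the gRPC load balancer"

  trust_stores {
    trust_anchors {
      pem_certificate = file("${path.module}/client-ca-root.pem")
    }
    intermediate_cas {
      pem_certificate = file("${path.module}/client-ca-intermediate.pem")
    }
  }
}

# Step "Create the network security resources": a ServerTlsPolicy (not a
# ClientTlsPolicy). Older provider releases expose this only via google-beta.
resource "google_network_security_server_tls_policy" "mtls" {
  name        = "grpc-lb-mtls-policy"
  location    = "global"
  description = "Require a client certificate that chains to the trust config"
  allow_open  = false # must be false for external load balancer policies

  mtls_policy {
    # REJECT_INVALID fails the TLS handshake for missing or untrusted client
    # certs. ALLOW_INVALID_OR_MISSING_CLIENT_CERT admits the request and leaves
    # enforcement to the backend via the custom headers set below.
    client_validation_mode         = "REJECT_INVALID"
    client_validation_trust_config = "projects/${data.google_project.current.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.mtls.name}"
  }
}

# Server-side certificate presented to clients; unchanged from a plain HTTPS LB.
resource "google_compute_ssl_certificate" "server" {
  name        = "grpc-lb-server-cert"
  certificate = var.tcp_lb_cert
  private_key = var.tcp_lb_private_key
}

resource "google_compute_backend_service" "grpc" {
  name                  = "grpc-lb-backend"
  protocol              = "HTTP2" # gRPC rides on HTTP/2 to the instances
  port_name             = "grpc"  # named port defined on the MIG
  load_balancing_scheme = "EXTERNAL_MANAGED"
  health_checks         = [var.grpc_health_check]

  backend {
    group = var.grpc_instance_group
  }

  # Hand the LB's verdict on the client certificate to the gRPC service so it
  # can authorize on identity rather than trusting every caller that got through.
  custom_request_headers = [
    "X-Client-Cert-Present:{client_cert_present}",
    "X-Client-Cert-Chain-Verified:{client_cert_chain_verified}",
    "X-Client-Cert-Subject:{client_cert_subject_dn}",
    "X-Client-Cert-Fingerprint:{client_cert_sha256_fingerprint}",
  ]
}

resource "google_compute_url_map" "grpc" {
  name            = "grpc-lb-urlmap"
  default_service = google_compute_backend_service.grpc.id
}

# The mTLS policy attaches here, on the target HTTPS proxy.
resource "google_compute_target_https_proxy" "grpc" {
  name              = "grpc-lb-https-proxy"
  url_map           = google_compute_url_map.grpc.id
  ssl_certificates  = [google_compute_ssl_certificate.server.id]
  server_tls_policy = google_network_security_server_tls_policy.mtls.id
}

resource "google_compute_global_forwarding_rule" "grpc" {
  name                  = "grpc-lb-fwd"
  target                = google_compute_target_https_proxy.grpc.id
  port_range            = "443"
  ip_protocol           = "TCP"
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
```

Two things worth checking after `terraform apply`: a `grpcurl` or `openssl s_client` call without a client certificate should fail the handshake under REJECT_INVALID, and a call with a certificate issued by the trusted CA should reach the backend carrying the X-Client-Cert-* headers. If the backend strips or ignores those headers, nothing downstream knows which client connected, so treat them as the authorization input, and note that a client can only set them itself if the LB is bypassed, which is why the instances should accept traffic only from the load balancer's proxy ranges. If the server certificate is managed through Certificate Manager instead of google_compute_ssl_certificate, the target proxy takes a certificate_map reference in place of ssl_certificates; the mTLS wiring is the same.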

Posted by huangapple on 2023-05-11 16:47:57
Original link (keep when reposting): https://go.coder-hub.com/76225748.html