Add HTTPS support
SSL termination happens on the Load Balancer.
An SSL Certificate in AWS Certificate Manager is a prerequisite
for this to work.
Issue: Feature 12470
Change-Id: I9361d2f4b120fb6ae422ec7a46075b9026d0d5ee
diff --git a/single-master/Makefile b/single-master/Makefile
index da8ecc5..65729b7 100644
--- a/single-master/Makefile
+++ b/single-master/Makefile
@@ -32,7 +32,8 @@
ParameterKey=ClusterStackName,ParameterValue=$(CLUSTER_STACK_NAME) \
ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME) \
ParameterKey=Subdomain,ParameterValue=$(SUBDOMAIN) \
- ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI)
+ ParameterKey=DockerRegistryUrl,ParameterValue=$(DOCKER_REGISTRY_URI) \
+ ParameterKey=CertificateArn,ParameterValue=$(SSL_CERTIFICATE_ARN)
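Review bot: Nothing in this rule fails fast when `SSL_CERTIFICATE_ARN` is unset, so an empty value is passed as `ParameterValue=` and the error only surfaces from CloudFormation, after the stack has started creating, with a message about `CertificateArn` rather than about the Make variable the user actually forgot. Since the README declares the variable mandatory, a parse-time guard above the rule would be clearer: `ifeq ($(strip $(SSL_CERTIFICATE_ARN)),)`, `$(error SSL_CERTIFICATE_ARN must be set to the ACM certificate ARN used by the HTTPS listener)`, `endif`. I cannot see from this hunk whether the other mandatory variables (`DOCKER_REGISTRY_URI`, `HOSTED_ZONE_NAME`) already get such a check; if they do, the new one should follow the same pattern. The rule this hunk belongs to starts before the hunk.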
dns-routing:
$(AWS_FC_COMMAND) create-stack \
@@ -41,7 +42,7 @@
--template-body file://`pwd`/$(DNS_ROUTING_TEMPLATE) \
--region $(AWS_REGION) \
--parameters \
- ParameterKey=ServiceStackName,ParameterValue=$(SERVICE_STACK_NAME) \
+ ParameterKey=ServiceStackName,ParameterValue=$(SERVICE_STACK_NAME)
wait-for-cluster-creation:
@echo "*** Wait for cluster stack '$(CLUSTER_STACK_NAME)' creation"
diff --git a/single-master/README.md b/single-master/README.md
index c3453c8..5e2ea26 100644
--- a/single-master/README.md
+++ b/single-master/README.md
@@ -22,6 +22,7 @@
* SSH on port 29418
* 1 Internet Gateway
* 1 type A alias DNS entry
+* A SSL certificate available in [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/)
### Data persistency
@@ -58,6 +59,7 @@
* `DOCKER_REGISTRY_URI`: Mandatory. URI of the Docker registry. See the
[prerequisites](#prerequisites) section for more details.
+* `SSL_CERTIFICATE_ARN`: Mandatory. ARN of the SSL Certificate.
* `CLUSTER_STACK_NAME`: Optional. Name of the cluster stack. `gerrit-cluster` by default.
* `SERVICE_STACK_NAME`: Optional. Name of the service stack. `gerrit-service` by default.
* `DNS_ROUTING_STACK_NAME`: Optional. Name of the DNS routing stack. `gerrit-dns-routing` by default.
@@ -73,6 +75,8 @@
Gerrit configuration
* to [add Gerrit secrets](#add-gerrit-secrets-in-aws-secret-manager) in AWS Secret
Manager
+* an SSL Certificate in AWS Certificate Manager (you can find more information on
+ how to create and handle certificates in AWS [here](https://aws.amazon.com/certificate-manager/getting-started/)
### Add Gerrit Secrets in AWS Secret Manager
diff --git a/single-master/cf-service.yml b/single-master/cf-service.yml
index bfb20bb..75d652f 100644
--- a/single-master/cf-service.yml
+++ b/single-master/cf-service.yml
@@ -27,10 +27,17 @@
Description: Gerrit HTTP port
Type: Number
Default: 8080
+ HTTPSPort:
+ Description: Gerrit HTTPS port
+ Type: Number
+ Default: 443
SSHPort:
Description: Gerrit SSH port
Type: Number
Default: 29418
+ CertificateArn:
+ Description: SSL Certificates ARN
+ Type: String
HostedZoneName:
Description: The route53 HostedZoneName.
Type: String
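Review bot: The description `Gerrit HTTPS port` on the new `HTTPSPort` parameter is misleading: per the environment in this same template Gerrit itself keeps listening plain HTTP on `HTTPPort`, and 443 is the port of the load balancer's TLS listener. I would reword it to `Load balancer HTTPS listener port (TLS terminates here; Gerrit itself listens on HTTPPort)` so nobody tries to change the container port through it. `CertificateArn` is also an unconstrained `String`; a typo is only rejected when the listener is created, so an `AllowedPattern: '^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/.+$'` would fail it at template validation instead. The `Parameters` section continues outside the hunk.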
@@ -92,7 +99,9 @@
Image: !Sub '${DockerRegistryUrl}/${DockerImage}'
Environment:
- Name: CANONICAL_WEB_URL
- Value: !Join [ '', [ 'http://', !Ref 'Subdomain', '.', !Ref 'HostedZoneName' ] ]
+ Value: !Sub 'https://${Subdomain}.${HostedZoneName}'
+ - Name: HTTPD_LISTEN_URL
+ Value: !Sub 'proxy-https://*:${HTTPPort}/'
- Name: AWS_REGION
Value: !Ref AWS::Region
MountPoints:
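Review bot: The `HTTPD_LISTEN_URL` value of `proxy-https://*:${HTTPPort}/` deserves a comment, because it is the only place that records the trust assumption of this change: TLS is terminated at the load balancer and the hop from the load balancer to the container on `HTTPPort` is plaintext, with `proxy-https` merely telling Gerrit to assume the client side was HTTPS so that it generates `https://` links. I would add `# TLS is terminated at the load balancer; Gerrit listens plain HTTP on HTTPPort and proxy-https makes it treat every request as originally HTTPS.` above the entry. That assumption only holds if `HTTPPort` on the tasks is reachable solely from the load balancer; the security group is not in this hunk, so please confirm it does not expose `HTTPPort` more widely. The container definition starts before the hunk.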
@@ -189,12 +198,14 @@
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn: LoadBalancer
Properties:
+ Certificates:
+ - CertificateArn: !Ref CertificateArn
DefaultActions:
- Type: forward
TargetGroupArn: !Ref HTTPTargetGroup
LoadBalancerArn: !Ref LoadBalancer
- Port: !Ref HTTPPort
- Protocol: TCP
+ Port: !Ref HTTPSPort
+ Protocol: TLS
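Review bot: The TLS listener carries no `SslPolicy`, so the negotiated protocol versions and cipher suites are whatever the ELBv2 default policy happens to be for this account and region, which has historically included TLS 1.0/1.1 and may change without a template change. Pinning it is one line next to `Certificates`: `SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06` (or another policy the project explicitly chooses), and it documents the floor in the template rather than relying on AWS defaults. Note also that with the TCP listener on `HTTPPort` removed there is no longer any plain-HTTP entry point at the load balancer, which is the right outcome but worth stating in the README since clients on the old port will simply time out. The listener resource starts before the hunk.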
SSHTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
@@ -278,3 +289,8 @@
Value: !Ref Subdomain
Export:
Name: !Join [ ':', [ !Ref 'AWS::StackName', 'Subdomain' ] ]
+ CanonicalWebUrl:
+ Description: Canonical Web URL
+ Value: !Sub 'https://${Subdomain}.${HostedZoneName}'
+ Export:
+ Name: !Join [ ':', [ !Ref 'AWS::StackName', 'CanonicalWebUrl' ] ]
diff --git a/single-master/setup.env.template b/single-master/setup.env.template
index cb57a12..63a6891 100644
--- a/single-master/setup.env.template
+++ b/single-master/setup.env.template
@@ -5,3 +5,4 @@
SUBDOMAIN:=gerrit-master-demo
AWS_REGION:=us-east-2
DOCKER_REGISTRY_URI:=<your_aws_account_number>.dkr.ecr.us-east-2.amazonaws.com
+SSL_CERTIFICATE_ARN=arn:aws:acm:us-east-2:<your_aws_account_number>:certificate/41eb8e52-c82b-420e-a5b2-d79107f3e5e1
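Review bot: The new line uses `=` while every other entry in this template uses `:=`; since the value contains no `$` references the two flavours evaluate the same here, but the inconsistency invites a later edit that relies on one or the other, and `:=` matches the file. The example also embeds what looks like a specific certificate UUID next to a `<your_aws_account_number>` placeholder, so a reader may keep the UUID and get a confusing not-found error; I would write it as `SSL_CERTIFICATE_ARN:=arn:aws:acm:us-east-2:<your_aws_account_number>:certificate/<your_certificate_id>`.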