Add Secure Memorystore access with TLS from cartservice

Mathieu Benoit · Mathieu Benoit · commit 22d19bd924e1 · 2022-06-21T23:16:16.000-04:00
diff --git a/content/onlineboutique/create-memorystore.md b/content/onlineboutique/create-memorystore.md
@@ -7,13 +7,14 @@ tags: ["kcc", "platform-admin"]
 ![Platform Admin](/images/platform-admin.png)
 _{{< param description >}}_
 
-In this section, you will create a Memorystore (redis) instance for the Online Boutique's `cartservice` app to connect to.
+In this section, you will create a Memorystore (redis) instance for the Online Boutique's `cartservice` app to connect to. We will also create a second Memorystore (redis) with TLS enabled.
 
 Initialize variables:
 ```Bash
 WORK_DIR=~/
 source ${WORK_DIR}acm-workshop-variables.sh
-echo "export REDIS_NAME=cart2" >> ${WORK_DIR}acm-workshop-variables.sh
+echo "export REDIS_NAME=cart" >> ${WORK_DIR}acm-workshop-variables.sh
+echo "export REDIS_TLS_NAME=cart-tls" >> ${WORK_DIR}acm-workshop-variables.sh
 source ${WORK_DIR}acm-workshop-variables.sh
 ```
 
@@ -44,6 +45,29 @@ spec:
 EOF
 ```
 
+## Define Memorystore (redis) with TLS enabled
+
+Define the [Memorystore (redis) resource](https://cloud.google.com/config-connector/docs/reference/resource-docs/redis/redisinstance) with TLS enabled:
+```Bash
+cat <<EOF > ${WORK_DIR}$TENANT_PROJECT_DIR_NAME/$ONLINEBOUTIQUE_NAMESPACE/memorystore-tls.yaml
+apiVersion: redis.cnrm.cloud.google.com/v1beta1
+kind: RedisInstance
+metadata:
+  name: ${REDIS_TLS_NAME}
+  namespace: ${TENANT_PROJECT_ID}
+  annotations:
+    config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/${TENANT_PROJECT_ID}/ComputeNetwork/${GKE_NAME}
+spec:
+  authorizedNetworkRef:
+    name: ${GKE_NAME}
+  memorySizeGb: 1
+  redisVersion: REDIS_6_X
+  region: ${GKE_LOCATION}
+  tier: BASIC
+  transitEncryptionMode: SERVER_AUTHENTICATION
+EOF
+```
+
 ## Deploy Kubernetes manifests
 
 ```Bash
diff --git a/content/onlineboutique/secure-memorystore-access.md b/content/onlineboutique/secure-memorystore-access.md
@@ -3,15 +3,10 @@ title: "Secure Memorystore access"
 weight: 12
 description: "Duration: 10 min | Persona: Apps Operator"
 tags: ["apps-operator", "asm", "security-tips"]
-hidden: true
 ---
 ![Apps Operator](/images/apps-operator.png)
 _{{< param description >}}_
 
-{{% notice warning %}}
-This section is under construction and is not working currently, this page is hidden. Do not use it yet.
-{{% /notice %}}
-
 In this section, you will secure the access by TLS to the Memorystore (redis) instance from the OnlineBoutique's `cartservice` appl, without updating the source code of the app, just with Istio's capabilities.
 
 Initialize variables:
@@ -29,21 +24,20 @@ The `CART_MEMORYSTORE_HOST` has been built in order to explicitly represent the
 
 Get Memorystore (redis) connection information:
 ```Bash
-export REDIS_IP=$(gcloud redis instances describe $REDIS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(host)')
-export REDIS_PORT=$(gcloud redis instances describe $REDIS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(port)')
+export REDIS_TLS_IP=$(gcloud redis instances describe $REDIS_TLS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(host)')
+export REDIS_TLS_PORT=$(gcloud redis instances describe $REDIS_TLS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(port)')
 export REDIS_TLS_CERT_NAME=redis-cert
-gcloud redis instances describe $REDIS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(serverCaCerts[0].cert)' > ${WORK_DIR}${REDIS_TLS_CERT_NAME}.pem
+gcloud redis instances describe $REDIS_TLS_NAME --region=$GKE_LOCATION --project=$TENANT_PROJECT_ID --format='get(serverCaCerts[0].cert)' > ${WORK_DIR}${REDIS_TLS_CERT_NAME}.pem
 ```
 
 Update the Online Boutique apps with the new Memorystore (redis) connection information:
 ```Bash
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging
 cp -r ../upstream/base/for-memorystore/ .
-sed -i "s/REDIS_IP/${REDIS_IP}/g;s/REDIS_PORT/${REDIS_PORT}/g" for-memorystore/kustomization.yaml
-kustomize edit add component for-memorystore
+sed -i "s/REDIS_IP/${REDIS_TLS_IP}/g;s/REDIS_PORT/${REDIS_TLS_PORT}/g" for-memorystore/kustomization.yaml
 ```
 {{% notice info %}}
-This will change the `REDIS_ADDR` environment variable of the `cartservice` to point to the Memorystore (redis) instance as well as removing the `Deployment` and the `Service` of the default in-cluster `redis` database container.
+This will change the `REDIS_ADDR` environment variable of the `cartservice` to point to the Memorystore (redis) instance with TLS enabled.
 {{% /notice %}}
 
 Define the `Secret` with the Certificate Authority:
@@ -68,13 +62,13 @@ spec:
   hosts:
   - ${CART_MEMORYSTORE_HOST}
   addresses:
-  - ${REDIS_IP}/32
+  - ${REDIS_TLS_IP}/32
   endpoints:
-  - address: ${REDIS_IP}
+  - address: ${REDIS_TLS_IP}
   location: MESH_EXTERNAL
   resolution: STATIC
   ports:
-  - number: ${REDIS_PORT}
+  - number: ${REDIS_TLS_PORT}
     name: tcp-redis
     protocol: TCP
 EOF
@@ -116,12 +110,10 @@ patches:
 EOF
 ```
 
-Update the previously deployed `Sidecars`, `NetworkPolicies` and `AuthorizationPolicies`:
+Update the previously deployed `Sidecars`:
 ```Bash
 cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/staging
-kustomize edit add component ../upstream/sidecars/for-memorystore
 cat <<EOF >> kustomization.yaml
-patchesJson6902:
 - target:
     kind: Sidecar
     name: cartservice
@@ -132,18 +124,6 @@ patchesJson6902:
         - "istio-system/*"
         - "./${CART_MEMORYSTORE_HOST}"
 EOF
-cd ${WORK_DIR}$ONLINE_BOUTIQUE_DIR_NAME/base
-cat <<EOF >> network-policies/kustomization.yaml
-patchesStrategicMerge:
-- |-
-  apiVersion: networking.k8s.io/v1
-  kind: NetworkPolicy
-  metadata:
-    name: redis-cart
-  \$patch: delete
-EOF
-kustomize edit add component ../upstream/service-accounts/for-memorystore
-kustomize edit add component ../upstream/authorization-policies/for-memorystore
 ```
 
 ## Deploy Kubernetes manifests
diff --git a/content/service-mesh/set-up-asm-configs.md b/content/service-mesh/set-up-asm-configs.md
@@ -117,12 +117,14 @@ rules:
   - "virtualservices"
   - "authorizationpolicies"
   - "sidecars"
+  - "serviceentries"
+  - "destinationrules"
   verbs:
   - "*"
 EOF
 ```
 {{% notice tip %}}
-Later in this workshop, for each app namespace, we will define a Config Sync's `RepoSync` which will be bound to the `edit` `ClusterRole`. With that new extension, it will allow each namespace to deploy Istio resources such as `Sidecar`, `VirtualService` and `AuthorizationPolicy` while meeting with the least privilege principle requirement.
+Later in this workshop, for each app namespace, we will define a Config Sync's `RepoSync` which will be bound to the `edit` `ClusterRole`. With that new extension, it will allow each namespace to deploy Istio resources such as `Sidecar`, `VirtualService`, `AuthorizationPolicy`, `ServiceEntry` and `DestinationRule` while meeting with the least privilege principle requirement.
 {{% /notice %}}
 
 ## Deploy Kubernetes manifests
