Create an Internet exposed HTTPS Load-Balancer on Volterra with Terraform (Origin handled by a Volterra node)

Problem this snippet solves:

How to create an Internet exposed HTTPS Load-Balancer with VoltMesh where the Origin is reachable through a Volterra node. The Origin is HTTP based but will be exposed on the Internet over HTTPS.

Two steps are needed:

1. Creation of the Origin (1-origin.tf file)
2. Creation of the Load-Balancer (2-https-lb.tf file)

How to use this snippet:

Pre-requirements:

• Have a Volterra API Certificate. Please see this page for the API Certificate generation: https://volterra.io/docs/how-to/user-mgmt/credentials
• Extract the certificate and the key from the .p12:

    openssl pkcs12 -info -in certificate.p12 -out private_key.key -nodes -nocerts
    openssl pkcs12 -info -in certificate.p12 -out certificate.cert -nokeys

• Create a variables.tf Terraform variables file:

    variable "api_cert" {
            type = string
            default = "/<full path to>/certificate.cert"
        }
        
        variable "api_key" {
          type = string
          default = "/<full path to>/private_key.key"
        }
        
        variable "api_url" {
            type = string
            default = "https://<tenant_name>.console.ves.volterra.io/api"
        }

• Create a main.tf Terraform file:

    terraform {
          required_version = ">= 0.12.9, != 0.13.0"
        
          required_providers {
            volterra = {
              source = "volterraedge/volterra"
              version = ">=0.0.6"
            }
          }
        }
        provider "volterra" {
          api_cert = var.api_cert
          api_key = var.api_key
          url   = var.api_url
        }

• Encode in base 64 the public key of the TLS certificate you want to use in the HTTPS load-balancer, From a shell, run:

    base64 publicpart_of_tls_certificate.pem

• Get the Volterra vesctl tool: https://gitlab.com/volterra.io/vesctl/blob/main/README.md
• Then in your home directory, create a .vesconfig file with the following lines:

    server-urls: https://<tenant>.console.ves.volterra.io/api
    key: /<full path to>/private_key.key
    cert: /<full path to>/certificate.cert

• Then in the folder where you have installed vesctl, run:

    ./vesctl.darwin-amd64 request secrets get-public-key > tenant-public-key
    ./vesctl.darwin-amd64 request secrets get-policy-document --namespace shared --name ves-io-allow-volterra > ves-io-allow-volterra-policy
    ./vesctl.darwin-amd64 request secrets encrypt --policy-document ves-io-allow-volterra-policy --public-key tenant-public-key privkey.pem > blindfolded-privkey

Where privkey.pem is the private key of your TLS certificate. The Volterra encrypted TLS key will be available in the blindfolded-privkey file.

In the directory where your terraform files are, run:

terraform init

Then:

terraform apply

Code :

//==========================================================================
//Definition of the Origin, 1-origin.tf
//Start of the TF file
resource "volterra_origin_pool" "sample-https-origin-pool" {
  name                   = "sample-https-origin-pool"
  //Name of the namespace where the origin pool must be deployed
  namespace              = "mynamespace"
 
   origin_servers {

    private_ip {
      ip = "10.17.20.13"

      //From which interface of the node onsite the IP of the service is reachable. Value are inside_network / outside_network or both.
      outside_network = true
     
     //Site definition
      site_locator {
        site {
          name      = "name-of-the-site"
          namespace = "system"
          tenant    = "name-of-the-tenant"
        }
      }
    }

    labels = {
    }
  }

  no_tls = true
  port = "80"
  endpoint_selection     = "LOCALPREFERED"
  loadbalancer_algorithm = "LB_OVERRIDE"
}
//End of the file
//==========================================================================

//==========================================================================
//Definition of the Load-Balancer, 2-https-lb.tf
//Start of the TF file
resource "volterra_http_loadbalancer" "sample-https-lb" {
depends_on = [volterra_origin_pool.sample-https-origin-pool]
//Mandatory "Metadata"
name      = "sample-https-lb"
//Name of the namespace where the origin pool must be deployed
namespace = "mynamespace"
//End of mandatory "Metadata" 

//Mandatory "Basic configuration"
  domains = ["mydomain.internal"]
  https {
    add_hsts = true
    http_redirect = true
    tls_parameters {
      no_mtls = true
      tls_config {
        default_security = true  
      }
      tls_certificates {
        certificate_url = "string:///"
          }
          secret_encoding_type = "EncodingNone"
        }
      }    
    }
  }

default_route_pools {
    pool {
      name = "sample-https-origin-pool"
      namespace = "mynamespace"
    }
    weight = 1
  }

//Mandatory "VIP configuration"
advertise_on_public_default_vip = true
//End of mandatory "VIP configuration"

//Mandatory "Security configuration"
no_service_policies = true
no_challenge = true
disable_rate_limit = true
disable_waf = true
//End of mandatory "Security configuration"

//Mandatory "Load Balancing Control"
source_ip_stickiness = true
//End of mandatory "Load Balancing Control"
  
}
//End of the file
//==========================================================================

Tested this on version: