chef-cft / national-parks-demo


Update Demo for Hab 1.5 features, set automate password/token & clean-up #68

Closed ericcalabretta closed 4 years ago

ericcalabretta commented 4 years ago

Wanted to get this PR out for visibility, but it's too early to merge.

To do before merge:
- Azure parity
- Update README
- Collapse demo into single Terraform apply

What's done now:
- Rollback added as default, aka `--update-condition track-channel`
- Sets Automate token from a user-supplied variable so it's unchanging
- Sets Automate password from a user-supplied variable so it's unchanging
- Supports `chef-automate deploy` service for chef-server & bldr, defaults to just Automate

@ChefRycar Any recommendations for handling certs to re-enable NATS encryption? We need to copy the automate cert over to the trusted directory on the demo systems.

Signed-off-by: ericcalabretta eric.calabretta@gmail.com

NickRycar commented 4 years ago

@ericcalabretta If it's just a matter of copying over static but private certs/keys, we could always just have it available for SAs to download, and add it at provision with remote-file (and make sure it's .gitignored!).

That said, what's the full problem we're solving for? Unfamiliar with the NATS encryption issue, but assume we'll also want to turn on https for the apps dashboard (will require changing load balancers, per @jvogt )

ericcalabretta commented 4 years ago

@ChefRycar the HTTPS for Apps dashboard is the NATS encryption issue so we're on the same page!

The reporting doesn't actually use HTTPS; it uses NATS on port 4422, which is the encryption we had to disable during the beta. It's supported now that it's GA, but does require Automate's cert to be in the supervisor's trusted cert list. I played around with it a little bit the other day but got a cert/IP mismatch.

I didn't dig into it further, but thought it'd be good to consult you since you did a lot of the DNS/Cert work originally.

We have a few options to configure it, but all require the cert.

https://automate.chef.io/docs/applications-setup/#authorize-communication-from-chef-habitat-to-chef-automate

jvogt commented 4 years ago

My first preference is to disable TLS if possible, purely for simplicity.

Otherwise, we should migrate the aws cert provisioning to letsencrypt (already done in azure, see example here).

Once this is done, the private key on the automate box will always be trusted, and we won't need to deploy any public cert into the hab sups.

NickRycar commented 4 years ago

The other downside to the current setup is that it requires sending data to the IP rather than the hostname. That can be fixed by switching to an ELB (am I remembering that right, @jvogt ?)

jvogt commented 4 years ago

Yup, with an ELB you just add another listener (see: https://github.com/jvogt/2019-demo-terraform/blob/master/automate/aws/chef_automate_elb.tf#L14-L19)

Not sure what the pattern is on Azure though.

ericcalabretta commented 4 years ago

Yeah, let's just keep the EAS encryption disabled @jvogt. It's too much effort after talking about it and not important to the story.

ericcalabretta commented 4 years ago

@jvogt @ChefRycar I think this is ready to merge.

I tested chef-automate in aws and the national-parks in aws/azure.

I started this branch prior to some of our Azure fixes last week, so if you test on Azure you still need those fixes, but it shouldn't matter once we merge; master is good.

This closes out a few open issues, updates to Hab 1.5 features and a bunch of general clean-up.

I'll need another PR to get chef-automate in Azure working. This one is already too large, so I want to separate that work into a different branch/PR.

alainlubin commented 4 years ago

I can get this to work. Still have to run tfa in 2 dirs for Automate and Hab. Once launched, I can use Builder to toggle which build to show. Usually takes 30 to 45 seconds, sometimes a 404 error will appear when refreshing the page - the update will show after this error. I'm good with this pr.

ericcalabretta commented 4 years ago

@alainlubin You are correct, this PR got big enough that I didn't merge the two directories.

I think we can get all the 1.5 and some of the quality of life improvements then revisit merging the directories.

@kenlangdon Correct, I did not fix chef-automate Azure, but once this gets merged we can start working on fixing chef-automate Azure. Trying to avoid a long branch and merge conflicts.

ericcalabretta commented 4 years ago

Closes issue https://github.com/chef-cft/national-parks-demo/issues/40

ericcalabretta commented 4 years ago

Closes issue https://github.com/chef-cft/national-parks-demo/issues/33