Feature request: Ability to disable SSL on Helix Core

[henrykie]

Use case

Users may want to deploy Helix Core using plaintext communication for a number of reasons. We should provide a flag on the Helix Core module that enables or disables this feature.

Solution/User Experience

module "helix_core" {
  source = "cloud-game-development-toolkit/modules/perforce/helix-core"
  ...
  ssl = true # or some equivalent variable definition

This should result in clients being able to connect to the Helix Core server using plaintext. If the Helix Core sits in a private subnet we can now front it with an NLB that handles TLS termination.

Alternative solutions

No response

[henrykie]

A proposed implementation would require the following changes:

Add support for passing a TLS enablement flag to the Helix Core server on startup

• Add a variable to the module to control this behavior
• Add a flag to the p4_configure script inputs
• Conditionally pass said flag to the p4_configure script invoked in instance user data based on the TF variable

Update the p4_configure script to correctly set the TLS settings

• Based on the flag specified above, we will need to update mkdirs.cfg - this file is referred to as SDP_Setup_Script_Config in the p4_configure.sh script. See this line for details. We update multiple fields in this file prior to running mkdirs.sh using sed. Please consult the mkdirs.cfg documentation for information about where the TLS behavior can be set. (hint: see line 100)

Make adjustments to p4_configure script

• We do not need to generate self-signed SSL certificates if TLS is disabled.
• P4PORT should be set appropriately for remaining configurations. Currently it defaults to using ssl:1666, but when TLS is disabled this will fail. There are multiple lines where this is relevant (473, 484).

[GrzesiekO]

This will be addressed as part of a larger PR that is in the works. First getting rid of p4_configure.sh in favor of Ansible playbook. During this transition this will be addressed. The variables will be passed by the ssm association (run command from SSM) that Ansible will take.
Current plan is to keep the SSL disabled by default as TLS terminations should happen on NLB.

[henrykie]

@GrzesiekO We really ought to split some of these issues out into smaller adjustments. I need to be able to disable self-signed cert creation now to progress on NLB work. I'll own this issue, and the refactor you are working on can adjust from there.