Add support for SSL/TLS for Elasticsearch HTTP and Transport layers (#…

…187)

Add support for SSL/TLS for Elasticsearch HTTP and Transport layers

This commit adds support for securing HTTP and Transport layers by specifying parameters with which PKCS#12 archives containing the certificate and key can be supplied. 

To configure TLS for the HTTP layer, a PKCS#12 archive containing the HTTP cert and key or an archive containing the HTTP CA cert and key must be provided. 

When an archive containing the HTTP cert and key is provided, it will take preference, and Kibana will be configured with certificate verification mode. The most likely use case for this is to provide a cert for a CNAME pointing at the external loadbalancer public IP.

When an archive containing the HTTP CA cert and key HTTP certs is provided, the CA certs is used to generate a PKCS#12 archive containing a certificate and key for each node, including the node DNS and IP as Subject Alternative Names, as well as the internal loadbalancer public IP. This allows Kibana to be set to full verification mode when communicating internally. A client
communicating through the external loadbalancer can verify certificates returned from Elasticsearch against the CA. A client communicating through Application Gateway will use the certificate configured for the Application Gateway.

To configure TLS for the Transport layer, a PKCS#12 archive containing the Transport CA cert and key must be provided. The CA cert is used to generate a PKCS#12 archive containing a certificate and key for each node, including the node DNS and IP as Subject Alternative Names. Including the IP allows the cluster to operate in full verification mode for the Transport layer. 

Other changes:

- Use the insecure flag when calling localhost over HTTPS with curl. Since the subject name in certificate used to secure the HTTP layer is most likely not going to match localhost (it's likely to be tied to a public domain name), the --cacert flag for curl cannot be used.

- Update integration tests to use the parameters-file argument to pass the parameters to azure cli.
    Since parameters can now contain base 64 encoded certificates, the input can be longer than the maximum characters allowed in Windows (8192).

- Add generated self-signed certificates for use in integration tests.
- Add --test parameter to be able to filter integration tests
    --test <regexp> with a pattern to match the tests to run
- Configure Application Gateway to work with TLS on backend pool
    Add support for TLS from Application Gateway to the backend pool. Application Gateway communicates with the backend pool through the internal loadbalancer, and the public certificate(s) used by the backend pool must be whitelisted by Application Gateway by providing these details to it.
    This means that for TLS on the HTTP layer in conjunction with Application Gateway,
only the single esHttpCertBlob option can be supported. In the case of esHttpCaCertBlob which is used to generate a cert for HTTP layer for each VM/node in the cluster, the public keys for these certs cannot be automatically added to Application Gateway as part of deployment.

- Pass Elasticsearch HTTP and HTTP CA archives for Kibana configuration
    Pass the Elasticsearch HTTP and HTTP CA PKCS#12 archives to Kibana to configure TLS to Elasticsearch from Kibana. When a CA cert is provided, it is used to configure the certificate authority.
    The presence of an Elasticsearch HTTP archive overrides the presence of a HTTP CA archive. That is, if a HTTP archive is provided, the Certificate Authority will be extracted from this PKCS#12 archive.
If no CA cert is present, The verification mode for TLS with Elasticsearch will be set to none.

- Remove versions less than 5.3.x from the template.
    5.0.x and 5.1.x are now EOL and 5.2.x will be EOL end of July.
    5.2.x is removed now because Kibana Console does not work with self-signed
certs; Kibana itself works, but not console, responding with

    Client request error: unable to verify the first certificate

    Closes #199

- Remove hostname verification in integration tests

    Remove the hostname verification check used by node's request module. Since all certs used are self-signed, hostname verification will fail. Tests still verify the CA.

- Add support for --nodestroy parameter

    Adds a --nodestroy parameter that when passed, does not delete resource groups after integration tests

build/README.md

@@ -6,18 +6,17 @@ Run the following to bring down all the dependencies
 $ npm install
 ```
 
-# Build
+## Build
 
 To build the project call
 
 ```bash
-$ npm run build
+npm run build
 ```
 
 This will patch the templates according to the configured `build/allowedValues.json` and generate the various data node templates as well as doing several sanity checks and assertions.
 
-The result will be a distribution zip under `dist/elasticsearch-marketplace-DATE.zip` ready to be uploaded to the publisher portal.
-
+The result will be a distribution zip under `dist/elasticsearch-marketplace-<date>.zip` ready to be uploaded to the publisher portal.
 
 ## Development
 
@@ -44,42 +43,83 @@ where
 - `<username>` is your github username and `<repo>` is the name of the Azure Marketplace github repository. Defaults to the remote origin repository.
 - `<branch>` is the name of the branch. Defaults to the name of the current branch 
 
-## Test
+## Testing
 
 For this you need to create a [Create a Service Principal - Azure CLI](https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/blob/master/docs/get-started/create-service-principal.md).
 
-Then copy the `.test.example.json` file and enter your details
+Then copy the `.test.example.json` file and enter the credentials for the Service Principal into `.test.json`
+
+```bash
+cp build/.test.example.json build/.test.json
+```
+
+`.test.json` is git ignored but **always take extra care not to commit this file or make a copy of it**.
+
+Now that the test file is set up, tests can be run with
 
 ```bash
-$ cp build/.test.example.json build/.test.json
+npm run test
 ```
 
-`.test.json` is git ignored but always take extra care not to commit this file or a copy of it.
+Which will login to the Azure account accessible by the Service Principal account and create a
+resource group with the name `test-<machinename>-<scenario>-<date>` and perform online validation
+of the template using the scenarios parameters.
+When done, the command will clean up the resource groups and logout of azure.
 
+Tests use the template checked into the github repository branch, so be sure to push any changes that need to be tested up to GitHub.
+
+### Testing a specific version
+
+By default, tests always use the last version specified in the versions array in `build/allowedValues.json`, but you can specify a version using
 
 ```bash
-$ npm test
+npm run test -- --version 6.2.4
 ```
 
-Will login to azure create resource group in the form of `test-[scenario]-[date]` and do an online validation of the template using the scenario's parameters.
-When done (failures or not) this command will clean up the resource groups and logout of azure.
+A random value from the versions array can also be used
 
 ```bash
-$ npm run deploy-all
+npm run test -- --version random
 ```
 
-Same as `npm test` but will try and deploy all scenarios expected to be valid once all the scenarios have been validated.
-It will do some post install checks on the deployed cluster if it can.
+### Specifying tests to run
+
+All test scenarios in `build/arm-tests` are run by default. Specific tests can be targeted with
 
 ```bash
-$ npm run azure-cleanup
+npm run test -- --test 3d.*
 ```
-Will remove all resource-groups starting with `test-*`
+
+where the `--test` parameter is a regular expression to include tests to run.
+
+### Deploying tests
+
+the `test` command will simply validate that the template parameters are valid, but a deployment can be performed with
+
+```bash
+npm run deploy-all
+```
+
+This is similar to `test` but will try and deploy all scenarios with `isValid:true`, once all the scenarios have been validated.
+Some post install checks are performed on the deployed cluster to assert successful deployment.
+
+**NOTE:** Be sure that you have sufficient core quota in the subscription and location into which you're deploying.
+
+### Cleaning up resource groups
+
+Both `test` and `deploy-all` will attempt to clean up the resource groups created as part of a test run, but sometimes this
+may not happen e.g. testing process stopped part-way through. When this happens, you can run
+
+```bash
+npm run azure-cleanup
+```
+
+to remove all resource-groups starting with `test-*`
 
 ## Automated UI tests
 
 The automated ui tests are not (yet) part of the main test command to run them:
 
 ```bash
-$ npm run headless
+npm run headless
 ```

build/allowedValues.json

@@ -1,8 +1,5 @@
 {
   "versions": [
-    "5.0.2",
-    "5.1.2",
-    "5.2.2",
     "5.3.2",
     "5.4.0",
     "5.4.2",

build/arm-tests/1d-0m-0c-int-kp-yml.json

@@ -0,0 +1,47 @@
+{
+  "description": "1 data node cluster using temp disk, with additional yaml configuration",
+	"isValid" : true,
+	"deploy" : true,
+	"why" : "",
+	"location" : "westeurope",
+	"parameters" : {
+		"loadBalancerType":{"value":"internal"},
+    "kibana":{"value":"Yes"},
+    "kibanaAdditionalYaml":{"value":"server.name: \"My server\"\nserver.defaultRoute: \"/app/kibana\""},
+    "esAdditionalYaml":{"value":"action.auto_create_index: +.*\nindices.queries.cache.size: 5%"},
+		"jumpbox":{"value":"No"},
+		"vmSizeKibana":{"value":"Standard_DS1_v2"},
+		"vmSizeDataNodes":{"value":"Standard_DS1_v2"},
+		"vmDataNodeCount":{"value":1},
+		"vmDataDiskCount":{"value":0},
+		"vmDataDiskSize":{"value":"Small"},
+		"storageAccountType":{"value":"Default"},
+		"dataNodesAreMasterEligible":{"value":"Yes"},
+		"vmSizeMasterNodes":{"value":"Standard_DS2"},
+		"vmClientNodeCount":{"value":0},
+		"vmSizeClientNodes":{"value":"Standard_D1"},
+		"authenticationType":{"value":"password"},
+		"vNetName": {"value": "es-net"},
+		"vNetClusterSubnetName": {"value": "es-subnet"},
+		"vNetAppGatewaySubnetName": {"value": "es-app-gateway"},
+		"vNetLoadBalancerIp": {"value": "10.0.0.4"},
+		"vNetNewOrExisting": {"value":"new"},
+		"vNetExistingResourceGroup": {"value": ""},
+		"vNetNewAddressPrefix": {"value": "10.0.0.0/24"},
+		"vNetNewClusterSubnetAddressPrefix": {"value": "10.0.0.0/25"},
+		"vNetNewAppGatewaySubnetAddressPrefix": {"value": "10.0.0.128/28"},
+		"appGatewayTier": {"value":"Standard"},
+		"appGatewaySku": {"value":"Small"},
+		"appGatewayCount": {"value":1},
+		"appGatewayCertBlob": {"value":""},
+		"appGatewayCertPassword": {"value":""},
+		"appGatewayWafStatus": {"value":"Disabled"},
+		"appGatewayWafMode": {"value":"Detection"},
+		"userCompany": { "value": "" },
+		"userEmail": { "value": "" },
+		"userFirstName": { "value": "" },
+		"userLastName": { "value": "" },
+		"userJobTitle": { "value": "Other" },
+		"userCountry": { "value": "" }
+	}
+}

build/arm-tests/3d-0m-0c-ags-ks.json

@@ -1,6 +1,6 @@
 {
 	"isValid" : true,
-	"deploy" : true,
+	"deploy" : false,
 	"why" : "",
 	"location" : "westeurope",
 	"parameters" : {
@@ -30,7 +30,7 @@
 		"appGatewayTier": {"value":"Standard"},
 		"appGatewaySku": {"value":"Small"},
 		"appGatewayCount": {"value":1},
-		"appGatewayCertBlob": {"value":"MIIKywIBAzCCCocGCSqGSIb3DQEHAaCCCngEggp0MIIKcDCCBg4GCSqGSIb3DQEHAaCCBf8EggX7MIIF9zCCBfMGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjgAqfP6vCkUAICB9AEggTYHtyYvzSKAIBhUpuNaHuFThO1XVqaHGws3btmgQwyhWIJHqiZAquZ1v4M7XYlmN0mqeZblmMO9ZOp8CL6U5Td9CWDHAYJwtmw+lre5mbfk8ES5p8IS6qbsf9G0SmcELzIf0n3xGaufCRuujWklTkRln/U7gA9m0pAxWrIt7dMsGQlori2iKvXn0EFcYVBetswIQGE4LXiEfSNW28ldDiGSvkpmxgI/AiOqD/kCr5xjZ6olSZ4QCV5QjDB8r5nInqKVxXqiTyijzFnWPsQIL+UQH4410rk+fR6idPWt//mQfghqF6w/cOfuCzfAUK23WeHdhVEIQ/+7R0rLBiSWTIzXqB6Yp2AzTATpg1xA9hyYpkEgviC32wSMhY/PMgr99e5Mjf/WHe0hSug9mib0cetaHCZ7mXCOBF3zUTath6svVBL4+7UFuN+Ve6EiN8clo+eMJTKi4z7B844tAZCf2DPK5QVBTZTqj9HdnjAb28ixbVICknWf/ZfYX4T/wk8nuqcbQONEg38dcD7yuXz1beUauffxk7uJAZHAAcCG4c1KiODG0TYO8juGQZQYSdpa3BfwlWmnHLbr+ogoCPRCV7m0i3Q82HODPrfSY53f/gK0ucp2mkedYROLNat3XxYx3mcbmfIpcEMEB8hAyifMX+k8wUsn/aI84OtqFGFywmJF6uGcBBy01Yfk3BOoASkrVcRVWBwfqqC+Evyf4OwTjk/YJUWGqEoa2TbHHeTSn/cWRs/yav+FhUYDq8puwaNgx6CdVBbwshpkgSZNeC31L44UAOAAKe7yhQcc933V4MiYyOaOqr6lq+FT8qLyN27Akcy9SmN8bUrf93OyfqBKg+lURNyzf+YazvcHgnclEgeQQWG4l7GhrVHWyoTDQ62ZAr2w9zxXIeUClAnM+D+SeaVMTI5nFMmXN48k6PSTaVDsVFRH4lH7PWNQDqInrQaZ2j8GzK7ar/8dW1ivEHg+sWcl2gAxbzAil1M9DYRtBnECVASXorU5INZgHnoozzdhX+PecXniJcXgw99i3HQKEZLSZ4qVmUThTik+b4Ppv7rgmE8Z+T4LBlstW1/H6UP3qyUWVCdwDJGmu65arDxnCoM3IH8JExHuuBjGQCtoqdha2b/Id+qguoQhDd46M46pbBI1ObUSureDpb6lGXjo+mwzdjk7CWKRJhuOYePYcATQ8eiiBnE0Q8sOUpLNbYs7qR+dTaDsZpLc1cYt00mlH1UJOJO17MvV39ciIhHaOfD/9n88gIJKv3Bm64O12YHYEmINR57ujOD2UQBDT37DR60pWDXI0ZLNjr3DrC7gZOFYeqzKaG+rnXWDrz7Be/osk8hwzTZ6uFepNOZZxn0o56env5Qp/70V4UC7VcYr3sHE7ElAE1XJOfOgxpTmXDv8QekeiozawdIHcSLqtkvDLuKo42vSR2wfgbbwjdRqOAWXf6Y0J506wGLCPtdUU/ZtGb1jZ2A1LSo0uSOuLRqq4bhneBDowQ476NecyJ+a6BPc96+Icggrd4PCWrAOFwCwxkTelb4ZUV3WilWDpwvMwwBWOyjgP/agFTrueUiXL3LlDCWQseJ1payBgEPquSGiDy6Fc+9tpyHu73oPMzvgdbOk7o67Bg2dkr+60LUNxKrpEE9yCfuqiSn9DGB4TATBgkqhkiG9w0BCRUxBgQEAQAAADBdBgkqhkiG9w0BCRQxUB5OAHQAcAAtADkAMABlADYAMQBmADQANwAtADkAZgBmADQALQA0ADMAZgBjAC0AOAAyADkAOAAtADcAOQBmADQAYgBjADgAMwA2ADIAYwA4MGsGCSsGAQQBgjcRATFeHlwATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByACAAdgAxAC4AMDCCBFoGCSqGSIb3DQEHAaCCBEsEggRHMIIEQzCCBD8GCyqGSIb3DQEMCgEDoIIDzjCCA8oGCiqGSIb3DQEJFgGgggO6BIIDtjCCA7IwggKaoAMCAQICEEFH0jQ+h56ESUs2wdvwHo4wDQYJKoZIhvcNAQELBQAwZzErMCkGA1UECwwiQ3JlYXRlZCBieSBodHRwOi8vd3d3LmZpZGRsZXIyLmNvbTEVMBMGA1UECgwMRE9fTk9UX1RSVVNUMSEwHwYDVQQDDBhET19OT1RfVFJVU1RfRmlkZGxlclJvb3QwHhcNMTUxMjA5MTgzMTAyWhcNMjExMjA4MTgzMTAyWjBnMSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRUwEwYDVQQKDAxET19OT1RfVFJVU1QxITAfBgNVBAMMGERPX05PVF9UUlVTVF9GaWRkbGVyUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALW3ekU9uUDvtw2J8BrXSC+F774WXWLDCo1qt5LHAk7lKTg3gfbo16tuvvHuNJY1vxyZgAqpENIlW6vhn/sKw0LsA2vW85A2srJPcSVvt33DUSy9UY2dzQoAaurun5Gzh51RaXOTZ/rN7T5ipgY0UKBS1FrhWtbCjwMXxeWnxzxXdhSrW1K/FV5wDHqHOViCAgjV9dYSmjHLA7M058mh1cf5AaEJIE3vtFnjQBNKsgGgHypAifKtEptPH2el1n09HL8D7PrAiAtCCaskn86cm4D+vLsOHn0ctCvfSKUMhhSOBK6Gvop+MZxMGwYAO59AlNpwWKTmgPNFk+yCpCoJb6UCAwEAAaNaMFgwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUdUrMGkQhpJJw4VqMgHty4o4NxR8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAX+Fq7DCpH8Fzr+UcmXrIpNcTaeJlGI1JYlqAJPCklXuOmI2/up56WiS1/hI9/dMaaR8VpIA1erixFya0azJQB9ZQJitT2s3wxmijxFbKBxAz5vN7xKWCgN+L6cfkjxz3RUck+r7XYA6v1Pe117rHjaVe9EylxiRcXIpCnkZIl63dJouWnDKcf+7759THEqgbhi4EvGqrUSzjlc5BB4NvxTLET2JE1AU7ixUlDngIprOoh4Mn6DddLOCeJzLnr5oJCVzbxGtYRqYbV+PFn9YjXnIAg3SkaETdAXvd4wcceJggfOallUijbVs+1yO4MHaoxzrbZXu6XilhFdfaK3ip+MV4wEwYJKoZIhvcNAQkVMQYEBAEAAAAwRwYJKoZIhvcNAQkUMToeOABEAE8AXwBOAE8AVABfAFQAUgBVAFMAVABfAEYAaQBkAGQAbABlAHIAUgBvAG8AdAAtAEMARQAAMDswHzAHBgUrDgMCGgQUPernRyuaDz++EY+Nby4dB+OQLfkEFCZ2zsteFj2fhzGNlgM/DEJshB2ZAgIH0A=="},
+		"appGatewayCertBlob": {"value":"cert-with-password.pfx"},
 		"appGatewayCertPassword": {"value":"Password123"},
 		"appGatewayWafStatus": {"value":"Disabled"},
 		"appGatewayWafMode": {"value":"Detection"},

build/arm-tests/3d-0m-0c-ags-tls.json

@@ -0,0 +1,46 @@
+{
+	"isValid" : true,
+	"deploy" : true,
+	"why" : "",
+	"location" : "westeurope",
+	"parameters" : {
+    "loadBalancerType":{"value":"gateway"},
+    "esHttpCertBlob":{"value":"cert-no-password.pfx"},
+    "esTransportCaCertBlob":{"value":"ca-cert-no-password.pfx"},
+		"kibana":{"value":"No"},
+		"jumpbox":{"value":"Yes"},
+		"vmSizeDataNodes":{"value":"Standard_D1"},
+		"vmDataNodeCount":{"value":3},
+		"vmDataDiskCount":{"value":0},
+		"vmDataDiskSize":{"value":"Small"},
+		"storageAccountType":{"value":"Default"},
+		"dataNodesAreMasterEligible":{"value":"Yes"},
+		"vmSizeMasterNodes":{"value":"Standard_DS2"},
+		"vmClientNodeCount":{"value":0},
+		"vmSizeClientNodes":{"value":"Standard_D1"},
+		"authenticationType":{"value":"password"},
+		"vNetName": {"value": "es-net"},
+		"vNetClusterSubnetName": {"value": "es-subnet"},
+		"vNetAppGatewaySubnetName": {"value": "es-app-gateway"},
+		"vNetLoadBalancerIp": {"value": "10.0.0.4"},
+		"vNetNewOrExisting": {"value":"new"},
+		"vNetExistingResourceGroup": {"value": ""},
+		"vNetNewAddressPrefix": {"value": "10.0.0.0/24"},
+		"vNetNewClusterSubnetAddressPrefix": {"value": "10.0.0.0/25"},
+		"vNetNewAppGatewaySubnetAddressPrefix": {"value": "10.0.0.128/28"},
+		"appGatewayTier": {"value":"Standard"},
+		"appGatewaySku": {"value":"Small"},
+		"appGatewayCount": {"value":1},
+		"appGatewayCertBlob": {"value":"cert-with-password.pfx"},
+    "appGatewayCertPassword": {"value":"Password123"},
+    "appGatewayEsHttpCertBlob": {"value":"cert-no-password.crt"},
+		"appGatewayWafStatus": {"value":"Disabled"},
+		"appGatewayWafMode": {"value":"Detection"},
+		"userCompany": { "value": "" },
+		"userEmail": { "value": "" },
+		"userFirstName": { "value": "" },
+		"userLastName": { "value": "" },
+		"userJobTitle": { "value": "Other" },
+		"userCountry": { "value": "" }
+	}
+}

build/arm-tests/3d-0m-0c-agw-ks.json

@@ -30,7 +30,7 @@
 		"appGatewayTier": {"value":"WAF"},
 		"appGatewaySku": {"value":"Medium"},
 		"appGatewayCount": {"value":2},
-		"appGatewayCertBlob": {"value":"MIIKywIBAzCCCocGCSqGSIb3DQEHAaCCCngEggp0MIIKcDCCBg4GCSqGSIb3DQEHAaCCBf8EggX7MIIF9zCCBfMGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjgAqfP6vCkUAICB9AEggTYHtyYvzSKAIBhUpuNaHuFThO1XVqaHGws3btmgQwyhWIJHqiZAquZ1v4M7XYlmN0mqeZblmMO9ZOp8CL6U5Td9CWDHAYJwtmw+lre5mbfk8ES5p8IS6qbsf9G0SmcELzIf0n3xGaufCRuujWklTkRln/U7gA9m0pAxWrIt7dMsGQlori2iKvXn0EFcYVBetswIQGE4LXiEfSNW28ldDiGSvkpmxgI/AiOqD/kCr5xjZ6olSZ4QCV5QjDB8r5nInqKVxXqiTyijzFnWPsQIL+UQH4410rk+fR6idPWt//mQfghqF6w/cOfuCzfAUK23WeHdhVEIQ/+7R0rLBiSWTIzXqB6Yp2AzTATpg1xA9hyYpkEgviC32wSMhY/PMgr99e5Mjf/WHe0hSug9mib0cetaHCZ7mXCOBF3zUTath6svVBL4+7UFuN+Ve6EiN8clo+eMJTKi4z7B844tAZCf2DPK5QVBTZTqj9HdnjAb28ixbVICknWf/ZfYX4T/wk8nuqcbQONEg38dcD7yuXz1beUauffxk7uJAZHAAcCG4c1KiODG0TYO8juGQZQYSdpa3BfwlWmnHLbr+ogoCPRCV7m0i3Q82HODPrfSY53f/gK0ucp2mkedYROLNat3XxYx3mcbmfIpcEMEB8hAyifMX+k8wUsn/aI84OtqFGFywmJF6uGcBBy01Yfk3BOoASkrVcRVWBwfqqC+Evyf4OwTjk/YJUWGqEoa2TbHHeTSn/cWRs/yav+FhUYDq8puwaNgx6CdVBbwshpkgSZNeC31L44UAOAAKe7yhQcc933V4MiYyOaOqr6lq+FT8qLyN27Akcy9SmN8bUrf93OyfqBKg+lURNyzf+YazvcHgnclEgeQQWG4l7GhrVHWyoTDQ62ZAr2w9zxXIeUClAnM+D+SeaVMTI5nFMmXN48k6PSTaVDsVFRH4lH7PWNQDqInrQaZ2j8GzK7ar/8dW1ivEHg+sWcl2gAxbzAil1M9DYRtBnECVASXorU5INZgHnoozzdhX+PecXniJcXgw99i3HQKEZLSZ4qVmUThTik+b4Ppv7rgmE8Z+T4LBlstW1/H6UP3qyUWVCdwDJGmu65arDxnCoM3IH8JExHuuBjGQCtoqdha2b/Id+qguoQhDd46M46pbBI1ObUSureDpb6lGXjo+mwzdjk7CWKRJhuOYePYcATQ8eiiBnE0Q8sOUpLNbYs7qR+dTaDsZpLc1cYt00mlH1UJOJO17MvV39ciIhHaOfD/9n88gIJKv3Bm64O12YHYEmINR57ujOD2UQBDT37DR60pWDXI0ZLNjr3DrC7gZOFYeqzKaG+rnXWDrz7Be/osk8hwzTZ6uFepNOZZxn0o56env5Qp/70V4UC7VcYr3sHE7ElAE1XJOfOgxpTmXDv8QekeiozawdIHcSLqtkvDLuKo42vSR2wfgbbwjdRqOAWXf6Y0J506wGLCPtdUU/ZtGb1jZ2A1LSo0uSOuLRqq4bhneBDowQ476NecyJ+a6BPc96+Icggrd4PCWrAOFwCwxkTelb4ZUV3WilWDpwvMwwBWOyjgP/agFTrueUiXL3LlDCWQseJ1payBgEPquSGiDy6Fc+9tpyHu73oPMzvgdbOk7o67Bg2dkr+60LUNxKrpEE9yCfuqiSn9DGB4TATBgkqhkiG9w0BCRUxBgQEAQAAADBdBgkqhkiG9w0BCRQxUB5OAHQAcAAtADkAMABlADYAMQBmADQANwAtADkAZgBmADQALQA0ADMAZgBjAC0AOAAyADkAOAAtADcAOQBmADQAYgBjADgAMwA2ADIAYwA4MGsGCSsGAQQBgjcRATFeHlwATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByACAAdgAxAC4AMDCCBFoGCSqGSIb3DQEHAaCCBEsEggRHMIIEQzCCBD8GCyqGSIb3DQEMCgEDoIIDzjCCA8oGCiqGSIb3DQEJFgGgggO6BIIDtjCCA7IwggKaoAMCAQICEEFH0jQ+h56ESUs2wdvwHo4wDQYJKoZIhvcNAQELBQAwZzErMCkGA1UECwwiQ3JlYXRlZCBieSBodHRwOi8vd3d3LmZpZGRsZXIyLmNvbTEVMBMGA1UECgwMRE9fTk9UX1RSVVNUMSEwHwYDVQQDDBhET19OT1RfVFJVU1RfRmlkZGxlclJvb3QwHhcNMTUxMjA5MTgzMTAyWhcNMjExMjA4MTgzMTAyWjBnMSswKQYDVQQLDCJDcmVhdGVkIGJ5IGh0dHA6Ly93d3cuZmlkZGxlcjIuY29tMRUwEwYDVQQKDAxET19OT1RfVFJVU1QxITAfBgNVBAMMGERPX05PVF9UUlVTVF9GaWRkbGVyUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALW3ekU9uUDvtw2J8BrXSC+F774WXWLDCo1qt5LHAk7lKTg3gfbo16tuvvHuNJY1vxyZgAqpENIlW6vhn/sKw0LsA2vW85A2srJPcSVvt33DUSy9UY2dzQoAaurun5Gzh51RaXOTZ/rN7T5ipgY0UKBS1FrhWtbCjwMXxeWnxzxXdhSrW1K/FV5wDHqHOViCAgjV9dYSmjHLA7M058mh1cf5AaEJIE3vtFnjQBNKsgGgHypAifKtEptPH2el1n09HL8D7PrAiAtCCaskn86cm4D+vLsOHn0ctCvfSKUMhhSOBK6Gvop+MZxMGwYAO59AlNpwWKTmgPNFk+yCpCoJb6UCAwEAAaNaMFgwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUdUrMGkQhpJJw4VqMgHty4o4NxR8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAX+Fq7DCpH8Fzr+UcmXrIpNcTaeJlGI1JYlqAJPCklXuOmI2/up56WiS1/hI9/dMaaR8VpIA1erixFya0azJQB9ZQJitT2s3wxmijxFbKBxAz5vN7xKWCgN+L6cfkjxz3RUck+r7XYA6v1Pe117rHjaVe9EylxiRcXIpCnkZIl63dJouWnDKcf+7759THEqgbhi4EvGqrUSzjlc5BB4NvxTLET2JE1AU7ixUlDngIprOoh4Mn6DddLOCeJzLnr5oJCVzbxGtYRqYbV+PFn9YjXnIAg3SkaETdAXvd4wcceJggfOallUijbVs+1yO4MHaoxzrbZXu6XilhFdfaK3ip+MV4wEwYJKoZIhvcNAQkVMQYEBAEAAAAwRwYJKoZIhvcNAQkUMToeOABEAE8AXwBOAE8AVABfAFQAUgBVAFMAVABfAEYAaQBkAGQAbABlAHIAUgBvAG8AdAAtAEMARQAAMDswHzAHBgUrDgMCGgQUPernRyuaDz++EY+Nby4dB+OQLfkEFCZ2zsteFj2fhzGNlgM/DEJshB2ZAgIH0A=="},
+		"appGatewayCertBlob": {"value":"cert-with-password.pfx"},
 		"appGatewayCertPassword": {"value":"Password123"},
 		"appGatewayWafStatus": {"value":"Enabled"},
 		"appGatewayWafMode": {"value":"Detection"},

build/arm-tests/3d-0m-0c-ext-tls-kp.json

@@ -0,0 +1,48 @@
+{
+	"isValid" : true,
+	"deploy" : true,
+	"why" : "",
+	"location" : "westeurope",
+	"parameters" : {
+    "loadBalancerType":{"value":"external"},
+    "esHttpCertBlob":{"value":"cert-no-password.pfx"},
+    "esTransportCaCertBlob":{"value":"ca-cert-no-password.pfx"},
+    "kibana":{"value":"Yes"},
+    "kibanaCertBlob": {"value":"cert-no-password.crt"},
+    "kibanaKeyBlob": {"value":"cert-no-password.key"},
+		"jumpbox":{"value":"No"},
+		"vmSizeKibana":{"value":"Standard_D1"},
+		"vmSizeDataNodes":{"value":"Standard_D1"},
+		"vmDataNodeCount":{"value":3},
+		"vmDataDiskCount":{"value":40},
+		"vmDataDiskSize":{"value":"Small"},
+		"storageAccountType":{"value":"Default"},
+		"dataNodesAreMasterEligible":{"value":"Yes"},
+		"vmSizeMasterNodes":{"value":"Standard_DS2"},
+		"vmClientNodeCount":{"value":0},
+		"vmSizeClientNodes":{"value":"Standard_D1"},
+		"authenticationType":{"value":"password"},
+		"vNetName": {"value": "es-net"},
+		"vNetClusterSubnetName": {"value": "es-subnet"},
+		"vNetAppGatewaySubnetName": {"value": "es-app-gateway"},
+		"vNetLoadBalancerIp": {"value": "10.0.0.4"},
+		"vNetNewOrExisting": {"value":"new"},
+		"vNetExistingResourceGroup": {"value": ""},
+		"vNetNewAddressPrefix": {"value": "10.0.0.0/24"},
+		"vNetNewClusterSubnetAddressPrefix": {"value": "10.0.0.0/25"},
+		"vNetNewAppGatewaySubnetAddressPrefix": {"value": "10.0.0.128/28"},
+		"appGatewayTier": {"value":"Standard"},
+		"appGatewaySku": {"value":"Small"},
+		"appGatewayCount": {"value":1},
+		"appGatewayCertBlob": {"value":""},
+		"appGatewayCertPassword": {"value":""},
+		"appGatewayWafStatus": {"value":"Disabled"},
+		"appGatewayWafMode": {"value":"Detection"},
+		"userCompany": { "value": "" },
+		"userEmail": { "value": "" },
+		"userFirstName": { "value": "" },
+		"userLastName": { "value": "" },
+		"userJobTitle": { "value": "Other" },
+    "userCountry": { "value": "" }
+	}
+}