
Commit 52ff6e0

authored
Merge pull request #13 from commitdev/add-cert-manager-clusterissuer
Forgot to add clusterissuer for cert-manager
2 parents db35c0a + 2b0cf23 commit 52ff6e0

6 files changed

Lines changed: 87 additions & 2 deletions


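--- a/kubernetes/terraform/environments/development/main.tf
+++ b/kubernetes/terraform/environments/development/main.tf
@@ -20,4 +20,7 @@ module "kubernetes" {
 
 external_dns_zone = "<% index .Params `stagingHost` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
+
+# Registration email for LetsEncrypt
+cert_manager_acme_registration_email = "devops@<% index .Params `stagingHost` %>"
 }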
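Review bot: The new `cert_manager_acme_registration_email` line is the only cert-manager setting added to this module call, so `cert_manager_use_production_acme_environment` stays at the `default = true` declared in variables.tf in this same commit, and the development environment — and staging, in the identical hunk of staging/main.tf — registers against the production LetsEncrypt directory and spends its rate limits on every test issuance. Consider adding `cert_manager_use_production_acme_environment = false` next to the email in the development and staging module calls and leaving production on the default. The `devops@<host>` mailbox also receives ACME expiry notices, so it should exist before the first certificate is requested. The `module "kubernetes"` block starts before this hunk.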

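--- a/kubernetes/terraform/environments/production/main.tf
+++ b/kubernetes/terraform/environments/production/main.tf
@@ -20,4 +20,7 @@ module "kubernetes" {
 
 external_dns_zone = "<% index .Params `productionHost` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
+
+# Registration email for LetsEncrypt
+cert_manager_acme_registration_email = "devops@<% index .Params `productionHost` %>"
 }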

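--- a/kubernetes/terraform/environments/staging/main.tf
+++ b/kubernetes/terraform/environments/staging/main.tf
@@ -24,4 +24,7 @@ module "kubernetes" {
 
 external_dns_zone = "<% index .Params `stagingHost` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
+
+# Registration email for LetsEncrypt
+cert_manager_acme_registration_email = "devops@<% index .Params `stagingHost` %>"
 }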

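--- a/kubernetes/terraform/modules/kubernetes/cert_manager.tf
+++ b/kubernetes/terraform/modules/kubernetes/cert_manager.tf
@@ -1,6 +1,8 @@
 locals {
-cert_manager_namespace = "kube-system"
-cert_manager_version = "0.14.2"
+cert_manager_namespace = "kube-system"
+cert_manager_version = "0.14.2"
+cluster_issuer_name = var.cert_manager_use_production_acme_environment ? "clusterissuer-letsencrypt-production" : "clusterissuer-letsencrypt-production"
+cert_manager_acme_server = var.cert_manager_use_production_acme_environment ? "https://acme-v02.api.letsencrypt.org/directory" : "https://acme-staging-v02.api.letsencrypt.org/directory"
 }
 
 # Reference an existing route53 zone
@@ -24,6 +26,32 @@ resource "null_resource" "cert_manager" {
 }
 }
 
+
+# Cert-manager issuer manifest
+data "template_file" "cert_manager_issuer" {
+template = "${file("${path.module}/files/cert_manager_issuer.yaml.tpl")}"
+vars = {
+name = local.cluster_issuer_name
+environment = var.environment
+acme_registration_email = var.cert_manager_acme_registration_email
+acme_server = local.cert_manager_acme_server
+region = var.region
+hosted_zone_id = data.aws_route53_zone.public.zone_id
+}
+}
+
+# Manually kubectl apply the cert-manager issuer, as the kubernetes terraform provider
+# does not have support for custom resources.
+resource "null_resource" "cert_manager_issuer" {
+triggers = {
+manifest_sha1 = "${sha1("${data.template_file.cert_manager_issuer.rendered}")}"
+}
+provisioner "local-exec" {
+command = "kubectl apply -f - <<EOF\n${data.template_file.cert_manager_issuer.rendered}\nEOF"
+}
+depends_on = [null_resource.cert_manager]
+}
+
 data "helm_repository" "jetstack" {
 name = "jetstack"
 url = "https://charts.jetstack.io"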
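Review bot: In the `locals` hunk both branches of the `cluster_issuer_name` conditional evaluate to `"clusterissuer-letsencrypt-production"`, so selecting the staging ACME environment still installs an issuer named "production" while `cert_manager_acme_server` points at the staging directory; the false branch should read `"clusterissuer-letsencrypt-staging"`. In the second hunk, `null_resource.cert_manager_issuer` only ever applies the manifest, so a `terraform destroy` leaves both ClusterIssuers in the cluster; if the rest of the module cleans up its own kubectl-applied objects, a matching `when = destroy` local-exec running `kubectl delete -f -` over the same manifest would keep them in step. The `data "template_file"` plus `"${file(...)}"` form is the pre-0.12 interpolation style; `templatefile()` renders the same template without the extra data source if the module already targets 0.12.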
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
apiVersion: cert-manager.io/v1alpha2
2+
kind: ClusterIssuer
3+
metadata:
4+
name: "${name}"
5+
spec:
6+
acme:
7+
server: "${acme_server}"
8+
# Email address used for ACME registration
9+
email: "${acme_registration_email}"
10+
# Name of a secret used to store the ACME account private key
11+
privateKeySecretRef:
12+
name: clusterissuer-letsencrypt-${environment}-secret
13+
# Enable the HTTP-01 challenge provider
14+
solvers:
15+
- http01:
16+
ingress:
17+
class: nginx
18+
19+
---
20+
21+
apiVersion: cert-manager.io/v1alpha2
22+
kind: ClusterIssuer
23+
metadata:
24+
name: "${name}-dns"
25+
spec:
26+
acme:
27+
server: "${acme_server}"
28+
# Email address used for ACME registration
29+
email: "${acme_registration_email}"
30+
# Name of a secret used to store the ACME account private key
31+
privateKeySecretRef:
32+
name: clusterissuer-letsencrypt-${environment}-secret
33+
# Enable the DNS-01 challenge provider
34+
solvers:
35+
- dns01:
36+
route53:
37+
region: ${region}
38+
hostedZoneID: ${hosted_zone_id}
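Review bot: Both ClusterIssuers set `privateKeySecretRef` to the same `clusterissuer-letsencrypt-${environment}-secret`, and that name is keyed on the deployment environment rather than on the ACME server, so toggling `cert_manager_use_production_acme_environment` keeps the same account private key for both the staging and the production directory. Deriving the secret from `${name}` (which is meant to encode the ACME environment) and giving the `${name}-dns` issuer its own secret, e.g. `name: ${name}-dns-secret`, keeps one account key per issuer and per server. The `dns01` solver names no credentials, so the route53 calls rely on cert-manager's ambient AWS credentials; whether the cert-manager pod holds Route53 permissions scoped to this hosted zone is not visible in the commit, and a comment on the `route53:` block saying where that IAM policy is granted would help the next reader.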

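--- a/kubernetes/terraform/modules/kubernetes/variables.tf
+++ b/kubernetes/terraform/modules/kubernetes/variables.tf
@@ -17,3 +17,13 @@ variable "external_dns_zone" {
 variable "external_dns_owner_id" {
 description = "Unique id of the TXT record that external-dns will use to store state (can just be a uuid)"
 }
+
+variable "cert_manager_use_production_acme_environment" {
+description = "ACME (LetsEncrypt) Environment - only production creates valid certificates but it has lower rate limits than staging"
+type = bool
+default = true
+}
+
+variable "cert_manager_acme_registration_email" {
+description = "Email to associate with ACME account when registering with LetsEncrypt"
+}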
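Review bot: `cert_manager_acme_registration_email` declares no `type`, unlike `cert_manager_use_production_acme_environment` a few lines above; adding `type = string` rejects a non-string value at plan time rather than when the rendered ClusterIssuer manifest is applied. Since the variable has no default, the description could also state that it is required and that the address receives LetsEncrypt expiry notices, e.g. `description = "Required. Email registered with the ACME (LetsEncrypt) account; receives certificate expiry notices"`.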
