Project Octal: Cert-Manager

Simplifies the deployment and management of Jetstack's cert-manager on a Kubernetes cluster.

TODO:

  • Add support for the latest version of Cert Manager.

v0.0.4 to v1.0.0 Upgrade Notes

Point the module block at the new module published in the Terraform public registry:

module "cert_manager" {
  # Keep the module name "cert_manager": every state address imported below
  # starts with module.cert_manager, and a different name would not match.
  source  = "project-octal/cert-manager/kubernetes"
  version = "1.0.0"
  # ...
}

Import the existing Kubernetes resources into the state under their new addresses, then purge the old references to the same resources.

###################
## Admission Registration
###################

# Import the mutating webhook configuration
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.cert_manager_webhook.kubernetes_manifest.mutating_webhook_configuration' \
"apiVersion=admissionregistration.k8s.io/v1beta1,kind=MutatingWebhookConfiguration,name=cert-manager-webhook"

# Import the validating webhook configuration
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.cert_manager_webhook.kubernetes_manifest.validating_webhook_configuration' \
"apiVersion=admissionregistration.k8s.io/v1beta1,kind=ValidatingWebhookConfiguration,name=cert-manager-webhook"

###################
## Custom Resource Definitions
###################

# Import the certificaterequests.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.certificaterequests' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=certificaterequests.cert-manager.io"

# Import the certificates.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.certificates' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=certificates.cert-manager.io"

# Import the challenges.acme.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.challenges' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=challenges.acme.cert-manager.io"

# Import the clusterissuers.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.clusterissuers' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=clusterissuers.cert-manager.io"

# Import the issuers.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.issuers' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=issuers.cert-manager.io"

# Import the orders.acme.cert-manager.io CRD
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.custom_resource_definitions.kubernetes_manifest.orders' \
"apiVersion=apiextensions.k8s.io/v1,kind=CustomResourceDefinition,name=orders.acme.cert-manager.io"

###################
## Let's Encrypt Issuer
###################

# Import the letsencrypt-prod ClusterIssuer
terraform import -var-file=secrets.tfvars \
'module.cert_manager.module.cert_manager_issuers.module.letsencrypt_issuer[0].kubernetes_manifest.letsencrypt_issuer' \
"apiVersion=cert-manager.io/v1,kind=ClusterIssuer,name=letsencrypt-prod"

# Remove the old k8s_manifest addresses (webhooks, CRDs and issuer) from the state file,
# otherwise the apply below would try to destroy the live objects they still point at
terraform state rm 'module.cert_manager.module.cert_manager_webhook.k8s_manifest.mutating_webhook_configuration'
terraform state rm 'module.cert_manager.module.cert_manager_webhook.k8s_manifest.validating_webhook_configuration'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.certificaterequests'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.certificates'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.challenges'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.clusterissuers'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.issuers'
terraform state rm 'module.cert_manager.module.custom_resource_definitions.k8s_manifest.orders'
terraform state rm 'module.cert_manager.module.cert_manager_issuers.module.letsencrypt_issuer[0].k8s_manifest.letsencrypt_issuer'

# Lastly, run a Terraform apply to confirm state and configuration are in sync
# (a clean run reports no changes).
terraform apply -var-file=secrets.tfvars
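The same migration, wrapped in a guarded shell helper. This is an added example and not part of the Project Octal module or its README: it assumes `terraform` and `kubectl` are on PATH and already pointed at the target cluster and workspace, that the variables file is `secrets.tfvars` (override with `VAR_FILE`), and it derives each new state address from the old one, since only the resource type changed from `k8s_manifest` to `kubernetes_manifest`. Before touching anything it snapshots the state file, refuses to import an object that `kubectl` cannot find, skips imports an earlier run already recorded so re-runs are safe, and finishes with `terraform plan -detailed-exitcode` so you see whether the final apply would change anything. The README's webhook imports use `admissionregistration.k8s.io/v1beta1`, which was removed in Kubernetes 1.22; set `WEBHOOK_API` to the `v1` form on such clusters.

```shell
#!/bin/sh
# Added example (not part of the Project Octal module): guarded v0.0.4 -> v1.0.0
# state migration. Assumes terraform and kubectl are on PATH and pointed at the
# right cluster/workspace. Run with --run to migrate; without it nothing changes.
set -eu

VAR_FILE="${VAR_FILE:-secrets.tfvars}"
# The README uses v1beta1 for the webhook configurations; that API version was
# removed in Kubernetes 1.22, so override with admissionregistration.k8s.io/v1 there.
WEBHOOK_API="${WEBHOOK_API:-admissionregistration.k8s.io/v1beta1}"

# Old (v0.0.4) address -> new (v1.0.0) address. Only the resource type changed,
# from k8s_manifest to kubernetes_manifest; the module path is the same.
new_address() {
  printf '%s\n' "$1" | sed 's/\.k8s_manifest\./.kubernetes_manifest./'
}

# Import ID in the form the kubernetes_manifest resource expects.
# $1 apiVersion, $2 kind, $3 name, $4 namespace (omit for cluster-scoped objects)
import_id() {
  if [ -n "${4:-}" ]; then
    printf 'apiVersion=%s,kind=%s,namespace=%s,name=%s\n' "$1" "$2" "$4" "$3"
  else
    printf 'apiVersion=%s,kind=%s,name=%s\n' "$1" "$2" "$3"
  fi
}

# Everything the README migrates, one per line: old_address|apiVersion|kind|name
resources() {
  cat <<EOF
module.cert_manager.module.cert_manager_webhook.k8s_manifest.mutating_webhook_configuration|$WEBHOOK_API|MutatingWebhookConfiguration|cert-manager-webhook
module.cert_manager.module.cert_manager_webhook.k8s_manifest.validating_webhook_configuration|$WEBHOOK_API|ValidatingWebhookConfiguration|cert-manager-webhook
module.cert_manager.module.custom_resource_definitions.k8s_manifest.certificaterequests|apiextensions.k8s.io/v1|CustomResourceDefinition|certificaterequests.cert-manager.io
module.cert_manager.module.custom_resource_definitions.k8s_manifest.certificates|apiextensions.k8s.io/v1|CustomResourceDefinition|certificates.cert-manager.io
module.cert_manager.module.custom_resource_definitions.k8s_manifest.challenges|apiextensions.k8s.io/v1|CustomResourceDefinition|challenges.acme.cert-manager.io
module.cert_manager.module.custom_resource_definitions.k8s_manifest.clusterissuers|apiextensions.k8s.io/v1|CustomResourceDefinition|clusterissuers.cert-manager.io
module.cert_manager.module.custom_resource_definitions.k8s_manifest.issuers|apiextensions.k8s.io/v1|CustomResourceDefinition|issuers.cert-manager.io
module.cert_manager.module.custom_resource_definitions.k8s_manifest.orders|apiextensions.k8s.io/v1|CustomResourceDefinition|orders.acme.cert-manager.io
module.cert_manager.module.cert_manager_issuers.module.letsencrypt_issuer[0].k8s_manifest.letsencrypt_issuer|cert-manager.io/v1|ClusterIssuer|letsencrypt-prod
EOF
}

migrate_one() {
  old="$1" api="$2" kind="$3" name="$4"
  new="$(new_address "$old")"
  # Never import an object that is not really in the cluster; a typo here would
  # leave a dangling state entry that the next apply tries to recreate.
  kind_lc="$(printf '%s' "$kind" | tr '[:upper:]' '[:lower:]')"
  if ! kubectl get "$kind_lc" "$name" >/dev/null 2>&1; then
    echo "ERROR: $kind/$name not found in cluster, aborting before touching state" >&2
    exit 1
  fi
  # Idempotent: skip the import if an earlier run already recorded the new address.
  if terraform state list | grep -Fxq "$new"; then
    echo "skip: $new already in state"
  else
    terraform import -var-file="$VAR_FILE" "$new" "$(import_id "$api" "$kind" "$name")"
  fi
  # Drop the stale address so the apply does not try to destroy the live object.
  if terraform state list | grep -Fxq "$old"; then
    terraform state rm "$old"
  fi
}

migrate_all() {
  backup="state-backup-$(date +%Y%m%dT%H%M%S).tfstate"
  terraform state pull > "$backup"   # roll back with: terraform state push "$backup"
  echo "state backed up to $backup"
  resources | while IFS='|' read -r old api kind name; do
    migrate_one "$old" "$api" "$kind" "$name"
  done || exit 1
  # -detailed-exitcode: 0 = nothing to change, 2 = changes pending, 1 = error.
  terraform plan -var-file="$VAR_FILE" -detailed-exitcode >/dev/null && rc=0 || rc=$?
  case "$rc" in
    0) echo "state and configuration are in sync; apply is a no-op" ;;
    2) echo "plan shows changes; review them before: terraform apply -var-file=$VAR_FILE" ;;
    *) echo "plan failed (exit $rc); state backup is at $backup" >&2; exit 1 ;;
  esac
}

case "${1:-}" in
  --run) migrate_all ;;
  *) echo "usage: $0 --run   (without --run nothing is changed)" ;;
esac
```

Run it as `sh migrate.sh --run` from the root module directory. If anything goes wrong after the imports, `terraform state push` of the backup file restores the state as it was before the run.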

Example

module "cert_manager" {
  source = "github.com/project-octal/terraform-kubernetes-cert-manager"

  certificate_issuers = {
    letsencrypt = {
      name              = "letsencrypt-prod"
      server            = "https://acme-v02.api.letsencrypt.org/directory"
      email             = "admin@example.com" # placeholder; the address Let's Encrypt should contact
      secret_base64_key = var.letsencrypt_secret_base64_key # secret material, passed in via a variable
      default_issuer    = true
      ingress_class     = module.traefik.ingress_class
    }
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.8, < 2.0.0 |

Providers

| Name | Version |
|------|---------|
| kubernetes | 2.8.0 |
| random | 3.1.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cert_manager | ./cert-manager | n/a |
| cert_manager_cainjector | ./cert-manager-cainjector | n/a |
| cert_manager_issuers | ./cert-manager-issuers | n/a |
| cert_manager_webhook | ./cert-manager-webhook | n/a |
| custom_resource_definitions | ./custom-resource-definitions | n/a |

Resources

| Name | Type |
|------|------|
| kubernetes_namespace.namespace | resource |
| random_pet.instance_name | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cainjector_image_name | n/a | string | "jetstack/cert-manager-cainjector" | no |
| cainjector_image_tag | n/a | string | "v1.8.1" | no |
| certificate_issuers | An object that contains the configuration for all the enabled certificate issuers. (Source comment: TODO, add support for another issuer so this doesn't look so silly.) | object({ letsencrypt = object({ name : string, server : string, email : string, secret_base64_key : string, default_issuer : bool, ingress_class : string }) }) | { "letsencrypt": null } | no |
| image_pull_policy | Determines when the image should be pulled prior to starting the container. Always: always pull the image. \| IfNotPresent: only pull the image if it does not already exist on the node. \| Never: never pull the image. | string | "Always" | no |
| image_repository | The image repository to use when pulling images. | string | null | no |
| labels | (optional) A map of any additional labels that should be included with resources created by this module. | map(string) | {} | no |
| manager_image_name | n/a | string | "jetstack/cert-manager-controller" | no |
| manager_image_tag | n/a | string | "v1.8.1" | no |
| namespace | The namespace that Cert-Manager will reside in. | string | "cert-manager" | no |
| namespace_annotations | Additional namespace annotations. | map(string) | {} | no |
| webhook_image_name | n/a | string | "jetstack/cert-manager-webhook" | no |
| webhook_image_tag | n/a | string | "v1.8.1" | no |

Outputs

| Name | Description |
|------|-------------|
| cert_issuer | n/a |