terraform-aws-eks-cert-manager
Terraform module for deploying Kubernetes cert-manager, cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.
Usage
module "cert_manager" {
source = "git::https://github.com/DNXLabs/terraform-aws-eks-cert-manager.git"
enabled = true
cluster_name = module.eks_cluster.cluster_id
cluster_identity_oidc_issuer = module.eks_cluster.cluster_oidc_issuer_url
cluster_identity_oidc_issuer_arn = module.eks_cluster.oidc_provider_arn
dns01 = [
{
name = "letsencrypt-staging"
namespace = "default"
kind = "ClusterIssuer"
dns_zone = "example.com"
region = "us-east-1" # data.aws_region.current.name
secret_key_ref = "letsencrypt-staging"
acme_server = "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_email = "your@email.com"
},
{
name = "letsencrypt-prod"
namespace = "default"
kind = "ClusterIssuer"
dns_zone = "example.com"
region = "us-east-1" # data.aws_region.current.name
secret_key_ref = "letsencrypt-prod"
acme_server = "https://acme-v02.api.letsencrypt.org/directory"
acme_email = "your@email.com"
}
]
# In case you want to use HTTP01 challenge method uncomment this section
# and comment dns01 variable
# http01 = [
# {
# name = "letsencrypt-staging"
# kind = "ClusterIssuer"
# ingress_class = "nginx"
# secret_key_ref = "letsencrypt-staging"
# acme_server = "https://acme-staging-v02.api.letsencrypt.org/directory"
# acme_email = "your@email.com"
# },
# {
# name = "letsencrypt-prod"
# kind = "ClusterIssuer"
# ingress_class = "nginx"
# secret_key_ref = "letsencrypt-prod"
# acme_server = "https://acme-v02.api.letsencrypt.org/directory"
# acme_email = "your@email.com"
# }
# ]
# In case you want to create certificates uncomment this block
# certificates = [
# {
# name = "example-com"
# namespace = "default"
# kind = "ClusterIssuer"
# secret_name = "example-com-tls"
# issuer_ref = "letsencrypt-prod"
# dns_name = "*.example.com"
# }
# ]
}ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod # This should match the ClusterIssuer created
# cert-manager.io/issuer: letsencrypt-prod # In case you choose Issuer instead of ClusterIssuer
labels:
app: app
spec:
rules:
- host: app.example.com
http:
paths:
- path: /*
backend:
serviceName: service
servicePort: 80
tls:
- hosts:
# - "*.example.com" # Example of wildcard
- app.example.com
secretName: app-example-com-prod-tlsDetached Wildcard Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com
namespace: default
spec:
secretName: example-com-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- '*.example.com'Decoding the Secret
You can check for any existing resources with the following command:
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespacesTo view the contents of the Secret we just created, you can run the following command:
kubectl get secret example-com-tls -o jsonpath='{.data}'Now you can decode the tls.key or tls.crt data:
echo 'MWYyZDFlMmU2N2Rm' | base64 -dRequirements
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.13, < 4.0 |
| helm | >= 1.0, < 3.0 |
| kubectl | >= 1.9.4 |
| kubernetes | >= 1.10.0, < 3.0.0 |
Providers
| Name | Version |
|---|---|
| aws | >= 3.13, < 4.0 |
| helm | >= 1.0, < 3.0 |
| kubectl | >= 1.9.4 |
| kubernetes | >= 1.10.0, < 3.0.0 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| certificates | n/a | list(object({ |
[] |
no |
| cluster_identity_oidc_issuer | The OIDC Identity issuer for the cluster. | string |
n/a | yes |
| cluster_identity_oidc_issuer_arn | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account. | string |
n/a | yes |
| cluster_name | The name of the cluster | string |
n/a | yes |
| create_namespace | Whether to create Kubernetes namespace with name defined by namespace. |
bool |
true |
no |
| dns01 | n/a | list(object({ |
[] |
no |
| enabled | Variable indicating whether deployment is enabled. | bool |
true |
no |
| helm_chart_name | Cert Manager Helm chart name to be installed | string |
"cert-manager" |
no |
| helm_chart_release_name | Helm release name | string |
"cert-manager" |
no |
| helm_chart_repo | Cert Manager repository name. | string |
"https://charts.jetstack.io" |
no |
| helm_chart_version | Cert Manager Helm chart version. | string |
"1.1.0" |
no |
| http01 | n/a | list(object({ |
[] |
no |
| install_CRDs | To automatically install and manage the CRDs as part of your Helm release. | bool |
true |
no |
| mod_dependency | Dependence variable binds all AWS resources allocated by this module, dependent modules reference this variable. | any |
null |
no |
| namespace | Kubernetes namespace to deploy Cert Manager Helm chart. | string |
"cert-manager" |
no |
| service_account_name | External Secrets service account name | string |
"cert-manager" |
no |
| settings | Additional settings which will be passed to the Helm chart values. | map |
{} |
no |
Outputs
No output.
Authors
Module managed by DNX Solutions.
License
Apache 2 Licensed. See LICENSE for full details.