From 4319d8bf11d5a0f66a4f9682b33328065d8357e9 Mon Sep 17 00:00:00 2001
From: Garland Kan
Date: Thu, 2 Dec 2021 09:27:30 -0800
Subject: [PATCH] Istio Main Gateway (#220)
---
 .../istio-networking/main-gateway/README.md | 43 +++++++++++++++++++
 .../main-gateway/certificate.tpl.yaml | 19 ++++++++
 .../main-gateway/gateway.tpl.yaml | 26 +++++++++++
 .../aws/istio-networking/main-gateway/main.tf | 42 ++++++++++++++++++
 .../main-gateway/variables.tf | 42 ++++++++++++++++++
 5 files changed, 172 insertions(+)
 create mode 100644 terraform-modules/aws/istio-networking/main-gateway/README.md
 create mode 100644 terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml
 create mode 100644 terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
 create mode 100644 terraform-modules/aws/istio-networking/main-gateway/main.tf
 create mode 100644 terraform-modules/aws/istio-networking/main-gateway/variables.tf
diff --git a/terraform-modules/aws/istio-networking/main-gateway/README.md b/terraform-modules/aws/istio-networking/main-gateway/README.md
new file mode 100644
index 000000000..6de278549
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/README.md
@@ -0,0 +1,43 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [kubectl](#provider\_kubectl) | n/a |
+| [template](#provider\_template) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubectl_manifest.certificate](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.gateway](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource |
+| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+| [template_file.certificate](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.gateway](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cert\_common\_name](#input\_cert\_common\_name) | The common name for the certificate | `string` | n/a | yes |
+| [cert\_dns\_name](#input\_cert\_dns\_name) | The dns name for the certificate | `string` | n/a | yes |
+| [cluster\_ca\_certificate](#input\_cluster\_ca\_certificate) | The eks kubernetes cluster\_ca\_certificate | `string` | n/a | yes |
+| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | n/a | yes |
+| [issue\_ref\_group](#input\_issue\_ref\_group) | n/a | `string` | `"cert-manager.io"` | no |
+| [issue\_ref\_kind](#input\_issue\_ref\_kind) | n/a | `string` | `"ClusterIssuer"` | no |
+| [issue\_ref\_name](#input\_issue\_ref\_name) | n/a | `string` | `"letsencrypt-prod-dns01"` | no |
+| [kubernetes\_api\_host](#input\_kubernetes\_api\_host) | The eks kubernetes api host endpoint | `string` | n/a | yes |
+| [namespace](#input\_namespace) | The kubernetes namespace to deploy into | `string` | `"istio-system"` | no |
+
+## Outputs
+
+No outputs.
diff --git a/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml b/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml
new file mode 100644
index 000000000..e2eb4dfe4
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml
@@ -0,0 +1,19 @@
+# This certificate created in this namespace and the nginx-ingress uses it
+# This requires a functioning cert-manager
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: domain-wildcard
+ namespace: ${namespace}
+spec:
+ secretName: domain-wildcard # use this secret name in the nginx-ingress definition
+ commonName: "${cert_common_name}"
+ dnsNames:
+ - "${cert_dns_name}"
+ issuerRef:
+ name: ${issue_ref_name}
+ # We can reference ClusterIssuers by changing the kind here.
+ # The default value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ${issue_ref_kind}
+ group: ${issue_ref_group}
diff --git a/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml b/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
new file mode 100644
index 000000000..3673e544c
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: main-gateway
+ namespace: ${namespace}
+spec:
+ selector:
+ # use Istio default gateway implementation
+ app: istio-ingressgateway
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: domain-wildcard # This should match the Certificate secretName
+ hosts:
+ - "*" # This should match a DNS name in the Certificate
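Review bot: The header comment and the `secretName` comment in certificate.tpl.yaml still say the certificate is consumed by nginx-ingress, but this module creates an Istio Gateway, and the only consumer visible in the patch is the `credentialName: domain-wildcard` in gateway.tpl.yaml; I would replace them with `# Wildcard Certificate for the Istio main gateway; requires a working cert-manager` and `secretName: domain-wildcard # must match spec.servers[].tls.credentialName in gateway.tpl.yaml`. The `issuerRef` comment says "The default value is Issuer", but this module defaults `issue_ref_kind` to `ClusterIssuer`, so the comment describes cert-manager's default rather than the module's and should say so. It is also worth documenting next to `namespace` that the TLS secret has to live in the namespace where the ingress gateway workload runs for `SIMPLE` mode to find it (presumably why the default is `istio-system`); a caller who overrides `namespace` for both manifests otherwise gets a gateway whose credential silently never loads.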
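Review bot: The port-80 server in gateway.tpl.yaml accepts plaintext HTTP for `hosts: "*"` and nothing redirects it to the HTTPS server, so any client that arrives over HTTP is served in the clear even though a certificate is provisioned alongside; if HTTP is only meant to bootstrap HTTPS, add `tls:` / `httpsRedirect: true` under the port-80 server. The port-443 `hosts: "*"` contradicts its own comment "This should match a DNS name in the Certificate" — either template it as `- "${cert_dns_name}"` (main.tf currently passes only `namespace` to the gateway template, so that variable would need adding there) or rewrite the comment to say the wildcard is intentional. As a point of style, `networking.istio.io/v1alpha3` is the legacy API version; the same Gateway schema is served as `v1beta1` on current Istio releases, so consider that if the target cluster supports it.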
diff --git a/terraform-modules/aws/istio-networking/main-gateway/main.tf b/terraform-modules/aws/istio-networking/main-gateway/main.tf
new file mode 100644
index 000000000..d9b19484e
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/main.tf
@@ -0,0 +1,42 @@
+data "aws_eks_cluster_auth" "main" {
+ name = var.cluster_name
+}
+
+provider "kubectl" {
+ host = var.kubernetes_api_host
+ cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
+ token = data.aws_eks_cluster_auth.main.token
+ load_config_file = false
+}
+
+# file templating
+data "template_file" "gateway" {
+ template = file("${path.module}/gateway.tpl.yaml")
+
+ vars = {
+ namespace = var.namespace
+ }
+}
+
+resource "kubectl_manifest" "gateway" {
+ yaml_body = data.template_file.gateway.rendered
+}
+
+# file templating
+data "template_file" "certificate" {
+ template = file("${path.module}/certificate.tpl.yaml")
+
+ vars = {
+ namespace = var.namespace
+ cert_common_name = var.cert_common_name
+ cert_dns_name = var.cert_dns_name
+ issue_ref_name = var.issue_ref_name
+ issue_ref_name = var.issue_ref_name
+ issue_ref_kind = var.issue_ref_kind
+ issue_ref_group = var.issue_ref_group
+ }
+}
+
+resource "kubectl_manifest" "certificate" {
+ yaml_body = data.template_file.certificate.rendered
+}
diff --git a/terraform-modules/aws/istio-networking/main-gateway/variables.tf b/terraform-modules/aws/istio-networking/main-gateway/variables.tf
new file mode 100644
index 000000000..8b123e7d0
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/variables.tf
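Review bot: `issue_ref_name = var.issue_ref_name` appears twice in the `vars` map of `data "template_file" "certificate"`; HCL rejects a duplicate key in an object constructor, so the module should fail at plan time until one of the two lines is deleted. The `template` provider (and with it the `template_file` data source) is deprecated in favour of the built-in `templatefile()` function, which would let both manifests be written as `yaml_body = templatefile("${path.module}/gateway.tpl.yaml", { namespace = var.namespace })` and drop a provider from the README table. Configuring `provider "kubectl"` inside the module, with a short-lived token from `aws_eks_cluster_auth`, also means callers cannot use `count`/`for_each` on this module and cannot destroy it cleanly once the provider block is gone; passing the provider in from the root via `providers` is the usual shape. The two `# file templating` comments say nothing the resource type does not already say — a comment stating why `load_config_file = false` is set (no reliance on the operator's local kubeconfig) would be more useful.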
@@ -0,0 +1,42 @@
+variable "cluster_name" {
+ type = string
+ description = "The name of the EKS cluster"
+}
+
+variable "kubernetes_api_host" {
+ type = string
+ description = "The eks kubernetes api host endpoint"
+}
+
+variable "cluster_ca_certificate" {
+ type = string
+ description = "The eks kubernetes cluster_ca_certificate"
+}
+
+variable "namespace" {
+ type = string
+ description = "The kubernetes namespace to deploy into"
+ default = "istio-system"
+}
+
+variable "cert_common_name" {
+ type = string
+ description = "The common name for the certificate"
+}
+
+variable "cert_dns_name" {
+ type = string
+ description = "The dns name for the certificate"
+}
+
+variable "issue_ref_name" {
+ default = "letsencrypt-prod-dns01"
+}
+
+variable "issue_ref_kind" {
+ default = "ClusterIssuer"
+}
+
+variable "issue_ref_group" {
+ default = "cert-manager.io"
+}
\ No newline at end of file
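Review bot: `issue_ref_name`, `issue_ref_kind` and `issue_ref_group` declare only a `default` with no `type` or `description`, which is why the generated README lists their description as "n/a"; each should get `type = string` and a description such as `description = "Name of the cert-manager issuer the Certificate references"`. Since `issue_ref_kind` is only meaningful as `Issuer` or `ClusterIssuer`, a `validation` block restricting it to those two values (available on Terraform 0.13 and later) would turn a typo into a plan-time error instead of a Certificate that cert-manager never issues. The `cluster_ca_certificate` description repeats the variable name; main.tf passes it through `base64decode`, so `description = "Base64-encoded CA certificate data of the EKS cluster (as returned by aws_eks_cluster)"` states the actual contract. The file is also missing its trailing newline.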