Cert manager (#200)

ManagedKube · Oct 8, 2021 · 5cdcf34 · 5cdcf34
1 parent ab535b5
commit 5cdcf34
Show file tree

Hide file tree

Showing 5 changed files with 294 additions and 0 deletions.
diff --git a/terraform-modules/aws/helm/cert-manager/dns01-cluster-issuer.tpl.yaml b/terraform-modules/aws/helm/cert-manager/dns01-cluster-issuer.tpl.yaml
@@ -0,0 +1,40 @@
+# doc: https://cert-manager.io/docs/configuration/acme/dns01/route53/
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod-dns01
+spec:
+  acme:
+    server: ${letsEncryptServer}
+    email: ${emailAddress}
+    privateKeySecretRef:
+      name: dns01-issuer-account-key
+    solvers:
+
+    # example: cross-account zone management for example.com
+    # this solver uses ambient credentials (i.e. inferred from the environment or EC2 Metadata Service)
+    # to assume a role in a different account
+    - selector:
+        dnsZones:
+          - "${domainName}"
+      dns01:
+        route53:
+          region: ${awsRegion}
+          hostedZoneID: ${dnsZhostedZoneIDone} # optional, see policy above
+          # role: "arn:aws:iam::${awsAccountID}:role/${chartName}-${clusterName}"
+
+    # this solver handles example.org challenges
+    # and uses explicit credentials
+    # - selector:
+    #     dnsZones:
+    #       - "example.org"
+    #   dns01:
+    #     route53:
+    #       region: eu-central-1
+    #       accessKeyID: AKIAIOSFODNN7EXAMPLE
+    #       secretAccessKeySecretRef:
+    #         name: prod-route53-credentials-secret
+    #         key: secret-access-key
+    #       # you can also assume a role with these credentials
+    #       role: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
diff --git a/terraform-modules/aws/helm/cert-manager/helm_values.tpl.yaml b/terraform-modules/aws/helm/cert-manager/helm_values.tpl.yaml
@@ -0,0 +1,6 @@
+---
+installCRDs: true
+
+serviceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/${chartName}-${clusterName}"
diff --git a/terraform-modules/aws/helm/cert-manager/http01-cluster-issuer.tpl.yaml b/terraform-modules/aws/helm/cert-manager/http01-cluster-issuer.tpl.yaml
@@ -0,0 +1,16 @@
+# doc: https://cert-manager.io/docs/configuration/acme/http01/
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod-http01
+spec:
+  acme:
+    server: ${letsEncryptServer}
+    email: ${emailAddress}
+    privateKeySecretRef:
+      name: http01-issuer-account-key
+    solvers:
+    - http01:
+       ingress:
+         class: ${ingressClass}
diff --git a/terraform-modules/aws/helm/cert-manager/main.tf b/terraform-modules/aws/helm/cert-manager/main.tf
@@ -0,0 +1,147 @@
+locals {
+  helm_repository     = "https://charts.jetstack.io"
+  official_chart_name = "cert-manager"
+}
+
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+  }
+}
+
+module "iam_assumable_role_admin" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "3.6.0"
+  create_role                   = true
+  role_name                     = "${local.official_chart_name}-${var.cluster_name}"
+  provider_url                  = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns              = [aws_iam_policy.iam_policy.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${local.official_chart_name}"]
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  name_prefix = "${local.official_chart_name}-${var.cluster_name}"
+  description = "EKS ${local.official_chart_name} policy for cluster ${var.eks_cluster_id}"
+  policy      = data.aws_iam_policy_document.iam_policy_document.json
+}
+
+# IAM Role policy doc: https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role
+data "aws_iam_policy_document" "iam_policy_document" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "route53:GetChange",
+    ]
+
+    resources = ["arn:aws:route53:::change/*"]
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "route53:ChangeResourceRecordSets",
+      "route53:ListResourceRecordSets",
+    ]
+
+    resources = ["arn:aws:route53:::hostedzone/${var.route53_hosted_zones}"]
+  }
+
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "route53:ListHostedZonesByName",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+#
+# Helm values
+#
+data "template_file" "helm_values" {
+  template = file("${path.module}/helm_values.tpl.yaml")
+  vars = {
+    awsAccountID       = data.aws_caller_identity.current.account_id
+    clusterName        = var.cluster_name
+    serviceAccountName = local.official_chart_name
+    chartName          = local.official_chart_name
+  }
+}
+
+module "cert-manager" {
+  source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.27"
+
+  repository          = local.helm_repository
+  official_chart_name = local.official_chart_name
+  user_chart_name     = var.user_chart_name
+  helm_version        = var.helm_chart_version
+  namespace           = var.k8s_namespace
+  helm_values         = data.template_file.helm_values.rendered
+  helm_values_2       = var.helm_values_2
+
+  depends_on = [
+    module.iam_assumable_role_admin
+  ]
+}
+
+#############################
+# cert-manager DNS01 cluster-issuer
+# https://cert-manager.io/docs/configuration/acme/dns01/route53/#creating-an-issuer-or-clusterissuer
+#############################
+# file templating
+data "template_file" "dns01_cluster_issuer_yaml" {
+  template = file("${path.module}/dns01-cluster-issuer.tpl.yaml")
+
+  vars = {
+    awsRegion           = var.aws_region
+    letsEncryptServer   = var.lets_encrypt_server
+    emailAddress        = var.lets_encrypt_email
+    dnsZhostedZoneIDone = var.route53_hosted_zones
+    domainName          = var.domain_name
+    awsAccountID        = data.aws_caller_identity.current.account_id
+    clusterName         = var.cluster_name
+    chartName           = local.official_chart_name
+  }
+}
+
+resource "kubectl_manifest" "dns01_cluster_issuer" {
+  count     = var.enable_dns01_cluster_issuer
+  yaml_body = data.template_file.dns01_cluster_issuer_yaml.rendered
+
+  depends_on = [
+    module.cert-manager
+  ]
+}
+
+#############################
+# cert-manager HTTP01 cluster-issuer
+# https://cert-manager.io/docs/configuration/acme/http01/#configuring-the-http01-ingress-solver
+#############################
+# file templating
+data "template_file" "http01_cluster_issuer_yaml" {
+  template = file("${path.module}/http01-cluster-issuer.tpl.yaml")
+
+  vars = {
+    emailAddress      = var.lets_encrypt_email
+    letsEncryptServer = var.lets_encrypt_server
+    ingressClass      = var.ingress_class
+  }
+}
+
+resource "kubectl_manifest" "http01_cluster_issuer" {
+  count     = var.enable_http01_cluster_issuer
+  yaml_body = data.template_file.http01_cluster_issuer_yaml.rendered
+
+  depends_on = [
+    module.cert-manager
+  ]
+}
diff --git a/terraform-modules/aws/helm/cert-manager/variables.tf b/terraform-modules/aws/helm/cert-manager/variables.tf
@@ -0,0 +1,85 @@
+variable "helm_chart_version" {
+  default     = "1.5.4"
+  description = "The version of this helm chart to use"
+}
+
+variable "aws_region" {
+  type        = string
+  default     = "us-east-1"
+  description = "AWS region"
+}
+
+variable "cluster_name" {
+  type        = string
+  default     = "cluster"
+  description = "EKS cluster name"
+}
+
+variable "eks_cluster_id" {
+  type        = string
+  default     = ""
+  description = "EKS cluster ID"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+  type        = string
+  default     = ""
+  description = "EKS cluster oidc issuer url"
+}
+
+variable "user_chart_name" {
+  default     = "cert-manager"
+  description = "The Helm name to install this chart under"
+}
+
+variable "k8s_namespace" {
+  default = "cert-manager"
+}
+
+variable "helm_values_2" {
+  type        = string
+  default     = ""
+  description = "Helm values that will overwrite the helm chart defaults and this modules default for further user customization"
+}
+
+variable "route53_hosted_zones" {
+  type        = string
+  default     = "*"
+  description = "The hosted zone permissions granted to: arn:aws:route53:::hostedzone/<route53_hosted_zones ID"
+}
+
+variable "ingress_class" {
+  type        = string
+  default     = "nginx-external"
+  description = "The ingress class that will be used for the http01 resolver to put the inbound check onto"
+}
+
+variable "enable_http01_cluster_issuer" {
+  type        = number
+  default     = 1
+  description = "Enable an http01 cluster issuer"
+}
+
+variable "enable_dns01_cluster_issuer" {
+  type        = number
+  default     = 1
+  description = "Enable an dns01 cluster issuer"
+}
+
+variable "lets_encrypt_server" {
+  type        = string
+  default     = "https://acme-v02.api.letsencrypt.org/directory"
+  description = "The Lets Encrypt validation server to go to.  The default is the live one."
+}
+
+variable "lets_encrypt_email" {
+  type        = string
+  default     = ""
+  description = "An email address for cert administration purposes"
+}
+
+variable "domain_name" {
+  type        = string
+  default     = "example.com"
+  description = "The domain name for DNS01 to resolve for"
+}