Certificate on-demand in istio-gateway and new input params gateway h…

…osts and credentialName (#255)
ManagedKube · Feb 18, 2022 · ae7e021 · ae7e021
1 parent bc26507
commit ae7e021
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml b/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
@@ -13,14 +13,13 @@ spec:
       number: 80
       name: http
       protocol: HTTP
-    hosts:
-    - "*"
+    host: ${gateway_hosts}
   - port:
       number: 443
       name: https
       protocol: HTTPS
     tls:
       mode: SIMPLE
-      credentialName: domain-wildcard # This should match the Certificate secretName
+      credentialName: ${gateway_credentialName} # This should match the Certificate secretName
     hosts:
     - "*" # This should match a DNS name in the Certificate
diff --git a/terraform-modules/aws/istio-networking/main-gateway/main.tf b/terraform-modules/aws/istio-networking/main-gateway/main.tf
@@ -15,6 +15,8 @@ data "template_file" "gateway" {
 
   vars = {
     namespace  = var.namespace
+    gateway_hosts =  "${jsonencode(var.gateway_hosts)}"
+    gateway_credentialName = var.gateway_credentialName
   }
 }
 
@@ -24,6 +26,7 @@ resource "kubectl_manifest" "gateway" {
 
 # file templating
 data "template_file" "certificate" {
+  count    = var.enable_certificate ? 1 : 0
   template = file("${path.module}/certificate.tpl.yaml")
 
   vars = {
@@ -38,5 +41,6 @@ data "template_file" "certificate" {
 }
 
 resource "kubectl_manifest" "certificate" {
-  yaml_body = data.template_file.certificate.rendered
+  count     = var.enable_certificate ? 1 : 0
+  yaml_body = data.template_file.certificate[0].rendered
 }
diff --git a/terraform-modules/aws/istio-networking/main-gateway/variables.tf b/terraform-modules/aws/istio-networking/main-gateway/variables.tf
@@ -28,7 +28,13 @@ variable "cert_dns_name" {
   type = string
   description = "The dns name for the certificate"
 }
-
+
+variable "enable_certificate" {
+  type = bool
+  description = "If set to true, it will create the certificate resource on-demand"
+  default = true
+}
+
 variable "issue_ref_name" {
   default = "letsencrypt-prod-dns01"
 }
@@ -39,4 +45,16 @@ variable "issue_ref_kind" {
 
 variable "issue_ref_group" {
   default = "cert-manager.io"
+}
+
+variable "gateway_hosts" {
+  type    = list(string)
+  description = "the list of hosts available for the gateway"
+  default = ["*"]
+}
+
+variable "gateway_credentialName" {
+  type    = string
+  description = "This is the gateway matches the secretName field in the certificate"
+  default = "domain-wildcard" 
 }