Terraform module used to create Cert Manager in Kubernetes, with auto http validation issuer. With simple syntax.
provider "kubectl" {
# Same config as in kubernetes provider
}
provider "helm" {
kubernetes {
# Same config as in kubernetes provider
}
}
provider "kubernetes" {
# configuration
}
terraform {
required_providers {
kubectl = {
source = "alekc/kubectl"
version = ">= 2.0.2"
}
helm = {
source = "hashicorp/helm"
version = "2.5.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.0.1"
}
}
}
cert-manager.io/cluster-issuer = module.cert_manager.cluster_issuer_name
module "cert_manager" {
source = "terraform-iaac/cert-manager/kubernetes"
cluster_issuer_email = "[email protected]"
cluster_issuer_name = "cert-manager-global"
cluster_issuer_private_key_secret_name = "cert-manager-private-key"
}
Name | Description | Type | Default - | Required |
---|---|---|---|---|
namespace_name | Name of created namespace | string |
cert-manager |
no |
chart_version | HELM Chart Version for cert-manager ( It is not recommended to change ) | string |
1.11.0 |
no |
create_namespace | Create namespace or use exist | bool |
true |
no |
cluster_issuer_server | The ACME server URL | string |
https://acme-v02.api.letsencrypt.org/directory |
no |
cluster_issuer_preferred_chain | Preferred chain for ClusterIssuer | string |
ISRG Root X1 |
no |
cluster_issuer_email | Email address used for ACME registration | string |
n/a | yes |
cluster_issuer_private_key_secret_name | Name of a secret used to store the ACME account private key | string |
cert-manager-private-key |
no |
cluster_issuer_name | Cluster Issuer Name, used for annotations | string |
cert-manager |
no |
cluster_issuer_create | Create Cluster Issuer? Note: you should create your own issuer if value false |
bool |
true |
no |
cluster_issuer_yaml | Create Cluster Issuer with your yaml. NOTE: some variables stop to work in case when you using this parameter | string |
null |
no |
additional_set | Additional sets to Helm | list(object({ |
[] |
no |
solvers | Alternate way of providing just the solvers section of the cluster issuer | list[object(any)] |
- http01: |
no |
certificates | List of certificates | any |
refer to "Certificates" | no |
An example of a complex solver that uses different methods http01
and DNS01
as well as selectors for different domains would be
solvers = [
{
dns01 = {
route53 = {
region = "us-east-1"
ambient = "true"
}
},
selector = {
dnsZones = [
"internal.example.com"
]
}
},
{
dns01 = {
cloudflare = {
email = "[email protected]"
apiKeySecretRef = {
name = "cloudflare-api-key-secret"
key = "API"
}
},
},
selector = {
dnsZones = [
"public.example.com"
]
}
},
{
http01 = {
ingress = {
class = "nginx"
}
}
}
]
module "cert_manager" {
...
certificates = {
"my_certificate" = {
dns_names = ["my.example.com"]
}
}
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
namespace | certificate resource namespace | string | uses var.namespace_name of this module | no |
labels | certificate resource labels | map(string) | {} | no |
secret_name | certificate secret name. Note: for AKS/AGIC ensure cert and secret have the same name | string | ${Certificate Name}-tls | no |
secret_annotations | certificate secret annotations | map(string) | {} | no |
secret_labels | certificate secret labels | map(string) | {} | no |
duration | certificate validity period | map(string) | "2160h" | no |
renew_before | It will reissue the certificate before this date from the due date | string | "360h" | no |
organizations | Organization of issuing certificate | list(string) | [] | no |
is_ca | Whether the certificate is a CA or not | bool | false | no |
private_key_algorithm | It will generate a private key with this algorithm | string | "RSA" | no |
private_key_encoding | It will generate a private key with this encoding | string | "PKCS1" | no |
private_key_size | It will generate a private key of this lengh | number | 2048 | no |
usages | certificate usages | list(string) | ["server auth", "client auth"] | no |
dns_names | Domain names for which the certificate is intended | list(string) | n/a | yes |
uris | certificate URIs | list(string) | [] | no |
ip_addresses | certificate ip address | list(string) | [] | no |
issuer_name | issuer name. | string | Default is the name of the ClusterIssuer created by this module | no |
issuer_kind | issuer kind | string | "ClusterIssuer" | no |
issuer_group | issuer group | string | "" | no |
Name | Description |
---|---|
namespace | Namespace used by cert manager |
cluster_issuer_name | Created cluster issuer |
cluster_issuer_server | ACME Server used by Cluster Issuer |
cluster_issuer_private_key_name | Name of secrets, where cert manager stores private key |
certificates[*].map | Certificate settings applied to k8s |
certificates[*].secret_name | Secret name of the certificate |
Name | Version |
---|---|
terraform | >= 1.0.0 |
kubernetes | >= 2.0.1 |
helm | >= 2.5.0 |
alekc/kubectl | >= 2.0.2 |
Cert Manager Version: v1.11.0
Source: https://github.com/jetstack/cert-manager
Tutorials: https://cert-manager.io/docs/