
terraform-iaac/terraform-kubernetes-cert-manager


Terraform module for Kubernetes Cert Manager

Terraform module that installs cert-manager in Kubernetes, together with a ClusterIssuer that performs automatic HTTP-01 validation, using a simple syntax.

Usage

Add the kubectl, helm and kubernetes provider configuration to your Terraform code:

provider "kubectl" {
  # Same config as in kubernetes provider
}
provider "helm" {
  kubernetes {
    # Same config as in kubernetes provider
  }
}
provider "kubernetes" {
  # configuration
}
terraform {
  required_providers {
    kubectl = {
      source  = "alekc/kubectl"
      version = ">= 2.0.2"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "2.5.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.0.1"
    }
  }
}

To enable automatic TLS certificate issuance for an Ingress, add this annotation to it:

cert-manager.io/cluster-issuer = module.cert_manager.cluster_issuer_name

Terraform example

module "cert_manager" {
  source        = "terraform-iaac/cert-manager/kubernetes"

  cluster_issuer_email                   = "[email protected]"
  cluster_issuer_name                    = "cert-manager-global"
  cluster_issuer_private_key_secret_name = "cert-manager-private-key"
}
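The following is an added example, not code from the module's README, that wires the module to a Kubernetes Ingress so the annotation from the previous section is actually applied by Terraform. The `use_staging` variable, the ingress and service names, the host and the secret name are assumptions; `kubernetes_ingress_v1` needs a kubernetes provider newer than the 2.0.1 minimum listed below.

```hcl
# Added example (not from the module README). Names, hosts and the
# use_staging variable are assumptions for illustration.

variable "use_staging" {
  description = "Issue from the Let's Encrypt staging CA while testing, so validation failures do not consume production rate limits"
  type        = bool
  default     = true
}

module "cert_manager" {
  source = "terraform-iaac/cert-manager/kubernetes"

  cluster_issuer_email                   = "[email protected]"
  cluster_issuer_name                    = "cert-manager-global"
  cluster_issuer_private_key_secret_name = "cert-manager-private-key"

  # Staging certificates are not browser-trusted, but they exercise the whole
  # issuance path without counting against the production limits.
  cluster_issuer_server = var.use_staging ? "https://acme-staging-v02.api.letsencrypt.org/directory" : "https://acme-v02.api.letsencrypt.org/directory"
}

# HTTP-01 validation: cert-manager serves the challenge token through this same
# ingress class, so the host must resolve publicly to the ingress controller.
resource "kubernetes_ingress_v1" "app" {
  metadata {
    name      = "app"     # assumed
    namespace = "default" # assumed
    annotations = {
      "cert-manager.io/cluster-issuer" = module.cert_manager.cluster_issuer_name
    }
  }

  spec {
    ingress_class_name = "nginx"

    # cert-manager writes the issued key pair into this secret; the ingress
    # controller reads it to terminate TLS. Anyone who can read secrets in this
    # namespace can read the private key, so scope RBAC accordingly.
    tls {
      hosts       = ["app.example.com"]
      secret_name = "app-example-com-tls"
    }

    rule {
      host = "app.example.com"
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = "app" # assumed backing service
              port {
                number = 80
              }
            }
          }
        }
      }
    }
  }
}
```

Flip `use_staging` to `false` only once the staging issuance succeeds; the ClusterIssuer is replaced in place and cert-manager re-issues the certificate from the production CA.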

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| namespace_name | Name of the created namespace | string | cert-manager | no |
| chart_version | Helm chart version for cert-manager (changing it is not recommended) | string | 1.11.0 | no |
| create_namespace | Create the namespace, or use an existing one | bool | true | no |
| cluster_issuer_server | The ACME server URL | string | https://acme-v02.api.letsencrypt.org/directory | no |
| cluster_issuer_preferred_chain | Preferred chain for the ClusterIssuer | string | ISRG Root X1 | no |
| cluster_issuer_email | Email address used for ACME registration | string | n/a | yes |
| cluster_issuer_private_key_secret_name | Name of the secret used to store the ACME account private key | string | cert-manager-private-key | no |
| cluster_issuer_name | ClusterIssuer name, used in annotations | string | cert-manager | no |
| cluster_issuer_create | Create the ClusterIssuer? Note: if false, you must create your own issuer | bool | true | no |
| cluster_issuer_yaml | Create the ClusterIssuer from your own YAML. NOTE: some variables stop working when this parameter is used | string | null | no |
| additional_set | Additional `set` values passed to Helm | list(object({ name = string, value = string, type = string (optional) })) | [] | no |
| solvers | Alternate way of providing just the solvers section of the ClusterIssuer | list[object(any)] | `- http01: { ingress: { class: nginx } }` | no |
| certificates | List of certificates | any | refer to "Certificates" | no |

Solvers

An example of a more complex solver configuration that combines the http01 and dns01 methods, with selectors that route different domains to different solvers:

solvers = [
  {
    dns01 = {
      route53 = {
        region  = "us-east-1"
        ambient = "true"
      }
    },
    selector = {
      dnsZones = [
        "internal.example.com"
      ]
    }
  },
  {
    dns01 = {
      cloudflare = {
        email = "[email protected]"
        apiKeySecretRef = {
          name = "cloudflare-api-key-secret"
          key  = "API"
        }
      },
    },
    selector = {
      dnsZones = [
        "public.example.com"
      ]
    }
  },
  {
    http01 = {
      ingress = {
        class = "nginx"
      }
    }
  }
]
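The DNS-01 solvers above reference a Kubernetes Secret holding the DNS provider credential. The following added example, not from the module's README, shows how to create that secret from Terraform with a Cloudflare API token scoped to DNS edits on the relevant zones, instead of the account-wide API key used by `apiKeySecretRef`. The `cloudflare_api_token` variable, the secret name and the zone names are assumptions; `apiTokenSecretRef` is the cert-manager field for scoped tokens.

```hcl
# Added example (not from the module README). The token variable, secret
# name and zone names are assumptions for illustration.

variable "cloudflare_api_token" {
  description = "Cloudflare API token restricted to Zone:DNS:Edit on the zones below"
  type        = string
  sensitive   = true
}

module "cert_manager" {
  source               = "terraform-iaac/cert-manager/kubernetes"
  cluster_issuer_email = "[email protected]"

  solvers = [
    {
      dns01 = {
        cloudflare = {
          # A zone-scoped token limits what a leaked credential can change;
          # apiKeySecretRef would expose the whole Cloudflare account.
          apiTokenSecretRef = {
            name = "cloudflare-api-token"
            key  = "api-token"
          }
        }
      }
      selector = {
        dnsZones = ["public.example.com"]
      }
    },
    {
      # Everything not matched by a selector falls back to HTTP-01.
      http01 = {
        ingress = { class = "nginx" }
      }
    }
  ]
}

# A ClusterIssuer reads referenced secrets from cert-manager's own namespace,
# so the token is created there, not in an application namespace.
resource "kubernetes_secret_v1" "cloudflare_api_token" {
  metadata {
    name      = "cloudflare-api-token"
    namespace = module.cert_manager.namespace
  }

  data = {
    "api-token" = var.cloudflare_api_token
  }

  type = "Opaque"
}
```

The module only stores the secret's name in the ClusterIssuer, so there is no Terraform dependency cycle; cert-manager retries the challenge until the secret exists. Note that the token still lands in Terraform state in plaintext, so the state backend needs the same access controls as the secret itself.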

Certificates

module "cert_manager" {
  ...
  certificates = {
    "my_certificate" = {
      dns_names = ["my.example.com"]
    }
  }
}

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| namespace | Certificate resource namespace | string | uses var.namespace_name of this module | no |
| labels | Certificate resource labels | map(string) | {} | no |
| secret_name | Certificate secret name. Note: for AKS/AGIC ensure the certificate and the secret have the same name | string | ${Certificate Name}-tls | no |
| secret_annotations | Certificate secret annotations | map(string) | {} | no |
| secret_labels | Certificate secret labels | map(string) | {} | no |
| duration | Certificate validity period | map(string) | "2160h" | no |
| renew_before | Reissue the certificate this long before its expiry | string | "360h" | no |
| organizations | Organization of the issued certificate | list(string) | [] | no |
| is_ca | Whether the certificate is a CA or not | bool | false | no |
| private_key_algorithm | Generate the private key with this algorithm | string | "RSA" | no |
| private_key_encoding | Generate the private key with this encoding | string | "PKCS1" | no |
| private_key_size | Generate a private key of this length | number | 2048 | no |
| usages | Certificate usages | list(string) | ["server auth", "client auth"] | no |
| dns_names | Domain names for which the certificate is intended | list(string) | n/a | yes |
| uris | Certificate URIs | list(string) | [] | no |
| ip_addresses | Certificate IP addresses | list(string) | [] | no |
| issuer_name | Issuer name | string | the name of the ClusterIssuer created by this module | no |
| issuer_kind | Issuer kind | string | "ClusterIssuer" | no |
| issuer_group | Issuer group | string | "" | no |
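An added example, not from the module's README, that exercises the certificate settings from the table above: an ECDSA key for a public host issued by the module's ClusterIssuer, and a short-lived certificate from a separate, pre-existing namespaced Issuer. Certificate names, hosts, namespaces, labels and the `internal-ca` issuer are assumptions.

```hcl
# Added example (not from the module README). Certificate names, hosts,
# namespaces and the internal-ca issuer are assumptions for illustration.
module "cert_manager" {
  source               = "terraform-iaac/cert-manager/kubernetes"
  cluster_issuer_email = "[email protected]"

  certificates = {
    # Public host issued by the module's ClusterIssuer. ACME CAs such as
    # Let's Encrypt fix the validity themselves, so duration is left at its
    # default; renew_before still controls how early renewal starts.
    "api_public" = {
      dns_names             = ["api.example.com", "www.api.example.com"]
      namespace             = "api"
      secret_name           = "api-example-com-tls"
      renew_before          = "720h"
      private_key_algorithm = "ECDSA"
      private_key_encoding  = "PKCS8"
      private_key_size      = 256
      usages                = ["server auth"] # no client auth for a server-only cert
      labels                = { team = "platform" }
    }

    # Internal service issued by an existing Issuer in its own namespace.
    # A private CA honours the requested duration, so a 30-day certificate
    # renewed 10 days ahead bounds how long a leaked key remains valid.
    "internal_svc" = {
      dns_names    = ["svc.internal.example.com"]
      namespace    = "internal"
      duration     = "720h"
      renew_before = "240h"
      issuer_name  = "internal-ca" # assumed pre-existing Issuer in "internal"
      issuer_kind  = "Issuer"
      usages       = ["server auth", "client auth"]
    }
  }
}
```

`renew_before` must be shorter than the certificate's actual validity or cert-manager will renew continuously; the values here keep that margin for both the ACME 90-day certificate and the 30-day internal one.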

Outputs

| Name | Description |
|------|-------------|
| namespace | Namespace used by cert-manager |
| cluster_issuer_name | Created ClusterIssuer |
| cluster_issuer_server | ACME server used by the ClusterIssuer |
| cluster_issuer_private_key_name | Name of the secret where cert-manager stores the ACME account private key |
| certificates[*].map | Certificate settings applied to Kubernetes |
| certificates[*].secret_name | Secret name of the certificate |

Terraform Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| kubernetes | >= 2.0.1 |
| helm | >= 2.5.0 |
| alekc/kubectl | >= 2.0.2 |

Cert Manager Version: v1.11.0

Source: https://github.com/jetstack/cert-manager

Tutorials: https://cert-manager.io/docs/