diff --git a/regional/README.md b/regional/README.md
index 6166540..795c675 100644
--- a/regional/README.md
+++ b/regional/README.md
@@ -30,10 +30,14 @@ No modules.
| [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_ingress_v1.istio_gateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
| [kubernetes_manifest.istio_gateway_backendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_ca_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_ca_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_frontendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_managed_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_mcs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_selfsigned_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.istio_gateway_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
## Inputs
@@ -67,6 +71,7 @@ No modules.
| [proxy\_memory\_limits](#input\_proxy\_memory\_limits) | The memory limit for the Istio proxy | `string` | `"64Mi"` | no |
| [proxy\_memory\_requests](#input\_proxy\_memory\_requests) | The memory request for the Istio proxy | `string` | `"32Mi"` | no |
| [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes |
+| [zone](#input\_zone) | The zone to deploy the resources to | `string` | n/a | yes |
## Outputs
diff --git a/regional/locals.tf b/regional/locals.tf
index 3c421c3..9ad46e2 100644
--- a/regional/locals.tf
+++ b/regional/locals.tf
@@ -24,5 +24,5 @@ locals {
EOF
gateway_domains = keys(var.gateway_dns)
- multi_cluster_name = "${var.cluster_prefix}-${var.region}-${local.env}"
+ multi_cluster_name = "${var.cluster_prefix}-${var.region}-${var.zone}-${local.env}"
}
diff --git a/regional/main.tf b/regional/main.tf
index 0042059..f77e59e 100644
--- a/regional/main.tf
+++ b/regional/main.tf
@@ -401,3 +401,118 @@ resource "kubernetes_manifest" "istio_gateway_mci" {
}
}
}
+
+resource "kubernetes_manifest" "istio_gateway_ca_certificate" {
+ count = var.enable_istio_gateway ? 1 : 0
+
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Certificate"
+
+ metadata = {
+ name = "istio-gateway-ca"
+ namespace = "istio-ingress"
+ }
+
+ spec = {
+ commonName = "istio-gateway-ca"
+ duration = "2160h"
+ isCA = true
+
+ issuerRef = {
+ name = "selfsigned"
+ kind = "Issuer"
+ group = "cert-manager.io"
+ }
+
+ secretName = "istio-gateway-ca"
+
+ subject = {
+ organizations = ["istio.osinfra.io"]
+ }
+ }
+ }
+
+ depends_on = [
+ kubernetes_manifest.istio_gateway_selfsigned_issuer
+ ]
+}
+
+resource "kubernetes_manifest" "istio_gateway_ca_issuer" {
+ count = var.enable_istio_gateway ? 1 : 0
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Issuer"
+
+ metadata = {
+ name = "istio-gateway-ca"
+ namespace = "istio-ingress"
+ }
+
+ spec = {
+ ca = {
+ secretName = "istio-gateway-ca"
+ }
+ }
+ }
+
+ depends_on = [
+ kubernetes_manifest.istio_gateway_ca_certificate
+ ]
+}
+
+resource "kubernetes_manifest" "istio_gateway_tls" {
+ count = var.enable_istio_gateway ? 1 : 0
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Certificate"
+
+ metadata = {
+ name = "istio-gateway-tls"
+ namespace = "istio-ingress"
+ }
+
+ spec = {
+ commonName = "istio-gateway.osinfra.io"
+ dnsNames = ["*"]
+ duration = "2160h"
+ isCA = false
+
+ issuerRef = {
+ name = "istio-gateway-ca"
+ kind = "Issuer"
+ group = "cert-manager.io"
+ }
+
+ renewBefore = "360h"
+ secretName = "istio-gateway-tls"
+
+ usages = [
+ "client auth",
+ "server auth"
+ ]
+ }
+ }
+
+ depends_on = [
+ kubernetes_manifest.istio_gateway_ca_issuer
+ ]
+}
+
+resource "kubernetes_manifest" "istio_gateway_selfsigned_issuer" {
+ count = var.enable_istio_gateway ? 1 : 0
+
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Issuer"
+
+ metadata = {
+ name = "selfsigned"
+ namespace = "istio-ingress"
+ }
+
+ spec = {
+ selfSigned = {}
+ }
+ }
+}
diff --git a/regional/variables.tf b/regional/variables.tf
index 294f756..472135b 100644
--- a/regional/variables.tf
+++ b/regional/variables.tf
@@ -175,3 +175,8 @@ variable "region" {
description = "The region in which the resource belongs"
type = string
}
+
+variable "zone" {
+ description = "The zone to deploy the resources to"
+ type = string
+}
diff --git a/tests/default.tftest.hcl b/tests/default.tftest.hcl
index e6edb6f..528b54c 100644
--- a/tests/default.tftest.hcl
+++ b/tests/default.tftest.hcl
@@ -51,7 +51,8 @@ run "default_regional" {
}
}
- region = "mock-region-a"
+ region = "mock-region"
+ zone = "mock-zone"
}
}
diff --git a/tests/fixtures/default/regional/main.tf b/tests/fixtures/default/regional/main.tf
index 6db5149..8169392 100644
--- a/tests/fixtures/default/regional/main.tf
+++ b/tests/fixtures/default/regional/main.tf
@@ -78,4 +78,5 @@ module "test" {
project = var.project
region = var.region
+ zone = var.zone
}
diff --git a/tests/fixtures/default/regional/variables.tf b/tests/fixtures/default/regional/variables.tf
index 78db396..7aa5ef2 100644
--- a/tests/fixtures/default/regional/variables.tf
+++ b/tests/fixtures/default/regional/variables.tf
@@ -19,3 +19,7 @@ variable "project" {
variable "region" {
type = string
}
+
+variable "zone" {
+ type = string
+}