Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cert-manager resources for Istio CA and TLS certificates #22

Merged
merged 8 commits into from
Oct 12, 2024
Merged

Add cert-manager resources for Istio CA and TLS certificates #22

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
47d8400
Add cert-manager resources for Istio CA and TLS certificates
brettcurtis Oct 11, 2024
5cfb80c
Remove deprecated Istio CA and issuer resources from main.tf
brettcurtis Oct 12, 2024
4368574
Add conditional resource creation for Istio gateway components
brettcurtis Oct 12, 2024
a5326a4
Remove unused comment for Istio gateway CA certificate in main.tf
brettcurtis Oct 12, 2024
c993a4b
Add zone variable and update related configurations in regional module
brettcurtis Oct 12, 2024
1d01a5c
Update regional/main.tf
brettcurtis Oct 12, 2024
3f5c468
Update regional/main.tf
brettcurtis Oct 12, 2024
5b1484e
Update regional/main.tf
brettcurtis Oct 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions regional/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,14 @@ No modules.
| [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_ingress_v1.istio_gateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource |
| [kubernetes_manifest.istio_gateway_backendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_ca_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_ca_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_frontendconfig](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_managed_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_mci](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_mcs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_selfsigned_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_manifest.istio_gateway_tls](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |

## Inputs

Expand Down Expand Up @@ -67,6 +71,7 @@ No modules.
| <a name="input_proxy_memory_limits"></a> [proxy\_memory\_limits](#input\_proxy\_memory\_limits) | The memory limit for the Istio proxy | `string` | `"64Mi"` | no |
| <a name="input_proxy_memory_requests"></a> [proxy\_memory\_requests](#input\_proxy\_memory\_requests) | The memory request for the Istio proxy | `string` | `"32Mi"` | no |
| <a name="input_region"></a> [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes |
| <a name="input_zone"></a> [zone](#input\_zone) | The zone to deploy the resources to | `string` | n/a | yes |

## Outputs

Expand Down
2 changes: 1 addition & 1 deletion regional/locals.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,5 @@ locals {
EOF

gateway_domains = keys(var.gateway_dns)
multi_cluster_name = "${var.cluster_prefix}-${var.region}-${local.env}"
multi_cluster_name = "${var.cluster_prefix}-${var.region}-${var.zone}-${local.env}"
}
103 changes: 103 additions & 0 deletions regional/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,3 +401,106 @@ resource "kubernetes_manifest" "istio_gateway_mci" {
}
}
}

resource "kubernetes_manifest" "istio_gateway_ca_certificate" {
count = var.enable_istio_gateway ? 1 : 0

manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"

metadata = {
name = "istio-gateway-ca"
namespace = "istio-ingress"
}

spec = {
commonName = "istio-gateway-ca"
duration = "2160h"
isCA = true

issuerRef = {
name = "selfsigned"
kind = "Issuer"
group = "cert-manager.io"
}

secretName = "istio-gateway-ca"

subject = {
organizations = ["istio.osinfra.io"]
}
}
}
}
brettcurtis marked this conversation as resolved.
Show resolved Hide resolved

resource "kubernetes_manifest" "istio_gateway_ca_issuer" {
count = var.enable_istio_gateway ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"

metadata = {
name = "istio-gateway-ca"
namespace = "istio-ingress"
}

spec = {
ca = {
secretName = "istio-gateway-ca"
}
}
}
}
brettcurtis marked this conversation as resolved.
Show resolved Hide resolved

resource "kubernetes_manifest" "istio_gateway_tls" {
count = var.enable_istio_gateway ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"

metadata = {
name = "istio-gateway-tls"
namespace = "istio-ingress"
}

spec = {
commonName = "istio-gateway.osinfra.io"
dnsNames = ["*"]
brettcurtis marked this conversation as resolved.
Show resolved Hide resolved
duration = "2160h"
isCA = false

issuerRef = {
name = "istio-gateway-ca"
kind = "Issuer"
group = "cert-manager.io"
}

renewBefore = "360h"
secretName = "istio-gateway-tls"

usages = [
"client auth",
"server auth"
]
}
}
}
brettcurtis marked this conversation as resolved.
Show resolved Hide resolved

resource "kubernetes_manifest" "istio_gateway_selfsigned_issuer" {
count = var.enable_istio_gateway ? 1 : 0

manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Issuer"

metadata = {
name = "selfsigned"
namespace = "istio-ingress"
}

spec = {
selfSigned = {}
}
}
}
5 changes: 5 additions & 0 deletions regional/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,3 +175,8 @@ variable "region" {
description = "The region in which the resource belongs"
type = string
}

variable "zone" {
description = "The zone to deploy the resources to"
type = string
}
3 changes: 2 additions & 1 deletion tests/default.tftest.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@ run "default_regional" {
}
}

region = "mock-region-a"
region = "mock-region"
zone = "mock-zone"
}
}

Expand Down
1 change: 1 addition & 0 deletions tests/fixtures/default/regional/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,4 +78,5 @@ module "test" {

project = var.project
region = var.region
zone = var.zone
}
4 changes: 4 additions & 0 deletions tests/fixtures/default/regional/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,7 @@ variable "project" {
variable "region" {
type = string
}

variable "zone" {
type = string
}