Add cert-manager

2025-08-12 13:59:09 +02:00 · 2024-03-17 13:01:08 +01:00
parent 9bb0b53a0b
commit 32f2087cea
8 changed files with 150 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ You need to provide values for the following variables:
 - ```cloudflare_origin_certificate_key: Private key associated with Cloudflare origin certificate.```
 - ```my_domain: Your domain name.```
 - ```install_argocd: Boolean flag indicating whether to install ArgoCD.```
+- ```install_cert_manager: Boolean flag indicating whether to install cert-manager.```
 - ```region: OCI region where resources will be created.```
 - ```public_key_path: File path to the SSH public key.```
 - ```node_pool_size: Number of worker nodes in the Kubernetes cluster.```
@@ -51,7 +52,9 @@ This module provisions a traefik2 Network Load Balancer for the cluster.
 #### ArgoCD

 This module installs and configures ArgoCD on the cluster, if enabled.
-Usage
+#### Cert-Manager
+
+This module if enabled installs cert-manager on the cluster and sets up a ClusterIssuer self signed certificate issuer for pod to pod communication.

 ### How to run
 Ensure you have set up your Terraform environment and configured the necessary variables.
--- a/oci-managed/argocd/argocd.tf
+++ b/oci-managed/argocd/argocd.tf
--- a/oci-managed/certmanager/cluster_issuer.tfpl.yaml
+++ b/oci-managed/certmanager/cluster_issuer.tfpl.yaml
@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: trust-manager-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cluster-root-certificate
+  namespace: ${namespace}
+spec:
+  isCA: true
+  commonName: cluster-root-certificate-ca
+  secretName: cluster-root-certificate-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: trust-manager-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: default-cluster-ca-issuer
+spec:
+  ca:
+    secretName: cluster-root-certificate-ca-secret
+---
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: in-cluster-trust-bundle
+spec:
+  sources:
+  - useDefaultCAs: true
+  - secret:
+      name: "cluster-root-certificate-ca-secret"
+      key: "tls.crt"
+  target:
+    configMap:
+      key: "trust-bundle.pem"
--- a/oci-managed/certmanager/main.tf
+++ b/oci-managed/certmanager/main.tf
@@ -0,0 +1,43 @@
+resource "helm_release" "cert-manager" {
+  namespace        = var.namespace
+  create_namespace = true
+  name             = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  chart            = "cert-manager"
+  version          = var.cert_manager_chart_version
+  cleanup_on_fail  = true
+
+  # Helm chart deployment can sometimes take longer than the default 5 minutes
+  timeout = var.timeout_seconds
+
+  set {
+    name  = "installCRDs"
+    value = "true"
+  }
+}
+
+resource "helm_release" "trust-manager" {
+  depends_on = [helm_release.cert-manager]
+
+  namespace        = var.namespace
+  create_namespace = true
+  name             = "trust-manager"
+  repository       = "https://charts.jetstack.io"
+  chart            = "trust-manager"
+  version          = var.trust_manager_chart_version
+  cleanup_on_fail  = true
+
+  # Helm chart deployment can sometimes take longer than the default 5 minutes
+  timeout = var.timeout_seconds
+}
+
+resource "kubectl_manifest" "cert-manager-cluster-issuer" {
+  depends_on = [helm_release.cert-manager, helm_release.trust-manager]
+
+  force_new = true
+  server_side_apply = true
+
+  yaml_body = templatefile("${path.module}/cluster_issuer.tfpl.yaml", {
+    namespace = var.namespace,
+  })
+}
--- a/oci-managed/certmanager/provider.tf
+++ b/oci-managed/certmanager/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.12.1"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14.0"
+    }
+  }
+}
--- a/oci-managed/certmanager/variables.tf
+++ b/oci-managed/certmanager/variables.tf
@@ -0,0 +1,32 @@
+variable "compartment_ocid" {}
+variable "environment" {
+  default = "prod"
+}
+variable "cluster_ocid" {
+  type = string
+}
+
+variable "namespace" {
+  description = "Namespace to install cert-manager chart into"
+  type        = string
+  default     = "cert-manager"
+}
+
+variable "cert_manager_chart_version" {
+  description = "Version of argocd chart to install"
+  type        = string
+  default     = "1.14.4" # See https://artifacthub.io/packages/helm/argo/argo-cd for latest version(s)
+}
+
+variable "trust_manager_chart_version" {
+  description = "Version of argocd chart to install"
+  type        = string
+  default     = "0.9.1" # See https://artifacthub.io/packages/helm/argo/argo-cd for latest version(s)
+}
+
+# Helm chart deployment can sometimes take longer than the default 5 minutes
+variable "timeout_seconds" {
+  type        = number
+  description = "Helm chart deployment can sometimes take longer than the default 5 minutes. Set a custom timeout here."
+  default     = 800 # 10 minutes
+}
--- a/oci-managed/main.tf
+++ b/oci-managed/main.tf
@@ -63,6 +63,15 @@ module "nlb" {
  depends_on = [ module.oke ]
 }

+module "cert-manager" {
+  compartment_ocid = var.compartment_ocid
+  cluster_ocid     = module.oke.cluster_ocid
+  count = var.install_cert_manager ? 1 : 0
+  source = "./certmanager"
+
+  depends_on = [ module.oke ]
+}
+
 module "argocd" {
  compartment_ocid = var.compartment_ocid
  cluster_ocid     = module.oke.cluster_ocid
--- a/oci-managed/variables.tf
+++ b/oci-managed/variables.tf
@@ -28,6 +28,11 @@ variable "install_argocd" {
  default = true
 }

+variable "install_cert_manager" {
+  type = bool
+  default = true
+}
+
 variable "region" {}
 variable "public_key_path" {}