feat(aws): add HTTP01 and DNS01 cluster issuer

Signed-off-by: Kevin Lefevre <[email protected]>
particuleio · Nov 26, 2020 · ce3b1e0 · ce3b1e0
1 parent 92fb3b1
commit ce3b1e0
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 19 deletions.
diff --git a/modules/aws/cert-manager.tf b/modules/aws/cert-manager.tf
@@ -3,20 +3,22 @@ locals {
   cert-manager = merge(
     local.helm_defaults,
     {
-      name                           = "cert-manager"
-      namespace                      = "cert-manager"
-      chart                          = "cert-manager"
-      repository                     = "https://charts.jetstack.io"
-      service_account_name           = "cert-manager"
-      create_iam_resources_irsa      = true
-      enabled                        = false
-      chart_version                  = "v1.0.4"
-      version                        = "v1.0.4"
-      iam_policy_override            = null
-      default_network_policy         = true
-      acme_email                     = "[email protected]"
-      enable_default_cluster_issuers = false
-      allowed_cidrs                  = ["0.0.0.0/0"]
+      name                      = "cert-manager"
+      namespace                 = "cert-manager"
+      chart                     = "cert-manager"
+      repository                = "https://charts.jetstack.io"
+      service_account_name      = "cert-manager"
+      create_iam_resources_irsa = true
+      enabled                   = false
+      chart_version             = "v1.0.4"
+      version                   = "v1.0.4"
+      iam_policy_override       = null
+      default_network_policy    = true
+      acme_email                = "[email protected]"
+      acme_http01_enabled       = true
+      acme_http01_ingress_class = ""
+      acme_dns01_enabled        = true
+      allowed_cidrs             = ["0.0.0.0/0"]
     },
     var.cert-manager
   )
@@ -145,10 +147,13 @@ resource "helm_release" "cert-manager" {
 }
 
 data "kubectl_path_documents" "cert-manager_cluster_issuers" {
-  pattern = "./templates/cert-manager-cluster-issuers.yaml"
+  pattern = "./templates/cert-manager-cluster-issuers.yaml.tpl"
   vars = {
-    acme_email = local.cert-manager["acme_email"]
-    aws_region = data.aws_region.current.name
+    aws_region                = data.aws_region.current.name
+    acme_email                = local.cert-manager["acme_email"]
+    acme_http01_enabled       = local.cert-manager["acme_http01_enabled"]
+    acme_http01_ingress_class = local.cert-manager["acme_http01_ingress_class"]
+    acme_dns01_enabled        = local.cert-manager["acme_dns01_enabled"]
   }
 }
 
@@ -158,7 +163,7 @@ resource "time_sleep" "cert-manager_sleep" {
 }
 
 resource "kubectl_manifest" "cert-manager_cluster_issuers" {
-  count     = local.cert-manager["enabled"] && local.cert-manager["enable_default_cluster_issuers"] ? length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0
+  count     = local.cert-manager["enabled"] && (local.cert-manager["acme_http01_enabled"] || local.cert-manager["acme_dns01_enabled"]) ? length(data.kubectl_path_documents.cert-manager_cluster_issuers.documents) : 0
   yaml_body = element(data.kubectl_path_documents.cert-manager_cluster_issuers.documents, count.index)
   depends_on = [
     helm_release.cert-manager,

diff --git a/modules/aws/cni-metrics-helper.tf b/modules/aws/cni-metrics-helper.tf
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "cni-metrics-helper" {
 
 resource "kubectl_manifest" "cni-metrics-helper" {
   count = local.cni-metrics-helper["enabled"] ? 1 : 0
-  yaml_body = templatefile("${path.module}/templates/cni-metrics-helper.yaml", {
+  yaml_body = templatefile("${path.module}/templates/cni-metrics-helper.yaml.tpl", {
     cni-metrics-helper_role_arn_irsa = local.cni-metrics-helper["create_iam_resources_irsa"] ? module.iam_assumable_role_cni-metrics-helper.this_iam_role_arn : ""
     cni-metrics-helper_version       = local.cni-metrics-helper["version"]
   })

diff --git a/...mplates/cert-manager-cluster-issuers.yaml → ...tes/cert-manager-cluster-issuers.yaml.tpl b/...mplates/cert-manager-cluster-issuers.yaml → ...tes/cert-manager-cluster-issuers.yaml.tpl
@@ -10,9 +10,21 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging
     solvers:
+    %{ if acme_dns01_enabled }
     - dns01:
         route53:
           region: '${aws_region}'
+    %{ endif }
+    %{ if acme_http01_enabled }
+    - http01:
+        ingress:
+          class: '${acme_http01_ingress_class}'
+      %{ if acme_dns01_enabled}
+      selector:
+        matchLabels:
+          "use-http01-solver": "true"
+      %{ endif }
+    %{ endif }
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -25,6 +37,18 @@ spec:
     privateKeySecretRef:
       name: letsencrypt
     solvers:
+    %{ if acme_dns01_enabled }
     - dns01:
         route53:
           region: '${aws_region}'
+    %{ endif }
+    %{ if acme_http01_enabled }
+    - http01:
+        ingress:
+          class: '${acme_http01_ingress_class}'
+      %{ if acme_dns01_enabled}
+      selector:
+        matchLabels:
+          "use-http01-solver": "true"
+      %{ endif }
+    %{ endif }
diff --git a/...les/aws/templates/cni-metrics-helper.yaml → ...aws/templates/cni-metrics-helper.yaml.tpl b/...les/aws/templates/cni-metrics-helper.yaml → ...aws/templates/cni-metrics-helper.yaml.tpl