add cluster issuer

README.md

@@ -51,14 +51,17 @@ sys     0m2.015s
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_efs"></a> [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| <a name="module_subordinate_ca"></a> [subordinate\_ca](#module\_subordinate\_ca) | git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [helm_release.clusterissuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
 | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
@@ -70,7 +73,9 @@ sys     0m2.015s
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cluster_mailing_list"></a> [cluster\_mailing\_list](#input\_cluster\_mailing\_list) | The mailing list for cluster notifications | `string` | `"cluster@example.com"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to deploy cert-manager resources into | `string` | `"cert-manager"` | no |
 | <a name="input_operators_ns"></a> [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |

cert-mgr-cluster-issuer.tf

@@ -0,0 +1,53 @@
+locals {
+  common_tags = {
+    "boc:created_by" = "terraform"
+  }
+}
+
+# Create a subordinate cert for the cert-manager clusterissuer.
+module "subordinate_ca" {
+  # tflint-ignore: terraform_module_pinned_source
+  source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+  cluster_name  = var.cluster_name
+  contact_email = var.cluster_mailing_list
+  validity_days = 30
+
+  tags = merge(
+    local.common_tags,
+  )
+}
+
+resource "kubernetes_secret" "ca_key_pair" {
+  metadata {
+    name = "ca-key-pair"
+    # namespace = var.cluster_issuer_name
+    namespace = var.namespace
+  }
+
+  binary_data = {
+    "tls.key" = module.subordinate_ca.certificate_tls_key
+    "tls.crt" = module.subordinate_ca.certificate_tls_crt
+  }
+}
+
+resource "helm_release" "clusterissuer" {
+  name      = "clusterissuer"
+  chart     = "./clusterissuer"
+  namespace = var.namespace
+
+  set = [
+    {
+      name  = "name"
+      value = "clusterissuer"
+    },
+    {
+      name  = "apiVersion"
+      value = "cert-manager.io/v1"
+    },
+    {
+      name  = "secretName"
+      value = kubernetes_secret.ca_key_pair.metadata[0].name
+    }
+  ]
+}

variables.tf

@@ -135,3 +135,15 @@ variable "tags" {
 #   type        = list(any)
 #   default     = []
 # }
+
+variable "namespace" {
+  description = "The namespace to deploy cert-manager resources into"
+  type        = string
+  default     = "cert-manager"
+}
+
+variable "cluster_mailing_list" {
+  description = "The mailing list for cluster notifications"
+  type        = string
+  default     = "cluster@example.com"
+}