add conversion doc for eks
badra001 committed Feb 5, 2024
1 parent 8cccccf commit 1f8393f
Showing 4 changed files with 133 additions and 0 deletions.
56 changes: 56 additions & 0 deletions conversion/eks/README.md
@@ -0,0 +1,56 @@
# Convert

Work in a git branch.

* copy new file

Copy `cert-manager-issuer.tf` from [here](cert-manager-issuer.tf) or [here](https://github.e.it.census.gov/raw/terraform-modules/aws-eks/tf-upgrade/examples/cert-manager-issuer/cert-manager-issuer.tf) to `common-services/`.

* comment old cert

Comment out `module "cert"` from `cert.tf.

* update `main.tf`

Update `main.tf` helm settings for the intermediate-certificate-issuer

Change the `tls.crt` and `tls.key` settings to the module output values listed below.

```hcl
set {
name = "tls.crt"
+# value = local.tls_crt_b64
value = module.subordinate_ca.certificate_tls_crt
}
set {
name = "tls.key"
+# value = local.tls_key_b64
value = module.subordinate_ca.certificate_tls_key
}
}
```

* apply

`tf-apply`. As there is no ACM certificate here, you should be able to apply without using `-target`.

* remove old key

```script
git-secret remove -c certs/pki*key
```

* remove rest of certs/

```script
git rm -r certs/
```

* commit -a, push and PR

```script
git commit -a
git push
# do PR
```

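Review bot: the `hcl` block under "update `main.tf`" is not valid HCL as pasted: the two lines `+# value = local.tls_crt_b64` and `+# value = local.tls_key_b64` carry a leading `+` left over from the diff they were copied from, and the final `}` closes a `resource "helm_release"` block whose opening line is not in the snippet. Either fence it as a diff, or drop the `+` and the trailing `}` (or add the `resource "helm_release" "intermediate-certificate-issuer" {` opening line) so the block can be copied straight into `main.tf`. Two smaller points: `cert.tf.` under "comment old cert" is missing its closing backtick; and the "remove old key" / "remove rest of certs/" steps (`git-secret remove -c certs/pki*key`, `git rm -r certs/`) only drop the old intermediate key from the working tree, the previously committed git-secret-encrypted copy stays in git history, so the doc should state whether the old intermediate CA certificate is revoked or simply left to expire once the ACM PCA-issued one replaces it.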
14 changes: 14 additions & 0 deletions conversion/eks/cert-manager-issuer.tf
@@ -0,0 +1,14 @@
module "subordinate_ca" {
source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"

cluster_name = var.cluster_name
contact_email = var.contact_email

tags = merge(
local.base_tags,
local.common_tags,
var.account_tags,
var.infrastructure_tags,
var.application_tags,
)
}
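Review bot: the module source `git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager` has no `?ref=` pin, so every `terraform init` (and `init -upgrade`) follows the repository's default branch and a conversion done later can silently pick up different module code; pin it to a tag or commit (`...//acmpca-eks-cert-manager?ref=<tag>`), the same way the README points at a specific `tf-upgrade` branch for the example file. It would also help to list the inputs this file assumes already exist in `common-services/` (`var.cluster_name`, `var.contact_email`, `local.base_tags`, `local.common_tags`, `var.account_tags`, `var.infrastructure_tags`, `var.application_tags`), since the README only says to copy the file in.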
25 changes: 25 additions & 0 deletions conversion/eks/main.tf.diffs
@@ -0,0 +1,25 @@
diff --git a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
index 29efe14..9f6efc7 100644
--- a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
+++ b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
@@ -245,14 +245,17 @@ resource "helm_release" "intermediate-certificate-issuer" {

set {
name = "tls.crt"
- value = local.tls_crt_b64
+# value = local.tls_crt_b64
+ value = module.subordinate_ca.certificate_tls_crt
}
set {
name = "tls.key"
- value = local.tls_key_b64
+# value = local.tls_key_b64
+ value = module.subordinate_ca.certificate_tls_key
}
}

+
# when using vault as a CA is requested
resource "helm_release" "vault-certificate-issuer" {
count = local.vault_ca == true ? 1 : 0

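Review bot: `tls.key` is still passed through a plain `set` block, so the subordinate CA private key from `module.subordinate_ca.certificate_tls_key` is printed in `terraform plan` output (unless the module already marks that output `sensitive`) and in any case lands in state; since this hunk is already rewriting the two `set` blocks, move the key to the helm provider's `set_sensitive` block. Also, the old values are kept as comments (`# value = local.tls_crt_b64`, `# value = local.tls_key_b64`) rather than deleted; with `certs/` removed in the README's later steps, check that the definitions of `local.tls_crt_b64` / `local.tls_key_b64` (not shown in this hunk) are removed too, otherwise they are dead code at best and a broken file reference at worst.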
38 changes: 38 additions & 0 deletions conversion/eks/test-cert.tf
@@ -0,0 +1,38 @@
locals {
vs_cert_name = "test"
}

resource "kubernetes_manifest" "vs_certificate" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"

metadata = {
name = format("%v-cert", local.vs_cert_name)
namespace = "istio-system"
}
spec = {
secretName = format("%v-cert", local.vs_cert_name)
commonName = format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name)
dnsNames = [
format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name),
format("%v.%v", local.vs_cert_name, var.vpc_domain_name),
]
subject = {
countries = ["US"]
organizations = ["U.S. Census Bureau"]
organizationalUnits = ["Services"]
}
usages = [
"digital signature",
"key encipherment",
"server auth",
"client auth",
]
issuerRef = {
kind = "ClusterIssuer"
name = "clusterissuer"
}
}
}
}
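Review bot: the README does not mention this file, so say what it is for (presumably a post-conversion check that the `ClusterIssuer` named `clusterissuer` can issue) and whether it is meant to stay in `common-services/` or be removed after the check. Two things to confirm before relying on it: `kubernetes_manifest` needs the `cert-manager.io/v1` `Certificate` CRD to exist in the cluster at plan time, so this resource cannot be applied in the same run that first installs cert-manager; and `usages` lists both `server auth` and `client auth`, which is broader than a gateway TLS certificate for `test.<cluster_name>.<vpc_domain_name>` needs, drop `client auth` unless something actually presents this certificate as a client.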
