diff --git a/.gitignore b/.gitignore index 17763e3..40258dd 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ logs common/README.md OLD/ +X +Y diff --git a/CHANGELOG.md b/CHANGELOG.md index d271958..1e953f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,3 +17,8 @@ - 1.25: - add eks_instance_volume_type allowing gp2 and gp3, default gp3 - remove link details from README.md + +* 2.0.3 -- 2024-01-10 + - change common-services to use cert-manager-issuer which uses the new acmpca-eks-cert-manager module + - remove extraneous helm charts for non-issuer ca + - add contact_email variable diff --git a/common/version.tf b/common/version.tf index 100daf2..4ab7a1f 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.0.1" + _module_version = "2.0.3" } diff --git a/examples/cert-manager-issuer/cert-manager-issuer.tf b/examples/cert-manager-issuer/cert-manager-issuer.tf index e607dc7..65d1abd 100644 --- a/examples/cert-manager-issuer/cert-manager-issuer.tf +++ b/examples/cert-manager-issuer/cert-manager-issuer.tf 
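Review bot: The two added ignore entries `+X` and `+Y` look like scratch placeholders rather than real paths, and as written they silently drop any file or directory literally named X or Y from the repository. If they were meant to cover something specific, name it; otherwise they should be removed before this lands.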
@@ -1,75 +1,14 @@ -data "aws_ssm_parameter" "subordinate_ca" { - name = "/enterprise/pki/ca1" -} - -locals { - subordinate_ca_settings = jsondecode(data.aws_ssm_parameter.subordinate_ca.value) -} - -resource "tls_private_key" "subordinate_ca" { - algorithm = "RSA" - rsa_bits = 2048 -} +module "subordinate_ca" { + source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager" -resource "tls_cert_request" "subordinate_ca" { - private_key_pem = tls_private_key.subordinate_ca.private_key_pem - dns_names = local.ca_cert_san + cluster_name = var.cluster_name + contact_email = var.contact_email - subject { - common_name = local.ca_dns_name - country = "US" - organization = "U.S. Census Bureau" - organizational_unit = format("PKI-EKS %v", var.cluster_name) - } + tags = merge( + local.base_tags, + local.common_tags, + var.account_tags, + var.infrastructure_tags, + var.application_tags, + ) } - -resource "aws_acmpca_certificate" "subordinate_ca" { - certificate_authority_arn = local.subordinate_ca_settings.arn - certificate_signing_request = tls_cert_request.subordinate_ca.cert_request_pem - signing_algorithm = "SHA384WITHRSA" - validity { - type = "DAYS" - value = 365 - } - template_arn = local.subordinate_ca_settings.template_arns["SubordinateCACertificate_PathLen0/V1"] - lifecycle { - create_before_destroy = true - } -} - -locals { - subordinate_ca_tls_key = base64encode(tls_private_key.subordinate_ca.private_key_pem) - subordinate_ca_chain = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain, "/\r/", "") - subordinate_ca_crt = aws_acmpca_certificate.subordinate_ca.certificate - subordinate_ca_tls_crt = base64encode(join("\n", [local.subordinate_ca_crt, local.subordinate_ca_chain])) -} - -## resource "local_sensitive_file" "subordinate_ca_key" { -## filename = "certs/subordinate_ca.key" -## file_permission = "0644" -## directory_permission = "0755" -## content = tls_private_key.subordinate_ca.private_key_pem -## } -## -## 
resource "local_sensitive_file" "subordinate_ca_csr" { -## filename = "certs/subordinate_ca.csr" -## file_permission = "0644" -## directory_permission = "0755" -## content = tls_cert_request.subordinate_ca.cert_request_pem -## } -## -## resource "local_sensitive_file" "subordinate_ca_cert" { -## filename = "certs/subordinate_ca.crt" -## file_permission = "0644" -## directory_permission = "0755" -## content = aws_acmpca_certificate.subordinate_ca.certificate -## } -## -## resource "local_sensitive_file" "subordinate_ca_cert_chain" { -## filename = "certs/subordinate_ca.bundle.crt" -## file_permission = "0644" -## directory_permission = "0755" -## #content = aws_acmpca_certificate.subordinate_ca.certificate_chain -## content = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain,"/\r/","") -## } -## diff --git a/examples/cert-manager-issuer/main.tf.diffs b/examples/cert-manager-issuer/main.tf.diffs index 2099431..967af59 100644 --- a/examples/cert-manager-issuer/main.tf.diffs +++ b/examples/cert-manager-issuer/main.tf.diffs @@ -8,13 +8,13 @@ index 29efe14..9f6efc7 100644 name = "tls.crt" - value = local.tls_crt_b64 +# value = local.tls_crt_b64 -+ value = local.subordinate_ca_tls_crt ++ value = module.subordinate_ca.certificate_tls_crt } set { name = "tls.key" - value = local.tls_key_b64 +# value = local.tls_key_b64 -+ value = local.subordinate_ca_tls_key ++ value = module.subordinate_ca.certificate_tls_key } } @@ -22,3 +22,4 @@ index 29efe14..9f6efc7 100644 # when using vault as a CA is requested resource "helm_release" "vault-certificate-issuer" { count = local.vault_ca == true ? 1 : 0 + diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf new file mode 100644 index 0000000..65d1abd --- /dev/null +++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf 
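Review bot: The new `module "subordinate_ca"` block sets `source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"` with no `?ref=`, so every `terraform init` pulls whatever the default branch currently holds for the module that issues the cluster's subordinate CA and hands back its private key; pin it with a tag or commit, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<release-tag>"`. The identical unpinned source is added in the new file examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf, so the fix applies to both. A one-line comment above the block recording which module version the `certificate_tls_crt`/`certificate_tls_key` outputs were tested against would also help the next upgrade.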
@@ -0,0 +1,14 @@ +module "subordinate_ca" { + source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager" + + cluster_name = var.cluster_name + contact_email = var.contact_email + + tags = merge( + local.base_tags, + local.common_tags, + var.account_tags, + var.infrastructure_tags, + var.application_tags, + ) +} diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cert.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cert.tf.old similarity index 100% rename from examples/full-cluster-tf-upgrade/1.25/common-services/cert.tf rename to examples/full-cluster-tf-upgrade/1.25/common-services/cert.tf.old diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf index 29efe14..f67ee9c 100644 --- a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf +++ b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf 
@@ -184,60 +184,60 @@ resource "time_sleep" "let_cert-manager-webhook_boot" { create_duration = "19s" } -locals { - tls_crt_file = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt" - tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents - tls_crt_b64 = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64 - - tls_key_file = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key" - tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents - tls_key_b64 = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64 - - intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0) - - vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file - vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ? - file(local.vault_ca_bundle_pem_file) - : var.vault_ca_bundle_pem) - vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ? - base64encode(local.vault_ca_bundle_pem) - : var.vault_ca_bundle_pem_b64) - - vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 - - self_signed_ca = !local.intermediate_ca && !local.vault_ca - - defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) -} - +## strip out all code for various certificate options and use only the subordinate_ca module (intermediate-certificate-issuer) +## locals { +## tls_crt_file = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt" +## tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents +## tls_crt_b64 = length(local.tls_crt_contents) > 0 ? 
base64encode(local.tls_crt_contents) : var.tls_crt_b64 +## +## tls_key_file = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key" +## tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents +## tls_key_b64 = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64 +## +## intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0) +## +## vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file +## vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ? +## file(local.vault_ca_bundle_pem_file) +## : var.vault_ca_bundle_pem) +## vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ? +## base64encode(local.vault_ca_bundle_pem) +## : var.vault_ca_bundle_pem_b64) +## +## vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 +## +## self_signed_ca = !local.intermediate_ca && !local.vault_ca +## +## defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) +## } +## # configure the certificate issuer. - -# when self-signed certs requested -resource "helm_release" "self-signed-certificate-issuer" { - count = local.self_signed_ca == true ? 1 : 0 - - chart = "self-signed-certificate-issuer" - name = "certificate-issuer" - namespace = kubernetes_namespace.cert-manager.metadata[0].name - repository = "${path.module}/charts/" - - depends_on = [time_sleep.let_cert-manager-webhook_boot] - - # Required because the chart creates "non-standard" kubernetes resources - # that use the cert-manager CRDs. - disable_openapi_validation = true -} +## # when self-signed certs requested +## resource "helm_release" "self-signed-certificate-issuer" { +## count = local.self_signed_ca == true ? 
1 : 0 +## +## chart = "self-signed-certificate-issuer" +## name = "certificate-issuer" +## namespace = kubernetes_namespace.cert-manager.metadata[0].name +## repository = "${path.module}/charts/" +## +## depends_on = [time_sleep.let_cert-manager-webhook_boot] +## +## # Required because the chart creates "non-standard" kubernetes resources +## # that use the cert-manager CRDs. +## disable_openapi_validation = true +## } # when using an internediate CA is requested resource "helm_release" "intermediate-certificate-issuer" { - count = local.intermediate_ca == true ? 1 : 0 + ## count = local.intermediate_ca == true ? 1 : 0 chart = "intermediate-certificate-issuer" name = "certificate-issuer" namespace = kubernetes_namespace.cert-manager.metadata[0].name repository = "${path.module}/charts/" - depends_on = [time_sleep.let_cert-manager-webhook_boot] + depends_on = [time_sleep.let_cert-manager-webhook_boot, module.subordinate_ca] # Required because the chart creates "non-standard" kubernetes resources # that use the cert-manager CRDs. 
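Review bot: Commenting out `count = local.intermediate_ca == true ? 1 : 0` changes the resource address from `helm_release.intermediate-certificate-issuer[0]` to `helm_release.intermediate-certificate-issuer`, so an existing deployment that applies this would plan a destroy and recreate of the live certificate issuer unless the state is moved first; a `moved { from = helm_release.intermediate-certificate-issuer[0]  to = helm_release.intermediate-certificate-issuer }` block (or an equivalent `terraform state mv`) should accompany the change. The `## `-prefixed copies of the old locals and of the self-signed issuer are dead text that duplicates what main.tf.old now preserves, so deleting them would keep main.tf readable. The `intermediate-certificate-issuer` resource opened here continues into the next hunk.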
@@ -245,78 +245,79 @@ resource "helm_release" "intermediate-certificate-issuer" { set { name = "tls.crt" - value = local.tls_crt_b64 + value = module.subordinate_ca.certificate_tls_crt } set { name = "tls.key" - value = local.tls_key_b64 + value = module.subordinate_ca.certificate_tls_key } } -# when using vault as a CA is requested -resource "helm_release" "vault-certificate-issuer" { - count = local.vault_ca == true ? 1 : 0 - - chart = "vault-certificate-issuer" - name = "certificate-issuer" - namespace = kubernetes_namespace.cert-manager.metadata[0].name - repository = "${path.module}/charts/" - - depends_on = [time_sleep.let_cert-manager-webhook_boot] - - # Required because the chart creates "non-standard" kubernetes resources - # that use the cert-manager CRDs. - disable_openapi_validation = true - - set { - name = "vault.url" - value = var.vault_url - } - set { - name = "vault.path" - value = var.vault_path - } - set { - name = "vault.ca_bundle" - value = local.vault_ca_bundle_pem_b64 - } - set { - name = "vault.authentication_type" - value = var.vault_authentication - } - - set { - name = "approle.secret_id" - value = var.vault_approle_secret_id - } - set { - name = "approle.role_id" - value = var.vault_approle_secret_id - } - set { - name = "approle.role_path" - value = var.vault_approle_role_path - } - - set { - name = "token.token" - value = var.vault_token - } - set { - name = "serviceAccount.serviceAccount" - value = var.vault_serviceaccount_sa - } - - set { - name = "serviceAccount.role" - value = var.vault_serviceaccount_role - } - set { - name = "serviceAccount.mountPath" - value = var.vault_serviceaccount_mountpath - } -} +## # when using vault as a CA is requested +## resource "helm_release" "vault-certificate-issuer" { +## count = local.vault_ca == true ? 
1 : 0 +## +## chart = "vault-certificate-issuer" +## name = "certificate-issuer" +## namespace = kubernetes_namespace.cert-manager.metadata[0].name +## repository = "${path.module}/charts/" +## +## depends_on = [time_sleep.let_cert-manager-webhook_boot] +## +## # Required because the chart creates "non-standard" kubernetes resources +## # that use the cert-manager CRDs. +## disable_openapi_validation = true +## +## set { +## name = "vault.url" +## value = var.vault_url +## } +## set { +## name = "vault.path" +## value = var.vault_path +## } +## set { +## name = "vault.ca_bundle" +## value = local.vault_ca_bundle_pem_b64 +## } +## set { +## name = "vault.authentication_type" +## value = var.vault_authentication +## } +## +## set { +## name = "approle.secret_id" +## value = var.vault_approle_secret_id +## } +## set { +## name = "approle.role_id" +## value = var.vault_approle_secret_id +## } +## set { +## name = "approle.role_path" +## value = var.vault_approle_role_path +## } +## +## set { +## name = "token.token" +## value = var.vault_token +## } +## +## set { +## name = "serviceAccount.serviceAccount" +## value = var.vault_serviceaccount_sa +## } +## +## set { +## name = "serviceAccount.role" +## value = var.vault_serviceaccount_role +## } +## set { +## name = "serviceAccount.mountPath" +## value = var.vault_serviceaccount_mountpath +## } +## } # installs the istio-operator that will listen for profile configurations to # install / configure modify the istio components. 
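Review bot: `value = module.subordinate_ca.certificate_tls_key` is now passed through a plain `set` block, so the base64-encoded subordinate CA private key is printed in every `terraform plan` diff and in CI logs that capture it; the helm provider's `set_sensitive` block exists for exactly this, i.e. change the opening line to `set_sensitive {` for the `tls.key` entry and leave `tls.crt` as `set`. The key still lands in Terraform state regardless, which is worth a short comment on the block so operators know the state backend must be treated as holding CA key material. The commented-out vault issuer below is the same dead-text concern as the previous hunk.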
@@ -401,16 +402,16 @@ resource "helm_release" "istio-peer-authentication" { depends_on = [time_sleep.let_istio-operator_install_istio] } -resource "null_resource" "certificate-issuers" { - triggers = { - self_signed_ca = join(",", helm_release.self-signed-certificate-issuer[*].id) - intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id) - vault_ca = join(",", helm_release.vault-certificate-issuer[*].id) - } - provisioner "local-exec" { - command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi" - } -} +## resource "null_resource" "certificate-issuers" { +## triggers = { +## self_signed_ca = join(",", helm_release.self-signed-certificate-issuer[*].id) +## intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id) +## vault_ca = join(",", helm_release.vault-certificate-issuer[*].id) +## } +## provisioner "local-exec" { +## command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi" +## } +## } ## ## name = "cert-manager" diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf.old b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf.old new file mode 100644 index 0000000..29efe14 --- /dev/null +++ b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf.old 
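Review bot: Commenting out `resource "null_resource" "certificate-issuers"` leaves a dangling reference: the pre-image of this file (blob 29efe14, preserved verbatim as main.tf.old) has `depends_on = [helm_release.istio-operator, null_resource.certificate-issuers]` on `helm_release.istio-profile`, and none of the three hunks in this diff touch that block, so unless it was changed elsewhere `terraform validate` should now fail with a reference to an undeclared resource. Since the intermediate issuer is now the only and unconditional issuer, the intent is preserved by `depends_on = [helm_release.istio-operator, helm_release.intermediate-certificate-issuer]`. The removed guard was also the only check that a CA was configured at all; with `count` gone that role is implicitly taken by the module call, which a comment near the issuer should say.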
@@ -0,0 +1,469 @@ +resource "kubernetes_namespace" "cert-manager" { + metadata { + name = "cert-manager" + } +} + +resource "kubernetes_namespace" "istio-system" { + metadata { + name = "istio-system" + } +} + +# Install Metrics-Server +resource "helm_release" "metrics-server" { + chart = "metrics-server" + name = "metrics-server" + namespace = "kube-system" + repository = local.charts["metrics-server"].use_remote ? local.charts["metrics-server"].repository : "${path.module}/charts" + version = local.charts["metrics-server"].use_remote ? local.charts["metrics-server"].version : null + + # depends_on = [null_resource.copy_images] + depends_on = [module.images] + set { + name = "extraArgs[0]" + value = "--kubelet-preferred-address-types=InternalIP" + } + set { + name = "apiService.create" + value = "true" + } + set { + name = "extraArgs[1]" + value = "--cert-dir=/tmp" + } + set { + name = "extraArgs[2]" + value = "--kubelet-use-node-status-port" + } + set { + name = "extraArgs[3]" + value = "--metric-resolution=15s" + } + # set { + # name = "extraArgs[4]" + # value = "--kubelet-insecure-tls=true" + # } + set { + name = "image.registry" + # value = local.account_ecr_registry + value = local.image_output["metrics-server"].dest_registry + } + set { + name = "image.repository" + # value = format("%v/%v", local.repo_parent_name, local.images["metric-server"].name) + # value = local.image_map["metrics-server"].repository + value = local.image_output["metrics-server"].dest_repository + } + + set { + name = "image.tag" + # value = var.metrics_server_tag + value = local.image_output["metrics-server"].tag + } + + timeout = 300 +} + +##-- +## move to cluster-autoscaler.tf +##-- +## resource "helm_release" "cluster-autoscaler" { +## chart = "cluster-autoscaler" +## name = "cluster-autoscaler" +## namespace = "kube-system" +## # repository = "${path.module}/charts/" +## repository = local.charts["cluster-autoscaler"].use_remote ? 
local.charts["cluster-autoscaler"].repository : "${path.module}/charts" +## version = local.charts["cluster-autoscaler"].use_remote ? local.charts["cluster-autoscaler"].version : null +## # depends_on = [null_resource.copy_images] +## +## depends_on = [module.images] +## set { +## name = "image.repository" +## # value = local.image_repos["cluster-autoscaler"] +## value = split(":", local.image_output["cluster-autoscaler"].dest_full_path)[0] +## } +## set { +## name = "image.tag" +## # value = var.cluster_autoscaler_tag +## value = local.image_output["cluster-autoscaler"].tag +## } +## set { +## name = "autoDiscovery.clusterName" +## value = var.cluster_name +## } +## set { +## name = "awsRegion" +## value = local.region +## } +## set { +## name = "rbac.serviceAccount.create" +## value = "false" +## } +## } + +# Install cert-manager +# https://cert-manager.io/docs/installation/helm/ +# https://artifacthub.io/packages/helm/cert-manager/cert-manager +resource "helm_release" "cert-manager" { + chart = "cert-manager" + name = "cert-manager" + namespace = kubernetes_namespace.cert-manager.metadata[0].name + repository = local.charts["cert-manager"].use_remote ? local.charts["cert-manager"].repository : "${path.module}/charts" + version = local.charts["cert-manager"].use_remote ? 
local.charts["cert-manager"].version : null + + # depends_on = [null_resource.copy_images] + depends_on = [module.images] + + set { + name = "installCRDs" + value = "true" + } + set { + name = "extraArgs" + value = "{--enable-certificate-owner-ref=true}" + } + + set { + name = "image.repository" + # value = local.image_repos["cert-manager-controller"] + value = split(":", local.image_output["cert-manager-controller"].dest_full_path)[0] + } + set { + name = "image.tag" + # value = var.cert_manager_controller_tag + value = local.image_output["cert-manager-controller"].tag + } + + set { + name = "cainjector.image.repository" + # value = local.image_repos["cert-manager-cainjector"] + value = split(":", local.image_output["cert-manager-cainjector"].dest_full_path)[0] + } + set { + name = "cainjector.image.tag" + # value = var.cert_manager_cainjector_tag + value = local.image_output["cert-manager-cainjector"].tag + } + + set { + name = "webhook.image.repository" + # value = local.image_repos["cert-manager-webhook"] + value = split(":", local.image_output["cert-manager-webhook"].dest_full_path)[0] + } + set { + name = "webhook.image.tag" + # value = var.cert_manager_webhook_tag + value = local.image_output["cert-manager-webhook"].tag + } + # set { + # name = "startupapicheck.enabled" + # value = "false" + # } + set { + name = "startupapicheck.image.repository" + value = split(":", local.image_output["cert-manager-ctl"].dest_full_path)[0] + } + set { + name = "startupapicheck.image.tag" + value = local.image_output["cert-manager-ctl"].tag + } + + # timeout = 180 + timeout = 600 +} + +# cert-manager reports ready before the cert-manager-webhook pod +# has completely started and is ready to process requests. This sleep +# is set for a completely arbitrary time to allow cert-manager-webhook +# to finish starting. On slow systems, this may not be long enough, +# but on t3.xlarge, it works fine. 
+resource "time_sleep" "let_cert-manager-webhook_boot" { + depends_on = [helm_release.cert-manager] + + create_duration = "19s" +} + +locals { + tls_crt_file = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt" + tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents + tls_crt_b64 = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64 + + tls_key_file = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key" + tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents + tls_key_b64 = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64 + + intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0) + + vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file + vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ? + file(local.vault_ca_bundle_pem_file) + : var.vault_ca_bundle_pem) + vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ? + base64encode(local.vault_ca_bundle_pem) + : var.vault_ca_bundle_pem_b64) + + vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 + + self_signed_ca = !local.intermediate_ca && !local.vault_ca + + defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) +} + +# configure the certificate issuer. + +# when self-signed certs requested +resource "helm_release" "self-signed-certificate-issuer" { + count = local.self_signed_ca == true ? 
1 : 0 + + chart = "self-signed-certificate-issuer" + name = "certificate-issuer" + namespace = kubernetes_namespace.cert-manager.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [time_sleep.let_cert-manager-webhook_boot] + + # Required because the chart creates "non-standard" kubernetes resources + # that use the cert-manager CRDs. + disable_openapi_validation = true +} + +# when using an internediate CA is requested +resource "helm_release" "intermediate-certificate-issuer" { + count = local.intermediate_ca == true ? 1 : 0 + + chart = "intermediate-certificate-issuer" + name = "certificate-issuer" + namespace = kubernetes_namespace.cert-manager.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [time_sleep.let_cert-manager-webhook_boot] + + # Required because the chart creates "non-standard" kubernetes resources + # that use the cert-manager CRDs. + disable_openapi_validation = true + + set { + name = "tls.crt" + value = local.tls_crt_b64 + } + set { + name = "tls.key" + value = local.tls_key_b64 + } +} + +# when using vault as a CA is requested +resource "helm_release" "vault-certificate-issuer" { + count = local.vault_ca == true ? 1 : 0 + + chart = "vault-certificate-issuer" + name = "certificate-issuer" + namespace = kubernetes_namespace.cert-manager.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [time_sleep.let_cert-manager-webhook_boot] + + # Required because the chart creates "non-standard" kubernetes resources + # that use the cert-manager CRDs. 
+ disable_openapi_validation = true + + set { + name = "vault.url" + value = var.vault_url + } + set { + name = "vault.path" + value = var.vault_path + } + set { + name = "vault.ca_bundle" + value = local.vault_ca_bundle_pem_b64 + } + set { + name = "vault.authentication_type" + value = var.vault_authentication + } + + set { + name = "approle.secret_id" + value = var.vault_approle_secret_id + } + set { + name = "approle.role_id" + value = var.vault_approle_secret_id + } + set { + name = "approle.role_path" + value = var.vault_approle_role_path + } + + set { + name = "token.token" + value = var.vault_token + } + + set { + name = "serviceAccount.serviceAccount" + value = var.vault_serviceaccount_sa + } + + set { + name = "serviceAccount.role" + value = var.vault_serviceaccount_role + } + set { + name = "serviceAccount.mountPath" + value = var.vault_serviceaccount_mountpath + } +} + +# installs the istio-operator that will listen for profile configurations to +# install / configure modify the istio components. +resource "helm_release" "istio-operator" { + chart = "istio-operator" + name = "istio-operator" + namespace = kubernetes_namespace.istio-system.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [helm_release.cert-manager] + + set { + name = "hub" + # value = format("%v/%v", local.account_ecr, "istio") + value = format("%v/eks/%v/%v", local.image_output["istio/operator"].dest_registry, var.cluster_name, "istio") + } + set { + name = "tag" + # value = var.istio_tag + value = local.image_output["istio/operator"].tag + } + set { + name = "operatorNamespace" + value = "operators" + } + set { + name = "watchedNamespaces" + value = kubernetes_namespace.istio-system.metadata[0].name + } + + timeout = 180 +} + +# Need to access the IP address of the apiserver for the next step. 
+data "kubernetes_service" "apiserver" { + metadata { + name = "kubernetes" + } +} + +# sets up service mesh +resource "helm_release" "istio-profile" { + chart = "istio-profile" + name = "istio-profile" + namespace = kubernetes_namespace.istio-system.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [helm_release.istio-operator, null_resource.certificate-issuers] + + set { + name = "hub" + # value = format("%v/%v", local.account_ecr, "istio") + value = format("%v/eks/%v/%v", local.image_output["istio/operator"].dest_registry, var.cluster_name, "istio") + } + set { + name = "tag" + value = var.istio_tag + } + # Passes in the API server so it can be excluded from requiring mTLS from + # pods that are protected by istio. It already implements SSL. + set { + name = "apiserver" + value = "${data.kubernetes_service.apiserver.spec[0].cluster_ip}/32" + } +} + +# Creating the istio profile is very quick. Time is needed to allow +# istio-operator to install the CRDs and deploy istio. 
+resource "time_sleep" "let_istio-operator_install_istio" { + depends_on = [helm_release.istio-profile] + + create_duration = "19s" +} + +# Require all pods in the service mesh to use mTLS +resource "helm_release" "istio-peer-authentication" { + chart = "istio-peerauthentication" + name = "istio-peerauthentication" + namespace = kubernetes_namespace.istio-system.metadata[0].name + repository = "${path.module}/charts/" + + depends_on = [time_sleep.let_istio-operator_install_istio] +} + +resource "null_resource" "certificate-issuers" { + triggers = { + self_signed_ca = join(",", helm_release.self-signed-certificate-issuer[*].id) + intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id) + vault_ca = join(",", helm_release.vault-certificate-issuer[*].id) + } + provisioner "local-exec" { + command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi" + } +} + +## +## name = "cert-manager" +## name = "metrics-server" +## name = "cert-manager-controller" +## name = "cert-manager-cainjector" +## name = "cert-manager-webhook" +## name = "cluster-autoscaler" +## name = "metrics-server" +## name = "istio/operator" +## name = "istio/pilot" +## name = "istio/proxyv2" +## +## +## local.image_output[name]. 
+## +## ## "fluent/fluentd-kubernetes-daemonset#v1.13.3-debian-elasticsearch7-1.2" = { +## ## "dest_full_path" = "817869416306.dkr.ecr.us-gov-east-1.amazonaws.com/eks/test-cluster-name/fluent/fluentd-kubernetes-daemonset:v1.13.3-debian-elasticsearch7-1.2" +## ## "dest_registry" = "817869416306.dkr.ecr.us-gov-east-1.amazonaws.com" +## ## "dest_repository" = "eks/test-cluster-name/fluent/fluentd-kubernetes-daemonset" +## ## "enabled" = true +## ## "key" = "fluent/fluentd-kubernetes-daemonset#v1.13.3-debian-elasticsearch7-1.2" +## ## "name" = "fluent/fluentd-kubernetes-daemonset" +## ## "source_full_path" = "docker.io/fluent/fluentd-kubernetes-daemonset:v1.13.3-debian-elasticsearch7-1.2" +## ## "source_image" = "fluent/fluentd-kubernetes-daemonset" +## ## "source_registry" = "docker.io" +## ## "tag" = "v1.13.3-debian-elasticsearch7-1.2" +## ## } +## +## +## +## > local.image_map +## { +## "cert-manager-cainjector" = { +## "enabled" = true +## "full_path" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/cert-manager-cainjector" +## "image" = "quay.io/jetstack/cert-manager-cainjector" +## "name" = "cert-manager-cainjector" +## "registry" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com" +## "repository" = "eks/ditd-gppsys-ite/cert-manager-cainjector" +## "tag" = "v1.4.3" +## } +## +## +## > local.image_repos +## { +## "cert-manager-cainjector" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/cert-manager-cainjector" +## "cert-manager-controller" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/cert-manager-controller" +## "cert-manager-webhook" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/cert-manager-webhook" +## "cluster-autoscaler" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/cluster-autoscaler" +## "istio/operator" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/istio/operator" +## "istio/pilot" = 
"247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/istio/pilot" +## "istio/proxyv2" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/istio/proxyv2" +## "metrics-server" = "247901282001.dkr.ecr.us-gov-west-1.amazonaws.com/eks/ditd-gppsys-ite/metrics-server" +## } +## diff --git a/examples/full-cluster-tf-upgrade/1.25/settings.auto.tfvars.example b/examples/full-cluster-tf-upgrade/1.25/settings.auto.tfvars.example index c0171f3..dd74cad 100644 --- a/examples/full-cluster-tf-upgrade/1.25/settings.auto.tfvars.example +++ b/examples/full-cluster-tf-upgrade/1.25/settings.auto.tfvars.example @@ -4,6 +4,7 @@ cluster_name = "{org}-{project}-{env}" cluster_version = "1.25" +contact_email = "{group-email-address}" region = "us-gov-east-1" domain = "NAME" ## set to correct domain if using a shared vpc eks_instance_disk_size = 40 diff --git a/examples/full-cluster-tf-upgrade/1.25/variables.eks.tf b/examples/full-cluster-tf-upgrade/1.25/variables.eks.tf index de7e2bf..b75706c 100644 --- a/examples/full-cluster-tf-upgrade/1.25/variables.eks.tf +++ b/examples/full-cluster-tf-upgrade/1.25/variables.eks.tf @@ -67,3 +67,8 @@ variable "domain" { type = string default = null } + +variable "contact_email" { + description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address." + type = string +}
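Review bot: The new `variable "contact_email"` documents a hard constraint in its description ("Email address in @census.gov") but enforces nothing, so a typo or an external address flows straight into the certificate contact recorded by the module and is only discovered after issuance. A `validation` block makes the description true at plan time and gives a clear error instead. With no `default`, the variable is now required, which matches the new `contact_email` line in settings.auto.tfvars.example but is a breaking change for existing tfvars files and belongs in the CHANGELOG entry.
```hcl
variable "contact_email" {
  description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
  type        = string

  validation {
    condition     = can(regex("^[^@\\s]+@census\\.gov$", var.contact_email))
    error_message = "contact_email must be a single address in the census.gov domain."
  }
}
```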