updates for new certificate method

examples/full-cluster-tf-upgrade/1.28/README.md

@@ -78,6 +78,7 @@ cluster_name           = "org-project-env"
 cluster_version        = "1.28"
 region                 = "us-gov-east-1"
 domain                 = "org-project-env.env.domain.census.gov"
+contact_email          = "org-project-env-group-mailing-list@census.gov"
 eks_instance_disk_size = 40
 eks_vpc_name           = "vpc_full_name"
 eks_instance_type      = "t3.xlarge"
@@ -92,7 +93,8 @@ You need to change these values:
 * cluster_name: put in the proper org, project, and environment.  Cluster names should not be replicated across the environment.
 These are tracked in the repo [cloud-information/aws/documentation/containers/](https://github.e.it.census.gov/terraform/cloud-information/blob/master/documentation/dns.md).
 * region: include the correct region. This really is a duplicate of the `region` variable, so it may be removed in the future.
-* domain: this is the domain name of the clsuter, consisting of the cluster name and the proper domain name for the environment/VPC.
+* domain: this is the domain name of the cluster, consisting of the cluster name and the proper domain name for the environment/VPC.
+* contact_email: put in an email addres of a group responsible for this cluster.
 * eks_instance_disk_size: this should be default to 40Gb for most use-cases; only change this if you have special requirement and have exception approval.
 * eks_vpc_name: replace *vpc_full_name* with the appropriate vpc full name. This is used to find the vpc ID.
 * subnets_name: replace *subnet_label* with the label of the subnets allocated to providing ENIs for the cluster node group and containers; often as `container` or `task`

examples/full-cluster-tf-upgrade/1.28/common-services/main.tf

@@ -184,139 +184,140 @@ resource "time_sleep" "let_cert-manager-webhook_boot" {
   create_duration = "19s"
 }
 
-locals {
-  tls_crt_file     = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt"
-  tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents
-  tls_crt_b64      = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64
-
-  tls_key_file     = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key"
-  tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents
-  tls_key_b64      = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64
-
-  intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0)
-
-  vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file
-  vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ?
-    file(local.vault_ca_bundle_pem_file)
-  : var.vault_ca_bundle_pem)
-  vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ?
-    base64encode(local.vault_ca_bundle_pem)
-  : var.vault_ca_bundle_pem_b64)
-
-  vault_ca = !local.intermediate_ca && length(var.vault_url) > 0
-
-  self_signed_ca = !local.intermediate_ca && !local.vault_ca
-
-  defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0)
-}
-
+## strip out all code for various certificate options and use only the subordinate_ca module (intermediate-certificate-issuer)
+## locals {
+##   tls_crt_file     = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt"
+##   tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents
+##   tls_crt_b64      = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64
+## 
+##   tls_key_file     = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key"
+##   tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents
+##   tls_key_b64      = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64
+## 
+##   intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0)
+## 
+##   vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file
+##   vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ?
+##     file(local.vault_ca_bundle_pem_file)
+##   : var.vault_ca_bundle_pem)
+##   vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ?
+##     base64encode(local.vault_ca_bundle_pem)
+##   : var.vault_ca_bundle_pem_b64)
+## 
+##   vault_ca = !local.intermediate_ca && length(var.vault_url) > 0
+## 
+##   self_signed_ca = !local.intermediate_ca && !local.vault_ca
+## 
+##   defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0)
+## }
+## 
 # configure the certificate issuer. 
-
-# when self-signed certs requested
-resource "helm_release" "self-signed-certificate-issuer" {
-  count = local.self_signed_ca == true ? 1 : 0
-
-  chart      = "self-signed-certificate-issuer"
-  name       = "certificate-issuer"
-  namespace  = kubernetes_namespace.cert-manager.metadata[0].name
-  repository = "${path.module}/charts/"
-
-  depends_on = [time_sleep.let_cert-manager-webhook_boot]
-
-  # Required because the chart creates "non-standard" kubernetes resources
-  # that use the cert-manager CRDs.
-  disable_openapi_validation = true
-}
+## # when self-signed certs requested
+## resource "helm_release" "self-signed-certificate-issuer" {
+##   count = local.self_signed_ca == true ? 1 : 0
+## 
+##   chart      = "self-signed-certificate-issuer"
+##   name       = "certificate-issuer"
+##   namespace  = kubernetes_namespace.cert-manager.metadata[0].name
+##   repository = "${path.module}/charts/"
+## 
+##   depends_on = [time_sleep.let_cert-manager-webhook_boot]
+## 
+##   # Required because the chart creates "non-standard" kubernetes resources
+##   # that use the cert-manager CRDs.
+##   disable_openapi_validation = true
+## }
 
 # when using an internediate CA is requested
 resource "helm_release" "intermediate-certificate-issuer" {
-  count = local.intermediate_ca == true ? 1 : 0
+  ##  count = local.intermediate_ca == true ? 1 : 0
 
   chart      = "intermediate-certificate-issuer"
   name       = "certificate-issuer"
   namespace  = kubernetes_namespace.cert-manager.metadata[0].name
   repository = "${path.module}/charts/"
 
-  depends_on = [time_sleep.let_cert-manager-webhook_boot]
+  depends_on = [time_sleep.let_cert-manager-webhook_boot, module.subordinate_ca]
 
   # Required because the chart creates "non-standard" kubernetes resources
   # that use the cert-manager CRDs.
   disable_openapi_validation = true
 
   set {
     name  = "tls.crt"
-    value = local.tls_crt_b64
+    value = module.subordinate_ca.certificate_tls_crt
   }
   set {
     name  = "tls.key"
-    value = local.tls_key_b64
+    value = module.subordinate_ca.certificate_tls_key
   }
 }
 
-# when using vault as a CA is requested
-resource "helm_release" "vault-certificate-issuer" {
-  count = local.vault_ca == true ? 1 : 0
-
-  chart      = "vault-certificate-issuer"
-  name       = "certificate-issuer"
-  namespace  = kubernetes_namespace.cert-manager.metadata[0].name
-  repository = "${path.module}/charts/"
-
-  depends_on = [time_sleep.let_cert-manager-webhook_boot]
-
-  # Required because the chart creates "non-standard" kubernetes resources
-  # that use the cert-manager CRDs.
-  disable_openapi_validation = true
-
-  set {
-    name  = "vault.url"
-    value = var.vault_url
-  }
-  set {
-    name  = "vault.path"
-    value = var.vault_path
-  }
-  set {
-    name  = "vault.ca_bundle"
-    value = local.vault_ca_bundle_pem_b64
-  }
-  set {
-    name  = "vault.authentication_type"
-    value = var.vault_authentication
-  }
-
-  set {
-    name  = "approle.secret_id"
-    value = var.vault_approle_secret_id
-  }
-  set {
-    name  = "approle.role_id"
-    value = var.vault_approle_secret_id
-  }
-  set {
-    name  = "approle.role_path"
-    value = var.vault_approle_role_path
-  }
-
-  set {
-    name  = "token.token"
-    value = var.vault_token
-  }
 
-  set {
-    name  = "serviceAccount.serviceAccount"
-    value = var.vault_serviceaccount_sa
-  }
-
-  set {
-    name  = "serviceAccount.role"
-    value = var.vault_serviceaccount_role
-  }
-  set {
-    name  = "serviceAccount.mountPath"
-    value = var.vault_serviceaccount_mountpath
-  }
-}
+## # when using vault as a CA is requested
+## resource "helm_release" "vault-certificate-issuer" {
+##   count = local.vault_ca == true ? 1 : 0
+## 
+##   chart      = "vault-certificate-issuer"
+##   name       = "certificate-issuer"
+##   namespace  = kubernetes_namespace.cert-manager.metadata[0].name
+##   repository = "${path.module}/charts/"
+## 
+##   depends_on = [time_sleep.let_cert-manager-webhook_boot]
+## 
+##   # Required because the chart creates "non-standard" kubernetes resources
+##   # that use the cert-manager CRDs.
+##   disable_openapi_validation = true
+## 
+##   set {
+##     name  = "vault.url"
+##     value = var.vault_url
+##   }
+##   set {
+##     name  = "vault.path"
+##     value = var.vault_path
+##   }
+##   set {
+##     name  = "vault.ca_bundle"
+##     value = local.vault_ca_bundle_pem_b64
+##   }
+##   set {
+##     name  = "vault.authentication_type"
+##     value = var.vault_authentication
+##   }
+## 
+##   set {
+##     name  = "approle.secret_id"
+##     value = var.vault_approle_secret_id
+##   }
+##   set {
+##     name  = "approle.role_id"
+##     value = var.vault_approle_secret_id
+##   }
+##   set {
+##     name  = "approle.role_path"
+##     value = var.vault_approle_role_path
+##   }
+## 
+##   set {
+##     name  = "token.token"
+##     value = var.vault_token
+##   }
+## 
+##   set {
+##     name  = "serviceAccount.serviceAccount"
+##     value = var.vault_serviceaccount_sa
+##   }
+## 
+##   set {
+##     name  = "serviceAccount.role"
+##     value = var.vault_serviceaccount_role
+##   }
+##   set {
+##     name  = "serviceAccount.mountPath"
+##     value = var.vault_serviceaccount_mountpath
+##   }
+## }
 
 # installs the istio-operator that will listen for profile configurations to
 # install / configure modify the istio components.
@@ -401,16 +402,16 @@ resource "helm_release" "istio-peer-authentication" {
   depends_on = [time_sleep.let_istio-operator_install_istio]
 }
 
-resource "null_resource" "certificate-issuers" {
-  triggers = {
-    self_signed_ca  = join(",", helm_release.self-signed-certificate-issuer[*].id)
-    intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id)
-    vault_ca        = join(",", helm_release.vault-certificate-issuer[*].id)
-  }
-  provisioner "local-exec" {
-    command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi"
-  }
-}
+## resource "null_resource" "certificate-issuers" {
+##   triggers = {
+##     self_signed_ca  = join(",", helm_release.self-signed-certificate-issuer[*].id)
+##     intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id)
+##     vault_ca        = join(",", helm_release.vault-certificate-issuer[*].id)
+##   }
+##   provisioner "local-exec" {
+##     command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi"
+##   }
+## }
 
 ## 
 ##     name       = "cert-manager"

examples/full-cluster-tf-upgrade/1.28/settings.auto.tfvars.example

@@ -5,6 +5,7 @@
 cluster_name           = "{org}-{project}-{env}"
 cluster_version        = "1.28"
 region                 = "us-gov-east-1"
+contact_email          = "{group-email-address}"
 domain		       = "NAME"  ## set to correct domain if using a shared vpc
 eks_instance_disk_size = 40
 eks_vpc_name           = "{vpc_full_name}"

examples/full-cluster-tf-upgrade/1.28/variables.eks.tf

@@ -67,3 +67,8 @@ variable "domain" {
   type        = string
   default     = null
 }
+
+variable "contact_email" {
+  description = "Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address."
+  type        = string
+}