modularization of the cert-manager

Signed-off-by: junior <junior@users.noreply.github.com>

Author: junior

module-cluster-tools.tf

@@ -6,9 +6,9 @@ module "cluster-tools" {
   source = "./modules/cluster-tools"
 
   # Oracle Cloud Infrastructure Tenancy and Compartment OCID
-  tenancy_ocid     = var.tenancy_ocid
-  compartment_ocid = var.compartment_ocid
-  region           = var.region
+  tenancy_ocid = var.tenancy_ocid
+  # compartment_ocid = var.compartment_ocid
+  region = var.region
 
   # Deployment Tags + Freeform Tags
   freeform_deployment_tags = local.freeform_deployment_tags

modules/cluster-tools/cert-manager.tf

@@ -8,85 +8,14 @@ variable "cert_manager_enabled" {
   description = "Enable x509 Certificate Management"
 }
 
-# Cert Manager Helm chart
-## https://github.com/jetstack/cert-manager/blob/master/README.md
-## https://artifacthub.io/packages/helm/cert-manager/cert-manager
-resource "helm_release" "cert_manager" {
-  name       = "cert-manager"
-  repository = local.helm_repository.jetstack
-  chart      = "cert-manager"
-  version    = local.helm_repository.jetstack_version
-  namespace  = kubernetes_namespace.cluster_tools.id
-  wait       = true # wait to allow the webhook be properly configured
-
-  set {
-    name  = "installCRDs"
-    value = true
-  }
-
-  set {
-    name  = "webhook.timeoutSeconds"
-    value = "30"
-  }
-
-  count = var.cert_manager_enabled ? 1 : 0
-}
-
-resource "kubernetes_manifest" "clusterissuer_letsencrypt_prod" {
-  manifest = {
-    "apiVersion" = "cert-manager.io/v1"
-    "kind"       = "ClusterIssuer"
-    "metadata" = {
-      "name" = "letsencrypt-prod"
-    }
-    "spec" = {
-      "acme" = {
-        "email" = "${var.ingress_email_issuer}"
-        "privateKeySecretRef" = {
-          "name" = "letsencrypt-prod"
-        }
-        "server" = "https://acme-v02.api.letsencrypt.org/directory"
-        "solvers" = [
-          {
-            "http01" = {
-              "ingress" = {
-                "class" = "nginx"
-              }
-            }
-          },
-        ]
-      }
-    }
-  }
-
-  count = var.cert_manager_enabled ? 1 : 0
-}
-resource "kubernetes_manifest" "clusterissuer_letsencrypt_staging" {
-  manifest = {
-    "apiVersion" = "cert-manager.io/v1"
-    "kind"       = "ClusterIssuer"
-    "metadata" = {
-      "name" = "letsencrypt-staging"
-    }
-    "spec" = {
-      "acme" = {
-        "email" = "${var.ingress_email_issuer}"
-        "privateKeySecretRef" = {
-          "name" = "letsencrypt-staging"
-        }
-        "server" = "https://acme-staging-v02.api.letsencrypt.org/directory"
-        "solvers" = [
-          {
-            "http01" = {
-              "ingress" = {
-                "class" = "nginx"
-              }
-            }
-          },
-        ]
-      }
-    }
-  }
+module "cert-manager" {
+  source = "./modules/cert-manager"
+
+  # Helm Release variables
+  chart_namespace      = kubernetes_namespace.cluster_tools.id
+  chart_repository     = local.helm_repository.jetstack
+  chart_version        = local.helm_repository.jetstack_version
+  ingress_email_issuer = var.ingress_email_issuer
 
   count = var.cert_manager_enabled ? 1 : 0
 }

modules/cluster-tools/modules/cert-manager/issuers/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

modules/cluster-tools/modules/cert-manager/issuers/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: issuers
+description: cert-manager ClusterIssuer and Issuer resources, simplified for use with terraform helm provider
+
+type: application
+version: 0.1.0
+appVersion: "1"

modules/cluster-tools/modules/cert-manager/issuers/templates/NOTES.txt

@@ -0,0 +1,3 @@
+#
+
+Stuff

modules/cluster-tools/modules/cert-manager/issuers/templates/_helpers.tpl

@@ -0,0 +1,3 @@
+{{/*
+Return the name of an Issuer or ClusterIssuer
+*/}}

modules/cluster-tools/modules/cert-manager/issuers/templates/clusterissuers.yaml

@@ -0,0 +1,46 @@
+{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME production api URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.issuer.email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME staging api URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.issuer.email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
+{{ else -}}
+{{ fail "cert-manager.io/v1 CRD not available" -}}
+{{- end -}}

modules/cluster-tools/modules/cert-manager/issuers/values.yaml

@@ -0,0 +1,4 @@
+issuer:
+
+  # Used for ACME registration (if TLS is set)
+  email: "no-reply@ateam-oracle.com"

modules/cluster-tools/modules/cert-manager/main.tf

@@ -0,0 +1,102 @@
+# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+# 
+
+# Cert Manager Helm chart
+## https://github.com/jetstack/cert-manager/blob/master/README.md
+## https://artifacthub.io/packages/helm/cert-manager/cert-manager
+resource "helm_release" "cert_manager" {
+  name       = "cert-manager"
+  repository = var.chart_repository
+  chart      = "cert-manager"
+  version    = var.chart_version
+  namespace  = var.chart_namespace
+  wait       = true # wait to allow the webhook be properly configured
+
+  set {
+    name  = "installCRDs"
+    value = true
+  }
+
+  set {
+    name  = "webhook.timeoutSeconds"
+    value = "30"
+  }
+
+}
+
+resource "helm_release" "cluster_issuers" {
+  name      = "cert-manager-cluster-issuers"
+  chart     = "${path.module}/issuers"
+  namespace = var.chart_namespace
+
+  set {
+    name  = "issuer.email"
+    value = var.ingress_email_issuer
+  }
+
+  depends_on = [helm_release.cert_manager]
+}
+
+# resource "kubernetes_manifest" "clusterissuer_letsencrypt_prod" {
+#   manifest = {
+#     "apiVersion" = "cert-manager.io/v1"
+#     "kind"       = "ClusterIssuer"
+#     "metadata" = {
+#       "name" = "letsencrypt-prod"
+#     }
+#     "spec" = {
+#       "acme" = {
+#         "email" = "${var.ingress_email_issuer}"
+#         "privateKeySecretRef" = {
+#           "name" = "letsencrypt-prod"
+#         }
+#         "server" = "https://acme-v02.api.letsencrypt.org/directory"
+#         "solvers" = [
+#           {
+#             "http01" = {
+#               "ingress" = {
+#                 "class" = "nginx"
+#               }
+#             }
+#           },
+#         ]
+#       }
+#     }
+#   }
+
+#   depends_on = [helm_release.cert_manager]
+
+#   count = var.cert_manager_enabled ? 1 : 0
+# }
+# resource "kubernetes_manifest" "clusterissuer_letsencrypt_staging" {
+#   manifest = {
+#     "apiVersion" = "cert-manager.io/v1"
+#     "kind"       = "ClusterIssuer"
+#     "metadata" = {
+#       "name" = "letsencrypt-staging"
+#     }
+#     "spec" = {
+#       "acme" = {
+#         "email" = "${var.ingress_email_issuer}"
+#         "privateKeySecretRef" = {
+#           "name" = "letsencrypt-staging"
+#         }
+#         "server" = "https://acme-staging-v02.api.letsencrypt.org/directory"
+#         "solvers" = [
+#           {
+#             "http01" = {
+#               "ingress" = {
+#                 "class" = "nginx"
+#               }
+#             }
+#           },
+#         ]
+#       }
+#     }
+#   }
+
+#   depends_on = [helm_release.cert_manager]
+
+#   count = var.cert_manager_enabled ? 1 : 0
+# }

modules/cluster-tools/modules/cert-manager/providers.tf

@@ -0,0 +1,24 @@
+# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+# 
+
+terraform {
+  required_version = ">= 1.1"
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2"
+      # https://registry.terraform.io/providers/hashicorp/helm/
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4"
+      # https://registry.terraform.io/providers/hashicorp/tls/
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2"
+      # https://registry.terraform.io/providers/hashicorp/local/
+    }
+  }
+}