
Deploys Cert Manager into a Kubernetes cluster via Helm. Creates Let's Encrypt ClusterIssuers with HTTP-01 challenge for ACME servers:

- `staging` - to test Let's Encrypt cert generation via staging server of LE
- `production` - uses production Let's Encrypt CA server (with limited rate of certificate generation requests)
- `selfsigned` - to deploy self-signed cluster issuer

Additional ClusterIssuers with DNS-01 challenges can be configured via the corresponding variable that contains the name of the cloud DNS service (see examples).
Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```

Initialize mandatory providers. Copy and paste into your Terraform configuration and insert the variables:

```hcl
module "tf_k8s_cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1.0"

  # specify module inputs here or try one of the examples below
  ...
}
```

Initialize the setup:

```shell
terraform init
```
Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades. To get new features during the upgrades (without breaking compatibility), use `~> 1.1` and run `terraform init -upgrade`. For the safest setup, use strict pinning with `version = "1.1.0"`.
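The three pinning styles above accept different sets of module releases, and the difference is easy to get wrong when reading a constraint by eye. The following is an added example (not code from Corewide or from this module) that implements Terraform's version-constraint semantics in Python: `~> 1.1.0` accepts `>= 1.1.0, < 1.2.0`, `~> 1.1` accepts `>= 1.1.0, < 2.0.0`, and a bare `1.1.0` is an exact pin. It generalizes to the other operators Terraform supports (`>=`, `<=`, `>`, `<`, `=`, `!=`, comma-separated) so the same checker can be run against the module's dependency table. The release list and installed versions are constructed for illustration.

```python
import re
from typing import Callable, Tuple

Version = Tuple[int, int, int]

# Constraints copied from this module's dependency table.
MODULE_DEPENDENCIES = {
    "terraform": ">= 1.3",
    "hashicorp/helm": "~> 2.5",
    "hashicorp/kubernetes": "~> 2.9",
    "tf-k8s-crd": "~> 2.0",
}


def parse_version(text: str) -> Version:
    """Turn "1.1" or "1.10.0" into a 3-tuple, padding missing parts with 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def pessimistic_upper_bound(written: str) -> Version:
    """Exclusive upper bound for "~> X": the right-most written component may
    grow, the one to its left may not ("~> 1.1.0" -> 1.2.0, "~> 1.1" -> 2.0.0)."""
    parts = [int(p) for p in written.strip().split(".")]
    if len(parts) == 1:  # "~> 1" behaves like ">= 1.0.0, < 2.0.0"
        return (parts[0] + 1, 0, 0)
    idx = len(parts) - 2  # component that gets bumped
    bumped = parts[:idx] + [parts[idx] + 1] + [0] * (3 - idx - 1)
    return (bumped[0], bumped[1], bumped[2])


def constraint(expr: str) -> Callable[[str], bool]:
    """Compile a Terraform version constraint ("~> 1.1.0", ">= 1.3, < 2") into
    a predicate over version strings. All comma-separated clauses must hold."""
    clauses = []
    for raw in expr.split(","):
        m = re.fullmatch(r"\s*(~>|>=|<=|!=|>|<|=)?\s*([0-9]+(?:\.[0-9]+){0,2})\s*", raw)
        if not m:
            raise ValueError(f"bad constraint clause: {raw!r}")
        clauses.append((m.group(1) or "=", m.group(2)))

    def allows(candidate: str) -> bool:
        c = parse_version(candidate)
        for op, written in clauses:
            v = parse_version(written)
            if op == "~>":
                ok = v <= c < pessimistic_upper_bound(written)
            elif op == "=":
                ok = c == v
            elif op == "!=":
                ok = c != v
            elif op == ">=":
                ok = c >= v
            elif op == "<=":
                ok = c <= v
            elif op == ">":
                ok = c > v
            else:  # "<"
                ok = c < v
            if not ok:
                return False
        return True

    return allows


def allowed_range(expr: str, candidates) -> list:
    """Filter a list of published versions down to those the constraint accepts."""
    allows = constraint(expr)
    return [v for v in candidates if allows(v)]


def check_dependencies(installed: dict) -> dict:
    """Map each dependency from the module's table to whether the installed
    version satisfies its constraint; a missing entry counts as unsatisfied."""
    return {
        name: (name in installed and constraint(expr)(installed[name]))
        for name, expr in MODULE_DEPENDENCIES.items()
    }


if __name__ == "__main__":
    # Constructed release list: shows what each pinning style would pull in.
    published = ["1.0.0", "1.1.0", "1.1.1", "1.2.0", "2.0.0"]
    for expr in ("1.1.0", "~> 1.1.0", "~> 1.1"):
        print(f"{expr:>10} -> {allowed_range(expr, published)}")
```

Reading the output against a module's changelog is the quick way to confirm that a constraint cannot pull in a major bump: `~> 1.1` still stops at `2.0.0`, which is where SemVer allows breaking changes.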
All notable changes to this project are documented here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `dns_solver_config` variable for DNS-01 ACME challenge configuration for ClusterIssuer resources
- `service_account_annotations` variable for adding annotations to controller's ServiceAccount
- `service_account_labels` variable for adding labels to controller's ServiceAccount
- `pod_labels` variable for adding labels to controller's Pod
- `default_issuer_name` variable to overwrite default Cert Manager ClusterIssuer name
- Cert Manager Helm chart version (default of `chart_version`) bumped from 1.7.1 to 1.17.1
- `k8s_flavor` variable
- First stable version
Setup with custom parameters for Helm Chart version, values and release name:

```hcl
module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  name            = "cert-manager-example"
  acme_email      = "[email protected]"
  chart_version   = "1.10.0"
  enable_metrics  = false
  ingress_classes = ["nginx"]
  issuer_names    = ["letsencrypt-staging"]

  custom_values = [
    {
      name  = "image.pullPolicy"
      value = "Always"
    },
    {
      name  = "global.commonLabels.project"
      value = "example"
    },
  ]
}
```
AWS Route53 integration for DNS-01 challenge with Nginx Ingress Class:

```hcl
module "aws_cert_manager" {
  source  = "solutions.corewide.com/aws/tf-k8s-cert-manager-dns-aws/aws"
  version = "~> 1.0"

  region            = "us-east-1"
  hosted_zone_id    = "FOO"
  oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/BAR"
  oidc_provider_url = "oidc.eks.us-east-1.amazonaws.com/id/BAR"
}

module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email                  = "[email protected]"
  ingress_classes             = ["nginx"]
  dns_solver_config           = module.aws_cert_manager.issuer_spec
  service_account_annotations = module.aws_cert_manager.service_account_annotation
}
```
Google Cloud DNS integration for DNS-01 challenge with Nginx Ingress Class:

```hcl
module "gcp_cert_manager" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-cert-manager-dns-gcp/google"
  version = "~> 1.0"
}

module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email                  = "[email protected]"
  ingress_classes             = ["nginx"]
  service_account_annotations = module.gcp_cert_manager.service_account_annotation
  dns_solver_config           = module.gcp_cert_manager.issuer_spec
}
```
Azure DNS integration for DNS-01 challenge with Nginx Ingress Class:

```hcl
module "azure_cert_manager" {
  source  = "solutions.corewide.com/azure/tf-k8s-cert-manager-dns-azure/azurerm"
  version = "~> 1.0"

  resource_group_name = azurerm_resource_group.main.name
  region              = azurerm_resource_group.main.location
  hosted_zone_name    = "example.com"
  oidc_provider_url   = "https://westus2.bar.azure.com/foo/bar/"
}

module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email             = "[email protected]"
  ingress_classes        = ["nginx"]
  dns_solver_config      = module.azure_cert_manager.issuer_spec
  service_account_labels = module.azure_cert_manager.service_account_label
  pod_labels             = module.azure_cert_manager.pod_label
}
```
Minimal setup with default parameters:

```hcl
module "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-cert-manager/helm"
  version = "~> 1.1"

  acme_email      = "[email protected]"
  ingress_classes = ["nginx"]
}
```
| Variable | Description | Type | Default | Required | Sensitive |
|---|---|---|---|---|---|
| `acme_email` | E-mail for Let's Encrypt cluster issuer to request certificates | `string` | | yes | no |
| `default_issuer_name` | Cert Manager default ClusterIssuer name to use for ingress resources | `string` | | yes | no |
| `ingress_classes` | A list of Ingress Classes definition for Cert Manager deployment | `list(string)` | | yes | no |
| `k8s_flavor` | Name of managed Kubernetes to enable cloud-specific adjustments. Applicable value is: `eks` | `string` | | yes | no |
| `chart_version` | Version of Cert Manager Helm chart | `string` | `1.17.1` | no | no |
| `create_namespace` | Enable dedicated namespace creation for Cert Manager deployment | `bool` | `true` | no | no |
| `custom_values` | A list of custom values for Cert Manager Helm Chart | `list(object)` | `[]` | no | no |
| `custom_values[*].name` | Full name of the custom value to be set | `string` | | yes | no |
| `custom_values[*].type` | Type of the value to be set (valid options are `auto` and `string`) | `string` | `auto` | no | no |
| `custom_values[*].value` | Value of the custom value to be set | `any` | | yes | no |
| `dns_solver_config` | DNS-01 ACME challenge provider configuration parameters. Supported challenge providers are: `route53`, `cloudDNS`, `azureDNS` | `any` | `{}` | no | no |
| `enable_metrics` | Enable Prometheus metrics of Cert Manager | `bool` | `true` | no | no |
| `issuer_names` | A list of issuers to be created. Possible values are: `letsencrypt`, `letsencrypt-staging`, `selfsigned` | `list(string)` | | no | no |
| `name` | Name to override Cert Manager release name | `string` | `cert-manager` | no | no |
| `namespace` | Namespace to install Cert Manager into | `string` | `cert-manager` | no | no |
| `pod_labels` | Labels to add to the Cert Manager controller's Pod | `map(string)` | `{}` | no | no |
| `service_account_annotations` | Annotations to add to the Cert Manager controller's ServiceAccount | `map(string)` | `{}` | no | no |
| `service_account_labels` | Labels to add to the Cert Manager controller's ServiceAccount | `map(string)` | `{}` | no | no |
| Dependency | Version | Kind |
|---|---|---|
| terraform | >= 1.3 | CLI |
| hashicorp/helm | ~> 2.5 | provider |
| hashicorp/kubernetes | ~> 2.9 | provider |
| tf-k8s-crd | ~> 2.0 | module |