Ingress Nginx for Kubernetes

Module deploys Ingress Nginx and Cert Manager into a Kubernetes cluster via Helm. Creates Let's Encrypt ClusterIssuers for ACME servers:

staging - to test Let's Encrypt cert generation via Staging server of LE
production - uses production Let's Encrypt CA server (with limited rate of certificate generation requests)
selfsigned - optional deployment of selfsigned cluster issuer

$550

Dependencies included: $250

tf-k8s-cert-manager	$200
tf-k8s-crd	$50

BUY

913

License

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_k8s_ingress_nginx" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 4.0.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 4.0 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "4.0.0"

v4.0.0 released 1 year, 6 months ago

New version approx. every 6 weeks

Upgrade Notes

Changelog

All notable changes to this project are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

v5.4.0 - 2025-04-10

Added

option to configure Ingress Class name by means of ingress_nginx.ingress_class_name variable
validation for the ingress_nginx.version variable (compatible chart version is 4.12.0 and newer)

Changed

Ingress Nginx Helm chart version (from 4.6.1 to 4.12.1) to align with latest fixes of Ingress Nginx vulnerabilities

Fixed

Ingress Class name definition and its reference for the ingress_class output

v5.3.2 - 2025-03-28

Fixed

incorrect naming of Ingress Controller Service in the data source making the module return an incorrect external IP address in the output

v5.3.1 - 2025-03-11

Removed

validation for the k8s_flavor variable

v5.3.0 - 2025-02-05

Added

output with ingressClass name (ingress_class)

v5.2.0 - 2024-12-12

Changed

ingress_nginx_ip output to ingress_ip
ingress_nginx_hostname output to ingress_hostname

Deprecated

ingress_nginx_ip in favour of ingress_ip and will be deleted in v6.0
ingress_nginx_hostname in favour of ingress_hostname and will be deleted in v6.0

v5.1.0 - 2024-12-10

Added

helm_timeout parameter for ingress_nginx variable to configure deployment timeout of its Helm release

v5.0.0 - 2024-11-25

BREAKING CHANGE: now cert-manager setup is managed by the child module and Ingress Nginx deployment is mandatory

Added

acme_email variable for cert-manager configuration

Changed

management of cert-manager resources from in-module resources to the child module
optional Ingress Nginx deployment to mandatory

Removed

var.ingress_nginx.enabled parameter

v4.1.0 - 2024-09-04

Added

togglable real IP detection

v4.0.1 - 2024-07-10

Changed

updated version of tf-k8s-crd module dependency to ~> 2.0
Ingress Nginx Helm chart (from 4.0.18 to 4.6.1) version

v4.0.0 - 2023-10-19

BREAKING CHANGE: now all custom_values are declared as lists of objects which aren't compatible with previous version

NOTE: After module upgrade to v4.0 all custom_values definitions must be updated, see Upgrade Notes section

Added

possibility to declare a type of the custom values for Ingress Nginx and cert-manager

Changed

definitions of custom values for Ingress Nginx and cert-manager releases rollout from maps to list of objects

v3.1.1 - 2023-07-27

Changed

strict order of creation of resources to avoid race conditions

v3.1 - 2023-06-27

Added

an option to set ingress annotation of the load balancer health checks for AKS cluster by means of k8s_flavor variable

v3.0.0 - 2023-01-13

BREAKING CHANGE: now all kubernetes provider resources use versioned resources which aren't compatible with previous version

NOTE: After module upgrade to v3.0 all kubernetes provider resources and other resources that depend on them will be recreated, or they can be reimported to TF state manually, see Upgrade Notes section

Added

tf-k8s-crd module dependency

Changed

use versioned Kubernetes provider resources instead of standard ones in order to satisfy requirements of future updates of providers
updated main inputs that describe Ingress Nginx and cert-manager parameters
definitions of ClusterIssuer custom resources use CRD TF module
declare default values of ingress_nginx variable
code formatting

Removed

gavinbunney/kubectl provider dependency
obsolete template of kubernetes manifest for cert-manager cluster issuer

v2.1.0 - 2022-12-23

Added

an option to manage replicas' number for Ingress Nginx

Changed

Ingress Nginx controller deploys with 2 replicas by default

v2.0.0 - 2022-10-12

BREAKING CHANGE: now module inputs and resources management have fundamentally new concept which isn't compatible with previous version

Added

moved blocks to ensure reverse compatibility

Changed

bump terraform version to 1.3
combined all ingress_* and certmanager_* separate variables into two ingress and cert-manager object variables that contain all related elements
combined three kubernetes_manifest calls for each cluser issuer into one
improve cluster issuer template. Made it unified for any of cluster issuer types

Fixed

letsencrypt production template call in letsencrypt staging terraform resource

v1.5.0 - 2022-09-28

Added

optional deployment of selfsigned cluster issuer (disabled by default)

v1.4.0 - 2022-09-23

Added

use configurable Ingress Class definition for cert-manager deployment instead of predefined hardcoded value

v1.3.0 - 2022-09-12

Added

make Ingress Nginx deployment optional

v1.2.2 - 2022-08-17

Fixed

bumped Terraform version in the code

v1.2.1 - 2022-08-02

Fixed

formatted Nginx metrics annotations and set accurate type

v1.2.0 - 2022-08-01

Added

namespaces are handled by means of kubernetes provider resources
helm release can be deployed into a custom namespace

Changed

pinned minor provider versions
Helm release deployments are atomic now
templatefile function is used instead of template data sources
standardized documentation and changelog

Removed

dependency on template provider

v1.1 - 2022-07-28

Added

ingress Nginx LB hostname output

v1.0.2 - 2022-07-07

Fixed

expose Nginx metrics with proper annotations

v1.0.1 - 2022-05-18

Added

extra notes about purpose of two Let's Encrypt ClusterIssuers usage

v1.0 - 2022-04-18

Added

deploy ingress nginx
deploy cert-manager
create let's encrypt cluster issuers

From `v2.x` to `v3.x`

Now all kubernetes provider resources use versioned resources. According to kubernetes provider's suggestions the simplest, non-destructive way to do this is to remove the old resource from state and import the resource as a version one. If Kubernetes namespaces were managed by the module, they must be re-imported, like so:

 bashterraform state rm module.ingress.kubernetes_namespace.ingress_namespace[0] module.ingress.kubernetes_namespace.certmanager_namespace[0]
terraform import module.ingress.kubernetes_namespace_v1.ingress_namespace[0] ingress-nginx
terraform import module.ingress.kubernetes_namespace_v1.certmanager_namespace[0] cert-manager
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["letsencrypt"]' 'module.ingress.module.cluster_issuer["letsencrypt"].kubectl_manifest.crd'
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["letsencrypt-staging"]' 'module.ingress.module.cluster_issuer["letsencrypt-staging"].kubectl_manifest.crd'
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["selfsigned"]' 'module.ingress.module.cluster_issuer["selfsigned"].kubectl_manifest.crd'

From `v3.x` to `v4.x`

Now all custom_values are declared as lists of objects. In case if there were already declared custom_values in the module inputs, then they must be updated:

 hcl    # Old definition                        |     # New definition 
    custom_values = {                       |     custom_values = [
      "controller.containerPort" = 8080     |       {
    }                                       |         name  = "controller.containerPort"
                                            |         value = 8080
                                            |       },
                                            |     ]

If there weren't any custom_values declared (neither for Ingress Nginx nor cert-manager), no actions are needed.

From `v4.x` to `v5.x`

Now cert-manager setup is managed by the child module. Cert-manager resource addresses will be moved automatically with moved blocks. Ingress Nginx deployment is mandatory now. Manual removal of the input variable var.ingress_nginx.enabled is mandatory. Variable var.cert_manager.acme_email must be changed to the var.acme_email.

Deploy only Cert Manager (in case of another Ingress usage) and selfsigned cluster issuer:

 hclmodule "cert_manager" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 4.0"

  cert_manager = {
    acme_email      = "[email protected]"
    ingress_classes = ["contour"]
  }

  ingress_nginx = {
    enabled          = false
    create_namespace = false
  }
}

NOTE: Values of annotations and labels must always be passed as strings regardless of their actual type.

Deploy Ingress Nginx with Cert Manager:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 4.0"

  cert_manager = {
    acme_email = "[email protected]"
  }

  # Example of complex value name syntax. 
  ingress_nginx = {
    custom_values = [
      {
        name  = "controller.metrics.serviceMonitor.additionalLabels\\.app\\.kubernetes\\.io/name"
        value = "ingress"
      },
    ]
  }
}

Deploy Ingress Nginx and Cert Manager with letsencrypt and selfsigned cluster issuers for nginx and contour ingresses:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 4.0"

  cert_manager = {
    acme_email      = "[email protected]"
    ingress_classes = ["nginx", "contour"]
    issuer_names    = ["letsencrypt", "selfsigned"]
  }
}

Variable	Description	Type	Default	Required	Sensitive
`cert_manager`	Cert Manager parameters	`object`		yes	no
`k8s_flavor`	Name of managed Kubernetes to enable cloud-specific adjustments	`string`		yes	no
`cert_manager.acme_email`	E-mail that Let's Encrypt cluster issuer will use to request certificates	`string`		yes	no
`cert_manager.create_namespace`	Indicates creation of dedicated namespace for Cert Manager deployment	`bool`	`true`	no	no
`cert_manager.custom_values`	A list of custom values for Cert Manager Helm Chart	`list(object)`	`[]`	no	no
`cert_manager.custom_values[*].name`	Full name of the custom value to be set	`string`		yes	no
`cert_manager.custom_values[*].type`	Type of the value to be set (valid options are `auto` and `string`)	`string`	`auto`	no	no
`cert_manager.custom_values[*].value`	Value of the custom value to be set	`any`		yes	no
`cert_manager.enable_metrics`	Enable Prometheus metrics of Cert Manager	`bool`	`true`	no	no
`cert_manager.ingress_classes`	A list of Ingress Classes definition for Cert Manager deployment	`list(string)`	`['nginx']`	no	no
`cert_manager.issuer_names`	A list of issuers to be created. The list of possible values are: `letsencrypt`, `letsencrypt-staging`, `selfsigned`	`list(string)`	`['letsencrypt', 'letsencrypt-staging']`	no	no
`cert_manager.name`	Name to override Cert Manager release name	`string`	`cert-manager`	no	no
`cert_manager.namespace`	Namespace to install Cert Manager into	`string`	`cert-manager`	no	no
`cert_manager.version`	Version of Cert Manager Helm chart	`string`	`1.7.1`	no	no
`ingress_nginx`	Ingress Nginx parameters	`object`		no	no
`ingress_nginx.create_namespace`	Indicates creation of dedicated namespace for Ingress Nginx deployment	`bool`	`true`	no	no
`ingress_nginx.custom_values`	A list of custom values for Ingress Nginx Helm Chart	`list(object)`		no	no
`ingress_nginx.custom_values[*].name`	Full name of the custom value to be set	`string`		yes	no
`ingress_nginx.custom_values[*].type`	Type of the value to be set (valid options are `auto` and `string`)	`string`	`auto`	no	no
`ingress_nginx.custom_values[*].value`	Value of the custom value to be set	`any`		yes	no
`ingress_nginx.enable_metrics`	Enable Prometheus metrics of Ingress Nginx	`bool`	`true`	no	no
`ingress_nginx.enabled`	Enable/disable Ingress Nginx deployment	`bool`	`true`	no	no
`ingress_nginx.name`	Name to override Ingress Nginx release name	`string`	`ingress-nginx`	no	no
`ingress_nginx.namespace`	Namespace to install Ingress Nginx into	`string`	`ingress-nginx`	no	no
`ingress_nginx.replicas`	Number of Ingress Nginx controller replicas	`number`	`2`	no	no
`ingress_nginx.version`	Version of Ingress Nginx Helm chart	`string`	`4.0.18`	no	no

Output	Description	Type	Sensitive
`ingress_nginx_hostname`	Hostname of Ingress Nginx	`computed`	no
`ingress_nginx_ip`	External IP of Ingress Nginx	`computed`	no

Dependency	Version	Kind
`terraform`	`>= 1.3`	CLI
`hashicorp/helm`	`~> 2.5`	provider
`hashicorp/kubernetes`	`~> 2.9`	provider
`tf-k8s-crd`	`~> 1.0`	module

References

AWS Kubernetes Cluster management

1 week, 2 days ago 95

Azure Kubernetes Cluster management

1 month, 1 week ago 57

DigitalOcean Kubernetes Cluster management

1 month ago 669

GCP Kubernetes Cluster management

1 week, 3 days ago 325

Docker-based Bitbucket Runner for Kubernetes

1 year, 4 months ago 2

Cert Manager setup in a Kubernetes cluster

1 week, 3 days ago 847

Ingress Nginx for Kubernetes

v5.4.0 - 2025-04-10

Added

Changed

Fixed

v5.3.2 - 2025-03-28

Fixed

v5.3.1 - 2025-03-11

Removed

v5.3.0 - 2025-02-05

Added

v5.2.0 - 2024-12-12

Changed

Deprecated

v5.1.0 - 2024-12-10

Added

v5.0.0 - 2024-11-25

Added

Changed

Removed

v4.1.0 - 2024-09-04

Added

v4.0.1 - 2024-07-10

Changed

v4.0.0 - 2023-10-19

Added

Changed

v3.1.1 - 2023-07-27

Changed

v3.1 - 2023-06-27

Added

v3.0.0 - 2023-01-13

Added

Changed

Removed

v2.1.0 - 2022-12-23

Added

Changed

v2.0.0 - 2022-10-12

Added

Changed

Fixed

v1.5.0 - 2022-09-28

Added

v1.4.0 - 2022-09-23

Added

v1.3.0 - 2022-09-12

Added

v1.2.2 - 2022-08-17

Fixed

v1.2.1 - 2022-08-02

Fixed

v1.2.0 - 2022-08-01

Added

Changed

Removed

v1.1 - 2022-07-28

Added

v1.0.2 - 2022-07-07

Fixed

v1.0.1 - 2022-05-18

Added

v1.0 - 2022-04-18

Added

From v2.x to v3.x

From v3.x to v4.x

From v4.x to v5.x

References

Not sure where to start?Let's find your perfect match.

From `v2.x` to `v3.x`

From `v3.x` to `v4.x`

From `v4.x` to `v5.x`

Not sure where to start?
Let's find your perfect match.