added cert-manager release modules #2137
Conversation
wcarlsen
left a comment
wcarlsen
left a comment
There was a problem hiding this comment.
Very good, but there are few things that needs adjustments.
Also I think cert-manager would need an AWS IAM role at some point and that is not present in the current setup. Consider adding one using this module https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts
Really important for DNSChallenge |
I think it will be relevant only when deploying (cluster)issuer(s). so not really needed for the deployment of the cert-manager itself |
Of course with cert-manager you can do self signed certs, but the strength will come from giving it AWS access to Route53. I also think this is the main driver for putting it in, so it makes little sense that it is not there. |
|
cert-manager can run without issuer for now. I can ofcorse deploy the clusterissuer in namespace cert-manager if that what you are talking but I wanted to postpone it until I know how to handle certificate requests in namespaces/or on loadbalancer level |
This is a decent argument. But I guess you could also just test this in your sandbox cluster now right. |
samidbb
added
release:major
| # -------------------------------------------------- | ||
| # Cert-Manager | ||
| # -------------------------------------------------- | ||
| variable "cert_manager_acme_email" { |
There was a problem hiding this comment.
DFDS email supports plus domains, eg. itbuildsourcedevex+${var.cluster_name}@dfds.com, so in my mind this is not a direct requirement.
There was a problem hiding this comment.
to use alias then it would be ${var.cluster_name}+itbuildsourcedevex@dfds.com but I have a slight concern with having hardcoded mail and dns information in modules
compute/k8s-services/main.tf
Outdated
|
|
||
| module "cert_manager_role" { | ||
| source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" | ||
| version = "6.2.3" |
There was a problem hiding this comment.
The newest is "6.3.0" released 8th of January. This is a minor improvement and can be omitted.
| name = "${var.eks_cluster_name}-cert-manager" | ||
| policy_name = "${var.eks_cluster_name}-cert-manager" | ||
| attach_cert_manager_policy = true | ||
| cert_manager_hosted_zone_arns = [ |
There was a problem hiding this comment.
could this just be data.aws_route53_zone.core.arn and not data.aws_route53_zone.core[0].arn, since the previous is already a list?
There was a problem hiding this comment.
it throws an error because there is a count on the data resource
| description = "The domain name to be used by cert-manager" | ||
| } | ||
|
|
||
| variable "acme_email" { |
There was a problem hiding this comment.
If plus domains is used, it can derived from cluster_name, so I think we can remove this variable.
| helm_repo_path = local.helm_repo_path | ||
| prune = var.prune | ||
| domain_name = var.domain_name | ||
| email = var.acme_email |
There was a problem hiding this comment.
pass cluster_name in stead.
| external_dns_traefik_alb_auth_core_alias = ["test3.qa.dfds.cloud"] | ||
| external_dns_traefik_alb_anon_core_alias = ["test4.qa.dfds.cloud"] | ||
|
|
||
| cert_manager_acme_email = "itbuildsourcedevex@dfds.com" |
There was a problem hiding this comment.
This can be removed if we derive it from cluster_name.
wcarlsen
left a comment
wcarlsen
left a comment
There was a problem hiding this comment.
In my mind this is definitely not a major release, since an email can be almost hardcoded and use cluster_name in plus domain, to distinguish between cluster. This means that we pass cluster_name in postBuildSubstitution and define it in platform-apps.
Once we have gone over the comments we need to see if cert-manager should support a single domain or maybe a list of domains, because I think the current implementation only supports one domain. Please correct me if I'm wrong.
This pull request introduces a new Terraform module for managing cert-manager manifests and IAM roles through GitOps, integrating cert-manager into the Kubernetes services deployment pipeline. The changes automate the creation of necessary Kubernetes and Flux CD resources, as well as the required IAM role for DNS01 challenges, and expose new configuration variables for cert-manager.
The most important changes are:
Cert-Manager Module Introduction and Integration
_sub/security/cert-managerto generate cert-manager manifests and manage their deployment via Flux CD, including resources for ClusterRoleBinding and Kustomization. [1] [2] [3]compute/k8s-services/main.tf), including its configuration and dependencies, and created an IAM role for cert-manager with Route53 permissions.Configuration and Variables
_sub/security/cert-manager/vars.tf) and the main services variables file (compute/k8s-services/vars.tf). [1] [2]Supporting Infrastructure and Defaults
_sub/security/cert-manager/versions.tf).compute/k8s-services/dependencies.tf).Repository and Branch Management
_sub/security/cert-manager/dependencies.tf).Issue ticket number and link
Checklist before requesting a review
test/integrationfolder to apply my changes in QA. Read the guide on adding environment variables in QAIs it a new release?
release:(major|minor|patch), following semantic versioning in this guide ornoreleaseif there is no changes to the Terraform code