Cloudflare issuer (#16)

* fix: Updating helm structure * fix: Updating release process * fix: Adding decommission note for defaultClusterIssuer release
lablabs · Jul 23, 2024 · b940d6e · b940d6e
1 parent 46eca8d
commit b940d6e
Show file tree

Hide file tree

Showing 14 changed files with 327 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,6 @@
+> [!CAUTION]
+> DEPRECATION NOTICE - `defaultClusterIssuer` helm chart will be discontinued on 1. November 2024. This deprecation will have impact on all existing installations prior to 2.0.0 release where `cluster_issuer_enabled = true`. In order to proceed using this module you have to upgrade to 2.X version.
+
 # AWS EKS Cert Manager Terraform module
 
 [<img src="https://lablabs.io/static/ll-logo.png" width=350px>](https://lablabs.io/)
@@ -185,6 +188,8 @@ No modules.
 | <a name="input_irsa_role_create"></a> [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no |
 | <a name="input_irsa_role_name_prefix"></a> [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for cert-manager | `string` | `"cert-manager-irsa"` | no |
 | <a name="input_irsa_tags"></a> [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no |
+| <a name="input_manifest_target_path"></a> [manifest\_target\_path](#input\_manifest\_target\_path) | Manifest target path in projects repository | `string` | `"helm/clusterIssuer"` | no |
+| <a name="input_manifest_target_revision"></a> [manifest\_target\_revision](#input\_manifest\_target\_revision) | Manifest target revision to deploy from | `string` | `"1.3.0"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The K8s namespace in which the cert manager will be installed | `string` | `"kube-system"` | no |
 | <a name="input_policy_allowed_zone_ids"></a> [policy\_allowed\_zone\_ids](#input\_policy\_allowed\_zone\_ids) | List of the Route53 zone ids for service account IAM role access | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_rbac_create"></a> [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no |

diff --git a/default-cluster-issuer.tf b/default-cluster-issuer.tf
@@ -5,8 +5,8 @@ locals {
       "project" : var.argo_project
       "source" : {
         "repoURL" : "https://github.com/lablabs/terraform-aws-eks-cert-manager.git"
-        "path" : "helm/defaultClusterIssuer"
-        "targetRevision" : "main"
+        "path" : var.manifest_target_path
+        "targetRevision" : var.manifest_target_revision
         "helm" : {
           "releaseName" : "${var.helm_release_name}-default-cluster-issuer"
           "parameters" : [for k, v in var.cluster_issuer_settings : tomap({ "forceString" : true, "name" : k, "value" : v })]

diff --git a/helm/clusterIssuer/.helmignore b/helm/clusterIssuer/.helmignore
@@ -0,0 +1 @@
+tests/
diff --git a/helm/clusterIssuer/Chart.yaml b/helm/clusterIssuer/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: clusterIssuer
+description: Default Cert Manager Cluster Issuer
+type: application
+version: 0.1.0
+keywords:
+  - cluster-issuer
+  - cert-manager
+  - acme
+sources:
+  - https://github.com/lablabs/terraform-aws-eks-aws-cert-manager/blob/master/helm/clusterIssuer/values.yaml
+maintainers:
+  - name: dojci
+    email: [email protected]
diff --git a/helm/clusterIssuer/templates/_helpers.tpl b/helm/clusterIssuer/templates/_helpers.tpl
@@ -0,0 +1,42 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "clusterIssuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "clusterIssuer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "clusterIssuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "clusterIssuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "clusterIssuer.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/clusterIssuer/templates/clusterIssuer-cloudflare.yaml b/helm/clusterIssuer/templates/clusterIssuer-cloudflare.yaml
@@ -0,0 +1,32 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.cloudflare }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .clusterIssuerName }}
+  labels:
+    app: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: "clusterIssuer"
+    helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+spec:
+  acme:
+    {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+    solvers:
+      - dns01:
+          cloudflare:
+            {{- with .clusterIssuerValues.apiTokenSecretRef }}
+            apiTokenSecretRef:
+              {{- toYaml . | nindent 14 }}
+            {{- end -}}
+        {{- with .clusterIssuerValues.dnsZones }}
+        selector:
+          dnsZones:
+            {{- toYaml . | nindent 12 }}
+        {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/clusterIssuer/templates/clusterIssuer-http.yaml b/helm/clusterIssuer/templates/clusterIssuer-http.yaml
@@ -0,0 +1,89 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.http }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .clusterIssuerName }}
+  labels:
+    app: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: "clusterIssuer"
+    helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+spec:
+  acme:
+    {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+    solvers:
+      - http01:
+          ingress:
+            {{- with .clusterIssuerValues.ingressClassName }}
+            ingressClassName: {{ . | quote }}
+            {{- end }}
+            {{- with .clusterIssuerValues.class }}
+            class: {{ . | quote }}
+            {{- end }}
+            {{- with .clusterIssuerValues.ingressName }}
+            name: {{ . | quote }}
+            {{- end }}
+            {{- with .clusterIssuerValues.serviceType }}
+            serviceType: {{ . | quote }}
+            {{- end }}
+            podTemplate:
+              metadata:
+                labels:
+                  app: {{ include "clusterIssuer.name" . }}
+                  app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+                  app.kubernetes.io/instance: {{ .Release.Name }}
+                  app.kubernetes.io/managed-by: {{ .Release.Service }}
+                  app.kubernetes.io/component: "clusterIssuer"
+                  helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+                  {{- with $.commonLabels }}
+                  {{- toYaml . | nindent 18 }}
+                  {{- end }}
+                  {{- with .clusterIssuerValues.podLabels }}
+                  {{- toYaml . | nindent 18 }}
+                  {{- end }}
+                {{- with .clusterIssuerValues.podAnnotations }}
+                annotations:
+                  {{- toYaml . | nindent 18 }}
+                {{- end }}
+              {{- with .clusterIssuerValues.podSpec }}
+              spec:
+                {{- with .nodeSelector }}
+                nodeSelector:
+                  {{- toYaml . | nindent 18 }}
+                {{- end }}
+                {{- with .affinity }}
+                affinity:
+                  {{- toYaml . | nindent 18 }}
+                {{- end }}
+                {{- with .tolerations }}
+                tolerations:
+                  {{- toYaml . | nindent 18 }}
+                {{- end }}
+              {{- end }}
+
+            ingressTemplate:
+              metadata:
+                labels:
+                  app: {{ include "clusterIssuer.name" . }}
+                  app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+                  app.kubernetes.io/instance: {{ .Release.Name }}
+                  app.kubernetes.io/managed-by: {{ .Release.Service }}
+                  app.kubernetes.io/component: "clusterIssuer"
+                  helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+                  {{- with $.commonLabels }}
+                  {{- toYaml . | nindent 18 }}
+                  {{- end }}
+                  {{- with .clusterIssuerValues.ingressLabels }}
+                  {{- toYaml . | nindent 18 }}
+                  {{- end }}
+                {{- with .clusterIssuerValues.ingressAnnotations }}
+                annotations:
+                  {{- toYaml . | nindent 18 }}
+                {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/clusterIssuer/templates/clusterIssuer-route53.yaml b/helm/clusterIssuer/templates/clusterIssuer-route53.yaml
@@ -0,0 +1,37 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.route53 }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .clusterIssuerName }}
+  labels:
+    app: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: "clusterIssuer"
+    helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+spec:
+  acme:
+    {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+    solvers:
+      - dns01:
+          route53:
+            {{- if .clusterIssuerValues.region }}
+            region: {{ .clusterIssuerValues.region }}
+            {{- end }}
+            {{- if .clusterIssuerValues.hostedZoneID }}
+            hostedZoneID: {{ .clusterIssuerValues.hostedZoneID }}
+            {{- end }}
+            {{- if .clusterIssuerValues.roleArn }}
+            role: {{ .clusterIssuerValues.roleArn }}
+            {{- end }}
+        {{- with .clusterIssuerValues.dnsZones }}
+        selector:
+          dnsZones:
+            {{- toYaml . | nindent 12 }}
+        {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/clusterIssuer/values.yaml b/helm/clusterIssuer/values.yaml
@@ -0,0 +1,48 @@
+nameOverride: ""
+fullnameOverride: ""
+
+commonLabels: {}
+
+route53:
+  default:
+    acme:
+      server: https://acme-v02.api.letsencrypt.org/directory
+      email: [email protected]
+      privateKeySecretRef:
+        name: cluster-issuer-secret
+    region: "eu-central-1"
+    #hostedZoneID: DIKER8JEXAMPLE # optional, see policy above
+    #roleArn: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
+    dnsZones:
+      - "example.com"
+http:
+  http:
+    acme:
+      server: https://acme-v02.api.letsencrypt.org/directory
+      email: [email protected]
+      privateKeySecretRef:
+        name: cluster-issuer-secret
+    # ingressClassName: nginx # supported in cert-manager >= 1.12.0
+    # class: nginx # use only one parameter of [ingressClassName, class, ingressName]
+    # ingressName: acme-http-solver
+
+    serviceType: ClusterIP # optional, if not possible/desired to use `NodePort` as type for the HTTP01 challenge response service
+
+    podLabels: {}
+    podAnnotations: {}
+    podSpec: {} # optional, `nodeSelector`, `tolerations` and `affinity` of solver pods can be set. No other `spec` fields can be edited
+
+    ingressLabels: {}
+    ingressAnnotations: {}
+cloudflare:
+  cloudflare:
+    acme:
+      server: https://acme-v02.api.letsencrypt.org/directory
+      email: [email protected]
+      privateKeySecretRef:
+        name: cluster-issuer-secret
+    apiTokenSecretRef:
+      name: cloudflare-api-token-secret
+      key: api-token
+    dnsZones:
+      - "example.com"
diff --git a/helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml b/helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml
@@ -0,0 +1,32 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.cloudflare }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .clusterIssuerName }}
+  labels:
+    app: {{ include "defaultClusterIssuer.name" . }}
+    app.kubernetes.io/name: {{ include "defaultClusterIssuer.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: "clusterIssuer"
+    helm.sh/chart: {{ include "defaultClusterIssuer.chart" . }}
+spec:
+  acme:
+    {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+    solvers:
+      - dns01:
+          cloudflare:
+            {{- with .clusterIssuerValues.apiTokenSecretRef }}
+            apiTokenSecretRef:
+              {{- toYaml . | nindent 14 }}
+            {{- end -}}
+        {{- with .clusterIssuerValues.dnsZones }}
+        selector:
+          dnsZones:
+            {{- toYaml . | nindent 12 }}
+        {{- end }}
+{{- end }}
+{{- end }}
diff --git a/...erIssuer/templates/clusterIssuerHTTP.yaml → ...rIssuer/templates/clusterIssuer-http.yaml b/...erIssuer/templates/clusterIssuerHTTP.yaml → ...rIssuer/templates/clusterIssuer-http.yaml
diff --git a/...ssuer/templates/clusterIssuerRoute53.yaml → ...suer/templates/clusterIssuer-route53.yaml b/...ssuer/templates/clusterIssuerRoute53.yaml → ...suer/templates/clusterIssuer-route53.yaml
diff --git a/helm/defaultClusterIssuer/values.yaml b/helm/defaultClusterIssuer/values.yaml
@@ -16,7 +16,7 @@ route53:
     dnsZones:
       - "example.com"
 http:
-  default-http:
+  http:
     acme:
       server: https://acme-v02.api.letsencrypt.org/directory
       email: [email protected]
@@ -34,3 +34,15 @@ http:
 
     ingressLabels: {}
     ingressAnnotations: {}
+cloudflare:
+  cloudflare:
+    acme:
+      server: https://acme-v02.api.letsencrypt.org/directory
+      email: [email protected]
+      privateKeySecretRef:
+        name: cluster-issuer-secret
+    apiTokenSecretRef:
+      name: cloudflare-api-token-secret
+      key: api-token
+    dnsZones:
+      - "example.com"
diff --git a/variables.tf b/variables.tf
@@ -437,3 +437,15 @@ variable "helm_postrender" {
   default     = {}
   description = "Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents"
 }
+
+variable "manifest_target_revision" {
+  type        = string
+  default     = "1.3.0" #FIXME: update revision before release
+  description = "Manifest target revision to deploy from"
+}
+
+variable "manifest_target_path" {
+  type        = string
+  default     = "helm/clusterIssuer"
+  description = "Manifest target path in projects repository"
+}