diff --git a/README.md b/README.md index a7c6040..9c610ad 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,6 @@ +> [!CAUTION] +> DEPRECATION NOTICE - `defaultClusterIssuer` helm chart will be discontinued on 1. November 2024. This deprecation will have impact on all existing installations prior to 2.0.0 release where `cluster_issuer_enabled = true`. In order to proceed using this module you have to upgrade to 2.X version. + # AWS EKS Cert Manager Terraform module [](https://lablabs.io/) @@ -185,6 +188,8 @@ No modules. | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no | | [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for cert-manager | `string` | `"cert-manager-irsa"` | no | | [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no | +| [manifest\_target\_path](#input\_manifest\_target\_path) | Manifest target path in projects repository | `string` | `"helm/clusterIssuer"` | no | +| [manifest\_target\_revision](#input\_manifest\_target\_revision) | Manifest target revision to deploy from | `string` | `"1.3.0"` | no | | [namespace](#input\_namespace) | The K8s namespace in which the cert manager will be installed | `string` | `"kube-system"` | no | | [policy\_allowed\_zone\_ids](#input\_policy\_allowed\_zone\_ids) | List of the Route53 zone ids for service account IAM role access | `list(string)` |
[
"*"
]
| no | | [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no | diff --git a/default-cluster-issuer.tf b/default-cluster-issuer.tf index 7309d3e..d76dcda 100644 --- a/default-cluster-issuer.tf +++ b/default-cluster-issuer.tf @@ -5,8 +5,8 @@ locals { "project" : var.argo_project "source" : { "repoURL" : "https://github.com/lablabs/terraform-aws-eks-cert-manager.git" - "path" : "helm/defaultClusterIssuer" - "targetRevision" : "main" + "path" : var.manifest_target_path + "targetRevision" : var.manifest_target_revision "helm" : { "releaseName" : "${var.helm_release_name}-default-cluster-issuer" "parameters" : [for k, v in var.cluster_issuer_settings : tomap({ "forceString" : true, "name" : k, "value" : v })] diff --git a/helm/clusterIssuer/.helmignore b/helm/clusterIssuer/.helmignore new file mode 100644 index 0000000..2bfa6a4 --- /dev/null +++ b/helm/clusterIssuer/.helmignore @@ -0,0 +1 @@ +tests/ diff --git a/helm/clusterIssuer/Chart.yaml b/helm/clusterIssuer/Chart.yaml new file mode 100644 index 0000000..909e1df --- /dev/null +++ b/helm/clusterIssuer/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +name: clusterIssuer +description: Default Cert Manager Cluster Issuer +type: application +version: 0.1.0 +keywords: + - cluster-issuer + - cert-manager + - acme +sources: + - https://github.com/lablabs/terraform-aws-eks-aws-cert-manager/blob/master/helm/clusterIssuer/values.yaml +maintainers: + - name: dojci + email: martin.dojcak@lablabs.io diff --git a/helm/clusterIssuer/templates/_helpers.tpl b/helm/clusterIssuer/templates/_helpers.tpl new file mode 100644 index 0000000..26fcb8d --- /dev/null +++ b/helm/clusterIssuer/templates/_helpers.tpl 
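Review bot: The new `targetRevision` default `1.3.0` (variables.tf, still marked `#FIXME: update revision before release`) must resolve to a ref that already contains `helm/clusterIssuer`, yet that directory is created by this very commit, so if the 1.3.0 tag predates it Argo CD will fail to find the path; the same applies to the variables.tf hunk at the end of this diff. A tag is also a mutable ref, so the manifests applied to the cluster are only as reviewed as whoever can move that tag; Argo CD accepts a commit SHA here as well, and saying so gives operators a pinned option. I would extend the variable to `description = "Git revision (tag, branch or commit SHA) of this repository that contains manifest_target_path; bump it together with the chart"`. The `locals` block continues outside the hunk.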
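Review bot: The `sources` entry in the new Chart.yaml points at `lablabs/terraform-aws-eks-aws-cert-manager`, while the Argo CD `repoURL` in default-cluster-issuer.tf is `lablabs/terraform-aws-eks-cert-manager.git`; the two repository names disagree and the chart metadata is the more likely typo. I would change it to `- https://github.com/lablabs/terraform-aws-eks-cert-manager/blob/main/helm/clusterIssuer/values.yaml`, since the removed tf line tracked `main` and `master` in this URL is presumably stale too.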
@@ -0,0 +1,42 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "clusterIssuer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "clusterIssuer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "clusterIssuer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "clusterIssuer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "clusterIssuer.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/helm/clusterIssuer/templates/clusterIssuer-cloudflare.yaml b/helm/clusterIssuer/templates/clusterIssuer-cloudflare.yaml
new file mode 100644
index 0000000..6498109
--- /dev/null
+++ b/helm/clusterIssuer/templates/clusterIssuer-cloudflare.yaml
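Review bot: `clusterIssuer.serviceAccountName` dereferences `.Values.serviceAccount.create`, but the chart's values.yaml defines no `serviceAccount` key and none of the new templates include this helper, so the first template that does will abort rendering with a nil-pointer error on `.create` instead of falling back to `default`. Since the chart renders no ServiceAccount at all, removing the helper (the last seven added lines of this hunk) is the smaller fix; if it is kept for later use, guard it with `{{- if and .Values.serviceAccount .Values.serviceAccount.create -}}` and add `serviceAccount: {create: false, name: ""}` to values.yaml so the lookup is defined.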
@@ -0,0 +1,32 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.cloudflare }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .clusterIssuerName }}
+ labels:
+ app: {{ include "clusterIssuer.name" . }}
+ app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "clusterIssuer"
+ helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+spec:
+ acme:
+ {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+ solvers:
+ - dns01:
+ cloudflare:
+ {{- with .clusterIssuerValues.apiTokenSecretRef }}
+ apiTokenSecretRef:
+ {{- toYaml . | nindent 14 }}
+ {{- end -}}
+ {{- with .clusterIssuerValues.dnsZones }}
+ selector:
+ dnsZones:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/clusterIssuer/templates/clusterIssuer-http.yaml b/helm/clusterIssuer/templates/clusterIssuer-http.yaml
new file mode 100644
index 0000000..60c6969
--- /dev/null
+++ b/helm/clusterIssuer/templates/clusterIssuer-http.yaml
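Review bot: `apiTokenSecretRef` is wrapped in `with`, so a cloudflare entry that omits it renders `cloudflare:` as an empty map and the ClusterIssuer is only rejected by cert-manager's API validation at sync time, not at `helm template` time; the identical template added to the deprecated chart at helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml needs the same change. The token secret is the only credential this solver renders, so fail early: put `{{- $ref := required (printf "cloudflare.%s.apiTokenSecretRef is required" .clusterIssuerName) .clusterIssuerValues.apiTokenSecretRef }}` before the `cloudflare:` key and emit `apiTokenSecretRef:` unconditionally from `$ref`. The `{{- end -}}` closing that `with` is also the only trimming `end` in these templates; it works here only because the next action begins with `{{-`, and `{{- end }}` would match the rest of the file.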
@@ -0,0 +1,89 @@ +{{- $outer := . -}} +{{- range $clusterIssuerName, $clusterIssuerValues := .Values.http }} +{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ .clusterIssuerName }} + labels: + app: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/name: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "clusterIssuer" + helm.sh/chart: {{ include "clusterIssuer.chart" . }} +spec: + acme: + {{- toYaml .clusterIssuerValues.acme | nindent 4 }} + solvers: + - http01: + ingress: + {{- with .clusterIssuerValues.ingressClassName }} + ingressClassName: {{ . | quote }} + {{- end }} + {{- with .clusterIssuerValues.class }} + class: {{ . | quote }} + {{- end }} + {{- with .clusterIssuerValues.ingressName }} + name: {{ . | quote }} + {{- end }} + {{- with .clusterIssuerValues.serviceType }} + serviceType: {{ . | quote }} + {{- end }} + podTemplate: + metadata: + labels: + app: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/name: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "clusterIssuer" + helm.sh/chart: {{ include "clusterIssuer.chart" . }} + {{- with $.commonLabels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .clusterIssuerValues.podLabels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .clusterIssuerValues.podAnnotations }} + annotations: + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .clusterIssuerValues.podSpec }} + spec: + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . 
| nindent 18 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 18 }} + {{- end }} + {{- end }} + + ingressTemplate: + metadata: + labels: + app: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/name: {{ include "clusterIssuer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/component: "clusterIssuer" + helm.sh/chart: {{ include "clusterIssuer.chart" . }} + {{- with $.commonLabels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .clusterIssuerValues.ingressLabels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- with .clusterIssuerValues.ingressAnnotations }} + annotations: + {{- toYaml . | nindent 18 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/clusterIssuer/templates/clusterIssuer-route53.yaml b/helm/clusterIssuer/templates/clusterIssuer-route53.yaml new file mode 100644 index 0000000..23c1231 --- /dev/null +++ b/helm/clusterIssuer/templates/clusterIssuer-route53.yaml 
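Review bot: `{{- with $.commonLabels }}` in both the podTemplate and the ingressTemplate reads `commonLabels` from the template root, which has no such key; values.yaml defines it under `.Values` (`commonLabels: {}`), so the lookup yields nil, the `with` is skipped, and the setting never reaches the solver pods or ingress. Both occurrences should be `{{- with $.Values.commonLabels }}`. Separately, values.yaml says only one of `ingressClassName`, `class` and `ingressName` may be set, but the template renders whichever are present and leaves cert-manager to reject the object at apply time; a `fail` guard at the top of the `http01` block, e.g. `{{- if and .clusterIssuerValues.ingressClassName .clusterIssuerValues.class }}{{ fail "set only one of ingressClassName, class, ingressName" }}{{ end }}`, would surface the misconfiguration at render time.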
@@ -0,0 +1,37 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.route53 }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .clusterIssuerName }}
+ labels:
+ app: {{ include "clusterIssuer.name" . }}
+ app.kubernetes.io/name: {{ include "clusterIssuer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "clusterIssuer"
+ helm.sh/chart: {{ include "clusterIssuer.chart" . }}
+spec:
+ acme:
+ {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+ solvers:
+ - dns01:
+ route53:
+ {{- if .clusterIssuerValues.region }}
+ region: {{ .clusterIssuerValues.region }}
+ {{- end }}
+ {{- if .clusterIssuerValues.hostedZoneID }}
+ hostedZoneID: {{ .clusterIssuerValues.hostedZoneID }}
+ {{- end }}
+ {{- if .clusterIssuerValues.roleArn }}
+ role: {{ .clusterIssuerValues.roleArn }}
+ {{- end }}
+ {{- with .clusterIssuerValues.dnsZones }}
+ selector:
+ dnsZones:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/clusterIssuer/values.yaml b/helm/clusterIssuer/values.yaml
new file mode 100644
index 0000000..1095dc5
--- /dev/null
+++ b/helm/clusterIssuer/values.yaml
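Review bot: The route53 solver renders `region`, `hostedZoneID` and `role` unquoted behind `if`, whereas the http template in the same chart uses `with` and `| quote` for its scalars; one convention across the three templates (`region: {{ .clusterIssuerValues.region | quote }}` and likewise for the other two) avoids a value being parsed as something other than a string. It is also worth a template comment that a route53 entry without `dnsZones` gets no `selector` and therefore acts as the catch-all solver, which is fine for a single default issuer but easy to miss once several entries exist; I would add `{{- /* no dnsZones: this solver has no selector and matches every certificate */ -}}` above the `with .clusterIssuerValues.dnsZones` block.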
@@ -0,0 +1,48 @@
+nameOverride: ""
+fullnameOverride: ""
+
+commonLabels: {}
+
+route53:
+ default:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: default@example.com
+ privateKeySecretRef:
+ name: cluster-issuer-secret
+ region: "eu-central-1"
+ #hostedZoneID: DIKER8JEXAMPLE # optional, see policy above
+ #roleArn: arn:aws:iam::YYYYYYYYYYYY:role/dns-manager
+ dnsZones:
+ - "example.com"
+http:
+ http:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: default@example.com
+ privateKeySecretRef:
+ name: cluster-issuer-secret
+ # ingressClassName: nginx # supported in cert-manager >= 1.12.0
+ # class: nginx # use only one parameter of [ingressClassName, class, ingressName]
+ # ingressName: acme-http-solver
+
+ serviceType: ClusterIP # optional, if not possible/desired to use `NodePort` as type for the HTTP01 challenge response service
+
+ podLabels: {}
+ podAnnotations: {}
+ podSpec: {} # optional, `nodeSelector`, `tolerations` and `affinity` of solver pods can be set. No other `spec` fields can be edited
+
+ ingressLabels: {}
+ ingressAnnotations: {}
+cloudflare:
+ cloudflare:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: default@example.com
+ privateKeySecretRef:
+ name: cluster-issuer-secret
+ apiTokenSecretRef:
+ name: cloudflare-api-token-secret
+ key: api-token
+ dnsZones:
+ - "example.com"
diff --git a/helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml b/helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml
new file mode 100644
index 0000000..6ab50c7
--- /dev/null
+++ b/helm/defaultClusterIssuer/templates/clusterIssuer-cloudflare.yaml
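Review bot: The cloudflare default `apiTokenSecretRef.name: cloudflare-api-token-secret` names a Secret this chart never creates, and because the object is a ClusterIssuer cert-manager reads it from its own cluster-resource namespace (the namespace cert-manager is installed in), not from wherever the Argo CD Application is deployed; the values file should say so next to the key, e.g. `# not created by this chart; must exist in the namespace cert-manager runs in`. The route53 comment `# optional, see policy above` refers to a policy that is not in this file (presumably copied from the README), so either point at the README section or drop the phrase. The `email: default@example.com` placeholder is shared by all three issuers and public CAs commonly refuse example.com contacts, so a `# replace before use` comment on the first occurrence would save a failed ACME account registration.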
@@ -0,0 +1,32 @@
+{{- $outer := . -}}
+{{- range $clusterIssuerName, $clusterIssuerValues := .Values.cloudflare }}
+{{- with (merge (dict "clusterIssuerName" $clusterIssuerName "clusterIssuerValues" $clusterIssuerValues) $outer) }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .clusterIssuerName }}
+ labels:
+ app: {{ include "defaultClusterIssuer.name" . }}
+ app.kubernetes.io/name: {{ include "defaultClusterIssuer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/component: "clusterIssuer"
+ helm.sh/chart: {{ include "defaultClusterIssuer.chart" . }}
+spec:
+ acme:
+ {{- toYaml .clusterIssuerValues.acme | nindent 4 }}
+ solvers:
+ - dns01:
+ cloudflare:
+ {{- with .clusterIssuerValues.apiTokenSecretRef }}
+ apiTokenSecretRef:
+ {{- toYaml . | nindent 14 }}
+ {{- end -}}
+ {{- with .clusterIssuerValues.dnsZones }}
+ selector:
+ dnsZones:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/defaultClusterIssuer/templates/clusterIssuerHTTP.yaml b/helm/defaultClusterIssuer/templates/clusterIssuer-http.yaml
similarity index 100%
rename from helm/defaultClusterIssuer/templates/clusterIssuerHTTP.yaml
rename to helm/defaultClusterIssuer/templates/clusterIssuer-http.yaml
diff --git a/helm/defaultClusterIssuer/templates/clusterIssuerRoute53.yaml b/helm/defaultClusterIssuer/templates/clusterIssuer-route53.yaml
similarity index 100%
rename from helm/defaultClusterIssuer/templates/clusterIssuerRoute53.yaml
rename to helm/defaultClusterIssuer/templates/clusterIssuer-route53.yaml
diff --git a/helm/defaultClusterIssuer/values.yaml b/helm/defaultClusterIssuer/values.yaml
index 366a848..1095dc5 100644
--- a/helm/defaultClusterIssuer/values.yaml
+++ b/helm/defaultClusterIssuer/values.yaml
@@ -16,7 +16,7 @@ route53: dnsZones: - "example.com" http: - default-http: + http: acme: server: https://acme-v02.api.letsencrypt.org/directory email: default@example.com @@ -34,3 +34,15 @@ http: ingressLabels: {} ingressAnnotations: {} +cloudflare: + cloudflare: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: default@example.com + privateKeySecretRef: + name: cluster-issuer-secret + apiTokenSecretRef: + name: cloudflare-api-token-secret + key: api-token + dnsZones: + - "example.com" diff --git a/variables.tf b/variables.tf index e30b220..66f7128 100644 --- a/variables.tf +++ b/variables.tf @@ -437,3 +437,15 @@ variable "helm_postrender" { default = {} description = "Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents" } + +variable "manifest_target_revision" { + type = string + default = "1.3.0" #FIXME: update revision before release + description = "Manifest target revision to deploy from" +} + +variable "manifest_target_path" { + type = string + default = "helm/clusterIssuer" + description = "Manifest target path in projects repository" +}
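Review bot: Renaming the http issuer key from `default-http` to `http` in the deprecated defaultClusterIssuer chart changes the rendered ClusterIssuer's `metadata.name`, so on the next sync an Argo CD Application with pruning enabled deletes the `default-http` ClusterIssuer and creates `http`, and every Certificate whose `issuerRef.name` is `default-http` stops renewing. Given the README hunk pins pre-2.0.0 installations to exactly this chart until its removal, the rename belongs in the new `clusterIssuer` chart only; if it is intentional, the deprecation notice should call it out as a breaking change and say how to migrate `issuerRef`s. The `cloudflare` block added here also needs the same comment proposed for helm/clusterIssuer/values.yaml: `cloudflare-api-token-secret` is not created by the chart and must exist in cert-manager's namespace.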