# (Optional) Get TLS certificates using cert-manager.
#
# Namespace that cert-manager is installed into. Only created when the
# feature flag is on, and ordered after the cluster-ready marker
# (presumably so the Kubernetes provider has an API server to talk to).
# NOTE(review): the flag is spelled `use_cert_manger` (sic) in
# var.kubernetes_services; keep the spelling in sync if it is ever renamed.
resource "kubernetes_namespace" "cert_manager" {
  depends_on = [var.ow_cluster_ready]
  count      = var.kubernetes_services.use_cert_manger ? 1 : 0

  metadata {
    name = "cert-manager"
  }
}
# Installs cert-manager from the manifest URL in
# var.kubernetes_services.cert_manager_link, and force-removes every
# cert-manager custom resource in the cluster on destroy.
resource "null_resource" "install_cert_manager" {
  depends_on = [kubernetes_namespace.cert_manager]
  count      = var.kubernetes_services.use_cert_manger && var.ow_kubectl_ready ? 1 : 0

  # --validate=false skips client-side schema validation (historically needed
  # for cert-manager's large CRD manifest on older Kubernetes). The manifest is
  # applied with whatever privileges kubectl holds, so cert_manager_link is a
  # trust boundary: pin it to a specific release rather than a moving tag, and
  # treat the source as part of the supply chain.
  provisioner "local-exec" {
    when    = create
    command = <<-EOT
      kubectl apply --validate=false -f ${var.kubernetes_services.cert_manager_link}
    EOT
  }

  # Deletes all cert-manager custom resources cluster-wide (--all
  # --all-namespaces), including any not created by this module, with no grace
  # period. cert-manager's own Deployments/CRDs are not removed here;
  # destroy-time provisioners cannot read var.*, which is presumably why the
  # manifest link is not reused (self.triggers is the usual workaround).
  provisioner "local-exec" {
    when    = destroy
    command = <<-EOT
      kubectl delete \
        Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges \
        --grace-period=0 --all --all-namespaces;
    EOT
  }
}
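# Registers a Let's Encrypt (ACME v2, production endpoint) ClusterIssuer that
# solves challenges with HTTP-01 through the module's HTTP ingress.
resource "null_resource" "clusterissuer_cert_manager" {
  count      = var.kubernetes_services.use_cert_manger ? 1 : 0
  depends_on = [null_resource.install_cert_manager]

  provisioner "local-exec" {
    when = create
    # The 5 minute sleep is a fixed delay, presumably to let cert-manager (in
    # particular its webhook) come up after the manifest is applied; there is
    # no readiness check, so a rollout-status/wait on the cert-manager
    # deployments would be more robust.
    # The shell heredoc delimiter is quoted ('EOF') so the values Terraform
    # interpolates (admin e-mail, ingress name) reach kubectl literally instead
    # of being re-expanded by the shell ($VAR, $(...), backticks).
    # ClusterIssuer is cluster-scoped, so no metadata.namespace is set (the API
    # server ignores one anyway).
    command = <<-EOT
      sleep 5m && \
      kubectl apply -f - <<'EOF'
      apiVersion: cert-manager.io/v1alpha2
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-issuer
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          email: ${var.kubernetes_configmap.CERT_ADMIN_EMAIL}
          privateKeySecretRef:
            name: letsencrypt-prod
          solvers:
          - http01:
              ingress:
                name: ${kubernetes_ingress.http_ingress.metadata[0].name}
            selector: {}
      EOF
    EOT
  }
}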
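# Requests one certificate covering the four public hostnames from the
# letsencrypt-issuer ClusterIssuer; cert-manager stores the key pair in
# Secret default/openwisp-tls-secret, which the ingress TLS patch references.
resource "null_resource" "certificate_cert_manager" {
  count      = var.kubernetes_services.use_cert_manger ? 1 : 0
  depends_on = [null_resource.clusterissuer_cert_manager, kubernetes_ingress.http_ingress]

  provisioner "local-exec" {
    when = create
    # The 10 minute sleep is a fixed delay, presumably to give the ClusterIssuer
    # time to register its ACME account; there is no readiness check.
    # The shell heredoc delimiter is quoted ('EOF') so the interpolated
    # hostnames reach kubectl literally, without shell parameter or command
    # expansion.
    # renewBefore: 12h leaves only a 12-hour window before expiry for a failed
    # renewal to be retried — confirm that is intended.
    command = <<-EOT
      sleep 10m && \
      kubectl apply -f - <<'EOF'
      apiVersion: cert-manager.io/v1alpha2
      kind: Certificate
      metadata:
        namespace: default
        name: openwisp-tls-crt
      spec:
        secretName: openwisp-tls-secret
        renewBefore: 12h
        dnsNames:
        - ${var.kubernetes_configmap.DASHBOARD_DOMAIN}
        - ${var.kubernetes_configmap.CONTROLLER_DOMAIN}
        - ${var.kubernetes_configmap.RADIUS_DOMAIN}
        - ${var.kubernetes_configmap.TOPOLOGY_DOMAIN}
        issuerRef:
          name: letsencrypt-issuer
          kind: ClusterIssuer
      EOF
    EOT
  }
}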
# Enables TLS on the HTTP ingress by attaching the issued secret to all four
# hostnames.
resource "null_resource" "ingress_cert_manager" {
  depends_on = [null_resource.certificate_cert_manager]
  count      = var.kubernetes_services.use_cert_manger ? 1 : 0

  provisioner "local-exec" {
    when = create
    # Fixed 10 minute delay, presumably to give cert-manager time to issue the
    # certificate; nothing here verifies the Secret exists before the ingress
    # starts referencing it (a `kubectl wait --for=condition=Ready
    # certificate/openwisp-tls-crt` would make that explicit).
    # The patch body is single-quoted, so the shell does not expand it; the
    # interpolated hostnames are substituted by Terraform beforehand.
    command = <<-EOT
      sleep 10m && \
      kubectl patch ingress ${kubernetes_ingress.http_ingress.metadata[0].name} -p '{
        "spec": {
          "tls": [
            {
              "hosts": [
                "${var.kubernetes_configmap.DASHBOARD_DOMAIN}",
                "${var.kubernetes_configmap.CONTROLLER_DOMAIN}",
                "${var.kubernetes_configmap.RADIUS_DOMAIN}",
                "${var.kubernetes_configmap.TOPOLOGY_DOMAIN}"
              ],
              "secretName": "openwisp-tls-secret"
            }
          ]
        }
      }'
    EOT
  }
}