install trust-manager

rgl · May 12, 2024 · 8c150bf · 8c150bf
1 parent 3829a96
commit 8c150bf
Show file tree

Hide file tree

Showing 13 changed files with 394 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -12,6 +12,10 @@ This will:
   * Enable the [AWS Distro for OpenTelemetry (ADOT) Operator add-on](https://docs.aws.amazon.com/eks/latest/userguide/opentelemetry.html).
   * Create the [AWS Distro for OpenTelemetry (ADOT) Collector Deployment and `adot-collector` Service](https://aws-otel.github.io).
     * Forwarding OpenTelemetry telemetry signals to [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/).
+  * Install [trust-manager](https://github.com/cert-manager/trust-manager).
+    * Manages TLS CA certificate bundles.
+  * Install [reloader](https://github.com/stakater/reloader).
+    * Reloads (restarts) pods when their configmaps or secrets change.
 * Create the Elastic Container Registry (ECR) repositories declared on the
   [`source_images` global variable](config.tm.hcl), and upload the corresponding container
   images.

diff --git a/stacks/eks-trust-manager/.terraform.lock.hcl b/stacks/eks-trust-manager/.terraform.lock.hcl
diff --git a/stacks/eks-trust-manager/.tflint.hcl b/stacks/eks-trust-manager/.tflint.hcl
@@ -0,0 +1,7 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+plugin "aws" {
+  enabled = true
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  version = "0.31.0"
+}
diff --git a/stacks/eks-trust-manager/_backend.tf b/stacks/eks-trust-manager/_backend.tf
@@ -0,0 +1,6 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+terraform {
+  backend "local" {
+  }
+}
diff --git a/stacks/eks-trust-manager/_inputs.auto.tfvars b/stacks/eks-trust-manager/_inputs.auto.tfvars
@@ -0,0 +1,7 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+cluster_name = "aws-eks-example-dev"
+environment  = "dev"
+project      = "aws-eks-example"
+region       = "eu-west-1"
+stack        = "bf383f1e-c966-4e72-8973-c419877e53f2"
diff --git a/stacks/eks-trust-manager/_providers.tf b/stacks/eks-trust-manager/_providers.tf
@@ -0,0 +1,45 @@
+// TERRAMATE: GENERATED AUTOMATICALLY DO NOT EDIT
+
+terraform {
+  required_version = "1.8.3"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.49.0"
+    }
+    cloudinit = {
+      source  = "hashicorp/cloudinit"
+      version = "2.3.4"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.13.2"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.30.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.5.1"
+    }
+    time = {
+      source  = "hashicorp/time"
+      version = "0.11.1"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+}
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = {
+      Project     = var.project
+      Environment = var.environment
+      Stack       = var.stack
+    }
+  }
+}
diff --git a/stacks/eks-trust-manager/inputs.tf b/stacks/eks-trust-manager/inputs.tf
@@ -0,0 +1,36 @@
+variable "stack" {
+  type = string
+}
+
+# get the available locations with: aws ec2 describe-regions | jq -r '.Regions[].RegionName' | sort
+variable "region" {
+  type    = string
+  default = "eu-west-1"
+}
+
+variable "project" {
+  type    = string
+  default = "aws-eks-example"
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9-]+$", var.project))
+    error_message = "Invalid project."
+  }
+}
+
+variable "environment" {
+  type    = string
+  default = "dev"
+  validation {
+    condition     = contains(["dev", "stg", "prd"], var.environment)
+    error_message = "Invalid environment."
+  }
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "EKS cluster name"
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9-]+$", var.cluster_name))
+    error_message = "Invalid cluster name."
+  }
+}
diff --git a/stacks/eks-trust-manager/inputs.tm.hcl b/stacks/eks-trust-manager/inputs.tm.hcl
@@ -0,0 +1,9 @@
+generate_hcl "_inputs.auto.tfvars" {
+  content {
+    stack        = terramate.stack.id
+    region       = global.region
+    project      = global.project
+    environment  = global.environment
+    cluster_name = global.cluster_name
+  }
+}
diff --git a/stacks/eks-trust-manager/main.tf b/stacks/eks-trust-manager/main.tf
@@ -0,0 +1,46 @@
+# see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster
+data "aws_eks_cluster" "eks" {
+  name = var.cluster_name
+}
+
+# install trust-manager.
+# see https://cert-manager.io/docs/tutorials/getting-started-with-trust-manager/
+# see https://github.com/cert-manager/trust-manager
+# see https://github.com/golang/go/blob/go1.22.3/src/crypto/x509/root_linux.go
+# see https://artifacthub.io/packages/helm/cert-manager/trust-manager
+# see https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release
+resource "helm_release" "trust_manager" {
+  namespace  = "cert-manager"
+  name       = "trust-manager"
+  repository = "https://charts.jetstack.io"
+  chart      = "trust-manager"
+  version    = "0.9.2"
+  values = [yamlencode({
+    secretTargets = {
+      enabled              = true
+      authorizedSecretsAll = true
+    }
+  })]
+}
+
+# install reloader.
+# NB tls libraries typically load the certificates from ca-certificates.crt
+#    file once, when they are started, and they never reload the file again.
+#    reloader will automatically restart them when their configmap/secret
+#    changes.
+# see https://cert-manager.io/docs/tutorials/getting-started-with-trust-manager/
+# see https://github.com/stakater/reloader
+# see https://artifacthub.io/packages/helm/stakater/reloader
+# see https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release
+resource "helm_release" "reloader" {
+  namespace  = "kube-system"
+  name       = "reloader"
+  repository = "https://stakater.github.io/stakater-charts"
+  chart      = "reloader"
+  version    = "1.0.95"
+  values = [yamlencode({
+    reloader = {
+      autoReloadAll = true
+    }
+  })]
+}
diff --git a/stacks/eks-trust-manager/providers.tf b/stacks/eks-trust-manager/providers.tf
@@ -0,0 +1,21 @@
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.eks.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.eks.name]
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.eks.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.eks.name]
+    }
+  }
+}