From 1eaf3bebdc7969e4c324154e21571a3ed5c1ed93 Mon Sep 17 00:00:00 2001 From: Parker Barthlome Date: Mon, 31 Oct 2022 12:02:14 -0600 Subject: [PATCH] feat: Add support for `istio-csr` addon (#1100) Co-authored-by: Bryant Biggs --- docs/add-ons/cert-manager-istio-csr.md | 24 +++++++++++ docs/add-ons/nginx.md | 2 +- modules/kubernetes-addons/README.md | 3 ++ .../cert-manager-istio-csr/README.md | 41 +++++++++++++++++++ .../cert-manager-istio-csr/main.tf | 17 ++++++++ .../cert-manager-istio-csr/outputs.tf | 4 ++ .../cert-manager-istio-csr/variables.tf | 28 +++++++++++++ .../cert-manager-istio-csr/versions.tf | 3 ++ modules/kubernetes-addons/main.tf | 8 ++++ modules/kubernetes-addons/variables.tf | 12 ++++++ 10 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 docs/add-ons/cert-manager-istio-csr.md create mode 100644 modules/kubernetes-addons/cert-manager-istio-csr/README.md create mode 100644 modules/kubernetes-addons/cert-manager-istio-csr/main.tf create mode 100644 modules/kubernetes-addons/cert-manager-istio-csr/outputs.tf create mode 100644 modules/kubernetes-addons/cert-manager-istio-csr/variables.tf create mode 100644 modules/kubernetes-addons/cert-manager-istio-csr/versions.tf diff --git a/docs/add-ons/cert-manager-istio-csr.md b/docs/add-ons/cert-manager-istio-csr.md new file mode 100644 index 0000000000..8050c93976 --- /dev/null +++ b/docs/add-ons/cert-manager-istio-csr.md 
@@ -0,0 +1,24 @@ +# cert-manager-istio-csr + +istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager. + +For complete project documentation, please visit the [cert-manager documentation site](https://cert-manager.io/docs/usage/istio/). + +## Usage + +cert-manger-istio-csr can be deployed by enabling the add-on via the following. + +```hcl +enable_cert_manager_istio_csr = true +``` + +### GitOps Configuration + +The following properties are made available for use when managing the add-on via GitOps. + +``` + +certManagerIstioCsr = { + enable = true +} +``` diff --git a/docs/add-ons/nginx.md b/docs/add-ons/nginx.md index 39ef23a76e..db7b101e81 100644 --- a/docs/add-ons/nginx.md +++ b/docs/add-ons/nginx.md @@ -41,7 +41,7 @@ You can optionally customize the Helm chart that deploys `nginx` via the followi The following properties are made available for use when managing the add-on via GitOps. -Refer to [locals.tf](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/ingress-nginx/locals.tf) for latest config. GitOps with ArgoCD Add-on repo is located [here](https://github.com/aws-samples/eks-blueprints-add-ons/blob/main/chart/values.yaml) +Refer to [main.tf](https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/ingress-nginx/main.tf) for latest config. GitOps with ArgoCD Add-on repo is located [here](https://github.com/aws-samples/eks-blueprints-add-ons/blob/main/chart/values.yaml) ``` hcl argocd_gitops_config = { diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md index 767dc9ff61..27bc4ea898 100644 --- a/modules/kubernetes-addons/README.md +++ b/modules/kubernetes-addons/README.md 
@@ -44,6 +44,7 @@ | [calico](#module\_calico) | ./calico | n/a | | [cert\_manager](#module\_cert\_manager) | ./cert-manager | n/a | | [cert\_manager\_csi\_driver](#module\_cert\_manager\_csi\_driver) | ./cert-manager-csi-driver | n/a | +| [cert\_manager\_istio\_csr](#module\_cert\_manager\_istio\_csr) | ./cert-manager-istio-csr | n/a | | [chaos\_mesh](#module\_chaos\_mesh) | ./chaos-mesh | n/a | | [cilium](#module\_cilium) | ./cilium | n/a | | [cluster\_autoscaler](#module\_cluster\_autoscaler) | ./cluster-autoscaler | n/a | @@ -143,6 +144,7 @@ | [cert\_manager\_helm\_config](#input\_cert\_manager\_helm\_config) | Cert Manager Helm Chart config | `any` | `{}` | no | | [cert\_manager\_install\_letsencrypt\_issuers](#input\_cert\_manager\_install\_letsencrypt\_issuers) | Install Let's Encrypt Cluster Issuers | `bool` | `true` | no | | [cert\_manager\_irsa\_policies](#input\_cert\_manager\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no | +| [cert\_manager\_istio\_csr\_helm\_config](#input\_cert\_manager\_istio\_csr\_helm\_config) | Cert Manager Istio CSR Helm Chart config | `any` | `{}` | no | | [cert\_manager\_kubernetes\_svc\_image\_pull\_secrets](#input\_cert\_manager\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no | | [cert\_manager\_letsencrypt\_email](#input\_cert\_manager\_letsencrypt\_email) | Email address for expiration emails from Let's Encrypt | `string` | `""` | no | | [chaos\_mesh\_helm\_config](#input\_chaos\_mesh\_helm\_config) | Chaos Mesh Helm Chart config | `any` | `{}` | no | 
@@ -189,6 +191,7 @@ | [enable\_calico](#input\_enable\_calico) | Enable Calico add-on | `bool` | `false` | no | | [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable Cert Manager add-on | `bool` | `false` | no | | [enable\_cert\_manager\_csi\_driver](#input\_enable\_cert\_manager\_csi\_driver) | Enable Cert Manager CSI Driver add-on | `bool` | `false` | no | +| [enable\_cert\_manager\_istio\_csr](#input\_enable\_cert\_manager\_istio\_csr) | Enable Cert Manager istio-csr add-on | `bool` | `false` | no | | [enable\_chaos\_mesh](#input\_enable\_chaos\_mesh) | Enable Chaos Mesh add-on | `bool` | `false` | no | | [enable\_cilium](#input\_enable\_cilium) | Enable Cilium add-on | `bool` | `false` | no | | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no | diff --git a/modules/kubernetes-addons/cert-manager-istio-csr/README.md b/modules/kubernetes-addons/cert-manager-istio-csr/README.md new file mode 100644 index 0000000000..c59cb7c40e --- /dev/null +++ b/modules/kubernetes-addons/cert-manager-istio-csr/README.md @@ -0,0 +1,41 @@ +# Cert-manager-istio-csr Helm Chart + +istio-csr enables the use of cert-manager for issuing certificates in Istio service meshes + +For more details checkout [cert-manager-istio-csr](https://github.com/cert-manager/istio-csr) on GitHub + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes | +| [helm\_config](#input\_helm\_config) | Helm Config for istio-csr. | `any` | `{}` | no | +| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD | + diff --git a/modules/kubernetes-addons/cert-manager-istio-csr/main.tf b/modules/kubernetes-addons/cert-manager-istio-csr/main.tf new file mode 100644 index 0000000000..839ec59f05 --- /dev/null +++ b/modules/kubernetes-addons/cert-manager-istio-csr/main.tf @@ -0,0 +1,17 @@ +module "helm_addon" { + source = "../helm-addon" + helm_config = merge( + { + name = "cert-manager-istio-csr" + chart = "cert-manager-istio-csr" + repository = "https://charts.jetstack.io" + version = "v0.5.0" + namespace = "cert-manager" + create_namespace = false + description = "Cert-manager-istio-csr Helm Chart deployment configuration" + }, + var.helm_config + ) + manage_via_gitops = var.manage_via_gitops + addon_context = var.addon_context +} diff --git a/modules/kubernetes-addons/cert-manager-istio-csr/outputs.tf b/modules/kubernetes-addons/cert-manager-istio-csr/outputs.tf new file mode 100644 index 0000000000..b5d714acb4 --- /dev/null +++ b/modules/kubernetes-addons/cert-manager-istio-csr/outputs.tf @@ -0,0 +1,4 @@ +output "argocd_gitops_config" { + description = "Configuration used for managing the add-on with ArgoCD" + value = var.manage_via_gitops ? { enable = true } : null +} diff --git a/modules/kubernetes-addons/cert-manager-istio-csr/variables.tf b/modules/kubernetes-addons/cert-manager-istio-csr/variables.tf new file mode 100644 index 0000000000..522fb21a45 --- /dev/null +++ b/modules/kubernetes-addons/cert-manager-istio-csr/variables.tf 
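Review bot: The `helm_addon` block in cert-manager-istio-csr/main.tf installs the chart into the `cert-manager` namespace with `create_namespace = false`, but neither this module nor the `cert_manager_istio_csr` wiring added to modules/kubernetes-addons/main.tf expresses a dependency on the cert-manager add-on, so enabling `enable_cert_manager_istio_csr` on a cluster where cert-manager is absent or not yet applied fails at apply time on the missing namespace (and, if the chart renders cert-manager custom resources, on the missing CRDs) rather than with a clear message. Adding `depends_on = [module.cert_manager]` to the parent `cert_manager_istio_csr` module block, or at least stating the prerequisite in the module README, would make the ordering explicit. It is also worth documenting that istio-csr becomes the signer of every workload identity in the mesh, so the cert-manager issuer it is pointed at is the mesh trust root; the README should say which Issuer/ClusterIssuer the chart expects by default and that operators should supply one they control rather than relying on whatever the chart falls back to.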
@@ -0,0 +1,28 @@ +variable "helm_config" { + description = "Helm Config for istio-csr." + type = any + default = {} +} + +variable "manage_via_gitops" { + description = "Determines if the add-on should be managed via GitOps." + type = bool + default = false +} + +variable "addon_context" { + description = "Input configuration for the addon" + type = object({ + aws_caller_identity_account_id = string + aws_caller_identity_arn = string + aws_eks_cluster_endpoint = string + aws_partition_id = string + aws_region_name = string + eks_cluster_id = string + eks_oidc_issuer_url = string + eks_oidc_provider_arn = string + tags = map(string) + irsa_iam_role_path = string + irsa_iam_permissions_boundary = string + }) +} diff --git a/modules/kubernetes-addons/cert-manager-istio-csr/versions.tf b/modules/kubernetes-addons/cert-manager-istio-csr/versions.tf new file mode 100644 index 0000000000..429c0b36d0 --- /dev/null +++ b/modules/kubernetes-addons/cert-manager-istio-csr/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 1.0.0" +} diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf index 4d7088d9cf..6ec562636e 100644 --- a/modules/kubernetes-addons/main.tf +++ b/modules/kubernetes-addons/main.tf @@ -215,6 +215,14 @@ module "cert_manager_csi_driver" { addon_context = local.addon_context } +module "cert_manager_istio_csr" { + count = var.enable_cert_manager_istio_csr ? 1 : 0 + source = "./cert-manager-istio-csr" + helm_config = var.cert_manager_istio_csr_helm_config + manage_via_gitops = var.argocd_manage_add_ons + addon_context = local.addon_context +} + module "cluster_autoscaler" { source = "./cluster-autoscaler" diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf index dc84a60670..96bf132e10 100644 --- a/modules/kubernetes-addons/variables.tf +++ b/modules/kubernetes-addons/variables.tf 
@@ -742,6 +742,18 @@ variable "cert_manager_kubernetes_svc_image_pull_secrets" { default = [] } +variable "enable_cert_manager_istio_csr" { + description = "Enable Cert Manager istio-csr add-on" + type = bool + default = false +} + +variable "cert_manager_istio_csr_helm_config" { + description = "Cert Manager Istio CSR Helm Chart config" + type = any + default = {} +} + #-----------Argo Rollouts ADDON------------- variable "enable_argo_rollouts" { description = "Enable Argo Rollouts add-on"
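Review bot: The description of `enable_cert_manager_istio_csr` does not tell the caller that the add-on is deployed into the `cert-manager` namespace and therefore needs the cert-manager add-on to be present, which is the one prerequisite someone toggling this boolean has to know; suggested `description = "Enable Cert Manager istio-csr add-on (requires cert-manager to be installed in the cert-manager namespace)"`. Likewise `cert_manager_istio_csr_helm_config` could say that the map is merged over the module defaults (name, chart, repository, version, namespace), since a caller overriding `repository` or `version` there changes which chart build is installed. The enclosing `variable "cert_manager_kubernetes_svc_image_pull_secrets"` block at the top of the hunk starts outside it.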