Add cert-manager root certificate #337

Open · wants to merge 4 commits into base: main
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
@@ -12,7 +12,7 @@ repos:
- id: check-symlinks

- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.97.0
rev: v1.97.1
hooks:
- id: terraform_fmt

@@ -33,12 +33,12 @@ repos:
- --hook-config=--create-file-if-not-exist=false

- repo: https://github.com/bridgecrewio/checkov.git
rev: 3.2.357
rev: 3.2.360
hooks:
- id: checkov
verbose: true
args:
- --download-external-modules=true
- --skip-check
- "CKV_TF_1"
- "CKV_TF_1,CKV_TF_2"
- --quiet
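Review bot: Adding `CKV_TF_2` to `--skip-check` silences exactly the finding this PR introduces: the `?ref=tls` (cert-manager) and `?ref=ecdsa` (istio) module sources are branch references, which is what CKV_TF_2 ("Ensure Terraform module sources use a tag with a version number") flags. Pin those sources to a release tag once the upstream branches are released and drop the skip, or at minimum leave the check enabled so the branch pins stay visible in CI instead of being suppressed repository-wide.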
45 changes: 32 additions & 13 deletions .terraform.lock.hcl


5 changes: 4 additions & 1 deletion README.md
@@ -57,8 +57,9 @@ No providers.
|------|--------|---------|
| <a name="module_datadog"></a> [datadog](#module\_datadog) | github.com/osinfra-io/terraform-datadog-google-integration | v0.3.0 |
| <a name="module_helpers"></a> [helpers](#module\_helpers) | github.com/osinfra-io/terraform-core-helpers//root | v0.1.2 |
| <a name="module_kubernetes_cert_manager"></a> [kubernetes\_cert\_manager](#module\_kubernetes\_cert\_manager) | github.com/osinfra-io/terraform-kubernetes-cert-manager | tls |
| <a name="module_kubernetes_engine"></a> [kubernetes\_engine](#module\_kubernetes\_engine) | github.com/osinfra-io/terraform-google-kubernetes-engine | v0.2.2 |
| <a name="module_kubernetes_istio"></a> [kubernetes\_istio](#module\_kubernetes\_istio) | github.com/osinfra-io/terraform-kubernetes-istio | v0.1.7 |
| <a name="module_kubernetes_istio"></a> [kubernetes\_istio](#module\_kubernetes\_istio) | github.com/osinfra-io/terraform-kubernetes-istio | ecdsa |
| <a name="module_project"></a> [project](#module\_project) | github.com/osinfra-io/terraform-google-project | v0.4.5 |

#### Resources
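Review bot: The generated module table now records `tls` and `ecdsa` in the Version column, which documents a branch reference rather than a release; since this README is regenerated from main.tf, the fix belongs in the module sources, not here. If the branch pins are intentional and temporary, a sentence in the PR description about the follow-up re-pin would help the next reviewer.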
@@ -83,6 +84,8 @@ No resources.

| Name | Description |
|------|-------------|
| <a name="output_kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_cert"></a> [kubernetes\_cert\_manager\_tls\_self\_signed\_cert\_cert\_manager\_root\_cert](#output\_kubernetes\_cert\_manager\_tls\_self\_signed\_cert\_cert\_manager\_root\_cert) | The self-signed certificate for the cert-manager root certificate |
| <a name="output_kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_key"></a> [kubernetes\_cert\_manager\_tls\_self\_signed\_cert\_cert\_manager\_root\_key](#output\_kubernetes\_cert\_manager\_tls\_self\_signed\_cert\_cert\_manager\_root\_key) | The private key for the cert-manager root certificate |
Comment on lines +87 to +88
Contributor

⚠️ Potential issue

New Outputs for cert-manager Root Certificate Information

Two new outputs have been added for the cert-manager root certificate, including the private key. Security Notice: Ensure that the output for the private key is marked as sensitive in your Terraform output definitions to avoid accidental exposure of sensitive material.

| <a name="output_kubernetes_engine_container_deployer_service_accounts"></a> [kubernetes\_engine\_container\_deployer\_service\_accounts](#output\_kubernetes\_engine\_container\_deployer\_service\_accounts) | The service accounts for the container deployer |
| <a name="output_kubernetes_engine_workload_identity_service_account_emails"></a> [kubernetes\_engine\_workload\_identity\_service\_account\_emails](#output\_kubernetes\_engine\_workload\_identity\_service\_account\_emails) | The email addresses of the service accounts for the Kubernetes namespace workload identity |
| <a name="output_kubernetes_istio_gateway_mci_global_address"></a> [kubernetes\_istio\_gateway\_mci\_global\_address](#output\_kubernetes\_istio\_gateway\_mci\_global\_address) | The IP address for the Istio Gateway multi-cluster ingress |
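Review bot: The new root-key output is marked `sensitive = true` in outputs.tf, which addresses the inline comment above, but the description "The private key for the cert-manager root certificate" should say why a private key is exported at all: it exists to be read by another root module through `terraform_remote_state`, and that data source hands every output to anyone who can read the state object. Something like "The private key for the cert-manager root certificate (sensitive; consumed by regional/cert-manager/istio-csr via terraform_remote_state)" makes the exposure path explicit to whoever maintains the state bucket IAM.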
49 changes: 28 additions & 21 deletions main.tf
@@ -12,6 +12,34 @@ module "datadog" {
project = module.project.id
}

# Kubernetes cert-manager Module (osinfra.io)
# https://github.com/osinfra-io/terraform-kubernetes-cert-manager

module "kubernetes_cert_manager" {
source = "github.com/osinfra-io/terraform-kubernetes-cert-manager?ref=tls"
}

Comment on lines +15 to +21
Contributor

🛠️ Refactor suggestion

⚠️ Potential issue

Module "kubernetes_cert_manager": Validate module source versioning.

The module source is defined as

source = "github.com/osinfra-io/terraform-kubernetes-cert-manager?ref=tls"

which uses the reference tls rather than a semantic version number. This could lead to unexpected changes if the branch is updated. Consider pinning to a specific release tag to ensure stability.

🧰 Tools
🪛 Checkov (3.2.334)

[HIGH] 18-20: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)

# Google Kubernetes Engine Module (osinfra.io)
# https://github.com/osinfra-io/terraform-google-kubernetes-engine

module "kubernetes_engine" {
source = "github.com/osinfra-io/terraform-google-kubernetes-engine?ref=v0.2.2"

namespaces = var.kubernetes_engine_namespaces
project = module.project.id
}

# Kubernetes Istio Module (osinfra.io)
# https://github.com/osinfra-io/terraform-kubernetes-istio

module "kubernetes_istio" {
source = "github.com/osinfra-io/terraform-kubernetes-istio?ref=ecdsa"

gateway_dns = var.kubernetes_istio_gateway_dns
labels = module.helpers.labels
project = module.project.id
}

# Google Project Module (osinfra.io)
# https://github.com/osinfra-io/terraform-google-project

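Review bot: Beyond the branch pin already flagged on lines +15 to +21, the larger design point in this hunk is where the root CA key now lives: `module.kubernetes_cert_manager` exposes `tls_self_signed_cert_cert_manager_root_key`, so this root module's state file holds the private key of the CA that istio-csr will issue workload certificates from. Terraform persists resource attributes such as private key PEMs in state in plaintext whether or not an output is marked sensitive, so the GCS state bucket for this root becomes as sensitive as the CA itself. Confirm that bucket IAM is restricted to the deployer identity, that object versioning or retention does not keep old state copies readable more widely than intended, and that rotation is documented (re-issuing the root currently means a state change here plus a re-apply of every istio-csr root that consumes it).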
@@ -48,24 +76,3 @@ module "project" {
"trafficdirector.googleapis.com"
]
}

# Google Kubernetes Engine Module (osinfra.io)
# https://github.com/osinfra-io/terraform-google-kubernetes-engine

module "kubernetes_engine" {
source = "github.com/osinfra-io/terraform-google-kubernetes-engine?ref=v0.2.2"

namespaces = var.kubernetes_engine_namespaces
project = module.project.id
}

# Kubernetes Istio Module (osinfra.io)
# https://github.com/osinfra-io/terraform-kubernetes-istio

module "kubernetes_istio" {
source = "github.com/osinfra-io/terraform-kubernetes-istio?ref=v0.1.7"

gateway_dns = var.kubernetes_istio_gateway_dns
labels = module.helpers.labels
project = module.project.id
}
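Review bot: This deletion is a relocation of the `kubernetes_engine` and `kubernetes_istio` blocks earlier in the file, but it is not a pure move: `kubernetes_istio` goes from `?ref=v0.1.7` to `?ref=ecdsa`, a change that is easy to miss in the diff and is not covered by the PR title. Please state the reason for that ref change in the PR description and pin it to a release tag once the branch is merged upstream.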
11 changes: 11 additions & 0 deletions outputs.tf
@@ -11,6 +11,17 @@ output "kubernetes_engine_workload_identity_service_account_emails" {
value = module.kubernetes_engine.workload_identity_service_account_emails
}

output "kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_cert" {
description = "The self-signed certificate for the cert-manager root certificate"
value = module.kubernetes_cert_manager.tls_self_signed_cert_cert_manager_root_cert
}

output "kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_key" {
description = "The private key for the cert-manager root certificate"
value = module.kubernetes_cert_manager.tls_self_signed_cert_cert_manager_root_key
sensitive = true
}

output "kubernetes_istio_gateway_mci_global_address" {
description = "The IP address for the Istio Gateway multi-cluster ingress"
value = module.kubernetes_istio.gateway_mci_global_address
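Review bot: `sensitive = true` on the root-key output is correct, and the certificate output can stay non-sensitive since the certificate is public material. Keep in mind that `sensitive` only redacts the value from plan, apply and `terraform output` display; it is still stored in plaintext in state and is returned in full by `terraform output -json` and by any `terraform_remote_state` reader, so it does not by itself narrow who can obtain the key.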
26 changes: 13 additions & 13 deletions regional/cert-manager/.terraform.lock.hcl


2 changes: 1 addition & 1 deletion regional/cert-manager/README.md
@@ -9,7 +9,7 @@ No requirements.

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 6.17.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 6.18.1 |

## Modules

29 changes: 13 additions & 16 deletions regional/cert-manager/istio-csr/.terraform.lock.hcl


10 changes: 7 additions & 3 deletions regional/cert-manager/istio-csr/README.md
@@ -9,14 +9,15 @@ No requirements.

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | 6.17.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 6.18.1 |
| <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_helpers"></a> [helpers](#module\_helpers) | github.com/osinfra-io/terraform-core-helpers//root | v0.1.2 |
| <a name="module_kubernetes_cert_manager_istio_csr"></a> [kubernetes\_cert\_manager\_istio\_csr](#module\_kubernetes\_cert\_manager\_istio\_csr) | github.com/osinfra-io/terraform-kubernetes-cert-manager//regional/istio-csr | v0.1.4 |
| <a name="module_kubernetes_cert_manager_istio_csr"></a> [kubernetes\_cert\_manager\_istio\_csr](#module\_kubernetes\_cert\_manager\_istio\_csr) | github.com/osinfra-io/terraform-kubernetes-cert-manager//regional/istio-csr | tls |

## Resources

@@ -26,10 +27,13 @@ No requirements.
| [google_container_cluster.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source |
| [google_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
| [google_projects.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects) | data source |
| [terraform_remote_state.main](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |

## Inputs

No inputs.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_remote_bucket"></a> [remote\_bucket](#input\_remote\_bucket) | The remote bucket the `terraform_remote_state` data source retrieves the state from | `string` | n/a | yes |

## Outputs

6 changes: 6 additions & 0 deletions regional/cert-manager/istio-csr/locals.tf
@@ -0,0 +1,6 @@
# Local Values
# https://www.terraform.io/docs/language/values/locals.html

locals {
main = data.terraform_remote_state.main.outputs
}
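Review bot: `main = data.terraform_remote_state.main.outputs` creates a hard apply-order dependency: this root can only plan after the `main` workspace for the same environment has been applied with the two new outputs present, and a rename of either output in the main root will surface here as a late `local.main.<name>` attribute error rather than at the source. Consider exposing the two specific outputs as named locals so the failure is localized, and note the ordering requirement in this directory's README.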
22 changes: 19 additions & 3 deletions regional/cert-manager/istio-csr/main.tf
@@ -1,9 +1,25 @@
# Terraform Remote State Datasource
# https://www.terraform.io/docs/language/state/remote-state-data.html

data "terraform_remote_state" "main" {
backend = "gcs"

config = {
bucket = var.remote_bucket
prefix = module.helpers.repository
}

workspace = "main-${module.helpers.environment}"
}

# Kubernetes cert-manager Module (osinfra.io)
# https://github.com/osinfra-io/terraform-kubernetes-cert-manager

module "kubernetes_cert_manager_istio_csr" {
source = "github.com/osinfra-io/terraform-kubernetes-cert-manager//regional/istio-csr?ref=v0.1.4"
source = "github.com/osinfra-io/terraform-kubernetes-cert-manager//regional/istio-csr?ref=tls"

artifact_registry = "us-docker.pkg.dev/plt-lz-services-tf79-prod/plt-docker-virtual"
cluster_prefix = "plt"
artifact_registry = "us-docker.pkg.dev/plt-lz-services-tf79-prod/plt-docker-virtual"
cluster_prefix = "plt"
tls_self_signed_cert_cert_manager_root_cert = local.main.kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_cert
tls_self_signed_cert_cert_manager_root_key = local.main.kubernetes_cert_manager_tls_self_signed_cert_cert_manager_root_key
}
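Review bot: Two things to verify in the `terraform_remote_state` block. First, `workspace = "main-${module.helpers.environment}"` and `prefix = module.helpers.repository` must match exactly the workspace names and state prefix the main root actually writes to in `var.remote_bucket`; a mismatch fails at plan time with an unhelpful missing-output error. Second, this data source requires the istio-csr deployer identity to read the whole main state object, not just the two outputs, so that identity can now read everything in the main state including the CA private key, and once the key is passed to `tls_self_signed_cert_cert_manager_root_key` it is also persisted in this root's own state as a second copy. If the upstream module can consume the CA from an in-cluster Secret instead of input variables, that would avoid the second copy.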
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-ae26-nonprod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-53a5-prod"
@@ -0,0 +1 @@
remote_bucket = "plt-k8s-4312-sb"
7 changes: 7 additions & 0 deletions regional/cert-manager/istio-csr/variables.tf
@@ -0,0 +1,7 @@
# Input Variables
# https://www.terraform.io/language/values/variables

variable "remote_bucket" {
type = string
description = "The remote bucket the `terraform_remote_state` data source retrieves the state from"
}