diff --git a/_examples/basic/main.tf b/_examples/basic/main.tf
index d87dd17..8f39049 100644
--- a/_examples/basic/main.tf
+++ b/_examples/basic/main.tf
@@ -166,13 +166,15 @@ module "addons" {
aws_node_termination_handler = true
aws_efs_csi_driver = true
aws_ebs_csi_driver = true
- karpenter = false
- calico_tigera = false
+ kube_state_metrics = true
+ karpenter = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
+ calico_tigera = true
+ new_relic = true
kubeclarity = true
ingress_nginx = true
fluent_bit = true
- velero = true
keda = true
+ certification_manager = true
# -- Addons with mandatory variable
istio_ingress = true
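Review bot: The inline comment added to the `karpenter` line reads as an instruction and its wording is ambiguous ("comment line"); `# -- false (or removing this line) uninstalls Karpenter when this module installed it` says the same thing more plainly. `new_relic = true` is switched on here with no helm override, whereas the complete example feeds `override-new-relic.yaml` to that addon; if the addon needs settings from that override to deploy, the basic example will not apply cleanly — worth confirming against the addon's defaults. The enclosing `module "addons"` block starts before this hunk.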
@@ -180,7 +182,9 @@ module "addons" {
kiali_server = true
kiali_manifests = var.kiali_manifests
external_secrets = true
+ velero = true
+ velero_extra_configs = {
+ bucket_name = "velero-addons"
+ }
- # -- Extra helm_release attributes
- velero_extra_configs = var.velero_extra_configs
}
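Review bot: `bucket_name = "velero-addons"` pins a globally unique S3 name into a shared example: if the velero addon creates the bucket, every user after the first hits a name conflict, and if it only references an existing bucket, backups could end up in a bucket owned by someone else. Derive it from something unique to the deployment, e.g. `bucket_name = "velero-${module.eks.cluster_name}-backups"` (constructed; adjust to the reference available in this example). Replacing the variable also drops the `timeout = 300` and `atomic = true` values its default carried — if that is intended, a one-line comment saying so avoids the question later. `module "addons"` starts before this hunk.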
diff --git a/_examples/basic/variables.tf b/_examples/basic/variables.tf
index d2c333f..267b127 100644
--- a/_examples/basic/variables.tf
+++ b/_examples/basic/variables.tf
@@ -22,14 +22,4 @@ variable "kiali_manifests" {
kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
}
description = "Path to VirtualService manifest for kiali-dashboard"
-}
-
-#------------ EXTRA CONFIGS -----------
-variable "velero_extra_configs" {
- type = any
- default = {
- timeout = 300
- atomic = true
- bucket_name = "velero-addons"
- }
}
\ No newline at end of file
diff --git a/_examples/complete/config/external-secret/external-secret.yaml b/_examples/complete/config/external-secret/external-secret.yaml
index a614a1f..edc6218 100644
--- a/_examples/complete/config/external-secret/external-secret.yaml
+++ b/_examples/complete/config/external-secret/external-secret.yaml
@@ -9,10 +9,10 @@ spec:
name: external-secrets-store # -- Provide previously created secret store name
kind: SecretStore
target:
- name: externalsecret-data # -- Name of secret which will contain data specified below
+ name: externalsecret-data # -- Name of Kubernetes secret which will contain data specified below
creationPolicy: Owner
data:
- - secretKey: do_not_delete_this_key # -- AWS Secret-Manager secret key
+ - secretKey: external_secret_key # -- Kubernetes Secret `externalsecret-data` KEY name
remoteRef:
- key: external_secrets # -- Same as 'externalsecrets_manifest["secret_manager_name"]
- property: do_not_delete_this_key # -- AWS Secret-Manager secret key
\ No newline at end of file
+ key: external_secrets_addon # -- AWS Secret Name, same as `var.external_secrets_extra_configs.secret_manager_name`
+ property: external_secret # -- AWS Secret-Manager secret key
\ No newline at end of file
diff --git a/_examples/complete/config/override-certification-manager.yaml b/_examples/complete/config/override-certification-manager.yaml
new file mode 100644
index 0000000..3874dd0
--- /dev/null
+++ b/_examples/complete/config/override-certification-manager.yaml
@@ -0,0 +1,21 @@
+## Node affinity for particular node in which labels key is "Infra-Services" and value is "true"
+
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "eks.amazonaws.com/nodegroup"
+ operator: In
+ values:
+ - "critical"
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 250Mi
+ requests:
+ cpu: 50m
+ memory: 150Mi
+
+installCRDs: true
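Review bot: The header comment says the affinity targets nodes labelled `Infra-Services: "true"`, but the expression below matches `eks.amazonaws.com/nodegroup In ["critical"]`; change it to `## Node affinity: schedule only onto nodes of the EKS nodegroup named "critical"`. `installCRDs: true` hands the CRD lifecycle to the Helm release, so uninstalling the release removes the cert-manager CRDs and, with them, every Certificate and Issuer object in the cluster; a comment above that line noting this is worth adding so the trade-off is visible to whoever copies the override.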
diff --git a/_examples/complete/custom-iam-policies/external-secrets.json b/_examples/complete/custom-iam-policies/external-secrets.json
new file mode 100644
index 0000000..6ecfff9
--- /dev/null
+++ b/_examples/complete/custom-iam-policies/external-secrets.json
@@ -0,0 +1,14 @@
+{
+ "Statement": [
+ {
+ "Action": [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": "ExternalSecretsDefault"
+ }
+ ],
+ "Version": "2012-10-17"
+}
\ No newline at end of file
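Review bot: `"Resource": "*"` grants `secretsmanager:GetSecretValue` on every secret in the account to the external-secrets service account, far wider than the single secret the example reads. Scope it to that secret's ARN, e.g. `"Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:external_secrets_addon-*"` (placeholders to fill in; the `-*` suffix accounts for the random suffix Secrets Manager appends to secret ARNs). If more secrets must be readable later, a prefix- or tag-based condition is still narrower than a wildcard resource.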
diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf
index d95af57..89b11f2 100644
--- a/_examples/complete/main.tf
+++ b/_examples/complete/main.tf
@@ -167,7 +167,8 @@ module "addons" {
fluent_bit = true
velero = true
keda = true
- filebeat = true
+ certification_manager = true
+ filebeat = true
# -- Addons with mandatory variable
istio_ingress = true
@@ -195,6 +196,7 @@ module "addons" {
new_relic_helm_config = { values = [file("./config/override-new-relic.yaml")] }
kube_state_metrics_helm_config = { values = [file("./config/override-kube-state-matrics.yaml")] }
keda_helm_config = { values = [file("./config/keda/override-keda.yaml")] }
+ certification_manager_helm_config = { values = [file("./config/override-certification-manager.yaml")] }
filebeat_helm_config = { values = [file("./config/override-filebeat.yaml")] }
# -- Override Helm Release attributes
@@ -216,30 +218,12 @@ module "addons" {
kube_state_metrics_extra_configs = var.kube_state_metrics_extra_configs
keda_extra_configs = var.keda_extra_configs
filebeat_extra_configs = var.filebeat_extra_configs
-
- external_secrets_extra_configs = {
- irsa_assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : module.eks.oidc_provider_arn
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
- })
- secret_manager_name = "external_secrets_addon"
- }
+ certification_manager_extra_configs = var.certification_manager_extra_configs
+ external_secrets_extra_configs = var.external_secrets_extra_configs
# -- Custom IAM Policy Json for Addon's ServiceAccount
cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
+ external_secrets_iampolicy_json_content = file("./custom-iam-policies/external-secrets.json")
}
module "addons-internal" {
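Review bot: With the inline `irsa_assume_role_policy` gone, the trust policy of the external-secrets role is now whatever the addon module builds by default, and this commit pairs that role with an IAM policy whose resource is `*`; confirm the default trust policy conditions on the service account's `sub` claim as well as `aud`, otherwise the role is assumable by other workloads in the cluster, not just external-secrets. `external_secrets_extra_configs = var.external_secrets_extra_configs` keeps only `secret_manager_name` in the variable default, so a short comment on that line such as `# -- secret_manager_name must match remoteRef.key in config/external-secret/external-secret.yaml` would spare the next reader a search. `module "addons"` starts before this hunk.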
diff --git a/_examples/complete/outputs.tf b/_examples/complete/outputs.tf
index 16df25d..aaa8146 100644
--- a/_examples/complete/outputs.tf
+++ b/_examples/complete/outputs.tf
@@ -15,4 +15,8 @@ output "update_kubeconfig" {
output "velero_post_installation" {
value = indent(2, "Once velero server is up and running you need the client before you can use it - \n 1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz \n 2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client")
+}
+
+output "istio-ingress" {
+ value = indent(2, "Istio does not support the installation of istio-helmchart in a namespace other than istio-system. We have provided a namespace feature in case Istio-helmchart maintainers fix this issue.")
}
\ No newline at end of file
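Review bot: The new output is named `istio-ingress` while the surrounding outputs use snake_case (`velero_post_installation`, `update_kubeconfig`); rename it to `output "istio_ingress"` so consumers address outputs consistently. The value is a static explanatory string rather than a computed attribute, so a `description` stating that it is informational only would make its purpose clear in `terraform output`.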
diff --git a/_examples/complete/variables.tf b/_examples/complete/variables.tf
index 5461dd9..81a6e69 100644
--- a/_examples/complete/variables.tf
+++ b/_examples/complete/variables.tf
@@ -99,6 +99,13 @@ variable "keda_extra_configs" {
default = {}
}
+# ------------------ CERTIFICATION-MANAGER -----------------------------------------------------
+variable "certification_manager_extra_configs" {
+ type = any
+ default = {}
+}
+
+
# ------------------ ISTIO INGRESS ---------------------------------------------
# -- INTERNET FACING --------------
variable "istio_manifests" {
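Review bot: `variable "certification_manager_extra_configs"` carries no `description` in the visible lines, while the addon README added in this commit documents the input as overriding `helm_release` attributes; add `description = "Override attributes of the cert-manager helm_release resource"` so `terraform-docs` and the README stay in agreement. The two blank lines inserted before the ISTIO INGRESS banner are one more than the neighbouring sections use.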
@@ -138,13 +145,11 @@ variable "istio_manifests_internal" {
variable "istio_ingress_extra_configs_internal" {
type = any
default = {
- name = "istio-ingress-internal"
- namespace = "istio-system"
- istiobase_release_name = "base-internal"
- istiod_release_name = "istiod-internal"
- create_namespace = true
- install_istiobase = false
- install_istiod = false
+ name = "istio-ingress-internal"
+ namespace = "istio-system"
+ create_namespace = false
+ install_istiobase = false
+ install_istiod = false
}
}
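Review bot: Setting `create_namespace = false` in this default makes the internal istio ingress depend on `istio-system` already existing, presumably created by the internet-facing `istio_ingress` addon; nothing here records that, so enabling only the internal variant would fail on the missing namespace. Add `# istio-system is created by the internet-facing istio_ingress addon; keep it enabled or create the namespace beforehand` above the `default` block. Dropping `istiobase_release_name` and `istiod_release_name` is consistent with `install_istiobase`/`install_istiod` both being false.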
@@ -163,6 +168,14 @@ variable "kiali_server_extra_configs" {
default = {}
}
+# ------------------ EXTERNAL SECRETS ------------------------------------------
+variable "external_secrets_extra_configs" {
+ type = any
+ default = {
+ secret_manager_name = "external_secrets_addon"
+ }
+}
+
# ------------------ FILEBEAT -------------------------------------------------
variable "filebeat_extra_configs" {
type = any
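Review bot: `variable "external_secrets_extra_configs"` has no `description`, and its default `secret_manager_name = "external_secrets_addon"` silently has to match `remoteRef.key` in `config/external-secret/external-secret.yaml`; add `description = "Overrides for the external-secrets addon; secret_manager_name must match remoteRef.key in the ExternalSecret manifest"`. `type = any` also means a misspelt key is not caught at plan time — if the accepted keys are known, an `object` type with `optional()` attributes would surface typos.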
diff --git a/addons/aws-ebs-csi-driver/locals.tf b/addons/aws-ebs-csi-driver/locals.tf
index 0b7d0a8..f11d937 100644
--- a/addons/aws-ebs-csi-driver/locals.tf
+++ b/addons/aws-ebs-csi-driver/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.aws_ebs_csi_driver_extra_configs.lint, "false")
repository_key_file = try(var.aws_ebs_csi_driver_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_ebs_csi_driver_extra_configs.repository_cert_file, "")
- repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
+ repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_username, "")
repository_password = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
verify = try(var.aws_ebs_csi_driver_extra_configs.verify, "false")
keyring = try(var.aws_ebs_csi_driver_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.aws_ebs_csi_driver_extra_configs.replace, "false")
}
- aws_ebs_csi_driver_extra_configs = var.aws_ebs_csi_driver_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.aws_ebs_csi_driver_extra_configs
)
}
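Review bot: Dropping `local.aws_ebs_csi_driver_extra_configs` from the `merge()` means `var.aws_ebs_csi_driver_extra_configs` now reaches `helm_config` only through the keys enumerated via `try()` in `default_helm_config`; any key a caller passes that is not listed there is now silently ignored, which the new cert-manager README's description of extra_configs ("override attributes of helm_release") does not suggest. If the narrowing is intended, a comment above `helm_config = merge(` such as `# extra_configs keys must be declared in default_helm_config to take effect` makes it explicit. The same change appears in `aws-load-balancer-controller/locals.tf`, `aws-node-termination-handler/locals.tf` and `calico-tigera/locals.tf`, while `aws-efs-csi-driver/locals.tf` only receives the `repository_username` fix — worth checking whether that file still carries the merge. `locals {` starts before this hunk.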
diff --git a/addons/aws-ebs-csi-driver/main.tf b/addons/aws-ebs-csi-driver/main.tf
index 2c4b451..9aaba35 100644
--- a/addons/aws-ebs-csi-driver/main.tf
+++ b/addons/aws-ebs-csi-driver/main.tf
@@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context
- depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "controller.serviceAccount.create"
@@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
-}
+}
\ No newline at end of file
diff --git a/addons/aws-efs-csi-driver/locals.tf b/addons/aws-efs-csi-driver/locals.tf
index 2d87f9c..300af00 100644
--- a/addons/aws-efs-csi-driver/locals.tf
+++ b/addons/aws-efs-csi-driver/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.aws_efs_csi_driver_extra_configs.lint, "false")
repository_key_file = try(var.aws_efs_csi_driver_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_efs_csi_driver_extra_configs.repository_cert_file, "")
- repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
+ repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_username, "")
repository_password = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
verify = try(var.aws_efs_csi_driver_extra_configs.verify, "false")
keyring = try(var.aws_efs_csi_driver_extra_configs.keyring, "")
diff --git a/addons/aws-efs-csi-driver/main.tf b/addons/aws-efs-csi-driver/main.tf
index 905822e..36a236f 100644
--- a/addons/aws-efs-csi-driver/main.tf
+++ b/addons/aws-efs-csi-driver/main.tf
@@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context
- depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "image.repository"
@@ -93,12 +92,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
-}
+}
\ No newline at end of file
diff --git a/addons/aws-load-balancer-controller/locals.tf b/addons/aws-load-balancer-controller/locals.tf
index 5f057a9..4e95e0f 100644
--- a/addons/aws-load-balancer-controller/locals.tf
+++ b/addons/aws-load-balancer-controller/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.aws_load_balancer_controller_extra_configs.lint, "false")
repository_key_file = try(var.aws_load_balancer_controller_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_load_balancer_controller_extra_configs.repository_cert_file, "")
- repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
+ repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_username, "")
repository_password = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
verify = try(var.aws_load_balancer_controller_extra_configs.verify, "false")
keyring = try(var.aws_load_balancer_controller_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.aws_load_balancer_controller_extra_configs.replace, "false")
}
- aws_load_balancer_controller_extra_configs = var.aws_load_balancer_controller_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.aws_load_balancer_controller_extra_configs
)
}
diff --git a/addons/aws-load-balancer-controller/main.tf b/addons/aws-load-balancer-controller/main.tf
index 83b168e..e82364c 100644
--- a/addons/aws-load-balancer-controller/main.tf
+++ b/addons/aws-load-balancer-controller/main.tf
@@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context
- depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "clusterName"
@@ -289,12 +288,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
-}
+}
\ No newline at end of file
diff --git a/addons/aws-node-termination-handler/locals.tf b/addons/aws-node-termination-handler/locals.tf
index 7078b1b..8aef89d 100644
--- a/addons/aws-node-termination-handler/locals.tf
+++ b/addons/aws-node-termination-handler/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.aws_node_termination_handler_extra_configs.lint, "false")
repository_key_file = try(var.aws_node_termination_handler_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_node_termination_handler_extra_configs.repository_cert_file, "")
- repository_username = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
+ repository_username = try(var.aws_node_termination_handler_extra_configs.repository_username, "")
repository_password = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
verify = try(var.aws_node_termination_handler_extra_configs.verify, "false")
keyring = try(var.aws_node_termination_handler_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.aws_node_termination_handler_extra_configs.replace, "false")
}
- aws_node_termination_handler_extra_configs = var.aws_node_termination_handler_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.aws_node_termination_handler_extra_configs
)
}
diff --git a/addons/aws-node-termination-handler/main.tf b/addons/aws-node-termination-handler/main.tf
index ff859df..7c7af3d 100644
--- a/addons/aws-node-termination-handler/main.tf
+++ b/addons/aws-node-termination-handler/main.tf
@@ -4,14 +4,4 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context
-
- depends_on = [kubernetes_namespace_v1.this]
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
}
diff --git a/addons/calico-tigera/locals.tf b/addons/calico-tigera/locals.tf
index af782ae..3ecfbf2 100644
--- a/addons/calico-tigera/locals.tf
+++ b/addons/calico-tigera/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.calico_tigera_extra_configs.lint, "false")
repository_key_file = try(var.calico_tigera_extra_configs.repository_key_file, "")
repository_cert_file = try(var.calico_tigera_extra_configs.repository_cert_file, "")
- repository_username = try(var.calico_tigera_extra_configs.repository_password, "")
+ repository_username = try(var.calico_tigera_extra_configs.repository_username, "")
repository_password = try(var.calico_tigera_extra_configs.repository_password, "")
verify = try(var.calico_tigera_extra_configs.verify, "false")
keyring = try(var.calico_tigera_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
replace = try(var.calico_tigera_extra_configs.replace, "false")
}
- calico_tigera_extra_configs = var.calico_tigera_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.calico_tigera_extra_configs
)
}
\ No newline at end of file
diff --git a/addons/calico-tigera/main.tf b/addons/calico-tigera/main.tf
index dab205d..ff73b9f 100644
--- a/addons/calico-tigera/main.tf
+++ b/addons/calico-tigera/main.tf
@@ -4,17 +4,6 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context
-
- depends_on = [kubernetes_namespace.this]
-
-}
-
-resource "kubernetes_namespace" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
}
resource "kubectl_manifest" "calico_node" {
diff --git a/addons/cert-manager/README.md b/addons/cert-manager/README.md
new file mode 100644
index 0000000..81e85de
--- /dev/null
+++ b/addons/cert-manager/README.md
@@ -0,0 +1,62 @@
+# Certification Manager Helm Chart
+
+Certification Manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.
+It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry..
+
+## Installation
+Below terraform script shows how to use Certification Manager Terraform Addon, A complete example is also given [here](https://github.com/clouddrove/terraform-helm-eks-addons/blob/master/_examples/complete/main.tf).
+```hcl
+module "addons" {
+ source = "clouddrove/eks-addons/aws"
+ version = "0.1.0"
+
+ depends_on = [module.eks]
+ eks_cluster_name = module.eks.cluster_name
+
+ certification_manager = true
+}
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [kubernetes](#provider\_kubernetes) | >= 2.10 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [helm\_addon](#module\_helm\_addon) | ../helm | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_namespace_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes |
+| [helm\_config](#input\_helm\_config) | Helm provider config for Certification Manager | `any` | `{}` | no |
+| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
+| [certification_manager\_extra\_configs](#input\certification_manager\_extra\_configs) | Override attributes of helm\_release terraform resource | `any` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [chart\_version](#output\_chart\_version) | n/a |
+| [namespace](#output\_namespace) | n/a |
+| [repository](#output\_repository) | n/a |
+
diff --git a/addons/cert-manager/config/certification_manager.yaml b/addons/cert-manager/config/certification_manager.yaml
new file mode 100644
index 0000000..2d47d71
--- /dev/null
+++ b/addons/cert-manager/config/certification_manager.yaml
@@ -0,0 +1,737 @@
+# Default values for cert-manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+global:
+ # Reference to one or more secrets to be used when pulling images
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ imagePullSecrets: []
+ # - name: "image-pull-secret"
+
+ # Labels to apply to all resources
+ # Please note that this does not add labels to the resources created dynamically by the controllers.
+ # For these resources, you have to add the labels in the template in the cert-manager custom resource:
+ # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
+ # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
+ # eg. secretTemplate in CertificateSpec
+ # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+ commonLabels: {}
+ # team_name: dev
+
+ # Optional priority class to be used for the cert-manager pods
+ priorityClassName: ""
+ rbac:
+ create: true
+ # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ aggregateClusterRoles: true
+
+ podSecurityPolicy:
+ enabled: false
+ useAppArmor: true
+
+ # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
+ logLevel: 2
+
+ leaderElection:
+ # Override the namespace used for the leader election lease
+ namespace: "kube-system"
+
+ # The duration that non-leader candidates will wait after observing a
+ # leadership renewal until attempting to acquire leadership of a led but
+ # unrenewed leader slot. This is effectively the maximum duration that a
+ # leader can be stopped before it is replaced by another candidate.
+ # leaseDuration: 60s
+
+ # The interval between attempts by the acting master to renew a leadership
+ # slot before it stops leading. This must be less than or equal to the
+ # lease duration.
+ # renewDeadline: 40s
+
+ # The duration the clients should wait between attempting acquisition and
+ # renewal of a leadership.
+ # retryPeriod: 15s
+
+installCRDs: false
+
+replicaCount: 1
+
+strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 0
+ # maxUnavailable: 1
+
+podDisruptionBudget:
+ enabled: false
+
+ # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
+ # or a percentage value (e.g. 25%)
+ # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1`
+ # minAvailable: 1
+ # maxUnavailable: 1
+
+# Comma separated list of feature gates that should be enabled on the
+# controller pod.
+featureGates: ""
+
+# The maximum number of challenges that can be scheduled as 'processing' at once
+maxConcurrentChallenges: 60
+
+image:
+ repository: quay.io/jetstack/cert-manager-controller
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-controller
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+ pullPolicy: IfNotPresent
+
+# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
+# resources. By default, the same namespace as cert-manager is deployed within is
+# used. This namespace will not be automatically created by the Helm chart.
+clusterResourceNamespace: ""
+
+# This namespace allows you to define where the services will be installed into
+# if not set then they will use the namespace of the release
+# This is helpful when installing cert manager as a chart dependency (sub chart)
+namespace: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # name: ""
+ # Optional additional annotations to add to the controller's ServiceAccount
+ # annotations: {}
+ # Automount API credentials for a Service Account.
+ # Optional additional labels to add to the controller's ServiceAccount
+ # labels: {}
+ automountServiceAccountToken: true
+
+# Automounting API credentials for a particular pod
+# automountServiceAccountToken: true
+
+# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
+enableCertificateOwnerRef: false
+
+# Used to configure options for the controller pod.
+# This allows setting options that'd usually be provided via flags.
+# An APIVersion and Kind must be specified in your values.yaml file.
+# Flags will override options that are set here.
+config:
+# apiVersion: controller.config.cert-manager.io/v1alpha1
+# kind: ControllerConfiguration
+# logging:
+# verbosity: 2
+# format: text
+# leaderElectionConfig:
+# namespace: kube-system
+# kubernetesAPIQPS: 9000
+# kubernetesAPIBurst: 9000
+# numberOfConcurrentWorkers: 200
+# featureGates:
+# additionalCertificateOutputFormats: true
+# experimentalCertificateSigningRequestControllers: true
+# experimentalGatewayAPISupport: true
+# serverSideApply: true
+# literalCertificateSubject: true
+# useCertificateRequestBasicConstraints: true
+
+# Setting Nameservers for DNS01 Self Check
+# See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
+
+# Comma separated string with host and port of the recursive nameservers cert-manager should query
+dns01RecursiveNameservers: ""
+
+# Forces cert-manager to only use the recursive nameservers for verification.
+# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
+dns01RecursiveNameserversOnly: false
+
+# Additional command line flags to pass to cert-manager controller binary.
+# To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help
+extraArgs: []
+ # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver
+ # - --controllers=*,-certificaterequests-approver
+
+extraEnv: []
+# - name: SOME_VAR
+# value: 'some value'
+
+resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+# Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+# Container Security Context to be set on the controller component container
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+
+
+volumes: []
+
+volumeMounts: []
+
+# Optional additional annotations to add to the controller Deployment
+# deploymentAnnotations: {}
+
+# Optional additional annotations to add to the controller Pods
+# podAnnotations: {}
+
+podLabels: {}
+
+# Optional annotations to add to the controller Service
+# serviceAnnotations: {}
+
+# Optional additional labels to add to the controller Service
+# serviceLabels: {}
+
+# Optional DNS settings, useful if you have a public and private DNS zone for
+# the same domain on Route 53. What follows is an example of ensuring
+# cert-manager can access an ingress or DNS TXT records at all times.
+# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
+# the cluster to work.
+# podDnsPolicy: "None"
+# podDnsConfig:
+# nameservers:
+# - "1.1.1.1"
+# - "8.8.8.8"
+
+nodeSelector:
+ kubernetes.io/os: linux
+
+ingressShim: {}
+ # defaultIssuerName: ""
+ # defaultIssuerKind: ""
+ # defaultIssuerGroup: ""
+
+prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: false
+ prometheusInstance: default
+ targetPort: 9402
+ path: /metrics
+ interval: 60s
+ scrapeTimeout: 30s
+ labels: {}
+ annotations: {}
+ honorLabels: false
+ endpointAdditionalProperties: {}
+
+# Use these variables to configure the HTTP_PROXY environment variables
+# http_proxy: "http://proxy:8080"
+# https_proxy: "https://proxy:8080"
+# no_proxy: 127.0.0.1,localhost
+
+# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
+# for example:
+# affinity:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: foo.bar.com/role
+# operator: In
+# values:
+# - master
+affinity: {}
+
+# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
+# for example:
+# tolerations:
+# - key: foo.bar.com/role
+# operator: Equal
+# value: master
+# effect: NoSchedule
+tolerations: []
+
+# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
+# for example:
+# topologySpreadConstraints:
+# - maxSkew: 2
+# topologyKey: topology.kubernetes.io/zone
+# whenUnsatisfiable: ScheduleAnyway
+# labelSelector:
+# matchLabels:
+# app.kubernetes.io/instance: cert-manager
+# app.kubernetes.io/component: controller
+topologySpreadConstraints: []
+
+# LivenessProbe settings for the controller container of the controller Pod.
+#
+# Disabled by default, because the controller has a leader election mechanism
+# which should cause it to exit if it is unable to renew its leader election
+# record.
+# LivenessProbe durations and thresholds are based on those used for the Kubernetes
+# controller-manager. See:
+# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
+livenessProbe:
+ enabled: false
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 8
+
+# enableServiceLinks indicates whether information about services should be
+# injected into pod's environment variables, matching the syntax of Docker
+# links.
+enableServiceLinks: false
+
+webhook:
+ replicaCount: 1
+ timeoutSeconds: 10
+
+ # Used to configure options for the webhook pod.
+ # This allows setting options that'd usually be provided via flags.
+ # An APIVersion and Kind must be specified in your values.yaml file.
+ # Flags will override options that are set here.
+ config:
+ # apiVersion: webhook.config.cert-manager.io/v1alpha1
+ # kind: WebhookConfiguration
+
+ # The port that the webhook should listen on for requests.
+ # In GKE private clusters, by default kubernetes apiservers are allowed to
+ # talk to the cluster nodes only on 443 and 10250. so configuring
+ # securePort: 10250, will work out of the box without needing to add firewall
+ # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
+ # This should be uncommented and set as a default by the chart once we graduate
+ # the apiVersion of WebhookConfiguration past v1alpha1.
+ # securePort: 10250
+
+ strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 0
+ # maxUnavailable: 1
+
+ # Pod Security Context to be set on the webhook component Pod
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+ podDisruptionBudget:
+ enabled: false
+
+ # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
+ # or a percentage value (e.g. 25%)
+ # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1`
+ # minAvailable: 1
+ # maxUnavailable: 1
+
+ # Container Security Context to be set on the webhook component container
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+
+ # Optional additional annotations to add to the webhook Deployment
+ # deploymentAnnotations: {}
+
+ # Optional additional annotations to add to the webhook Pods
+ # podAnnotations: {}
+
+ # Optional additional annotations to add to the webhook Service
+ # serviceAnnotations: {}
+
+ # Optional additional annotations to add to the webhook MutatingWebhookConfiguration
+ # mutatingWebhookConfigurationAnnotations: {}
+
+ # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
+ # validatingWebhookConfigurationAnnotations: {}
+
+ # Additional command line flags to pass to cert-manager webhook binary.
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help
+ extraArgs: []
+ # Path to a file containing a WebhookConfiguration object used to configure the webhook
+ # - --config=
+
+ # Comma separated list of feature gates that should be enabled on the
+ # webhook pod.
+ featureGates: ""
+
+ resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ ## Liveness and readiness probe values
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ##
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ affinity: {}
+
+ tolerations: []
+
+ topologySpreadConstraints: []
+
+ # Optional additional labels to add to the Webhook Pods
+ podLabels: {}
+
+ # Optional additional labels to add to the Webhook Service
+ serviceLabels: {}
+
+ image:
+ repository: quay.io/jetstack/cert-manager-webhook
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-webhook
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ pullPolicy: IfNotPresent
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # name: ""
+ # Optional additional annotations to add to the controller's ServiceAccount
+ # annotations: {}
+ # Optional additional labels to add to the webhook's ServiceAccount
+ # labels: {}
+ # Automount API credentials for a Service Account.
+ automountServiceAccountToken: true
+
+ # Automounting API credentials for a particular pod
+ # automountServiceAccountToken: true
+
+ # The port that the webhook should listen on for requests.
+ # In GKE private clusters, by default kubernetes apiservers are allowed to
+ # talk to the cluster nodes only on 443 and 10250. so configuring
+ # securePort: 10250, will work out of the box without needing to add firewall
+ # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
+ securePort: 10250
+
+ # Specifies if the webhook should be started in hostNetwork mode.
+ #
+ # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
+ # CNI (such as calico), because control-plane managed by AWS cannot communicate
+ # with pods' IP CIDR and admission webhooks are not working
+ #
+ # Since the default port for the webhook conflicts with kubelet on the host
+ # network, `webhook.securePort` should be changed to an available port if
+ # running in hostNetwork mode.
+ hostNetwork: false
+
+ # Specifies how the service should be handled. Useful if you want to expose the
+ # webhook to outside of the cluster. In some cases, the control plane cannot
+ # reach internal services.
+ serviceType: ClusterIP
+ # loadBalancerIP:
+
+ # Overrides the mutating webhook and validating webhook so they reach the webhook
+ # service using the `url` field instead of a service.
+ url: {}
+ # host:
+
+ # Enables default network policies for webhooks.
+ networkPolicy:
+ enabled: false
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ egress:
+ - ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ # On OpenShift and OKD, the Kubernetes API server listens on
+ # port 6443.
+ - port: 6443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+ volumes: []
+ volumeMounts: []
+
+ # enableServiceLinks indicates whether information about services should be
+ # injected into pod's environment variables, matching the syntax of Docker
+ # links.
+ enableServiceLinks: false
+
+cainjector:
+ enabled: true
+ replicaCount: 1
+
+ strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 0
+ # maxUnavailable: 1
+
+ # Pod Security Context to be set on the cainjector component Pod
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+ podDisruptionBudget:
+ enabled: false
+
+ # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
+ # or a percentage value (e.g. 25%)
+ # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1`
+ # minAvailable: 1
+ # maxUnavailable: 1
+
+ # Container Security Context to be set on the cainjector component container
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+
+
+ # Optional additional annotations to add to the cainjector Deployment
+ # deploymentAnnotations: {}
+
+ # Optional additional annotations to add to the cainjector Pods
+ # podAnnotations: {}
+
+ # Additional command line flags to pass to cert-manager cainjector binary.
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help
+ extraArgs: []
+ # Enable profiling for cainjector
+ # - --enable-profiling=true
+
+ resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ affinity: {}
+
+ tolerations: []
+
+ topologySpreadConstraints: []
+
+ # Optional additional labels to add to the CA Injector Pods
+ podLabels: {}
+
+ image:
+ repository: quay.io/jetstack/cert-manager-cainjector
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-cainjector
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ pullPolicy: IfNotPresent
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # name: ""
+ # Optional additional annotations to add to the controller's ServiceAccount
+ # annotations: {}
+ # Automount API credentials for a Service Account.
+ # Optional additional labels to add to the cainjector's ServiceAccount
+ # labels: {}
+ automountServiceAccountToken: true
+
+ # Automounting API credentials for a particular pod
+ # automountServiceAccountToken: true
+
+ volumes: []
+ volumeMounts: []
+
+ # enableServiceLinks indicates whether information about services should be
+ # injected into pod's environment variables, matching the syntax of Docker
+ # links.
+ enableServiceLinks: false
+
+acmesolver:
+ image:
+ repository: quay.io/jetstack/cert-manager-acmesolver
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-acmesolver
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+# This startupapicheck is a Helm post-install hook that waits for the webhook
+# endpoints to become available.
+# The check is implemented using a Kubernetes Job- if you are injecting mesh
+# sidecar proxies into cert-manager pods, you probably want to ensure that they
+# are not injected into this Job's pod. Otherwise the installation may time out
+# due to the Job never being completed because the sidecar proxy does not exit.
+# See https://github.com/cert-manager/cert-manager/pull/4414 for context.
+startupapicheck:
+ enabled: true
+
+ # Pod Security Context to be set on the startupapicheck component Pod
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+ # Container Security Context to be set on the controller component container
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+
+ # Timeout for 'kubectl check api' command
+ timeout: 1m
+
+ # Job backoffLimit
+ backoffLimit: 4
+
+ # Optional additional annotations to add to the startupapicheck Job
+ jobAnnotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Optional additional annotations to add to the startupapicheck Pods
+ # podAnnotations: {}
+
+ # Additional command line flags to pass to startupapicheck binary.
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help
+ extraArgs: []
+
+ resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ affinity: {}
+
+ tolerations: []
+
+ # Optional additional labels to add to the startupapicheck Pods
+ podLabels: {}
+
+ image:
+ repository: quay.io/jetstack/cert-manager-ctl
+ # You can manage a registry with
+ # registry: quay.io
+ # repository: jetstack/cert-manager-ctl
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # tag: canary
+
+ # Setting a digest will override any tag
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ pullPolicy: IfNotPresent
+
+ rbac:
+ # annotations for the startup API Check job RBAC and PSP resources
+ annotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "-5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Automounting API credentials for a particular pod
+ # automountServiceAccountToken: true
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # name: ""
+
+ # Optional additional annotations to add to the Job's ServiceAccount
+ annotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "-5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Automount API credentials for a Service Account.
+ automountServiceAccountToken: true
+
+ # Optional additional labels to add to the startupapicheck's ServiceAccount
+ # labels: {}
+
+ volumes: []
+ volumeMounts: []
+
+ # enableServiceLinks indicates whether information about services should be
+ # injected into pod's environment variables, matching the syntax of Docker
+ # links.
+ enableServiceLinks: false
diff --git a/addons/cert-manager/locals.tf b/addons/cert-manager/locals.tf
new file mode 100644
index 0000000..bd2261e
--- /dev/null
+++ b/addons/cert-manager/locals.tf
@@ -0,0 +1,41 @@
+locals {
+ name = "cert-manager"
+
+ default_helm_config = {
+ name = try(var.certification_manager_extra_configs.name, local.name)
+ chart = try(var.certification_manager_extra_configs.chart, local.name)
+ repository = try(var.certification_manager_extra_configs.repository, "https://charts.jetstack.io")
+ version = try(var.certification_manager_extra_configs.version, "1.13.1")
+ namespace = try(var.certification_manager_extra_configs.namespace, "cert-manager")
+ create_namespace = try(var.certification_manager_extra_configs.create_namespace, true)
+ description = "Certification manager helm Chart deployment configuration"
+ timeout = try(var.certification_manager_extra_configs.timeout, "600")
+ lint = try(var.certification_manager_extra_configs.lint, "false")
+ repository_key_file = try(var.certification_manager_extra_configs.repository_key_file, "")
+ repository_cert_file = try(var.certification_manager_extra_configs.repository_cert_file, "")
+ repository_username = try(var.certification_manager_extra_configs.repository_username, "")
+ repository_password = try(var.certification_manager_extra_configs.repository_password, "")
+ verify = try(var.certification_manager_extra_configs.verify, "false")
+ keyring = try(var.certification_manager_extra_configs.keyring, "")
+ disable_webhooks = try(var.certification_manager_extra_configs.disable_webhooks, "false")
+ reuse_values = try(var.certification_manager_extra_configs.reuse_values, "false")
+ reset_values = try(var.certification_manager_extra_configs.reset_values, "false")
+ force_update = try(var.certification_manager_extra_configs.force_update, "false")
+ recreate_pods = try(var.certification_manager_extra_configs.recreate_pods, "false")
+ cleanup_on_fail = try(var.certification_manager_extra_configs.cleanup_on_fail, "false")
+ max_history = try(var.certification_manager_extra_configs.max_history, "0")
+ atomic = try(var.certification_manager_extra_configs.atomic, "false")
+ skip_crds = try(var.certification_manager_extra_configs.skip_crds, "false")
+ render_subchart_notes = try(var.certification_manager_extra_configs.render_subchart_notes, "true")
+ disable_openapi_validation = try(var.certification_manager_extra_configs.disable_openapi_validation, "false")
+ wait = try(var.certification_manager_extra_configs.wait, "true")
+ wait_for_jobs = try(var.certification_manager_extra_configs.wait_for_jobs, "false")
+ dependency_update = try(var.certification_manager_extra_configs.dependency_update, "false")
+ replace = try(var.certification_manager_extra_configs.replace, "false")
+ }
+
+ helm_config = merge(
+ local.default_helm_config,
+ var.helm_config
+ )
+}
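Review bot: The `repository_username` / `repository_password` entries read registry credentials from `var.certification_manager_extra_configs`, which this commit's `addons/cert-manager/variables.tf` hunk declares as `type = any` without `sensitive = true`, so Terraform will not carry a sensitivity mark and any non-sensitive output or resource argument later derived from `local.helm_config` would print the password in plan output. Either add `sensitive = true` to that variable or put a comment on the `repository_password` line such as `# NOTE: value is not marked sensitive upstream; keep registry credentials out of this variable`. The same shape exists in every other addon's locals.tf touched by this commit, so this is a cross-cutting follow-up rather than a regression introduced here. Style nit: the `description` string says "Certification manager" while the chart and `name` are `cert-manager`.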
diff --git a/addons/cert-manager/main.tf b/addons/cert-manager/main.tf
new file mode 100644
index 0000000..1c7f1a8
--- /dev/null
+++ b/addons/cert-manager/main.tf
@@ -0,0 +1,7 @@
+module "helm_addon" {
+ source = "../helm"
+
+ manage_via_gitops = var.manage_via_gitops
+ helm_config = local.helm_config
+ addon_context = var.addon_context
+}
\ No newline at end of file
diff --git a/addons/cert-manager/outputs.tf b/addons/cert-manager/outputs.tf
new file mode 100644
index 0000000..a3832b1
--- /dev/null
+++ b/addons/cert-manager/outputs.tf
@@ -0,0 +1,11 @@
+output "namespace" {
+ value = local.default_helm_config.namespace
+}
+
+output "chart_version" {
+ value = local.default_helm_config.version
+}
+
+output "repository" {
+ value = local.default_helm_config.repository
+}
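Review bot: All three outputs read `local.default_helm_config` rather than the merged `local.helm_config` that main.tf passes to the helm module, so a caller overriding `namespace`, `version` or `repository` through `var.helm_config` would get the defaults back from these outputs instead of the values actually deployed. Change them to `value = local.helm_config.namespace`, `value = local.helm_config.version` and `value = local.helm_config.repository`. A `description` on each output would also help, e.g. `description = "Namespace the cert-manager chart is released into"`.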
\ No newline at end of file
diff --git a/addons/cert-manager/variables.tf b/addons/cert-manager/variables.tf
new file mode 100644
index 0000000..69eec4f
--- /dev/null
+++ b/addons/cert-manager/variables.tf
@@ -0,0 +1,32 @@
+variable "helm_config" {
+ description = "Helm provider config for Certification Manager"
+ type = any
+ default = {}
+}
+
+variable "manage_via_gitops" {
+ description = "Determines if the add-on should be managed via GitOps"
+ type = bool
+ default = false
+}
+
+variable "addon_context" {
+ description = "Input configuration for the addon"
+ type = object({
+ aws_caller_identity_account_id = string
+ aws_caller_identity_arn = string
+ aws_eks_cluster_endpoint = string
+ aws_partition_id = string
+ aws_region_name = string
+ eks_cluster_id = string
+ eks_oidc_issuer_url = string
+ eks_oidc_provider_arn = string
+ tags = map(string)
+ })
+}
+
+variable "certification_manager_extra_configs" {
+ description = "Override attributes of helm_release terraform resource"
+ type = any
+ default = {}
+}
\ No newline at end of file
diff --git a/addons/cert-manager/versions.tf b/addons/cert-manager/versions.tf
new file mode 100644
index 0000000..55fba73
--- /dev/null
+++ b/addons/cert-manager/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ }
+}
diff --git a/addons/cluster-autoscaler/locals.tf b/addons/cluster-autoscaler/locals.tf
index 142004b..5232fcc 100644
--- a/addons/cluster-autoscaler/locals.tf
+++ b/addons/cluster-autoscaler/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.cluster_autoscaler_extra_configs.lint, "false")
repository_key_file = try(var.cluster_autoscaler_extra_configs.repository_key_file, "")
repository_cert_file = try(var.cluster_autoscaler_extra_configs.repository_cert_file, "")
- repository_username = try(var.cluster_autoscaler_extra_configs.repository_password, "")
+ repository_username = try(var.cluster_autoscaler_extra_configs.repository_username, "")
repository_password = try(var.cluster_autoscaler_extra_configs.repository_password, "")
verify = try(var.cluster_autoscaler_extra_configs.verify, "false")
keyring = try(var.cluster_autoscaler_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.cluster_autoscaler_extra_configs.replace, "false")
}
- cluster_autoscaler_extra_configs = var.cluster_autoscaler_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.cluster_autoscaler_extra_configs
)
}
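Review bot: Dropping `local.cluster_autoscaler_extra_configs` from the `merge()` means any key in `var.cluster_autoscaler_extra_configs` that is not one of those enumerated in `default_helm_config` (for example a `values` key, if callers relied on the old pass-through) is now silently ignored instead of reaching `helm_config`, leaving `var.helm_config` as the only route for such keys. If that is intended, the variable's description ("Override attributes of helm_release terraform resource", as this commit's external-secrets variables.tf shows) should state that only the listed attributes are honoured. The same change is made in the locals.tf hunks for external-secrets, fluent-bit, ingress-nginx, istio-ingress, karpenter, kiali-server, kubeclarity and metrics-server. The enclosing `locals` block starts outside this hunk.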
diff --git a/addons/cluster-autoscaler/main.tf b/addons/cluster-autoscaler/main.tf
index 1e008bd..e006b8a 100644
--- a/addons/cluster-autoscaler/main.tf
+++ b/addons/cluster-autoscaler/main.tf
@@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context
- depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "awsRegion"
@@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" {
"Version": "2012-10-17"
}
EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
}
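Review bot: Removing `resource "kubernetes_namespace_v1" "this"` from the configuration makes Terraform plan a destroy of that namespace on the next apply for every existing deployment, and deleting a namespace takes every object in it, including the cluster-autoscaler release, with it. Unless the helm module is now guaranteed to create the namespace first (presumably via `create_namespace` in `helm_config`, which is not visible here), users need a migration note: remove the resource from state with `terraform state rm`, or add `removed { from = kubernetes_namespace_v1.this lifecycle { destroy = false } }`, which requires Terraform >= 1.7. The same deletion appears in the ingress-nginx and karpenter main.tf hunks of this commit. The enclosing `aws_iam_policy` resource starts outside this hunk.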
\ No newline at end of file
diff --git a/addons/external-secrets/data.tf b/addons/external-secrets/data.tf
index ed47092..05809aa 100644
--- a/addons/external-secrets/data.tf
+++ b/addons/external-secrets/data.tf
@@ -1,6 +1,5 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
data "aws_eks_cluster" "eks_cluster" {
- # this makes downstream resources wait for data plane to be ready
name = var.eks_cluster_name
-}
-
-data "aws_region" "current" {}
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/addons/external-secrets/locals.tf b/addons/external-secrets/locals.tf
index f25113e..78f7700 100644
--- a/addons/external-secrets/locals.tf
+++ b/addons/external-secrets/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.external_secrets_extra_configs.lint, "false")
repository_key_file = try(var.external_secrets_extra_configs.repository_key_file, "")
repository_cert_file = try(var.external_secrets_extra_configs.repository_cert_file, "")
- repository_username = try(var.external_secrets_extra_configs.repository_password, "")
+ repository_username = try(var.external_secrets_extra_configs.repository_username, "")
repository_password = try(var.external_secrets_extra_configs.repository_password, "")
verify = try(var.external_secrets_extra_configs.verify, "false")
keyring = try(var.external_secrets_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
replace = try(var.external_secrets_extra_configs.replace, "false")
}
- external_secrets_extra_configs = var.external_secrets_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.external_secrets_extra_configs
)
}
diff --git a/addons/external-secrets/main.tf b/addons/external-secrets/main.tf
index bf27916..e15e036 100644
--- a/addons/external-secrets/main.tf
+++ b/addons/external-secrets/main.tf
@@ -44,31 +44,45 @@ module "helm_addon" {
account_id = var.account_id
}
- irsa_assume_role_policy = var.external_secrets_extra_configs.irsa_assume_role_policy
-
+ irsa_assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}"
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringLike" : {
+ "${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" : "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
}
resource "aws_iam_policy" "policy" {
name = "${local.name}-${var.eks_cluster_name}"
path = "/"
description = "IAM Policy used by ${local.name}-${var.eks_cluster_name} IAM Role"
- policy = data.aws_iam_policy_document.iam-policy.json
-}
-
-data "aws_iam_policy_document" "iam-policy" {
- version = "2012-10-17"
-
- statement {
- sid = "VisualEditor0"
- effect = "Allow"
- actions = [
- "secretsmanager:GetSecretValue",
- "secretsmanager:DescribeSecret",
- ]
- resources = [
- "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${var.external_secrets_extra_configs.secret_manager_name}*",
- ]
- }
+ policy = var.iampolicy_json_content != null ? var.iampolicy_json_content : <<-EOT
+{
+ "Statement": [
+ {
+ "Action": [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:${try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon")}*",
+ "Sid": "ExternalSecretsDefault"
+ }
+ ],
+ "Version": "2012-10-17"
+}
+ EOT
}
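Review bot: The inline IRSA trust policy conditions only on `<issuer>:aud` being `sts.amazonaws.com`; with no `<issuer>:sub` condition, any pod in the cluster that mounts a projected service-account token with that audience can call `sts:AssumeRoleWithWebIdentity` on this role and read the Secrets Manager secrets it is granted, so the role is no longer bound to the external-secrets service account. Add `"${replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" : "system:serviceaccount:<namespace>:<service-account-name>"` beside the `:aud` entry (placeholders for the namespace and service account the helm module creates), and use `StringEquals`, the conventional operator for these exact matches. The removed line that let callers supply `irsa_assume_role_policy` via `var.external_secrets_extra_configs` means any caller still passing one now has it silently ignored, and the partition is hard-coded to `arn:aws`, which breaks in GovCloud or China partitions. The enclosing `module "helm_addon"` block starts outside this hunk.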
module "secrets_manager" {
@@ -79,10 +93,10 @@ module "secrets_manager" {
name = "secrets-manager"
secrets = [
{
- name = try(var.external_secrets_extra_configs.secret_manager_name, "external_secret")
+ name = try(var.external_secrets_extra_configs.secret_manager_name, "external_secrets_addon")
description = try(var.external_secrets_extra_configs.secret_manager_description, "AWS EKS external-secrets helm addon.")
secret_key_value = {
- external_secret = "external_secret_addon"
+ external_secret = "external_secret_addon_data"
}
recovery_window_in_days = try(var.external_secrets_extra_configs.recovery_window_in_days, 7)
}
diff --git a/addons/external-secrets/variables.tf b/addons/external-secrets/variables.tf
index 9ea9bb7..a591b4e 100644
--- a/addons/external-secrets/variables.tf
+++ b/addons/external-secrets/variables.tf
@@ -39,4 +39,10 @@ variable "external_secrets_extra_configs" {
description = "Override attributes of helm_release terraform resource"
type = any
default = {}
+}
+
+variable "iampolicy_json_content" {
+ description = "Custom IAM Policy for External-Secrets IRSA"
+ type = string
+ default = null
}
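Review bot: `iampolicy_json_content` is interpolated straight into `aws_iam_policy.policy` when non-null, so a malformed document is only rejected at apply time by the AWS API. Add a `validation` block so it fails at plan: `condition = var.iampolicy_json_content == null || can(jsondecode(var.iampolicy_json_content))` with `error_message = "iampolicy_json_content must be null or a valid JSON policy document."`. The description should also say the value replaces, rather than extends, the default Secrets Manager policy, since the conditional in main.tf selects one or the other.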
\ No newline at end of file
diff --git a/addons/fluent-bit/locals.tf b/addons/fluent-bit/locals.tf
index f9329a1..82d7d1c 100644
--- a/addons/fluent-bit/locals.tf
+++ b/addons/fluent-bit/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.fluent_bit_extra_configs.lint, "false")
repository_key_file = try(var.fluent_bit_extra_configs.repository_key_file, "")
repository_cert_file = try(var.fluent_bit_extra_configs.repository_cert_file, "")
- repository_username = try(var.fluent_bit_extra_configs.repository_password, "")
+ repository_username = try(var.fluent_bit_extra_configs.repository_username, "")
repository_password = try(var.fluent_bit_extra_configs.repository_password, "")
verify = try(var.fluent_bit_extra_configs.verify, "false")
keyring = try(var.fluent_bit_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
replace = try(var.fluent_bit_extra_configs.replace, "false")
}
- fluent_bit_extra_configs = var.fluent_bit_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.fluent_bit_extra_configs
)
}
diff --git a/addons/ingress-nginx/locals.tf b/addons/ingress-nginx/locals.tf
index 66cdc12..d5f7350 100644
--- a/addons/ingress-nginx/locals.tf
+++ b/addons/ingress-nginx/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.ingress_nginx_extra_configs.lint, "false")
repository_key_file = try(var.ingress_nginx_extra_configs.repository_key_file, "")
repository_cert_file = try(var.ingress_nginx_extra_configs.repository_cert_file, "")
- repository_username = try(var.ingress_nginx_extra_configs.repository_password, "")
+ repository_username = try(var.ingress_nginx_extra_configs.repository_username, "")
repository_password = try(var.ingress_nginx_extra_configs.repository_password, "")
verify = try(var.ingress_nginx_extra_configs.verify, "false")
keyring = try(var.ingress_nginx_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.ingress_nginx_extra_configs.replace, "false")
}
- ingress_nginx_extra_configs = var.ingress_nginx_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.ingress_nginx_extra_configs
)
}
\ No newline at end of file
diff --git a/addons/ingress-nginx/main.tf b/addons/ingress-nginx/main.tf
index 09896d6..1c7f1a8 100644
--- a/addons/ingress-nginx/main.tf
+++ b/addons/ingress-nginx/main.tf
@@ -4,14 +4,4 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context
-
- depends_on = [kubernetes_namespace_v1.this]
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
}
\ No newline at end of file
diff --git a/addons/istio-ingress/locals.tf b/addons/istio-ingress/locals.tf
index 8ca4f96..d35883c 100644
--- a/addons/istio-ingress/locals.tf
+++ b/addons/istio-ingress/locals.tf
@@ -35,7 +35,7 @@ locals {
lint = try(var.istio_ingress_extra_configs.lint, "false")
repository_key_file = try(var.istio_ingress_extra_configs.repository_key_file, "")
repository_cert_file = try(var.istio_ingress_extra_configs.repository_cert_file, "")
- repository_username = try(var.istio_ingress_extra_configs.repository_password, "")
+ repository_username = try(var.istio_ingress_extra_configs.repository_username, "")
repository_password = try(var.istio_ingress_extra_configs.repository_password, "")
verify = try(var.istio_ingress_extra_configs.verify, "false")
keyring = try(var.istio_ingress_extra_configs.keyring, "")
@@ -56,11 +56,8 @@ locals {
replace = try(var.istio_ingress_extra_configs.replace, "false")
}
- istio_ingress_extra_configs = var.istio_ingress_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.istio_ingress_extra_configs
)
}
diff --git a/addons/karpenter/locals.tf b/addons/karpenter/locals.tf
index fab7de1..81e2d79 100644
--- a/addons/karpenter/locals.tf
+++ b/addons/karpenter/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.karpenter_extra_configs.lint, "false")
repository_key_file = try(var.karpenter_extra_configs.repository_key_file, "")
repository_cert_file = try(var.karpenter_extra_configs.repository_cert_file, "")
- repository_username = try(var.karpenter_extra_configs.repository_password, "")
+ repository_username = try(var.karpenter_extra_configs.repository_username, "")
repository_password = try(var.karpenter_extra_configs.repository_password, "")
verify = try(var.karpenter_extra_configs.verify, "false")
keyring = try(var.karpenter_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.karpenter_extra_configs.replace, "false")
}
- karpenter_extra_configs = var.karpenter_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.karpenter_extra_configs
)
}
diff --git a/addons/karpenter/main.tf b/addons/karpenter/main.tf
index 7cd29c1..cbad60a 100644
--- a/addons/karpenter/main.tf
+++ b/addons/karpenter/main.tf
@@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context
- depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "serviceAccount.create"
@@ -83,12 +82,4 @@ resource "aws_iam_policy" "policy" {
"Version": "2012-10-17"
}
EOT
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
-}
+}
\ No newline at end of file
diff --git a/addons/keda/main.tf b/addons/keda/main.tf
index d9d1876..1c7f1a8 100644
--- a/addons/keda/main.tf
+++ b/addons/keda/main.tf
@@ -4,5 +4,4 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context
-
}
\ No newline at end of file
diff --git a/addons/kiali-server/locals.tf b/addons/kiali-server/locals.tf
index 3d541fe..6c4d6c5 100644
--- a/addons/kiali-server/locals.tf
+++ b/addons/kiali-server/locals.tf
@@ -12,7 +12,7 @@ locals {
lint = try(var.kiali_server_extra_configs.lint, "false")
repository_key_file = try(var.kiali_server_extra_configs.repository_key_file, "")
repository_cert_file = try(var.kiali_server_extra_configs.repository_cert_file, "")
- repository_username = try(var.kiali_server_extra_configs.repository_password, "")
+ repository_username = try(var.kiali_server_extra_configs.repository_username, "")
repository_password = try(var.kiali_server_extra_configs.repository_password, "")
verify = try(var.kiali_server_extra_configs.verify, "false")
keyring = try(var.kiali_server_extra_configs.keyring, "")
@@ -33,11 +33,8 @@ locals {
replace = try(var.kiali_server_extra_configs.replace, "false")
}
- kiali_server_extra_configs = var.kiali_server_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.kiali_server_extra_configs
)
}
diff --git a/addons/kube-state-metrics/locals.tf b/addons/kube-state-metrics/locals.tf
index a7ff591..7657bc9 100644
--- a/addons/kube-state-metrics/locals.tf
+++ b/addons/kube-state-metrics/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.kube_state_metrics_extra_configs.lint, "false")
repository_key_file = try(var.kube_state_metrics_extra_configs.repository_key_file, "")
repository_cert_file = try(var.kube_state_metrics_extra_configs.repository_cert_file, "")
- repository_username = try(var.kube_state_metrics_extra_configs.repository_password, "")
+ repository_username = try(var.kube_state_metrics_extra_configs.repository_username, "")
repository_password = try(var.kube_state_metrics_extra_configs.repository_password, "")
verify = try(var.kube_state_metrics_extra_configs.verify, "false")
keyring = try(var.kube_state_metrics_extra_configs.keyring, "")
diff --git a/addons/kubeclarity/locals.tf b/addons/kubeclarity/locals.tf
index ff9740a..9c002ce 100644
--- a/addons/kubeclarity/locals.tf
+++ b/addons/kubeclarity/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.kubeclarity_extra_configs.lint, "false")
repository_key_file = try(var.kubeclarity_extra_configs.repository_key_file, "")
repository_cert_file = try(var.kubeclarity_extra_configs.repository_cert_file, "")
- repository_username = try(var.kubeclarity_extra_configs.repository_password, "")
+ repository_username = try(var.kubeclarity_extra_configs.repository_username, "")
repository_password = try(var.kubeclarity_extra_configs.repository_password, "")
verify = try(var.kubeclarity_extra_configs.verify, "false")
keyring = try(var.kubeclarity_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
replace = try(var.kubeclarity_extra_configs.replace, "false")
}
- kubeclarity_extra_configs = var.kubeclarity_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.kubeclarity_extra_configs
)
}
diff --git a/addons/metrics-server/locals.tf b/addons/metrics-server/locals.tf
index 05a6ff5..2eaa736 100644
--- a/addons/metrics-server/locals.tf
+++ b/addons/metrics-server/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.metrics_server_extra_configs.lint, "false")
repository_key_file = try(var.metrics_server_extra_configs.repository_key_file, "")
repository_cert_file = try(var.metrics_server_extra_configs.repository_cert_file, "")
- repository_username = try(var.metrics_server_extra_configs.repository_password, "")
+ repository_username = try(var.metrics_server_extra_configs.repository_username, "")
repository_password = try(var.metrics_server_extra_configs.repository_password, "")
verify = try(var.metrics_server_extra_configs.verify, "false")
keyring = try(var.metrics_server_extra_configs.keyring, "")
@@ -34,11 +34,8 @@ locals {
replace = try(var.metrics_server_extra_configs.replace, "false")
}
- metrics_server_extra_configs = var.metrics_server_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.metrics_server_extra_configs
)
}
diff --git a/addons/metrics-server/main.tf b/addons/metrics-server/main.tf
index ff859df..7c7af3d 100644
--- a/addons/metrics-server/main.tf
+++ b/addons/metrics-server/main.tf
@@ -4,14 +4,4 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context
-
- depends_on = [kubernetes_namespace_v1.this]
-}
-
-resource "kubernetes_namespace_v1" "this" {
- count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
-
- metadata {
- name = local.helm_config["namespace"]
- }
}
diff --git a/addons/nri-bundle/locals.tf b/addons/nri-bundle/locals.tf
index 2e72eac..817fba4 100644
--- a/addons/nri-bundle/locals.tf
+++ b/addons/nri-bundle/locals.tf
@@ -14,7 +14,7 @@ locals {
lint = try(var.new_relic_extra_configs.lint, "false")
repository_key_file = try(var.new_relic_extra_configs.repository_key_file, "")
repository_cert_file = try(var.new_relic_extra_configs.repository_cert_file, "")
- repository_username = try(var.new_relic_extra_configs.repository_password, "")
+ repository_username = try(var.new_relic_extra_configs.repository_username, "")
repository_password = try(var.new_relic_extra_configs.repository_password, "")
verify = try(var.new_relic_extra_configs.verify, "false")
keyring = try(var.new_relic_extra_configs.keyring, "")
@@ -35,11 +35,8 @@ locals {
replace = try(var.new_relic_extra_configs.replace, "false")
}
- new_relic_extra_configs = var.new_relic_extra_configs
-
helm_config = merge(
local.default_helm_config,
var.helm_config,
- local.new_relic_extra_configs
)
}
diff --git a/addons/velero/locals.tf b/addons/velero/locals.tf
index 29b97dc..81fa31e 100644
--- a/addons/velero/locals.tf
+++ b/addons/velero/locals.tf
@@ -13,7 +13,7 @@ locals {
lint = try(var.velero_extra_configs.lint, "false")
repository_key_file = try(var.velero_extra_configs.repository_key_file, "")
repository_cert_file = try(var.velero_extra_configs.repository_cert_file, "")
- repository_username = try(var.velero_extra_configs.repository_password, "")
+ repository_username = try(var.velero_extra_configs.repository_username, "")
repository_password = try(var.velero_extra_configs.repository_password, "")
verify = try(var.velero_extra_configs.verify, "false")
keyring = try(var.velero_extra_configs.keyring, "")
diff --git a/main.tf b/main.tf
index b572053..1ba7e6f 100644
--- a/main.tf
+++ b/main.tf
@@ -117,6 +117,7 @@ module "external_secrets" {
eks_cluster_name = data.aws_eks_cluster.eks_cluster.name
account_id = data.aws_caller_identity.current.account_id
external_secrets_extra_configs = var.external_secrets_extra_configs
+ iampolicy_json_content = var.external_secrets_iampolicy_json_content
}
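Review bot: The new `iampolicy_json_content` input lets the caller replace the IAM policy attached to the external-secrets IRSA role with an arbitrary document, and nothing in this hunk documents what the default policy grants or what scope a replacement should keep. Since the variable declaration is outside this hunk, at minimum its description should state that the value is a full policy JSON that replaces (rather than extends) the default, and a `validation` block with `can(jsondecode(var.external_secrets_iampolicy_json_content))` would catch malformed input before the policy resource is created. A one-line comment here would also help: `# -- Optional caller-supplied IAM policy JSON for the external-secrets IRSA role; keep it scoped to the secret-store resources it needs.` The `external_secrets` module block starts outside this hunk.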
module "ingress_nginx" {
@@ -189,6 +190,15 @@ module "keda" {
keda_extra_configs = var.keda_extra_configs
}
+module "certification_manager" {
+ count = var.certification_manager ? 1 : 0
+ source = "./addons/cert-manager"
+ helm_config = var.certification_manager_helm_config != null ? var.certification_manager_helm_config : { values = [local_file.certification_manager_helm_config[count.index].content] }
+ manage_via_gitops = var.manage_via_gitops
+ addon_context = local.addon_context
+ certification_manager_extra_configs = var.certification_manager_extra_configs
+}
+
module "filebeat" {
count = var.filebeat ? 1 : 0
source = "./addons/filebeat"
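Review bot: The module is named `certification_manager` while its `source` is `./addons/cert-manager`, and that spelling is carried into every related variable and output (`certification_manager_helm_config`, `certification_manager_extra_configs`), which makes the addon hard to find for anyone searching for the upstream project name. If the name is deliberate, a comment on the block would save readers a lookup: `# -- "certification_manager" wraps the upstream cert-manager chart (./addons/cert-manager).` The `local_file.certification_manager_helm_config[count.index]` reference on the helm_config line is only valid because the `local_file` resource uses the same `var.certification_manager && helm_config == null` condition; that coupling is worth a comment too, as it is in the other addon blocks only by convention.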
diff --git a/outputs.tf b/outputs.tf
index 306360b..64d72b5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -159,6 +159,10 @@ output "external_secrets_repository" {
value = module.ingress_nginx[*].repository
description = "helm repository url of external-secrets"
}
+output "external_secrets_iam_policy" {
+ value = module.external_secrets[*].iam_policy
+ description = "Name of IAM Policy used in external-secrets irsa"
+}
#----------- INGRESS NGINX ---------------------
output "ingress_nginx_namespace" {
@@ -296,6 +300,20 @@ output "keda_repository" {
description = "Helm chart repository of the Keda."
}
+#----------- CERTICATION-MANAGER ------------------------
+output "certification_manager_namespace" {
+ value = module.certification_manager[*].namespace
+ description = "The namespace where certification-manager is deployed."
+}
+output "certification_manager_chart_version" {
+ value = module.certification_manager[*].chart_version
+ description = "Chart version of the certification-manager Helm Chart."
+}
+output "certification_manager_repository" {
+ value = module.certification_manager[*].repository
+ description = "Helm chart repository of the certification-manager."
+}
+
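Review bot: The new section header reads `#----------- CERTICATION-MANAGER` and should be `#----------- CERTIFICATION-MANAGER` to match the output names below it and the resource header added in override_values.tf. The three output descriptions are otherwise consistent with the neighbouring filebeat and keda outputs.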
#----------- FILEBEAT ------------------------
output "filebeat_namespace" {
value = module.filebeat[*].namespace
diff --git a/override_values.tf b/override_values.tf
index f5086a3..87b70db 100644
--- a/override_values.tf
+++ b/override_values.tf
@@ -633,4 +633,33 @@ resources:
memory: 150Mi
EOT
filename = "${path.module}/override_vales/keda.yaml"
+}
+
+#-----------CERTIFICATION-MANAGER--------------------
+resource "local_file" "certification_manager_helm_config" {
+ count = var.certification_manager && (var.certification_manager_helm_config == null) ? 1 : 0
+ content = <