Setting up a letsencrypt ClusterIssuer with terraform

Time: 2021-07-24 15:39:18

Tags: ssl kubernetes terraform cert-manager

I have a terraform configuration that creates a Kubernetes (GKE) cluster on GCP and installs the ingress controller and cert-manager with Helm. The only missing piece is the letsencrypt ClusterIssuer (everything works when I deploy letsencrypt.yaml manually).

My Terraform configuration:

# provider
provider "kubernetes" {
  host                   = google_container_cluster.runners.endpoint
  cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
}

provider "helm" {
  kubernetes {
    host                   = google_container_cluster.runners.endpoint
    cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
    token                  = data.google_client_config.current.access_token
  }
}

# create namespace for ingress controller
resource "kubernetes_namespace" "ingress" {
  metadata {
    name = "ingress"
  }
}

# deploy ingress controller
resource "helm_release" "ingress" {
  name      = "ingress"
  namespace = kubernetes_namespace.ingress.metadata[0].name

  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"

  # file() can be used directly; wrapping it in "${...}" is legacy 0.11 syntax
  values = [
    file("./helm_values/ingress.yaml")
  ]
  set {
    name  = "controller.service.loadBalancerIP"
    value = google_compute_address.net_runner.address
  }
}

# create namespace for cert-manager
resource "kubernetes_namespace" "cert" {
  metadata {
    name = "cert-manager"
  }
}

# deploy cert-manager
resource "helm_release" "cert" {
  name       = "cert-manager"
  namespace  = kubernetes_namespace.cert.metadata[0].name
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  # the chart version is selected with the version argument; a chart value
  # named "version" is not read by the cert-manager chart
  version    = "v1.4.0"
  # depends_on takes resource references, not strings (Terraform >= 0.12)
  depends_on = [helm_release.ingress]
  set {
    name  = "installCRDs"
    value = "true"
  }
}

My letsencrypt.yaml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: example@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Any idea how to deploy the ClusterIssuer with terraform?

1 answer:

Answer 0 (score: 2)

You can apply the YAML file directly to the cluster

# a local-exec provisioner needs an enclosing resource; null_resource is the usual host
resource "null_resource" "cluster_issuer" {
  provisioner "local-exec" {
    # the references below are this answer's EKS example; on the GKE cluster from the
    # question use google_container_cluster.runners.endpoint and
    # data.google_client_config.current.access_token instead.
    # --insecure-skip-tls-verify disables API server certificate checking; the cluster
    # CA is available (cluster_ca_certificate), so prefer writing it to a file and
    # passing --certificate-authority.
    # certmanager.k8s.io/v1alpha1 was removed in cert-manager v0.11; the v1.4.0 install
    # from the question serves cert-manager.io/v1, which declares solvers explicitly.
    command = <<EOT
cat <<EOF | kubectl --server=${aws_eks_cluster.demo.endpoint} --insecure-skip-tls-verify=true --token=${data.aws_eks_cluster_auth.demo.token} create -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mymail@gmail.com
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
EOT
  }
}

Or you can also use a TF provider to apply the YAML file

https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs#installation
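An added example, not code from the question or the answer: the question's ClusterIssuer applied with the gavinbunney/kubectl provider the answer links to, reusing the cluster credentials and the helm_release.cert resource from the question. It assumes provider version 1.11 or later and that the email address is a placeholder to replace.

```hcl
terraform {
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.11.0"
    }
  }
}

# Same cluster credentials as the kubernetes and helm providers in the question.
# The cluster CA is verified, so no --insecure-skip-tls-verify is needed.
provider "kubectl" {
  host                   = google_container_cluster.runners.endpoint
  cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
  load_config_file       = false
}

resource "kubectl_manifest" "letsencrypt_prod" {
  # Wait for the cert-manager release (and its CRDs, installCRDs=true) before
  # creating the issuer. kubectl_manifest validates against the API at apply
  # time, not plan time, so the ClusterIssuer CRD need not exist at the first plan.
  depends_on = [helm_release.cert]

  yaml_body = <<-YAML
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        # constructed placeholder; Let's Encrypt sends expiry and policy notices here
        email: example@example.com
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          # ACME account key; for a ClusterIssuer it is stored in cert-manager's namespace
          name: letsencrypt-prod
        solvers:
        - http01:
            ingress:
              class: nginx
  YAML
}
```

Because the manifest is applied through the provider rather than a shell, Terraform tracks the ClusterIssuer in state and removes it on destroy, which the local-exec approach does not do.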