gha*_*bdr 6 ssl kubernetes terraform cert-manager
I have a Terraform configuration that creates a Kubernetes cluster (GKE) on GCP and installs the ingress controller and cert-manager with Helm. The only missing piece is the LetsEncrypt ClusterIssuer (when I deploy LetsEncrypt.yaml manually, everything works).
My Terraform configuration:
# provider
provider "kubernetes" {
  host                   = google_container_cluster.runners.endpoint
  cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
}

provider "helm" {
  kubernetes {
    host                   = google_container_cluster.runners.endpoint
    cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
    token                  = data.google_client_config.current.access_token
  }
}

# create namespace for ingress controller
resource "kubernetes_namespace" "ingress" {
  metadata {
    name = "ingress"
  }
}

# deploy ingress controller
resource "helm_release" "ingress" {
  name       = "ingress"
  namespace  = kubernetes_namespace.ingress.metadata[0].name
  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"
  values = [
    file("./helm_values/ingress.yaml")
  ]
  set {
    name  = "controller.service.loadBalancerIP"
    value = google_compute_address.net_runner.address
  }
}

# create namespace for cert-manager
resource "kubernetes_namespace" "cert" {
  metadata {
    name = "cert-manager"
  }
}

# deploy cert-manager
resource "helm_release" "cert" {
  name       = "cert-manager"
  namespace  = kubernetes_namespace.cert.metadata[0].name
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  # the chart version is pinned with the resource's own version argument;
  # a set { name = "version" } block would only pass an unused chart value
  version    = "v1.4.0"
  depends_on = [helm_release.ingress]
  set {
    name  = "installCRDs"
    value = "true"
  }
}
My LetsEncrypt.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: example@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
Any idea how to deploy the ClusterIssuer with Terraform?
You can apply the YAML file directly to the cluster:
# a provisioner has to sit inside a resource; null_resource is the usual carrier
# for a one-off local-exec (the wrapper is added here, the original answer showed
# only the provisioner block)
resource "null_resource" "cluster_issuer" {
  # note: --insecure-skip-tls-verify=true disables verification of the API server
  # certificate; outside a demo, pass the cluster CA with --certificate-authority
  provisioner "local-exec" {
    command = <<-EOT
      cat <<EOF | kubectl --server=${aws_eks_cluster.demo.endpoint} --insecure-skip-tls-verify=true --token=${data.aws_eks_cluster_auth.demo.token} create -f -
      apiVersion: certmanager.k8s.io/v1alpha1
      kind: ClusterIssuer
      metadata:
        name: lets-encrypt
      spec:
        acme:
          server: https://acme-v02.api.letsencrypt.org/directory
          email: mymail@gmail.com
          privateKeySecretRef:
            name: letsencrypt
          http01: {}
      EOF
    EOT
  }
}
Or you can use the TF provider to apply the YAML file:
https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs#installation
Update:
If you have not yet set up the Kubernetes provider for authentication, you can use: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "my-context"
}

resource "kubernetes_namespace" "example" {
  metadata {
    name = "my-first-namespace"
  }
}
I recently did this most successfully with the Terraform tool tfk8s, which migrates yaml files. You can also use Terraform's yamldecode.
tfk8s cluster-issuer.yaml -o cluster-issuer.tf
This creates a working kubernetes_manifest resource. Here is an example of my entire Terraform script, which installs it together with the CRDs and the ClusterIssuer.
resource "helm_release" "cert-manager" {
  name             = "cert-manager"
  repository       = "https://charts.jetstack.io"
  chart            = "cert-manager"
  version          = "1.7.1"
  namespace        = "cert-manager"
  create_namespace = true
  #values = [file("cert-manager-values.yaml")]
  set {
    name  = "installCRDs"
    value = "true"
  }
}

resource "kubernetes_manifest" "clusterissuer_letsencrypt_prod" {
  # ordering only: the ClusterIssuer CRD must already exist when this resource
  # is planned, so the cert-manager release has to be applied first (see note below)
  depends_on = [helm_release.cert-manager]
  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind"       = "ClusterIssuer"
    "metadata" = {
      "name" = "letsencrypt-prod"
    }
    "spec" = {
      "acme" = {
        "email" = "myemail@email.com"
        "privateKeySecretRef" = {
          "name" = "letsencrypt-prod"
        }
        "server" = "https://acme-v02.api.letsencrypt.org/directory"
        "solvers" = [
          {
            "http01" = {
              "ingress" = {
                "class" = "nginx"
              }
            }
          },
        ]
      }
    }
  }
}
Note that this tool creates a resource of type kubernetes_manifest, which the Terraform documentation states is not a stable resource to use with the initial apply command. That is, create the cluster etc. first, then add the file and apply again. Otherwise, you need to manually migrate each kubernetes_manifest to its own dedicated resource type (deployment, service, etc.).
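Tying the two suggestions above together for the cluster in the question (the gavinbunney/kubectl provider linked in the first answer, and yamldecode from the second), as an added example that is not code from either answer. It assumes the question's resource names (google_container_cluster.runners, data.google_client_config.current, helm_release.cert) and that LetsEncrypt.yaml sits next to the Terraform files.

```hcl
terraform {
  required_providers {
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.14.0"
    }
  }
}

# Same GKE credentials as the question's kubernetes/helm providers: the API
# server is verified against the cluster CA, so no --insecure-skip-tls-verify.
provider "kubectl" {
  host                   = google_container_cluster.runners.endpoint
  cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
  load_config_file       = false
}

# Pick exactly one of the two resources below; both create the same ClusterIssuer.

# Option A: kubectl_manifest sends the raw YAML, so the ClusterIssuer CRD only
# has to exist at apply time; with depends_on on the cert-manager release a
# single terraform apply works on a fresh cluster.
resource "kubectl_manifest" "letsencrypt_prod" {
  yaml_body  = file("${path.module}/LetsEncrypt.yaml")
  depends_on = [helm_release.cert]
}

# Option B: the hashicorp/kubernetes kubernetes_manifest resource fed by
# yamldecode() instead of hand-written HCL. This provider needs the CRD at plan
# time, so it still requires the two-stage apply described in the answer above.
resource "kubernetes_manifest" "letsencrypt_prod" {
  manifest   = yamldecode(file("${path.module}/LetsEncrypt.yaml"))
  depends_on = [helm_release.cert]
}
```

Both options keep LetsEncrypt.yaml as the single source of truth, so the file that works with kubectl apply is the one Terraform deploys.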