kube_certificates
Stable
Direct

Kubernetes Certificates

This module provides our standard set up for cert-manager including cluster issuers.

It includes:

  • Cluster issuer for public domain names

  • Cluster issuer for self-signed certs

  • Cluster issuer for intermediate CAs

Providers

The following providers are needed by this module:

Required Inputs

The following input variables are required:

alert_email

Description: An email that will receive certificate alerts.

Type: string

kube_domain

Description: The domain under which cluster utilities have subdomains registered.

Type: string

Optional Inputs

The following input variables are optional (have default values):

aws_iam_ip_allow_list

Description: A list of IPs that can use the service account token to authenticate with the AWS API

Type: list(string)

Default: []

burstable_nodes_enabled

Description: Whether to allow pods to schedule on burstable nodes

Type: bool

Default: true

canary_enabled

Description: Whether to add canary checks to the deployed systems

Type: bool

Default: false

cert_manager_version

Description: The version of cert-manager to deploy

Type: string

Default: "1.16.3"

cloudflare_api_token

Description: Cloudflare API Token

Type: string

Default: null

cloudflare_zones

Description: A list of public DNS domains managed by Cloudflare; cert-manager uses this to issue public-facing certificates.

Type: list(string)

Default: []

controller_nodes_enabled

Description: Whether to allow pods to schedule on EKS Node Group nodes (controller nodes)

Type: bool

Default: true

log_verbosity

Description: The log verbosity (0-9) for the cert-manager pods

Type: number

Default: 0

monitoring_enabled

Description: Whether to add active monitoring to the deployed systems

Type: bool

Default: false

panfactum_scheduler_enabled

Description: Whether to use the Panfactum pod scheduler with enhanced bin-packing

Type: bool

Default: false

pull_through_cache_enabled

Description: Whether to use the ECR pull through cache for the deployed images

Type: bool

Default: true

route53_zones

Description: A mapping of public DNS domains managed by AWS to their configuration; cert-manager uses this to issue public-facing certificates.

Type:

map(object({
  record_manager_role_arn = string
  zone_id                 = string
}))

Default: {}

self_generated_certs_enabled

Description: Whether to enable self-generated webhook certs (only use on initial installation)

Type: bool

Default: true

sla_target

Description: The Panfactum SLA level for the module deployment. 1 = lowest uptime (99.9%), lowest cost — 3 = highest uptime (99.999%), highest cost

Type: number

Default: 3

spot_nodes_enabled

Description: Whether to allow pods to schedule on spot nodes

Type: bool

Default: true

vault_internal_url

Description: The URL of the Vault instance used for internal cert issuance

Type: string

Default: "http://vault-active.vault.svc.cluster.local:8200"

vpa_enabled

Description: Whether the VPA resources should be enabled

Type: bool

Default: false

wait

Description: Wait for resources to be in a ready state before proceeding. Disabling this flag will allow upgrades to proceed faster but will disable automatic rollbacks. As a result, manual intervention may be required for deployment failures.

Type: bool

Default: true

Outputs

The following outputs are exported:

cloudflare_zones

Description: The Cloudflare DNS names provided as an input

namespace

Description: n/a

route53_zones

Description: The Route53 zone configuration provided as an input

service_account

Description: n/a

vault_ca_crt

Description: The public certificate of the root Vault certificate authority

Usage

No notes
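One way to call this module from a Terraform/OpenTofu root module, as an added example that is not part of the original page or the Panfactum project. It uses only the inputs and outputs listed above; the module source path, domain names, hosted zone ID, IAM role ARN, IP address and e-mail address are placeholders and must be replaced with real values:

```hcl
# Added example, not from the Panfactum module docs. The module source path,
# domain names, zone ID, role ARN, IP address and e-mail address are placeholders.
module "kube_certificates" {
  source = "<path-or-registry-address-of-kube_certificates>" # placeholder: supply the real module source

  # Required inputs
  alert_email = "platform-alerts@example.com" # constructed example value
  kube_domain = "k8s.example.com"             # constructed example value

  # Public issuance via Route53: each zone carries its hosted zone ID and the
  # IAM role the cert-manager service account assumes to write DNS challenge records.
  route53_zones = {
    "example.com" = {
      zone_id                 = "Z0000000000000EXAMPLE"                               # placeholder
      record_manager_role_arn = "arn:aws:iam::111111111111:role/example-record-manager" # placeholder
    }
  }

  # Cloudflare-managed zones need the API token as well; leave both at their
  # defaults (empty list / null) when no public zone lives in Cloudflare.
  cloudflare_zones     = []
  cloudflare_api_token = null

  # Limit which source IPs may exchange the service account token for AWS credentials.
  aws_iam_ip_allow_list = ["203.0.113.10"] # constructed value from the TEST-NET-3 documentation range

  # Per the variable description, self-generated webhook certs are only for the
  # initial installation; switch them off once the cluster issuers are in place.
  self_generated_certs_enabled = false

  # Keep readiness waits on so a failed upgrade rolls back instead of needing manual cleanup.
  wait               = true
  monitoring_enabled = true
  vpa_enabled        = true
}

# Expose the root Vault CA so clients can pin it when talking to internally issued endpoints.
output "internal_ca_certificate" {
  value = module.kube_certificates.vault_ca_crt
}
```

The `route53_zones` map is keyed by the public DNS name and its object shape matches the type shown in the Optional Inputs section; add one entry per public zone that should get a public-facing cluster issuer.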