Kubernetes Certificates
This module provides our standard setup for cert-manager, including cluster issuers.
It includes:
Cluster issuer for public domain names
Cluster issuer for self-signed certs
Cluster issuer for intermediate CAs
Providers
The following providers are needed by this module:
Required Inputs
The following input variables are required:
alert_email
Description: An email that will receive certificate alerts.
Type: string
kube_domain
Description: The domain under which cluster utilities have subdomains registered.
Type: string
Optional Inputs
The following input variables are optional (have default values):
aws_iam_ip_allow_list
Description: A list of IPs that can use the service account token to authenticate with the AWS API
Type: list(string)
Default: []
burstable_nodes_enabled
Description: Whether to allow pods to schedule on burstable nodes
Type: bool
Default: true
canary_enabled
Description: Whether to add canary checks to the deployed systems
Type: bool
Default: false
cert_manager_version
Description: The version of cert-manager to deploy
Type: string
Default: "1.16.3"
cloudflare_api_token
Description: Cloudflare API Token
Type: string
Default: null
cloudflare_zones
Description: A list of public DNS domains managed by Cloudflare; cert-manager uses this to issue public-facing certificates.
Type: list(string)
Default: []
controller_nodes_enabled
Description: Whether to allow pods to schedule on EKS Node Group nodes (controller nodes)
Type: bool
Default: true
log_verbosity
Description: The log verbosity (0-9) for the cert-manager pods
Type: number
Default: 0
monitoring_enabled
Description: Whether to add active monitoring to the deployed systems
Type: bool
Default: false
panfactum_scheduler_enabled
Description: Whether to use the Panfactum pod scheduler with enhanced bin-packing
Type: bool
Default: false
pull_through_cache_enabled
Description: Whether to use the ECR pull through cache for the deployed images
Type: bool
Default: true
route53_zones
Description: A mapping of public DNS domains managed by AWS to their configuration; cert-manager uses this to issue public-facing certificates.
Type:
map(object({
record_manager_role_arn = string
zone_id = string
}))
Default: {}
self_generated_certs_enabled
Description: Whether to enable self-generated webhook certs (only use on initial installation)
Type: bool
Default: true
sla_target
Description: The Panfactum SLA level for the module deployment. 1 = lowest uptime (99.9%) and lowest cost; 3 = highest uptime (99.999%) and highest cost.
Type: number
Default: 3
spot_nodes_enabled
Description: Whether to allow pods to schedule on spot nodes
Type: bool
Default: true
vault_internal_url
Description: The URL of the Vault instance used for internal cert issuance. Note that the default is plain HTTP to the in-cluster vault-active service.
Type: string
Default: "http://vault-active.vault.svc.cluster.local:8200"
vpa_enabled
Description: Whether the VPA resources should be enabled
Type: bool
Default: false
wait
Description: Wait for resources to be in a ready state before proceeding. Disabling this flag will allow upgrades to proceed faster but will disable automatic rollbacks. As a result, manual intervention may be required for deployment failures.
Type: bool
Default: true
Outputs
The following outputs are exported:
cloudflare_zones
Description: The Cloudflare DNS zones provided as input
namespace
Description: The Kubernetes namespace cert-manager is deployed into
route53_zones
Description: The route53 zone configuration provided as an input
service_account
Description: The name of the cert-manager Kubernetes service account
vault_ca_crt
Description: The public certificate of the Vault root certificate authority
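The following is an added example of wiring up this module with the inputs and outputs listed above; it is not part of the module's own documentation. The module source path, the variable cloudflare_api_token, the domains, the zone ID, the role ARN and the IP address are placeholders (assumptions), and the IRSA wording in the comments is an inference from the aws_iam_ip_allow_list description.

```hcl
# Added example invocation; not from the module's own docs. Source path,
# cloudflare_api_token variable, domains, zone ID, role ARN and IP are assumptions.

variable "cloudflare_api_token" {
  type      = string
  sensitive = true   # keeps the token out of plan output; it still lands in state, so protect the state backend
}

module "cert_manager" {
  source = "../kube_cert_manager"   # assumption: adjust to where this module lives

  # Required inputs
  alert_email = "certs@example.com"
  kube_domain = "k8s.example.com"

  # Public issuers: one Route53-managed zone and one Cloudflare-managed zone
  route53_zones = {
    "example.com" = {
      zone_id                 = "Z0123456789EXAMPLE"                              # placeholder
      record_manager_role_arn = "arn:aws:iam::123456789012:role/record-manager"  # placeholder
    }
  }
  cloudflare_zones     = ["example.net"]
  cloudflare_api_token = var.cloudflare_api_token   # never a literal in source

  # Limit where the service account token can be used against the AWS API
  aws_iam_ip_allow_list = ["203.0.113.10"]   # placeholder address

  # Bootstrap: the input description says to use self-generated webhook certs
  # only on initial installation, so this is true for the first apply only.
  self_generated_certs_enabled = true

  # Operational settings
  sla_target         = 3
  monitoring_enabled = true
  canary_enabled     = true
  vpa_enabled        = true
  log_verbosity      = 2
}

# Expose the Vault root CA so other modules can trust internally issued certs
output "vault_ca_crt" {
  value = module.cert_manager.vault_ca_crt
}
```

After the first successful apply, set self_generated_certs_enabled to false and apply again, following the input's own guidance that the self-generated webhook certs are for initial installation only. The vault_internal_url default is plain HTTP to the in-cluster Vault service; override it if your Vault listener only serves TLS.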
Usage
No notes