Provide support for Active Directory Certificate Services as an issuer for internal PKI #42

Merged
merged 6 commits into from
May 23, 2024
20 changes: 14 additions & 6 deletions cert-manager.tf
Expand Up @@ -56,7 +56,7 @@ resource "helm_release" "cert_manager" {
count = var.enable_k8s_resources ? 1 : 0

depends_on = [
module.aks,
kubectl_manifest.certmanager_namespace,
kubectl_manifest.cert_manager_clusterissuer_keyvault_secret,
azurerm_role_assignment.cert_manager_keyvault
]
Expand All @@ -72,14 +72,15 @@ resource "helm_release" "cert_manager" {

values = [templatefile("${path.module}/manifests/cert-manager-values.yml.tpl", {
clusterissuer = var.clusterissuer
issuerkind = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer"
issuergroup = var.clusterissuer == "adcs-issuer" ? "adcs.certmanager.csf.nokia.com" : "cert-manager.io"
}), var.clusterissuer == "keyvault" ? templatefile("${path.module}/manifests/cert-manager-csi-values.yml.tpl", {}) : ""]
}

resource "kubectl_manifest" "cert_manager_clusterissuer" {
count = var.enable_k8s_resources && var.clusterissuer == "letsencrypt-prod" ? 1 : 0

depends_on = [
module.aks,
helm_release.cert_manager,
]

Expand All @@ -96,7 +97,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_vaas" {
count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0

depends_on = [
module.aks,
helm_release.cert_manager,
kubectl_manifest.cert_manager_clusterissuer_vaas_secret
]
Expand All @@ -110,7 +110,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_vaas_secret" {
count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0

depends_on = [
module.aks,
helm_release.cert_manager,
]

Expand All @@ -123,7 +122,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault" {
count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0

depends_on = [
module.aks,
helm_release.cert_manager,
kubectl_manifest.cert_manager_clusterissuer_keyvault_secret
]
Expand All @@ -135,7 +133,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault_secret" {
count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0

depends_on = [
module.aks,
kubectl_manifest.certmanager_namespace
]

Expand All @@ -146,3 +143,14 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault_secret" {
tenant_id = data.azurerm_subscription.current.tenant_id
})
}

module "adcs" {
count = var.enable_k8s_resources && var.clusterissuer == "adcs-issuer" ? 1 : 0
source = "./modules/adcs"

adcs_url = var.adcs.url
username = var.adcs.username
password = var.adcs_password
adcs_ca_bundle = var.adcs.ca_bundle
certificate_template_name = var.adcs.certificate_template_name
}
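Review bot: The new `module "adcs"` block at the end of this file has no `depends_on = [helm_release.cert_manager]`, while the `issuerkind`/`issuergroup` values above point cert-manager's ingress-shim at a `ClusterAdcsIssuer`; the adcs-issuer chart is an external issuer that presumably needs cert-manager's CRDs to be present, so on a fresh cluster the two installs can race. The `issuerkind`/`issuergroup` ternaries in the `values` block are repeated verbatim in wayfinder.tf; a single `locals { issuer_kind = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer" }` (and the matching `issuer_group`) would keep the two call sites from drifting when another issuer is added. Finally, `var.adcs.url` is evaluated against an object whose root default is `null`, so a user who sets `clusterissuer = "adcs-issuer"` without `adcs` gets an attribute-on-null error rather than a message naming the missing input.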
4 changes: 2 additions & 2 deletions manifests/cert-manager-values.yml.tpl
Expand Up @@ -6,5 +6,5 @@ serviceAccount:
azure.workload.identity/use: "true"
ingressShim:
defaultIssuerName: ${clusterissuer}
defaultIssuerKind: ClusterIssuer
defaultIssuerGroup: cert-manager.io
defaultIssuerKind: ${issuerkind}
defaultIssuerGroup: ${issuergroup}
8 changes: 6 additions & 2 deletions manifests/wayfinder-values.yml.tpl
Expand Up @@ -8,7 +8,9 @@ api:
tlsEnabled: true
tlsSecret: "wayfinder-ingress-api-tls"
annotations:
cert-manager.io/cluster-issuer: ${clusterissuer}
cert-manager.io/issuer: ${clusterissuer}
cert-manager.io/issuer-kind: ${issuerkind}
cert-manager.io/issuer-group: ${issuergroup}
cert-manager.io/common-name: ${api_hostname}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-buffer-size: '16k'
Expand All @@ -31,7 +33,9 @@ ui:
tlsEnabled: true
tlsSecret: "wayfinder-ingress-ui-tls"
annotations:
cert-manager.io/cluster-issuer: ${clusterissuer}
cert-manager.io/issuer: ${clusterissuer}
cert-manager.io/issuer-kind: ${issuerkind}
cert-manager.io/issuer-group: ${issuergroup}
cert-manager.io/common-name: ${ui_hostname}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
namespace: "ingress-nginx"
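--- a/modules/adcs/main.tf
+++ b/modules/adcs/main.tf
@@ -0,0 +1,55 @@
+resource "helm_release" "adcs_issuer" {
+namespace = "adcs-issuer"
+create_namespace = true
+
+name = "adcs-issuer"
+repository = "https://djkormo.github.io/adcs-issuer/"
+chart = "adcs-issuer"
+version = "2.1.1"
+max_history = 5
+
+set {
+name = "simulator.enabled"
+value = "false"
+}
+
+set {
+name = "simulator.exampleCertificate.enabled"
+value = "false"
+}
+}
+
+resource "kubectl_manifest" "adcs_credentials_secret" {
+depends_on = [ helm_release.adcs_issuer ]
+
+yaml_body = <<YAML
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+name: adcs-issuer-credentials
+namespace: adcs-issuer
+stringData:
+username: ${var.username}
+password: ${var.password}
+YAML
+}
+
+resource "kubectl_manifest" "adcs_cluster_issuer" {
+depends_on = [ kubectl_manifest.adcs_credentials_secret ]
+
+yaml_body = <<YAML
+apiVersion: adcs.certmanager.csf.nokia.com/v1
+kind: ClusterAdcsIssuer
+metadata:
+name: adcs-issuer
+spec:
+caBundle: ${var.adcs_ca_bundle}
+credentialsRef:
+name: adcs-issuer-credentials
+retryInterval: 1h
+statusCheckInterval: 6h
+templateName: ${var.certificate_template_name}
+url: ${var.adcs_url}
+YAML
+}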
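Review bot: `username: ${var.username}` and `password: ${var.password}` in the `adcs_credentials_secret` heredoc are interpolated as bare YAML scalars, so a password containing `:`, `#`, a leading quote or other YAML-significant characters either breaks the manifest or is parsed into something other than the intended value; encode them, e.g. `username: ${jsonencode(var.username)}` and `password: ${jsonencode(var.password)}` (a JSON string is a valid YAML double-quoted scalar). The same treatment is warranted for `url:` and `templateName:` in `adcs_cluster_issuer`, which are also user-supplied. Separately, the rendered `yaml_body` carries the password into the plan output and state like any Terraform-managed Secret; if the kubectl provider version in use supports `sensitive_fields`, listing `stringData.password` there keeps it out of plan diffs, and the state backend should be treated as holding the ADCS credential.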
Empty file added modules/adcs/outputs.tf
Empty file.
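--- a/modules/adcs/terraform.tf
+++ b/modules/adcs/terraform.tf
@@ -0,0 +1,12 @@
+terraform {
+required_providers {
+helm = {
+source = "hashicorp/helm"
+version = ">= 2.9.0"
+}
+kubectl = {
+source = "gavinbunney/kubectl"
+version = ">= 1.14.0"
+}
+}
+}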
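--- a/modules/adcs/variables.tf
+++ b/modules/adcs/variables.tf
@@ -0,0 +1,25 @@
+variable "adcs_url" {
+type = string
+description = "URL of the ADCS web UI"
+}
+
+variable "username" {
+type = string
+description = "Username of the identity that will authenticate with ADCS to request certificates"
+}
+
+variable "password" {
+type = string
+sensitive = true
+description = "Password of the identity that will authenticate with ADCS to request certificates"
+}
+
+variable "adcs_ca_bundle" {
+type = string
+description = "Base64 encoded ca bundle for communication with ADCS. Can be obtained with 'cat bundle.pem | base64 -w 0'"
+}
+
+variable "certificate_template_name" {
+type = string
+description = "ADCS certificate template name to use for signing."
+}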
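Review bot: `adcs_url` has no `validation` block, and the `username`/`password` declared in the same file are the credentials the issuer presents to that URL, so a plain `http://` value would send them in clear; add `validation { condition = startswith(var.adcs_url, "https://") error_message = "adcs_url must be an https:// URL" }` (`startswith` needs Terraform 1.3 or later; `can(regex("^https://", var.adcs_url))` is the equivalent on older versions). The `adcs_ca_bundle` description could also state that the value is the PEM bundle base64-encoded once on a single line, which the `base64 -w 0` hint implies but does not say.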
22 changes: 20 additions & 2 deletions variables.tf
@@ -1,3 +1,21 @@
variable "adcs" {
description = "ADCS variables required when using ADCS Issuer with Cert Manager"
type = object({
url = string
username = string
ca_bundle = string
certificate_template_name = string
})
default = null
}

variable "adcs_password" {
description = "ADCS password required when using ADCS Issuer with Cert Manager"
type = string
sensitive = true
default = ""
}

variable "aks_agents_size" {
description = "The default size of the agents pool."
type = string
Expand Down Expand Up @@ -73,8 +91,8 @@ variable "clusterissuer" {
type = string
default = "letsencrypt-prod"
validation {
condition = contains(["letsencrypt-prod", "vaas-issuer", "keyvault"], var.clusterissuer)
error_message = "clusterissuer must be one of: letsencrypt-prod, vaas-issuer, keyvault"
condition = contains(["letsencrypt-prod", "vaas-issuer", "keyvault", "adcs-issuer"], var.clusterissuer)
error_message = "clusterissuer must be one of: letsencrypt-prod, vaas-issuer, keyvault, adcs-issuer"
}
}

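Review bot: `adcs_password` defaults to `""`, so with `clusterissuer = "adcs-issuer"` a forgotten password does not fail the plan but produces a credentials Secret with an empty `password:` field and an issuer that then fails to authenticate, which is considerably harder to diagnose than a plan-time error. On Terraform 1.9 or later a cross-variable `validation` on `clusterissuer` with `condition = var.clusterissuer != "adcs-issuer" || (var.adcs != null && var.adcs_password != "")` would report both missing inputs with a clear message; on older versions a `check` block (1.5+) can assert the same. The `adcs` object's `null` default has the matching problem, since `var.adcs.url` in cert-manager.tf errors on null access rather than naming the missing input.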
2 changes: 2 additions & 0 deletions wayfinder.tf
Expand Up @@ -123,6 +123,8 @@ resource "helm_release" "wayfinder" {
templatefile("${path.module}/manifests/wayfinder-values.yml.tpl", {
api_hostname = var.wayfinder_domain_name_api
clusterissuer = var.clusterissuer
issuerkind = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer"
issuergroup = var.clusterissuer == "adcs-issuer" ? "adcs.certmanager.csf.nokia.com" : "cert-manager.io"
disable_local_login = var.wayfinder_idp_details["type"] == "none" ? false : var.disable_local_login
enable_localadmin_user = var.create_localadmin_user
storage_class = "managed"