Provide support for Active Directory Certificate Services as an issue…

…r for internal PKI (#42) * Allow ADCS as cert issuer type
appvia · May 23, 2024 · 4a3156f · 4a3156f
1 parent 037a1e1
commit 4a3156f
Show file tree

Hide file tree

Showing 9 changed files with 136 additions and 12 deletions.
diff --git a/cert-manager.tf b/cert-manager.tf
@@ -56,7 +56,7 @@ resource "helm_release" "cert_manager" {
   count = var.enable_k8s_resources ? 1 : 0
 
   depends_on = [
-    module.aks,
+    kubectl_manifest.certmanager_namespace,
     kubectl_manifest.cert_manager_clusterissuer_keyvault_secret,
     azurerm_role_assignment.cert_manager_keyvault
   ]
@@ -72,14 +72,15 @@ resource "helm_release" "cert_manager" {
 
   values = [templatefile("${path.module}/manifests/cert-manager-values.yml.tpl", {
     clusterissuer = var.clusterissuer
+    issuerkind    = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer"
+    issuergroup   = var.clusterissuer == "adcs-issuer" ? "adcs.certmanager.csf.nokia.com" : "cert-manager.io"
   }), var.clusterissuer == "keyvault" ? templatefile("${path.module}/manifests/cert-manager-csi-values.yml.tpl", {}) : ""]
 }
 
 resource "kubectl_manifest" "cert_manager_clusterissuer" {
   count = var.enable_k8s_resources && var.clusterissuer == "letsencrypt-prod" ? 1 : 0
 
   depends_on = [
-    module.aks,
     helm_release.cert_manager,
   ]
 
@@ -96,7 +97,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_vaas" {
   count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0
 
   depends_on = [
-    module.aks,
     helm_release.cert_manager,
     kubectl_manifest.cert_manager_clusterissuer_vaas_secret
   ]
@@ -110,7 +110,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_vaas_secret" {
   count = var.enable_k8s_resources && var.clusterissuer == "vaas-issuer" ? 1 : 0
 
   depends_on = [
-    module.aks,
     helm_release.cert_manager,
   ]
 
@@ -123,7 +122,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault" {
   count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0
 
   depends_on = [
-    module.aks,
     helm_release.cert_manager,
     kubectl_manifest.cert_manager_clusterissuer_keyvault_secret
   ]
@@ -135,7 +133,6 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault_secret" {
   count = var.enable_k8s_resources && var.clusterissuer == "keyvault" ? 1 : 0
 
   depends_on = [
-    module.aks,
     kubectl_manifest.certmanager_namespace
   ]
 
@@ -146,3 +143,14 @@ resource "kubectl_manifest" "cert_manager_clusterissuer_keyvault_secret" {
     tenant_id              = data.azurerm_subscription.current.tenant_id
   })
 }
+
+module "adcs" {
+  count  = var.enable_k8s_resources && var.clusterissuer == "adcs-issuer" ? 1 : 0
+  source = "./modules/adcs"
+
+  adcs_url                  = var.adcs.url
+  username                  = var.adcs.username
+  password                  = var.adcs_password
+  adcs_ca_bundle            = var.adcs.ca_bundle
+  certificate_template_name = var.adcs.certificate_template_name
+}
diff --git a/manifests/cert-manager-values.yml.tpl b/manifests/cert-manager-values.yml.tpl
@@ -6,5 +6,5 @@ serviceAccount:
     azure.workload.identity/use: "true"
 ingressShim:
   defaultIssuerName: ${clusterissuer}
-  defaultIssuerKind: ClusterIssuer
-  defaultIssuerGroup: cert-manager.io
+  defaultIssuerKind: ${issuerkind}
+  defaultIssuerGroup: ${issuergroup}
diff --git a/manifests/wayfinder-values.yml.tpl b/manifests/wayfinder-values.yml.tpl
@@ -8,7 +8,9 @@ api:
     tlsEnabled: true
     tlsSecret: "wayfinder-ingress-api-tls"
     annotations:
-      cert-manager.io/cluster-issuer: ${clusterissuer}
+      cert-manager.io/issuer: ${clusterissuer}
+      cert-manager.io/issuer-kind: ${issuerkind}
+      cert-manager.io/issuer-group: ${issuergroup}
       cert-manager.io/common-name: ${api_hostname}
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       nginx.ingress.kubernetes.io/proxy-buffer-size: '16k'
@@ -31,7 +33,9 @@ ui:
     tlsEnabled: true
     tlsSecret: "wayfinder-ingress-ui-tls"
     annotations:
-      cert-manager.io/cluster-issuer: ${clusterissuer}
+      cert-manager.io/issuer: ${clusterissuer}
+      cert-manager.io/issuer-kind: ${issuerkind}
+      cert-manager.io/issuer-group: ${issuergroup}
       cert-manager.io/common-name: ${ui_hostname}
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
     namespace: "ingress-nginx"

diff --git a/modules/adcs/main.tf b/modules/adcs/main.tf
@@ -0,0 +1,55 @@
+resource "helm_release" "adcs_issuer" {
+  namespace        = "adcs-issuer"
+  create_namespace = true
+
+  name        = "adcs-issuer"
+  repository  = "https://djkormo.github.io/adcs-issuer/"
+  chart       = "adcs-issuer"
+  version     = "2.1.1"
+  max_history = 5
+
+  set {
+    name  = "simulator.enabled"
+    value = "false"
+  }
+
+  set {
+    name  = "simulator.exampleCertificate.enabled"
+    value = "false"
+  }
+}
+
+resource "kubectl_manifest" "adcs_credentials_secret" {
+  depends_on = [ helm_release.adcs_issuer ]
+
+  yaml_body = <<YAML
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: adcs-issuer-credentials
+  namespace: adcs-issuer
+stringData:
+  username: ${var.username}
+  password: ${var.password}
+YAML
+}
+
+resource "kubectl_manifest" "adcs_cluster_issuer" {
+  depends_on = [ kubectl_manifest.adcs_credentials_secret ]
+
+  yaml_body = <<YAML
+apiVersion: adcs.certmanager.csf.nokia.com/v1
+kind: ClusterAdcsIssuer
+metadata:
+  name: adcs-issuer
+spec:
+  caBundle: ${var.adcs_ca_bundle}
+  credentialsRef:
+    name: adcs-issuer-credentials
+  retryInterval: 1h
+  statusCheckInterval: 6h
+  templateName: ${var.certificate_template_name}
+  url: ${var.adcs_url}
+YAML
+}
diff --git a/modules/adcs/outputs.tf b/modules/adcs/outputs.tf
diff --git a/modules/adcs/terraform.tf b/modules/adcs/terraform.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.9.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14.0"
+    }
+  }
+}
diff --git a/modules/adcs/variables.tf b/modules/adcs/variables.tf
@@ -0,0 +1,25 @@
+variable "adcs_url" {
+    type = string
+    description = "URL of the ADCS web UI"
+}
+
+variable "username" {
+    type = string
+    description = "Username of the identity that will authenticate with ADCS to request certificates"
+}
+
+variable "password" {
+    type = string
+    sensitive = true
+    description = "Password of the identity that will authenticate with ADCS to request certificates"
+}
+
+variable "adcs_ca_bundle" {
+    type = string
+    description = "Base64 encoded ca bundle for communication with ADCS.  Can be obtained with 'cat bundle.pem | base64 -w 0'"
+}
+
+variable "certificate_template_name" {
+    type = string
+    description = "ADCS certificate template name to use for signing."
+}
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,21 @@
+variable "adcs" {
+  description = "ADCS variables required when using ADCS Issuer with Cert Manager"
+  type = object({
+    url                       = string
+    username                  = string
+    ca_bundle                 = string
+    certificate_template_name = string
+  })
+  default = null
+}
+
+variable "adcs_password" {
+  description = "ADCS password required when using ADCS Issuer with Cert Manager"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
 variable "aks_agents_size" {
   description = "The default size of the agents pool."
   type        = string
@@ -73,8 +91,8 @@ variable "clusterissuer" {
   type        = string
   default     = "letsencrypt-prod"
   validation {
-    condition     = contains(["letsencrypt-prod", "vaas-issuer", "keyvault"], var.clusterissuer)
-    error_message = "clusterissuer must be one of: letsencrypt-prod, vaas-issuer, keyvault"
+    condition     = contains(["letsencrypt-prod", "vaas-issuer", "keyvault", "adcs-issuer"], var.clusterissuer)
+    error_message = "clusterissuer must be one of: letsencrypt-prod, vaas-issuer, keyvault, adcs-issuer"
   }
 }
 

diff --git a/wayfinder.tf b/wayfinder.tf
@@ -123,6 +123,8 @@ resource "helm_release" "wayfinder" {
     templatefile("${path.module}/manifests/wayfinder-values.yml.tpl", {
       api_hostname                  = var.wayfinder_domain_name_api
       clusterissuer                 = var.clusterissuer
+      issuerkind                    = var.clusterissuer == "adcs-issuer" ? "ClusterAdcsIssuer" : "ClusterIssuer"
+      issuergroup                   = var.clusterissuer == "adcs-issuer" ? "adcs.certmanager.csf.nokia.com" : "cert-manager.io"
       disable_local_login           = var.wayfinder_idp_details["type"] == "none" ? false : var.disable_local_login
       enable_localadmin_user        = var.create_localadmin_user
       storage_class                 = "managed"