Cert-Manager CRDs for Linkerd Identity
# State for this layer lives on local disk next to the cluster state.
# NOTE(review): tls_private_key.root and kubernetes_secret.linkerd below put the
# trust-anchor private key into this state file in plaintext, so the
# ../states directory needs the same protection as the key itself (restricted
# permissions, never committed, or move to an encrypted remote backend).
terraform {
  backend "local" {
    path = "../states/cm_crds.tfstate"
  }
}
# Reads the cluster layer's outputs (cluster_endpoint, cacert are used by the
# kubernetes provider block) from its local state file.
data "terraform_remote_state" "cluster" {
  backend = "local"
  config = {
    path = "../states/cluster.tfstate"
  }
}
# Private key for the Linkerd trust anchor (root CA). The PEM is stored in
# Terraform state as a plain attribute, so state access == root key access.
resource "tls_private_key" "root" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
# Self-signed trust anchor that cert-manager's CA Issuer signs the identity
# issuer certificate with.
resource "tls_self_signed_cert" "root" {
  # NOTE(review): `key_algorithm` was removed as an input in hashicorp/tls 4.x;
  # keep the tls provider pinned below 4.0 or drop this line.
  key_algorithm   = tls_private_key.root.algorithm
  private_key_pem = tls_private_key.root.private_key_pem

  # 10-year lifetime; Terraform plans a replacement once fewer than 2190h
  # (~3 months) remain.
  # NOTE(review): replacing this resource rotates the trust anchor in one step.
  # Proxies only trust the anchor bundle they were started with, so confirm the
  # rotation procedure (distribute old+new bundle first) before relying on
  # early_renewal_hours for an unattended rotation.
  validity_period_hours = 87600
  early_renewal_hours   = 2190

  is_ca_certificate = true
  # NOTE(review): key_encipherment has no meaning for an ECDSA key; the issuer
  # Certificate below asks for `crl sign`, which is not granted here. Consider
  # ["cert_signing", "crl_signing"] — confirm against what Linkerd expects.
  allowed_uses = [
    "cert_signing",
    "key_encipherment",
  ]

  subject {
    common_name = "identity.linkerd.cluster.local"
  }
}
# cert-manager Issuer (CA type) pointing at the linkerd-trust-anchor Secret.
# Path is relative to the module directory; requires the kubernetes provider's
# manifest_resource experiment (enabled in the provider block).
resource "kubernetes_manifest" "issuer" {
  manifest = yamldecode(file("l5d_issuer.yaml"))
}
# cert-manager Certificate for the Linkerd identity issuer, renewed by
# cert-manager rather than by Terraform.
# NOTE(review): no explicit depends_on; the manifest references the Issuer by
# name only, so ordering against kubernetes_manifest.issuer and
# kubernetes_secret.linkerd relies on cert-manager retrying — confirm.
resource "kubernetes_manifest" "certificate" {
  manifest = yamldecode(file("l5d_id_certificate.yaml"))
}
# cert-manager Certificate for the Linkerd identity issuer. The issued cert and
# key are written to Secret `linkerd-identity-issuer` in the `linkerd`
# namespace, signed by the `linkerd-trust-anchor` Issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  # 48h lifetime, renewed when 25h remain, i.e. ~23h after each issuance,
  # so a leaked issuer key is only usable for a short window.
  duration: 48h0m0s
  renewBefore: 25h0m0s
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  # The identity service signs workload certificates with this key, so the
  # certificate must itself be a CA.
  isCA: true
  privateKey:
    algorithm: ECDSA
  # NOTE(review): `crl sign` is requested here but the Terraform-generated root
  # above only allows cert_signing/key_encipherment — confirm the mismatch is
  # intentional.
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
# CA Issuer backed by the trust-anchor keypair that kubernetes_secret.linkerd
# writes to Secret `linkerd-trust-anchor` (tls.crt / tls.key). Anyone who can
# read that Secret holds the root key, so RBAC on the linkerd namespace matters.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
# Providers with no explicit configuration. google picks up project/region and
# credentials from the environment (e.g. application default credentials).
provider null {}
provider tls {}
provider google {}
# Supplies the caller's short-lived OAuth access token used to authenticate the
# kubernetes provider; no long-lived cluster credential is stored.
data "google_client_config" "default" {}
# Kubernetes provider authenticated with the Google access token against the
# endpoint and CA exported by the cluster layer.
provider kubernetes {
  host  = "https://${data.terraform_remote_state.cluster.outputs.cluster_endpoint}"
  token = data.google_client_config.default.access_token
  # Pinning the cluster CA keeps the API connection verified rather than
  # trusting whatever presents at the endpoint.
  cluster_ca_certificate = base64decode(data.terraform_remote_state.cluster.outputs.cacert)

  # kubernetes_manifest is experimental in provider 2.5.0 and must be opted in.
  experiments {
    manifest_resource = true
  }
}
# Trust-anchor certificate (public half only) for other layers, e.g. the
# Linkerd install's identityTrustAnchorsPEM.
output cert {
  value = tls_self_signed_cert.root.cert_pem
}
# Control-plane namespace, created ahead of the Linkerd install so the trust
# anchor Secret has somewhere to live. Injection and the admission webhooks
# are disabled on it, as the control plane must not be proxied by itself.
resource "kubernetes_namespace" "linkerd" {
  metadata {
    name = "linkerd"
    annotations = {
      "linkerd.io/inject" = "disabled"
    }
    labels = {
      "config.linkerd.io/admission-webhooks" = "disabled"
    }
  }
}
# Trust-anchor keypair handed to cert-manager's CA Issuer. Because cert-manager
# signs with it in-cluster, the root private key is present both in this
# Secret and in Terraform state; both are the security boundary of the mesh.
# NOTE(review): a compromise of this Secret compromises every identity in the
# mesh — restrict get/list on Secrets in the linkerd namespace accordingly.
resource "kubernetes_secret" "linkerd" {
  metadata {
    name      = "linkerd-trust-anchor"
    namespace = kubernetes_namespace.linkerd.metadata[0].name
  }
  # Provider base64-encodes `data`; keys match what a CA Issuer reads.
  data = {
    "tls.crt" = tls_self_signed_cert.root.cert_pem
    "tls.key" = tls_private_key.root.private_key_pem
  }
  type = "kubernetes.io/tls"
}
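# Provider pins for this layer. google/helm/kubernetes are pinned exactly; tls
# is bounded to the 3.x line because tls_self_signed_cert.root still sets
# `key_algorithm`, which hashicorp/tls 4.0 turned into a read-only attribute —
# the original unbounded "> 3" let a fresh `terraform init` select 4.x and fail
# to plan.
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.85.0"
    }
    # Not referenced by the resources on this page; presumably used by another
    # file in the module.
    helm = {
      source  = "hashicorp/helm"
      version = "2.3.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.5.0"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "> 3, < 4"
    }
  }
  required_version = ">= 1"
}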