chore: intergrated cert-manager and ingress module to argocd automated deployment

Jagoum · Jagoum · commit 92d6d161220b · 2026-01-12T12:54:06.000+01:00
diff --git a/argocd/terraform/.gitignore b/argocd/terraform/.gitignore
@@ -0,0 +1,28 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash logs
+crash.log
+crash.*.log
+
+# Sensitive variable files (where you store your Keycloak credentials)
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+_override.tf
+_override.tf.json
+
+# Local environment files
+.envrc
+.env
+
+# MacOS files
+.DS_Store
+
+# Helm local cache/logs
+.helm/
diff --git a/argocd/terraform/README.md b/argocd/terraform/README.md
@@ -0,0 +1,15 @@
+# Modular ArgoCD Deployment with Keycloak OIDC & RBAC
+
+This Terraform module deploys **ArgoCD** into a Kubernetes cluster using the official Helm chart. It is designed to be modular, supporting deployment to different clusters (Control Plane vs. Workload) with toggleable features for **Keycloak (OIDC) integration** and **RBAC (Role-Based Access Control)**.
+
+---
+
+##  Directory Structure
+
+```text
+.
+├── main.tf
+├── provider.tf
+├── README.md
+├── terraform.tfvars # Create this file to include you variables as in the terraform.tfvars.template file
+└── variables.tf
diff --git a/argocd/terraform/main.tf b/argocd/terraform/main.tf
@@ -79,15 +79,51 @@ resource "helm_release" "argocd-test" {
           "policy.csv" = "g, /ArgoCDAdmins, role:admin"
         }
       }
-      server = {
-        service = {
-          type = "LoadBalancer"
-        }
-      }
     })
   ]
 }
 
+
+# Managing certificate signing and creation
+# Cert-Manager Module
+module "cert_manager" {
+  providers = {
+    kubernetes = kubernetes
+    helm       = helm
+  }
+
+  source = "../../cert-manager/terraform"
+
+  install_cert_manager = var.install_cert_manager
+  cert_manager_version = var.cert_manager_version
+  release_name         = var.cert_manager_release_name
+  namespace            = var.cert_manager_namespace
+
+  letsencrypt_email = var.letsencrypt_email
+  cert_issuer_name  = var.cert_issuer_name
+  cert_issuer_kind  = var.cert_issuer_kind
+  # If Kind is Issuer, it must be in the observability namespace to be used by the ingress in that namespace.
+  # If Kind is ClusterIssuer, this variable is ignored by the module logic.
+  issuer_namespace   = var.namespace
+  ingress_class_name = var.ingress_class_name
+
+  # Ensure namespace exists before issuer creation (handled inside module)
+}
+
+# Setting Up An Ingress Controller
+# Ingress Controller Module
+module "ingress_nginx" {
+  source = "../../ingress-controller/terraform"
+
+  install_nginx_ingress = var.install_nginx_ingress
+  nginx_ingress_version = var.nginx_ingress_version
+  release_name          = var.nginx_ingress_release_name
+  namespace             = var.nginx_ingress_namespace
+  ingress_class_name    = var.ingress_class_name
+}
+
+
+
 # =============================================================================
 # OUTPUTS
 # =============================================================================
diff --git a/argocd/terraform/provider.tf b/argocd/terraform/provider.tf
@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "mrparkers/keycloak"
+      version = ">= 4.0.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+# 1. Connect to your EXISTING Keycloak
+provider "keycloak" {
+  client_id = "admin-cli"
+  url       = var.keycloak_url      # e.g. https://auth.example.com
+  username  = var.keycloak_user
+  password  = var.keycloak_password
+}
+
+
+
+# 2. Connect to GKE using your local terminal credentials
+provider "helm" {
+  kubernetes {
+    config_path    = "~/.kube/config"
+    config_context = var.kube_context # Optional: specify if you have multiple contexts
+  }
+}
+
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+  config_context = var.kube_context # Optional: specify if you have multiple contexts
+}
diff --git a/argocd/terraform/terraform.tfvars.template b/argocd/terraform/terraform.tfvars.template
@@ -0,0 +1,13 @@
+keycloak_url      = "https://keycloak_domain_name"
+keycloak_user     = "admin"
+keycloak_password = "your-strong-secret-password" # this is to authenticate to keycloak
+argocd_url        = "https://example.com"
+target_realm      = "master" # or your specific realm
+kube_context = "gke_project-id_region_cluster-name"
+
+# For For Setting Up Nginx Loadbalancer
+
+install_nginx_ingress      = false
+nginx_ingress_release_name = "nginx-monitoring"
+nginx_ingress_namespace    = "ingress-nginx"
+ingress_class_name         = "nginx"
diff --git a/argocd/terraform/variables.tf b/argocd/terraform/variables.tf
@@ -30,4 +30,85 @@ variable "kube_context" {
   description = "The context name in your kubeconfig (run 'kubectl config current-context')"
   type        = string
   default     = "" # If empty, uses current context
-}
+}
+
+variable "install_nginx_ingress" {
+  description = "Whether to install NGINX Ingress Controller"
+  type        = bool
+  default     = false
+}
+
+variable "nginx_ingress_version" {
+  description = "Version of ingress-nginx chart"
+  type        = string
+  default     = "4.10.1"
+}
+
+variable "nginx_ingress_release_name" {
+  description = "Helm release name for NGINX Ingress"
+  type        = string
+  default     = "nginx-monitoring"
+}
+
+variable "nginx_ingress_namespace" {
+  description = "Namespace where NGINX Ingress is installed"
+  type        = string
+  default     = "ingress-nginx"
+}
+
+variable "ingress_class_name" {
+  description = "Ingress class to use for all ingress resources (e.g., nginx, traefik, kong). Must match an existing IngressClass in the cluster."
+  type        = string
+  default     = "nginx"
+}
+
+variable "install_cert_manager" {
+  description = "Whether to install cert-manager"
+  type        = bool
+  default     = false
+}
+
+variable "cert_manager_version" {
+  description = "Version of cert-manager chart"
+  type        = string
+  default     = "v1.15.0"
+}
+
+variable "namespace" {
+  description = "Namespace to install cert-manager into"
+  type        = string
+  default     = "cert-manager"
+}
+
+variable "letsencrypt_email" {
+  description = "Email address for Let's Encrypt certificate notifications"
+  type        = string
+}
+
+variable "cert_issuer_name" {
+  description = "Name of the ClusterIssuer or Issuer to create"
+  type        = string
+  default     = "letsencrypt-prod"
+}
+
+variable "cert_issuer_kind" {
+  description = "Kind of Issuer to create (ClusterIssuer or Issuer)"
+  type        = string
+  default     = "ClusterIssuer"
+  validation {
+    condition     = contains(["ClusterIssuer", "Issuer"], var.cert_issuer_kind)
+    error_message = "cert_issuer_kind must be either 'ClusterIssuer' or 'Issuer'."
+  }
+}
+
+variable "cert_manager_release_name" {
+  description = "Helm release name for Cert-Manager"
+  type        = string
+  default     = "cert-manager"
+}
+
+variable "cert_manager_namespace" {
+  description = "Namespace where Cert-Manager is installed"
+  type        = string
+  default     = "cert-manager"
+}
diff --git a/cert-manager/terraform/main.tf b/cert-manager/terraform/main.tf
@@ -22,7 +22,7 @@ resource "helm_release" "cert_manager" {
   create_namespace = true
   version          = var.cert_manager_version
 
-  set = {
+  set {
     name  = "installCRDs"
     value = "true"
   }
diff --git a/ingress-controller/terraform/main.tf b/ingress-controller/terraform/main.tf
@@ -22,35 +22,35 @@ resource "helm_release" "nginx_ingress" {
   create_namespace = true
   version          = var.nginx_ingress_version
 
-  set = [ {
+  set  {
     name  = "controller.replicaCount"
     value = var.replica_count
-  },
+  }
 
-  {
+  set {
     name  = "controller.ingressClassResource.name"
     value = var.ingress_class_name
-  },
+  }
 
-  {
+  set {
     name  = "controller.ingressClass"
     value = var.ingress_class_name
-  },
+  }
 
-   {
+  set {
     name  = "controller.ingressClassResource.controllerValue"
     value = "k8s.io/${var.ingress_class_name}"
-  },
-   {
+   }
+  set {
     name  = "controller.ingressClassResource.enabled"
     value = "true"
-  },
+  }
 
-   {
+  set {
     name  = "controller.ingressClassByName"
     value = "true"
   }
-  ]
+ 
 
   # Wait for the LoadBalancer to be ready
   wait    = true
diff --git a/lgtm-stack/terraform/main.tf b/lgtm-stack/terraform/main.tf
@@ -34,7 +34,7 @@ provider "kubernetes" {
 }
 
 provider "helm" {
-  kubernetes = {
+  kubernetes {
     host                   = "https://${data.google_container_cluster.primary.endpoint}"
     token                  = data.google_client_config.default.access_token
     cluster_ca_certificate = base64decode(data.google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
@@ -155,6 +155,11 @@ resource "google_service_account_iam_member" "workload_identity_binding" {
 
 # Cert-Manager Module
 module "cert_manager" {
+  providers = {
+    kubernetes = kubernetes
+    helm       = helm
+  }
+
   source = "../../cert-manager/terraform"
 
   install_cert_manager = var.install_cert_manager

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ resource "helm_release" "cert_manager" {`
`22`	`22`	`create_namespace = true`
`23`	`23`	`version = var.cert_manager_version`
`24`	`24`
`25`		`- set = {`
	`25`	`+ set {`
`26`	`26`	`name = "installCRDs"`
`27`	`27`	`value = "true"`
`28`	`28`	`}`