Modularize cert-manager and ingress, update LGTM, and add deployment docs

Author: onelrian

cert-manager/README.md

@@ -0,0 +1,17 @@
+# Cert-Manager Component
+
+This directory contains the necessary configurations for **Cert-Manager**, which handles certificate management and issuance for the observability stack.
+
+## Deployment Options
+
+You can deploy Cert-Manager using one of the following methods:
+
+### 1. Terraform (Automated)
+This method uses the Terraform configuration located in the `terraform/` directory. It is the recommended approach for integration with the full observability stack.
+
+- [**Terraform Deployment Guide**](../docs/cert-manager-terraform-deployment.md)
+
+### 2. Manual (Helm & Kubectl)
+If you prefer to deploy manually using CLI tools, you can follow the manual guide.
+
+- [**Manual Deployment Guide**](../docs/cert-manager-manual-deployment.md)

cert-manager/terraform/main.tf

@@ -0,0 +1,58 @@
+resource "helm_release" "cert_manager" {
+  count = var.install_cert_manager ? 1 : 0
+
+  name             = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  chart            = "cert-manager"
+  namespace        = var.namespace
+  create_namespace = var.create_namespace
+  version          = var.cert_manager_version
+
+  set {
+    name  = "installCRDs"
+    value = var.install_crds
+  }
+
+  wait    = true
+  timeout = 600
+}
+
+# Issuer for Let's Encrypt
+resource "kubernetes_manifest" "letsencrypt_issuer" {
+  count = var.install_cert_manager ? 1 : 0
+
+  manifest = {
+    apiVersion = "cert-manager.io/v1"
+    kind       = var.cert_issuer_kind
+    metadata = merge(
+      {
+        name = var.cert_issuer_name
+      },
+      # Only add namespace if Kind is Issuer. 
+      # If issuer_namespace is set, use it. Otherwise fallback to var.namespace.
+      var.cert_issuer_kind == "Issuer" ? {
+        namespace = coalesce(var.issuer_namespace, var.namespace)
+      } : {}
+    )
+    spec = {
+      acme = {
+        server = var.issuer_server
+        email  = var.letsencrypt_email
+        privateKeySecretRef = {
+          name = "${var.cert_issuer_name}-key"
+        }
+        solvers = [
+          {
+            http01 = {
+              ingress = {
+                class = var.ingress_class_name
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+
+  depends_on = [helm_release.cert_manager]
+}

cert-manager/terraform/outputs.tf

@@ -0,0 +1,9 @@
+output "namespace" {
+  description = "Namespace where cert-manager was installed"
+  value       = var.namespace
+}
+
+output "issuer_name" {
+  description = "Name of the created Issuer"
+  value       = var.install_cert_manager ? var.cert_issuer_name : ""
+}

cert-manager/terraform/variables.tf

@@ -0,0 +1,68 @@
+variable "install_cert_manager" {
+  description = "Whether to install cert-manager"
+  type        = bool
+  default     = false
+}
+
+variable "cert_manager_version" {
+  description = "Version of cert-manager chart"
+  type        = string
+  default     = "v1.15.0"
+}
+
+variable "namespace" {
+  description = "Namespace to install cert-manager into"
+  type        = string
+  default     = "cert-manager"
+}
+
+variable "create_namespace" {
+  description = "Whether to create the namespace"
+  type        = bool
+  default     = true
+}
+
+variable "install_crds" {
+  description = "Whether to install CRDs"
+  type        = bool
+  default     = true
+}
+
+variable "letsencrypt_email" {
+  description = "Email address for Let's Encrypt certificate notifications"
+  type        = string
+}
+
+variable "cert_issuer_name" {
+  description = "Name of the ClusterIssuer or Issuer to create"
+  type        = string
+  default     = "letsencrypt-prod"
+}
+
+variable "cert_issuer_kind" {
+  description = "Kind of Issuer to create (ClusterIssuer or Issuer)"
+  type        = string
+  default     = "ClusterIssuer"
+  validation {
+    condition     = contains(["ClusterIssuer", "Issuer"], var.cert_issuer_kind)
+    error_message = "cert_issuer_kind must be either 'ClusterIssuer' or 'Issuer'."
+  }
+}
+
+variable "issuer_namespace" {
+  description = "Namespace for the Issuer (required if cert_issuer_kind is Issuer). Defaults to the installation namespace if not provided."
+  type        = string
+  default     = ""
+}
+
+variable "issuer_server" {
+  description = "ACME server URL"
+  type        = string
+  default     = "https://acme-v02.api.letsencrypt.org/directory"
+}
+
+variable "ingress_class_name" {
+  description = "Ingress class to solve challenges"
+  type        = string
+  default     = "nginx"
+}

cert-manager/terraform/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.12"
+    }
+  }
+}

docs/cert-manager-manual-deployment.md

@@ -0,0 +1,74 @@
+# Manual Cert-Manager Deployment (Helm & Kubectl)
+
+This guide explains how to manually deploy **Cert-Manager** and configure a **ClusterIssuer** without using Terraform.
+
+## Prerequisites
+
+- **Helm** 3.x installed
+- **kubectl** installed and configured
+
+## 1. Verify Context
+
+Ensure you are targeting the correct Kubernetes cluster:
+
+```bash
+kubectl config current-context
+```
+
+## 2. Install Cert-Manager via Helm
+
+1. **Add the Jetstack Helm repository**:
+   ```bash
+   helm repo add jetstack https://charts.jetstack.io
+   helm repo update
+   ```
+
+2. **Install Cert-Manager**:
+   ```bash
+   helm install cert-manager jetstack/cert-manager \
+     --namespace cert-manager \ # You can change this to your preferred namespace
+     --create-namespace \
+     --version v1.15.0 \
+     --set installCRDs=true
+   ```
+
+3. **Verify Installation**:
+   ```bash
+   kubectl get pods --namespace cert-manager # Adjust namespace if changed above
+   ```
+
+## 3. Configure ClusterIssuer
+
+1. **Create the manifest file**:
+   Create a file named `cluster-issuer.yaml` in your current directory:
+
+   ```yaml
+   apiVersion: cert-manager.io/v1
+   kind: ClusterIssuer
+   metadata:
+     name: letsencrypt-prod
+   spec:
+     acme:
+       server: https://acme-v02.api.letsencrypt.org/directory
+       email: your-email@example.com  # REPLACE THIS
+       privateKeySecretRef:
+         name: letsencrypt-prod-key
+       solvers:
+       - http01:
+           ingress:
+             class: nginx
+   ```
+
+2. **Apply the manifest**:
+   ```bash
+   kubectl apply -f cluster-issuer.yaml
+   ```
+
+## 4. Verification
+
+Check the status of the ClusterIssuer:
+
+```bash
+kubectl get clusterissuer letsencrypt-prod -o wide
+```
+It should say `True` in the `READY` column.

docs/cert-manager-terraform-deployment.md

@@ -0,0 +1,63 @@
+# Cert-Manager Deployment (Terraform)
+
+This guide explains how to deploy **Cert-Manager** using the standalone Terraform configuration.
+
+## Prerequisites
+
+- **Terraform** >= 1.0
+- **Kubernetes Cluster** (GKE, etc.)
+- **kubectl** configured to context
+
+## Deployment Steps
+
+1. **Verify Context**:
+   Ensure you are pointing to the correct cluster before running Terraform.
+   ```bash
+   kubectl config current-context
+   ```
+
+2. **Navigate to the directory**:
+   From the project root:
+   ```bash
+   cd cert-manager/terraform
+   ```
+
+3. **Initialize Terraform**:
+   ```bash
+   terraform init
+   ```
+
+4. **Create a `terraform.tfvars` file**:
+   Create a file named `terraform.tfvars` with your specific configuration:
+   ```hcl
+   letsencrypt_email = "your-email@example.com"
+   cert_issuer_name  = "letsencrypt-prod"
+   install_cert_manager = true  # Must be set to true explicitly
+   
+   # Optional:
+   # cert_issuer_kind = "ClusterIssuer" # or "Issuer"
+   # namespace = "cert-manager"
+   ```
+
+5. **Review the Plan**:
+   ```bash
+   terraform plan
+   ```
+
+6. **Apply**:
+   ```bash
+   terraform apply
+   ```
+
+## Variables
+
+| Name | Description | Default |
+|------|-------------|---------|
+| `install_cert_manager` | Install Cert-Manager via Helm | `false` |
+| `cert_manager_version` | Chart version | `v1.15.0` |
+| `namespace` | Namespace to install into | `cert-manager` |
+| `letsencrypt_email` | Email for ACME registration | **Required** |
+| `cert_issuer_name` | Name of ClusterIssuer/Issuer | `letsencrypt-prod` |
+| `cert_issuer_kind` | Kind of Issuer (`ClusterIssuer` or `Issuer`) | `ClusterIssuer` |
+| `issuer_namespace` | Namespace for Issuer (if Kind is Issuer). Defaults to install namespace. | `null` |
+| `ingress_class_name` | Ingress class for solving challenges | `nginx` |

docs/ingress-controller-manual-deployment.md

@@ -0,0 +1,50 @@
+# Manual NGINX Ingress Controller Deployment (Helm)
+
+This guide explains how to manually deploy the **NGINX Ingress Controller** using Helm.
+
+## Prerequisites
+
+- **Helm** 3.x installed
+- **kubectl** installed and configured
+
+## 1. Verify Context
+
+Ensure you are targeting the correct Kubernetes cluster:
+
+```bash
+kubectl config current-context
+```
+
+## 2. Installation
+
+1. **Add the Kubernetes Ingress Nginx repository**:
+   ```bash
+   helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+   helm repo update
+   ```
+
+2. **Install the Controller**:
+   ```bash
+   helm install nginx-monitoring ingress-nginx/ingress-nginx \
+     --namespace ingress-nginx \ # You can change this to your preferred namespace
+     --create-namespace \
+     --version 4.10.1 \
+     --set controller.ingressClassResource.name=nginx \
+     --set controller.ingressClass=nginx \
+     --set controller.ingressClassResource.controllerValue=k8s.io/nginx \
+     --set controller.ingressClassResource.enabled=true \
+     --set controller.ingressClassByName=true
+   ```
+
+## 3. Verification
+
+1. **Check Pods**:
+   ```bash
+   kubectl get pods -n ingress-nginx # Adjust namespace if changed above
+   ```
+
+2. **Check LoadBalancer Service**:
+   ```bash
+   kubectl get svc -n ingress-nginx # Adjust namespace if changed above
+   ```
+   Wait for the `EXTERNAL-IP` to be assigned.