Add cert-manager and let's encrypt to the k8s-cluster

This change contains a new module which will be applied after the
kubernetes-cluster has been created. It will install the cert-manager in
it and add let's encrypt as a ClusterIssuer to the cluster. That setup
allows me to simply issue certificates for all services in the cluster.

README.adoc

@@ -23,7 +23,7 @@ Though, it should be safe to run each step multiple times, they should all be in
 
 Run this setup in the `infra/` directory.
 
-include::infra/README.adoc[tag=setup]
+include::./infra/README.adoc[tag=setup]
 
 === k3s
 
@@ -33,7 +33,13 @@ Run this setup in the `k3s/` directory.
 The k3s-setup requires a `inventory.ini` which is automatically created by the infra.
 So, make sure to apply the infra at least once, before running these playbooks.
 
-include::k3s/README.adoc[tag=setup]
+include::./k3s/README.adoc[tag=setup]
+
+=== k8s
+
+Run this setup in the `k8s/` directory.
+
+include::./k8s/README.adoc[tag=setup]
 
 == Enlarge / Reduce size of cluster
 

k8s/.terraform.lock.hcl

@@ -0,0 +1,42 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "3.0.2"
+  constraints = "3.0.2"
+  hashes = [
+    "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=",
+    "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0",
+    "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690",
+    "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2",
+    "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310",
+    "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1",
+    "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e",
+    "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f",
+    "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366",
+    "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e",
+    "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad",
+    "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "2.38.0"
+  constraints = "2.38.0"
+  hashes = [
+    "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=",
+    "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0",
+    "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f",
+    "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b",
+    "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12",
+    "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2",
+    "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc",
+    "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15",
+    "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396",
+    "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d",
+    "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db",
+  ]
+}

k8s/README.adoc

@@ -0,0 +1,21 @@
+= k8s
+:icons: font
+
+This project is responsible for providing general services in the kubernetes-cluster.
+
+== Setup
+
+// tag::setup[]
+[WARNING]
+Make sure `config.auto.tfvars` with all the needed configuration-secrets is present otherwise the module cannot be applied!
+The file is savely stored in the password-manager.
+
+[source,bash]
+----
+terraform init # <1>
+terraform apply # <2>
+----
+
+<1> Init the terraform modules if necessary
+<2> Create services in the cluster
+// end::setup[]

k8s/main.tf

@@ -0,0 +1,56 @@
+resource "helm_release" "cert_manager" {
+  name             = "cert-manager"
+  repository       = "oci://quay.io/jetstack/charts"
+  chart            = "cert-manager"
+  version          = "v1.18.2"
+  namespace        = "cert-manager"
+  create_namespace = true
+  set = [{
+    name  = "crds.enabled"
+    value = "true"
+  }]
+}
+
+locals {
+  letsencrypt = {
+    staging = {
+      server = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      email = var.letsencrypt_issuer_email
+    }
+    prod = {
+      server = "https://acme-v02.api.letsencrypt.org/directory"
+      email = var.letsencrypt_issuer_email
+    }
+  }
+}
+
+resource "kubernetes_manifest" "letsencrypt_clusterissuer" {
+  depends_on = [ helm_release.cert_manager ]
+
+  for_each = local.letsencrypt
+
+  manifest = {
+    apiVersion = "cert-manager.io/v1"
+    kind = "ClusterIssuer"
+    metadata = {
+      name = "letsencrypt-${each.key}"
+    }
+    spec = {
+      acme = {
+        email = lookup(each.value, "email")
+        privateKeySecretRef = {
+          name = "letsencrypt-${each.key}"
+        }
+        server = lookup(each.value, "server")
+        solvers = [{
+          http01 = {
+            ingress = {
+              class = "traefik"
+            }
+          }
+        }]
+      }
+    }
+  }
+}
+

k8s/variables.tf

@@ -0,0 +1,3 @@
+variable "letsencrypt_issuer_email" {
+  type = string
+}

k8s/versions.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "3.0.2"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.38.0"
+    }
+  }
+}
+
+provider "helm" {
+  kubernetes = {
+    config_path = "~/.kube/config"
+  }
+}
+
+provider "kubernetes" {
+  config_path = "~/.kube/config"
+}