diff --git a/intents/ack_acm_controller/facets.yaml b/intents/ack_acm_controller/facets.yaml deleted file mode 100644 index f0e37bd8..00000000 --- a/intents/ack_acm_controller/facets.yaml +++ /dev/null @@ -1,7 +0,0 @@ -name: ack_acm_controller -type: k8s -displayName: ACK ACM Controller -description: AWS Controllers for Kubernetes (ACK) ACM Controller that manages AWS Certificate Manager certificates as Kubernetes resources and exports them to TLS secrets. -outputs: - - name: default - type: "@outputs/ack_acm_controller" diff --git a/modules/ack_acm_controller/legacy/1.0/README.md b/modules/ack_acm_controller/legacy/1.0/README.md deleted file mode 100644 index e3199723..00000000 --- a/modules/ack_acm_controller/legacy/1.0/README.md +++ /dev/null @@ -1,147 +0,0 @@ -# ACK ACM Controller (Legacy) - -Deploys the AWS Controllers for Kubernetes (ACK) ACM Controller on EKS clusters, enabling management of AWS Certificate Manager certificates as Kubernetes resources. - -## Overview - -This module installs the ACK ACM Controller via Helm and configures IAM Role for Service Accounts (IRSA) so the controller can manage ACM certificates. Once deployed, you can create `Certificate` custom resources in Kubernetes that provision real ACM certificates and export them to Kubernetes TLS secrets. - -This is primarily used by the `nginx_gateway_fabric_legacy_aws` module to handle domains with ACM ARN `certificate_reference`. - -## Architecture - -``` - ┌──────────────────────────────────────────┐ - │ ACK ACM Controller │ - │ │ - │ 1. Watches Certificate CRDs │ - │ 2. Calls ACM API via IRSA │ - │ 3. Requests/validates certificates │ - │ 4. Exports cert to K8s TLS secret │ - │ │ - │ IAM: acm:RequestCertificate, │ - │ acm:DescribeCertificate, │ - │ acm:GetCertificate, ... │ - └──────────────────────────────────────────┘ - │ │ - ▼ ▼ - AWS ACM (Certificate) K8s TLS Secret - (DNS validation) (exported cert) -``` - -## What It Creates - -| Resource | Description | -|----------|-------------| -| `aws_iam_policy` | IAM policy granting ACM permissions | -| IRSA module | IAM role bound to the controller's service account | -| `helm_release` | ACK ACM Controller deployment from `oci://public.ecr.aws/aws-controllers-k8s/acm-chart` | - -## Configuration - -### Basic Example - -```json -{ - "kind": "ack_acm_controller", - "flavor": "legacy", - "version": "1.0", - "spec": { - "chart_version": "1.3.4" - } -} -``` - -### With Custom Namespace - -```json -{ - "kind": "ack_acm_controller", - "flavor": "legacy", - "version": "1.0", - "spec": { - "chart_version": "1.3.4", - "namespace": "cert-manager" - } -} -``` - -## Spec Options - -| Field | Type | Default | Required | Description | -|-------|------|---------|----------|-------------| -| `chart_version` | string | `1.3.4` | Yes | Helm chart version of the ACK ACM Controller | -| `namespace` | string | environment namespace | No | Kubernetes namespace for the controller | -| `helm_values` | object | - | No | Additional Helm values to override defaults | - -## Inputs - -| Input | Type | Required | Description | -|-------|------|----------|-------------| -| `kubernetes_details` | `@outputs/kubernetes` | Yes | Kubernetes cluster connection (provides OIDC provider ARN for IRSA) | - -## Outputs - -| Attribute | Description | -|-----------|-------------| -| `namespace` | Namespace where the controller is deployed | -| `release_name` | Helm release name | -| `chart_version` | Deployed chart version | -| `role_arn` | IAM role ARN used by the controller | -| `helm_release_id` | Helm release ID | - -## Usage with nginx_gateway_fabric_legacy_aws - -Once deployed, the `nginx_gateway_fabric_legacy_aws` module can use ACM ARNs as `certificate_reference` on domains: - -```json -{ - "kind": "ingress", - "flavor": "nginx_gateway_fabric_legacy_aws", - "version": "1.0", - "spec": { - "domains": { - "production": { - "domain": "api.example.com", - "alias": "prod", - "certificate_reference": "arn:aws:acm:us-east-1:123456789:certificate/abc-123" - } - } - } -} -``` - -The ingress module detects the ACM ARN, creates a `Certificate` CRD (kind: `acm.services.k8s.aws/v1alpha1`), and the ACK controller provisions the certificate and exports it to a K8s TLS secret. - -## Prerequisites - -- EKS cluster with OIDC provider configured -- Route53 hosted zone for DNS validation of ACM certificates - -## Troubleshooting - -### Check Controller Status - -```bash -kubectl get pods -n -l app.kubernetes.io/name=acm-chart -kubectl logs -n -l app.kubernetes.io/name=acm-chart -``` - -### Check ACM Certificate CRDs - -```bash -kubectl get certificate.acm.services.k8s.aws -n -kubectl describe certificate.acm.services.k8s.aws -n -``` - -### Check IRSA - -```bash -kubectl get sa ack-acm-controller -n -o yaml | grep eks.amazonaws.com/role-arn -``` - -### Common Issues - -- **Certificate stuck in pending**: Check Route53 DNS validation records are created. The ACM controller needs DNS validation to complete. -- **IAM errors**: Verify the IRSA role ARN in the service account annotation matches the IAM role with ACM permissions. -- **Export failure**: The target K8s secret must exist before the controller can export. The ingress module pre-creates empty TLS secrets for this purpose. diff --git a/modules/ack_acm_controller/legacy/1.0/facets.yaml b/modules/ack_acm_controller/legacy/1.0/facets.yaml deleted file mode 100644 index 40c79812..00000000 --- a/modules/ack_acm_controller/legacy/1.0/facets.yaml +++ /dev/null @@ -1,58 +0,0 @@ -intent: ack_acm_controller -flavor: legacy -version: "1.0" -description: | - Deploys the AWS ACK ACM Controller on EKS clusters via Helm. - This controller manages AWS Certificate Manager (ACM) certificates as Kubernetes resources - and can export issued certificates to Kubernetes TLS secrets for use with Gateway API or Ingress. - Uses IRSA for secure IAM authentication. Supports DNS validation via Route53. -clouds: - - aws - - kubernetes -inputs: - kubernetes_details: - type: "@outputs/kubernetes" - optional: false - default: - resource_type: kubernetes_cluster - resource_name: default - providers: - - kubernetes - - kubernetes-alpha - - helm -outputs: - default: - type: "@outputs/ack_acm_controller" -spec: - title: ACK ACM Controller Configuration - type: object - properties: - chart_version: - type: string - default: "1.3.4" - title: Chart Version - description: Helm chart version of the ACK ACM Controller - namespace: - type: string - title: Namespace - description: Kubernetes namespace for the controller (defaults to environment namespace) - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - maxLength: 63 - helm_values: - type: object - title: Helm Values - description: Additional Helm values to override defaults - x-ui-yaml-editor: true - required: - - chart_version - x-ui-order: - - chart_version - - namespace - - helm_values -sample: - kind: ack_acm_controller - flavor: legacy - version: "1.0" - disabled: true - spec: - chart_version: "1.3.4" diff --git a/modules/ack_acm_controller/legacy/1.0/main.tf b/modules/ack_acm_controller/legacy/1.0/main.tf deleted file mode 100644 index d4496fd4..00000000 --- a/modules/ack_acm_controller/legacy/1.0/main.tf +++ /dev/null @@ -1,118 +0,0 @@ -data "aws_region" "current" {} - -module "name" { - source = "github.com/Facets-cloud/facets-utility-modules//name" - environment = var.environment - limit = 48 - resource_name = var.instance_name - resource_type = "ack_acm_controller" - globally_unique = true -} - -locals { - name = module.name.name - controller_namespace = coalesce(lookup(var.instance.spec, "namespace", null), var.environment.namespace) - controller_service_account = "ack-acm-controller" - eks_oidc_provider_arn = try(var.inputs.kubernetes_details.attributes.legacy_outputs.k8s_details.oidc_provider_arn, var.baseinfra.k8s_details.oidc_provider_arn) - aws_region = data.aws_region.current.name - - # Tolerations: merge environment defaults with facets dedicated tolerations - tolerations = concat( - lookup(var.environment, "default_tolerations", []), - try(var.inputs.kubernetes_details.attributes.legacy_outputs.facets_dedicated_tolerations, []) - ) - - # Node selector from kubernetes_details legacy outputs - node_selector = try(var.inputs.kubernetes_details.attributes.legacy_outputs.facets_dedicated_node_selectors, {}) - - controller_tolerations = [ - for taint in local.tolerations : { - key = taint.key - operator = "Equal" - value = lookup(taint, "value", "") - effect = taint.effect - } - ] -} - -# IAM Policy for ACK ACM Controller -resource "aws_iam_policy" "ack_acm" { - name = "${local.name}-ack-acm" - description = "IAM policy for the ACK ACM Controller" - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "acm:DescribeCertificate", - "acm:GetCertificate", - "acm:ListCertificates", - "acm:ListTagsForCertificate", - "acm:AddTagsToCertificate", - "acm:RemoveTagsFromCertificate" - ] - Resource = "*" - } - ] - }) -} - -# IRSA - IAM Role for Service Account -module "irsa" { - source = "github.com/Facets-cloud/facets-utility-modules//aws_irsa" - eks_oidc_provider_arn = local.eks_oidc_provider_arn - iam_role_name = local.name - namespace = local.controller_namespace - sa_name = local.controller_service_account - iam_arns = { - (local.controller_service_account) = { - arn = aws_iam_policy.ack_acm.arn - } - } -} - -# Deploy ACK ACM Controller via Helm -resource "helm_release" "ack_acm" { - namespace = local.controller_namespace - create_namespace = true - name = "ack-acm-controller" - repository = "oci://public.ecr.aws/aws-controllers-k8s" - chart = "acm-chart" - version = var.instance.spec.chart_version - wait = true - timeout = 600 - - values = [ - yamlencode(merge({ - aws = { - region = local.aws_region - } - serviceAccount = { - create = true - name = local.controller_service_account - annotations = { - "eks.amazonaws.com/role-arn" = module.irsa.iam_role_arn - } - } - resources = { - requests = { - cpu = "50m" - memory = "64Mi" - } - limits = { - cpu = "100m" - memory = "128Mi" - } - } - nodeSelector = local.node_selector - tolerations = local.controller_tolerations - installScope = "cluster" - }, lookup(var.instance.spec, "helm_values", {}))) - ] - - depends_on = [ - module.irsa - ] -} diff --git a/modules/ack_acm_controller/legacy/1.0/outputs.tf b/modules/ack_acm_controller/legacy/1.0/outputs.tf deleted file mode 100644 index a11d2c70..00000000 --- a/modules/ack_acm_controller/legacy/1.0/outputs.tf +++ /dev/null @@ -1,11 +0,0 @@ -locals { - output_attributes = { - namespace = local.controller_namespace - release_name = helm_release.ack_acm.name - chart_version = var.instance.spec.chart_version - role_arn = module.irsa.iam_role_arn - helm_release_id = helm_release.ack_acm.id - } - - output_interfaces = {} -} diff --git a/modules/ack_acm_controller/legacy/1.0/variables.tf b/modules/ack_acm_controller/legacy/1.0/variables.tf deleted file mode 100644 index 8ea33853..00000000 --- a/modules/ack_acm_controller/legacy/1.0/variables.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "cluster" { - type = any - default = {} -} - -variable "baseinfra" { - type = any - default = {} -} - -variable "cc_metadata" { - type = any - default = {} -} - -variable "instance" { - type = any -} - -variable "instance_name" { - type = string - default = "test_instance" -} - -variable "environment" { - type = any - default = {} -} - -variable "inputs" { - type = any - default = {} -} diff --git a/modules/gateway_api_crd/k8s/1.0/facets.yaml b/modules/gateway_api_crd/k8s/1.0/facets.yaml index 2a465521..fb4c7744 100644 --- a/modules/gateway_api_crd/k8s/1.0/facets.yaml +++ b/modules/gateway_api_crd/k8s/1.0/facets.yaml @@ -33,9 +33,11 @@ spec: - experimental version: type: string - default: v1.4.1 + default: v1.5.1 description: Gateway API version to install enum: + - v1.5.1 + - v1.5.0 - v1.4.1 - v1.4.0 - v1.3.0 @@ -47,4 +49,4 @@ sample: disabled: true spec: channel: experimental - version: v1.4.1 + version: v1.5.1 diff --git a/modules/gateway_api_crd/k8s/1.0/main.tf b/modules/gateway_api_crd/k8s/1.0/main.tf index 86de61dc..3da0b3f7 100644 --- a/modules/gateway_api_crd/k8s/1.0/main.tf +++ b/modules/gateway_api_crd/k8s/1.0/main.tf @@ -1,7 +1,7 @@ locals { name = lower(var.environment.namespace == "default" ? var.instance_name : "${var.environment.namespace}-${var.instance_name}") namespace = var.environment.namespace - version = lookup(var.instance.spec, "version", "v1.4.1") + version = lookup(var.instance.spec, "version", "v1.5.1") channel = lookup(var.instance.spec, "channel", "experimental") # Build the install URL based on version and channel @@ -37,6 +37,13 @@ resource "kubernetes_cluster_role_v1" "gateway_api_crd_installer" { resources = ["customresourcedefinitions"] verbs = ["get", "list", "create", "update", "patch"] } + + # v1.5.x experimental manifest ships the safe-upgrades ValidatingAdmissionPolicy + binding. + rule { + api_groups = ["admissionregistration.k8s.io"] + resources = ["validatingadmissionpolicies", "validatingadmissionpolicybindings"] + verbs = ["get", "list", "create", "update", "patch", "delete"] + } } # ClusterRoleBinding for Gateway API CRD installer diff --git a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/README.md b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/README.md index ea0c80be..d074a956 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/README.md +++ b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/README.md @@ -1,6 +1,6 @@ # NGINX Gateway Fabric (AWS Legacy) -Kubernetes Gateway API implementation for AWS with NLB, Proxy Protocol v2, ACM, and DNS-01 support. +Kubernetes Gateway API implementation for AWS with NLB, Proxy Protocol v2, and ACM support. ## Overview @@ -8,8 +8,7 @@ This module is an **AWS-specific wrapper** around the base `nginx_gateway_fabric - **AWS NLB**: Network Load Balancer with Proxy Protocol v2 and IP target type - **Dual-Mode TLS**: Automatically selects TLS termination point based on configuration -- **ACM Integration**: Use AWS Certificate Manager ARNs as `certificate_reference` -- **DNS-01 Wildcard Certificates**: Optional DNS-01 validation via a pre-existing ClusterIssuer (e.g., `gts-production`) for wildcard listeners +- **ACM Integration**: Use AWS Certificate Manager ARNs as `certificate_reference` (NLB terminates TLS) This is the **legacy** flavor that uses `cc_metadata` and legacy input conventions. @@ -22,10 +21,8 @@ This is the **legacy** flavor that uses `cc_metadata` and legacy input conventio │ AWS Wrapper (this module) │ │ │ │ 1. Dual-mode TLS detection │ - │ 2. ACM ARN → K8s secret (ACK path) │ - │ or ACM ARN → NLB ssl-cert (ACM mode) │ - │ 3. DNS-01 → certificate_reference rewrite │ - │ 4. AWS NLB annotations │ + │ 2. ACM ARN → NLB ssl-cert (ACM mode) │ + │ 3. AWS NLB annotations │ │ │ │ ┌──────────────────────────────────┐ │ │ │ Base Utility Module │ │ @@ -41,7 +38,7 @@ This is the **legacy** flavor that uses `cc_metadata` and legacy input conventio ## Dual-Mode TLS -The module automatically selects between two TLS termination modes based on the presence of ACM ARNs and the ACK ACM controller input. +The module automatically selects between two TLS termination modes based on the presence of ACM ARNs. ### Mode Detection @@ -49,8 +46,7 @@ The module automatically selects between two TLS termination modes based on the For each domain in spec.domains: if certificate_reference matches "arn:aws:acm:" → ACM domain -If ACK controller input provided → ACK path (Gateway terminates TLS) -If ACM domains exist + no ACK controller → ACM mode (NLB terminates TLS) +If ACM domains exist → ACM mode (NLB terminates TLS) If no ACM domains → cert-manager mode (Gateway terminates TLS) ``` @@ -66,19 +62,7 @@ Client (TLS) → NLB:443 (TCP passthrough) NLB annotations: no `ssl-cert`, no `ssl-ports`. Gateway has per-domain HTTPS listeners with TLS termination. -### Path 2: ACK Path (ACM ARNs + ACK Controller) - -Same as cert-manager mode, but the ACK ACM controller creates ACM certificates and exports them to K8s TLS secrets. The Gateway terminates TLS using those secrets. - -``` -Client (TLS) → NLB:443 (TCP passthrough) - → [PP2 header][TLS encrypted data] - → Gateway:443 (HTTPS listener + ProxyProtocol) - → Gateway terminates TLS with ACK-exported K8s secret - → HTTPRoute matching, proxies to upstream -``` - -### Path 3: ACM Mode (ACM ARNs + No ACK Controller) +### Path 2: ACM Mode (ACM ARNs) NLB terminates TLS using free, non-exportable ACM public certificates. Gateway receives plaintext HTTP on port 443. @@ -93,8 +77,7 @@ Client (TLS) → NLB:443 (TLS listener, ACM terminates) NLB annotations include `ssl-cert` (ACM ARNs) and `ssl-ports: 443`. Gateway has a single HTTP listener on port 443 with no hostname restriction — routing is handled entirely by HTTPRoute `hostnames` fields. **Key differences in ACM mode:** -- No TLS certificates created or managed (no bootstrap, no cert-manager, no ACK CRDs) -- DNS-01 is automatically disabled (incompatible with NLB TLS termination) +- No TLS certificates created or managed (no bootstrap, no cert-manager) - Single Gateway listener instead of per-domain listeners - All HTTPRoutes reference the single `"https"` listener @@ -104,67 +87,17 @@ NLB annotations include `ssl-cert` (ACM ARNs) and `ssl-ports: 443`. Gateway has | Domain has | Flow | Listener | Managed by | |---|---|---|---| -| ACM ARN + ACK controller | ACK ACM Certificate CRD | HTTPS, wildcard (`*.domain`) | AWS wrapper | -| ACM ARN + no ACK controller | NLB TLS termination | HTTP on 443 (single listener) | NLB/ACM | -| No cert ref + `use_dns01: true` | cert-manager DNS-01 via ClusterIssuer | HTTPS, wildcard (`*.domain`) | AWS wrapper | -| No cert ref + `use_dns01: false` | cert-manager HTTP-01 (default) | HTTPS, exact hostname | Utility module | +| ACM ARN | NLB TLS termination | HTTP on 443 (single listener) | NLB/ACM | +| No cert ref | cert-manager HTTP-01 (default) | HTTPS, exact hostname | Utility module | | K8s secret in `certificate_reference` | User-managed | HTTPS, wildcard (`*.domain`) | User | ### HTTP-01 (Default) No extra configuration needed. The utility module creates a bundled HTTP-01 ClusterIssuer and issues certificates automatically via Let's Encrypt. -### DNS-01 Wildcard Certificates - -When `use_dns01: true`, the module: - -1. Creates cert-manager `Certificate` resources requesting wildcard certs (`*.domain` + `domain`) from the specified ClusterIssuer -2. Creates bootstrap self-signed TLS secrets so Gateway listeners can start immediately -3. Sets `certificate_reference` on all domains, causing the utility module to create wildcard listeners (`*.domain`) -4. Disables the utility module's HTTP-01 ClusterIssuer and bootstrap cert creation (no domains left without `certificate_reference`) - -**Note**: DNS-01 is automatically disabled when ACM mode is active (incompatible with NLB TLS termination). - -**Prerequisite**: The ClusterIssuer (default: `gts-production`) must already exist in the cluster with a DNS-01 solver configured. - -```json -{ - "spec": { - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", - "domains": { - "production": { - "domain": "api.example.com", - "alias": "prod" - } - } - } -} -``` - -### ACM Certificates (with ACK Controller) - -Use an ACM ARN as `certificate_reference` with the ACK ACM controller deployed. The module creates an ACK Certificate CRD that provisions the cert and exports it to a K8s TLS secret. - -```json -{ - "spec": { - "domains": { - "production": { - "domain": "api.example.com", - "alias": "prod", - "certificate_reference": "arn:aws:acm:us-east-1:123456789:certificate/abc-123" - } - } - } -} -``` - -**Prerequisite**: The `ack_acm_controller` must be deployed (optional input). +### ACM Certificates (NLB Termination) -### ACM Certificates (NLB Termination — No ACK Controller) - -Use an ACM ARN as `certificate_reference` without the ACK controller. The NLB terminates TLS using the free ACM certificate directly. +Use an ACM ARN as `certificate_reference`. The NLB terminates TLS using the free ACM certificate directly. ```json { @@ -180,9 +113,9 @@ Use an ACM ARN as `certificate_reference` without the ACK controller. The NLB te } ``` -**No ACK controller needed.** The ACM cert is attached directly to the NLB via `aws-load-balancer-ssl-cert` annotation. The Gateway receives plaintext HTTP on port 443. +The ACM cert is attached directly to the NLB via `aws-load-balancer-ssl-cert` annotation. The Gateway receives plaintext HTTP on port 443. -**Limitation**: When any domain uses ACM without ACK, ALL traffic goes through NLB TLS termination. No mixing of ACM and cert-manager on the same instance. +**Limitation**: When any domain uses ACM, ALL traffic goes through NLB TLS termination. No mixing of ACM and cert-manager on the same instance. --- @@ -211,36 +144,6 @@ Use an ACM ARN as `certificate_reference` without the ACK controller. The NLB te } ``` -### DNS-01 + Private LB Example - -```json -{ - "kind": "ingress", - "flavor": "nginx_gateway_fabric_legacy_aws", - "version": "1.0", - "spec": { - "private": true, - "force_ssl_redirection": true, - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", - "domains": { - "internal": { - "domain": "internal.example.com", - "alias": "internal" - } - }, - "rules": { - "api": { - "service_name": "api-service", - "namespace": "default", - "port": "8080", - "path": "/api" - } - } - } -} -``` - ### ACM (NLB Termination) Example ```json @@ -270,7 +173,7 @@ Use an ACM ARN as `certificate_reference` without the ACK controller. The NLB te } ``` -No `ack_acm_controller_details` input needed. The NLB terminates TLS with the ACM certificate. +The NLB terminates TLS with the ACM certificate. --- @@ -282,9 +185,6 @@ No `ack_acm_controller_details` input needed. The NLB terminates TLS with the AC | `force_ssl_redirection` | boolean | `true` | Redirect HTTP to HTTPS | | `disable_base_domain` | boolean | `false` | Disable auto-generated base domain | | `domain_prefix_override` | string | - | Override auto-generated domain prefix | -| `use_dns01` | boolean | `false` | Enable DNS-01 wildcard certificates (disabled automatically in ACM mode) | -| `dns01_cluster_issuer` | string | `gts-production` | ClusterIssuer name for DNS-01 validation | -| `disable_endpoint_validation` | boolean | `false` | Disable HTTP endpoint validation | | `basic_auth` | boolean | `false` | Enable basic authentication | | `body_size` | string | `150m` | Maximum client request body size | | `helm_wait` | boolean | `true` | Wait for Helm release to be ready | @@ -299,7 +199,6 @@ No `ack_acm_controller_details` input needed. The NLB terminates TLS with the AC | `kubernetes_details` | `@outputs/kubernetes` | Yes | Kubernetes cluster connection | | `gateway_api_crd_details` | `@outputs/gateway_api_crd` | Yes | Gateway API CRD installation | | `prometheus_details` | `@outputs/prometheus` | No | Prometheus for PodMonitor | -| `ack_acm_controller_details` | `@outputs/ack_acm_controller` | No | ACK ACM controller — when provided, ACM certs are exported to K8s secrets via ACK CRDs (Gateway terminates TLS). When absent and ACM ARNs are used, NLB terminates TLS directly. | --- @@ -314,7 +213,7 @@ No `ack_acm_controller_details` input needed. The NLB terminates TLS with the AC ### NLB Annotations by Mode -| Annotation | cert-manager / ACK | ACM mode | +| Annotation | cert-manager | ACM mode | |---|---|---| | `aws-load-balancer-backend-protocol` | `tcp` | `tcp` | | `aws-load-balancer-type` | `external` | `external` | @@ -331,25 +230,17 @@ Always enabled in all modes. The module configures `NginxProxy` CRD with `rewrit ## Troubleshooting -### Check DNS-01 Certificate Status +### Check Certificate Status (cert-manager mode) ```bash kubectl get certificate -n -kubectl describe certificate -dns01-cert- -n -kubectl get clusterissuer gts-production -o yaml -``` - -### Check ACM Certificate Status (ACK path) - -```bash -kubectl get certificate.acm.services.k8s.aws -n -kubectl describe certificate.acm.services.k8s.aws -acm-cert- -n +kubectl describe certificate -n ``` ### Check Gateway Listeners ```bash -# cert-manager/ACK mode: expect per-domain HTTPS listeners +# cert-manager mode: expect per-domain HTTPS listeners # ACM mode: expect single HTTP listener named "https" on port 443 kubectl get gateway -n -o yaml | grep -A 20 listeners ``` diff --git a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/facets.yaml b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/facets.yaml index 236c8599..9a70ea2e 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/facets.yaml +++ b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/facets.yaml @@ -29,9 +29,6 @@ inputs: default: resource_type: configuration resource_name: prometheus - ack_acm_controller_details: - type: "@outputs/ack_acm_controller" - optional: true outputs: default: type: "@outputs/ingress" @@ -207,14 +204,14 @@ spec: title: CPU Request description: Minimum CPU requirement (e.g., 100m, 250m, 500m) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 200m + default: 250m x-ui-placeholder: 200m memory: type: string title: Memory Request description: Minimum memory requirement (e.g., 256Mi, 512Mi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 256Mi + default: 512Mi x-ui-placeholder: 256Mi limits: type: object @@ -226,14 +223,14 @@ spec: title: CPU Limit description: Maximum CPU allowed (e.g., 500m, 1, 2) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 500m + default: "1" x-ui-placeholder: 500m memory: type: string title: Memory Limit description: Maximum memory allowed (e.g., 512Mi, 1Gi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 512Mi + default: 1Gi x-ui-placeholder: 512Mi rules: title: Routing Rules @@ -873,22 +870,6 @@ spec: title: Domain Prefix Override description: Override the automatically generated domain prefix x-ui-toggle: true - use_dns01: - type: boolean - title: Use DNS-01 Resolver - description: Use DNS-01 challenge type for certificate issuance. When enabled, all domain listeners use wildcard hostnames (*.domain) and certificates are issued via the DNS-01 ClusterIssuer. - default: false - x-ui-toggle: true - dns01_cluster_issuer: - type: string - title: DNS-01 ClusterIssuer - description: Name of the ClusterIssuer to use for DNS-01 certificate issuance - default: gts-production - x-ui-toggle: true - x-ui-visible-if: - field: spec.use_dns01 - values: - - true helm_wait: type: boolean title: Helm Wait @@ -911,8 +892,6 @@ spec: - proxy_connect_timeout - proxy_read_timeout - proxy_send_timeout - - use_dns01 - - dns01_cluster_issuer - data_plane - control_plane - helm_values @@ -952,9 +931,9 @@ sample: target_memory_utilization_percentage: 80 resources: requests: - cpu: 200m - memory: 256Mi - limits: - cpu: 500m + cpu: 250m memory: 512Mi + limits: + cpu: "1" + memory: 1Gi rules: {} diff --git a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/main.tf b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/main.tf index 1162ec68..396eeaa6 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/main.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/main.tf @@ -1,111 +1,19 @@ locals { - # Compute name the same way as the base module (needed for ACM secret names) - name = lower(var.environment.namespace == "default" ? var.instance_name : "${var.environment.namespace}-${var.instance_name}") - - # --- DNS-01 configuration --- - # DNS-01 is incompatible with ACM mode (NLB terminates TLS, no cert-manager involvement) - use_dns01 = !local.acm_mode && lookup(var.instance.spec, "use_dns01", false) - dns01_cluster_issuer = lookup(var.instance.spec, "dns01_cluster_issuer", "gts-production") - - # Compute base domain (mirrors utility module logic — needed to take over base domain for DNS-01) - instance_env_name = length(var.environment.unique_name) + length(var.instance_name) + length(var.cc_metadata.tenant_base_domain) >= 60 ? substr(md5("${var.instance_name}-${var.environment.unique_name}"), 0, 20) : "${var.instance_name}-${var.environment.unique_name}" - check_domain_prefix = coalesce(lookup(var.instance.spec, "domain_prefix_override", null), local.instance_env_name) - base_domain = lower("${local.check_domain_prefix}.${var.cc_metadata.tenant_base_domain}") - - # --- ACM handling --- - # Detect domains with ACM ARN as certificate_reference + # Detect domains whose certificate_reference is an ACM ARN acm_cert_domains = { for domain_key, domain in lookup(var.instance.spec, "domains", {}) : domain_key => domain if can(domain.certificate_reference) && length(regexall("arn:aws:acm:", lookup(domain, "certificate_reference", ""))) > 0 } - # Detect ACK ACM controller availability - use_ack_acm = try(var.inputs.ack_acm_controller_details, null) != null + # ACM mode: ACM ARNs present → terminate TLS at the NLB (not the Gateway). All other + # domains use the base module's cert-manager HTTP-01 + ListenerSet path. + acm_mode = length(local.acm_cert_domains) > 0 - # ACM mode: when ACM domains exist but no ACK controller, - # TLS terminates at the NLB instead of at the Gateway pod - acm_mode = !local.use_ack_acm && length(local.acm_cert_domains) > 0 - - # ACM ARNs to attach to NLB for TLS termination acm_cert_arns = local.acm_mode ? distinct([ for domain_key, domain in local.acm_cert_domains : domain.certificate_reference ]) : [] - # K8s secret name for ACM cert domains — the ACK Certificate CRD exports cert to this secret - # Only relevant when ACK controller is available - acm_cert_secret_names = { - for domain_key, domain in local.acm_cert_domains : - domain_key => "${local.name}-${domain_key}-acm-tls" - } - - # Rewrite ACM ARN certificate_reference → K8s secret name for all ACM domains. - # In ACM mode (no ACK), this rewrite is harmless — external_tls_termination=true - # tells the base module to ignore certificate_reference entirely. - # Always rewriting avoids unknown map values when use_ack_acm is unresolved at plan time. - acm_modified_domains = { - for domain_key, domain in lookup(var.instance.spec, "domains", {}) : - domain_key => contains(keys(local.acm_cert_secret_names), domain_key) ? merge(domain, { - certificate_reference = local.acm_cert_secret_names[domain_key] - }) : domain - } - - # --- DNS-01 domain handling --- - # User-configured domains eligible for DNS-01: use_dns01 enabled + no certificate_reference after ACM rewrite - dns01_domains = { - for domain_key, domain in local.acm_modified_domains : - domain_key => domain - if local.use_dns01 && lookup(domain, "certificate_reference", "") == "" - } - - # Base domain for DNS-01: when use_dns01 is enabled and base domain is not disabled, - # we take over the base domain from the utility module (set disable_base_domain=true - # and re-add it ourselves with certificate_reference for wildcard listener) - dns01_base_domain = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? { - "facets" = { - domain = local.base_domain - alias = "base" - } - } : {} - - # All domains that need DNS-01 wildcard certs (user domains + base domain) - all_dns01_domains = merge(local.dns01_domains, local.dns01_base_domain) - - # K8s secret names for DNS-01 wildcard certs - dns01_cert_secret_names = { - for domain_key, domain in local.all_dns01_domains : - domain_key => "${local.name}-${domain_key}-dns01-tls" - } - - # Final domain rewrite: apply DNS-01 certificate_reference on top of ACM rewrites - # Setting certificate_reference causes the utility module to use wildcard listeners (*.domain) - modified_domains = merge( - { - for domain_key, domain in local.acm_modified_domains : - domain_key => contains(keys(local.dns01_cert_secret_names), domain_key) ? merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) : domain - }, - # Add base domain with certificate_reference when DNS-01 is active - { - for domain_key, domain in local.dns01_base_domain : - domain_key => merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) - } - ) - - # Build modified instance with rewritten domains - # ACM mode: pass original domains/spec — base module ignores certificate_reference when external_tls_termination=true - # cert-manager/ACK mode: apply domain rewrites and DNS-01 overrides - modified_instance = merge(var.instance, { - spec = merge(var.instance.spec, { - domains = local.acm_mode ? lookup(var.instance.spec, "domains", {}) : local.modified_domains - disable_base_domain = local.acm_mode ? lookup(var.instance.spec, "disable_base_domain", false) : (local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? true : lookup(var.instance.spec, "disable_base_domain", false)) - }) - }) - - # Merge default_tolerations into inputs so the utility module picks them up via kubernetes_node_pool_details.attributes.taints default_tolerations = lookup(var.environment, "default_tolerations", []) existing_taints = try(var.inputs.kubernetes_node_pool_details.attributes.taints, []) @@ -144,60 +52,21 @@ locals { } : {} ) - # ACK ACM Certificate CRD resources — creates ACM certificates via ACK controller - # and exports them to K8s TLS secrets for Gateway listener consumption. - # Only created when ACK controller is available. - ack_acm_resources = local.use_ack_acm ? { - for domain_key, domain in local.acm_cert_domains : - "ack-acm-cert-${domain_key}" => { - apiVersion = "acm.services.k8s.aws/v1alpha1" - kind = "Certificate" - metadata = { - name = "${local.name}-acm-cert-${domain_key}" - namespace = var.environment.namespace - } - spec = { - domainName = "*.${domain.domain}" - subjectAlternativeNames = [ - domain.domain, - "*.${domain.domain}" - ] - validationMethod = "DNS" - options = { - certificateTransparencyLoggingPreference = "ENABLED" - } - exportTo = { - namespace = var.environment.namespace - name = local.acm_cert_secret_names[domain_key] - key = "tls.crt" - } - } - } - } : {} + # Private LB → HTTP-01 can't validate an internal NLB; issue certs via the + # gts-production DNS-01 ClusterIssuer instead. No effect in acm_mode (NLB + # terminates TLS with the ACM cert, no cert-manager involvement). + cluster_issuer_override = lookup(var.instance.spec, "private", false) && !local.acm_mode ? "gts-production" : null - # DNS-01 wildcard certificate resources for cert-manager - dns01_certificate_resources = { - for domain_key, domain in local.all_dns01_domains : - "dns01-cert-${domain_key}" => { - apiVersion = "cert-manager.io/v1" - kind = "Certificate" - metadata = { - name = "${local.name}-dns01-cert-${domain_key}" - namespace = var.environment.namespace - } - spec = { - secretName = local.dns01_cert_secret_names[domain_key] - issuerRef = { - name = local.dns01_cluster_issuer - kind = "ClusterIssuer" - } - dnsNames = [ - domain.domain, - "*.${domain.domain}" - ] - } - } - } + # Private + DNS-01 (non-ACM): one wildcard cert [domain, *.domain] per domain (single DNS-01 + # challenge) via the listenerset-shim + gts-production, instead of per-hostname HTTP-01 certs. + wildcard_tls = lookup(var.instance.spec, "private", false) && !local.acm_mode + + modified_instance = merge(var.instance, { + spec = merge(var.instance.spec, { + cluster_issuer_override = local.cluster_issuer_override + wildcard_tls = local.wildcard_tls + }) + }) } # Call the base utility module @@ -223,115 +92,4 @@ module "nginx_gateway_fabric" { }] } } - - additional_base_resources = merge(local.ack_acm_resources, local.dns01_certificate_resources) -} - -# Pre-create empty TLS secrets for ACK ACM certificate export -# ACK ACM controller requires the target secret to exist before it can export -# Only created when ACK controller is available -resource "kubernetes_secret_v1" "acm_cert" { - for_each = local.use_ack_acm ? local.acm_cert_domains : {} - - metadata { - name = local.acm_cert_secret_names[each.key] - namespace = var.environment.namespace - } - - data = { - "tls.crt" = "" - "tls.key" = "" - } - - type = "kubernetes.io/tls" - - lifecycle { - ignore_changes = [data, metadata[0].annotations, metadata[0].labels] - } -} - -# Bootstrap TLS secrets for DNS-01 domains — Gateway 443 listeners need a TLS secret -# to start. cert-manager will overwrite these once the DNS-01 challenge succeeds. -resource "tls_private_key" "dns01_bootstrap" { - for_each = local.all_dns01_domains - algorithm = "RSA" - rsa_bits = 2048 -} - -resource "tls_self_signed_cert" "dns01_bootstrap" { - for_each = local.all_dns01_domains - private_key_pem = tls_private_key.dns01_bootstrap[each.key].private_key_pem - - subject { - common_name = each.value.domain - } - - validity_period_hours = 8760 # 1 year - - dns_names = [ - each.value.domain, - "*.${each.value.domain}" - ] - - allowed_uses = [ - "key_encipherment", - "digital_signature", - "server_auth" - ] -} - -resource "kubernetes_secret_v1" "dns01_bootstrap_tls" { - for_each = local.all_dns01_domains - - metadata { - name = local.dns01_cert_secret_names[each.key] - namespace = var.environment.namespace - } - - data = { - "tls.crt" = tls_self_signed_cert.dns01_bootstrap[each.key].cert_pem - "tls.key" = tls_private_key.dns01_bootstrap[each.key].private_key_pem - } - - type = "kubernetes.io/tls" - - lifecycle { - ignore_changes = [data, metadata[0].annotations, metadata[0].labels] - } -} - -# --- Route53 DNS records for DNS-01 base domain --- -# When use_dns01 is active, we set disable_base_domain=true in the modified instance -# which causes the utility module to skip Route53 record creation. -# We must create them ourselves to maintain DNS resolution. -resource "aws_route53_record" "cluster-base-domain" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = local.base_domain - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } -} - -resource "aws_route53_record" "cluster-base-domain-wildcard" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = "*.${local.base_domain}" - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } } diff --git a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/variables.tf b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/variables.tf index d861347c..15ee8f4a 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/variables.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_aws/1.0/variables.tf @@ -34,8 +34,6 @@ variable "instance" { helm_values = optional(any, {}) domain_prefix_override = optional(string) helm_wait = optional(bool, true) - use_dns01 = optional(bool, false) - dns01_cluster_issuer = optional(string, "gts-production") }) }) } diff --git a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/README.md b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/README.md index b85e9a07..9f7e0434 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/README.md +++ b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/README.md @@ -1,13 +1,12 @@ # NGINX Gateway Fabric (Azure Legacy) -Kubernetes Gateway API implementation for Azure with Azure Load Balancer and DNS-01 support. +Kubernetes Gateway API implementation for Azure with Azure Load Balancer. ## Overview This module is an **Azure-specific wrapper** around the base `nginx_gateway_fabric` utility module. It adds: - **Azure Load Balancer**: Internal/external LB configuration via annotations -- **DNS-01 Wildcard Certificates**: Optional DNS-01 validation via a pre-existing ClusterIssuer (e.g., `gts-production`) for wildcard listeners This is the **legacy** flavor that uses `cc_metadata` and legacy input conventions. @@ -19,8 +18,7 @@ This is the **legacy** flavor that uses `cc_metadata` and legacy input conventio ┌──────────────────────────────────────────────┐ │ Azure Wrapper (this module) │ │ │ - │ 1. DNS-01 → certificate_reference rewrite │ - │ 2. Azure LB annotations │ + │ 1. Azure LB annotations │ │ │ │ ┌──────────────────────────────────┐ │ │ │ Base Utility Module │ │ @@ -40,46 +38,13 @@ Two certificate strategies per domain: | Domain has | Flow | Listener | Managed by | |---|---|---|---| -| No cert ref + `use_dns01: true` | cert-manager DNS-01 via ClusterIssuer | Wildcard (`*.domain`) | Azure wrapper | -| No cert ref + `use_dns01: false` | cert-manager HTTP-01 (default) | Exact hostname | Utility module | +| No cert ref | cert-manager HTTP-01 (default) | Exact hostname | Utility module | | K8s secret in `certificate_reference` | User-managed | Wildcard (`*.domain`) | User | ### HTTP-01 (Default) No extra configuration needed. The utility module creates a bundled HTTP-01 ClusterIssuer and issues certificates automatically via Let's Encrypt. -### DNS-01 Wildcard Certificates - -When `use_dns01: true`, the module: - -1. Creates cert-manager `Certificate` resources requesting wildcard certs (`*.domain` + `domain`) from the specified ClusterIssuer -2. Creates bootstrap self-signed TLS secrets so Gateway listeners can start immediately -3. Sets `certificate_reference` on all domains, causing the utility module to create wildcard listeners (`*.domain`) -4. Disables the utility module's HTTP-01 ClusterIssuer and bootstrap cert creation (no domains left without `certificate_reference`) -5. Creates Route53 records for the base domain (since the utility module skips them when `disable_base_domain` is set internally) - -**Prerequisite**: The ClusterIssuer (default: `gts-production`) must already exist in the cluster with a DNS-01 solver configured. - -```json -{ - "spec": { - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", - "domains": { - "production": { - "domain": "api.example.com", - "alias": "prod" - } - } - } -} -``` - -This creates: -- Wildcard listener: `*.api.example.com` -- Certificate: `*.api.example.com` + `api.example.com` via `gts-production` -- Base domain also gets a wildcard listener and DNS-01 cert - --- ## Configuration @@ -107,7 +72,7 @@ This creates: } ``` -### DNS-01 + Private LB Example +### Private LB Example ```json { @@ -117,8 +82,6 @@ This creates: "spec": { "private": true, "force_ssl_redirection": true, - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", "domains": { "internal": { "domain": "internal.example.com", @@ -147,9 +110,6 @@ This creates: | `force_ssl_redirection` | boolean | `true` | Redirect HTTP to HTTPS | | `disable_base_domain` | boolean | `false` | Disable auto-generated base domain | | `domain_prefix_override` | string | - | Override auto-generated domain prefix | -| `use_dns01` | boolean | `false` | Enable DNS-01 wildcard certificates for all domains | -| `dns01_cluster_issuer` | string | `gts-production` | ClusterIssuer name for DNS-01 validation | -| `disable_endpoint_validation` | boolean | `false` | Disable HTTP endpoint validation | | `basic_auth` | boolean | `false` | Enable basic authentication | | `body_size` | string | `150m` | Maximum client request body size | | `helm_wait` | boolean | `true` | Wait for Helm release to be ready | @@ -178,12 +138,11 @@ This creates: ## Troubleshooting -### Check DNS-01 Certificate Status +### Check Certificate Status ```bash kubectl get certificate -n -kubectl describe certificate -dns01-cert- -n -kubectl get clusterissuer gts-production -o yaml +kubectl describe certificate -n ``` ### Check Gateway Listeners diff --git a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/facets.yaml b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/facets.yaml index 4aacbee5..f6e2c48d 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/facets.yaml +++ b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/facets.yaml @@ -204,14 +204,14 @@ spec: title: CPU Request description: Minimum CPU requirement (e.g., 100m, 250m, 500m) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 200m + default: 250m x-ui-placeholder: 200m memory: type: string title: Memory Request description: Minimum memory requirement (e.g., 256Mi, 512Mi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 256Mi + default: 512Mi x-ui-placeholder: 256Mi limits: type: object @@ -223,14 +223,14 @@ spec: title: CPU Limit description: Maximum CPU allowed (e.g., 500m, 1, 2) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 500m + default: "1" x-ui-placeholder: 500m memory: type: string title: Memory Limit description: Maximum memory allowed (e.g., 512Mi, 1Gi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 512Mi + default: 1Gi x-ui-placeholder: 512Mi rules: title: Routing Rules @@ -870,22 +870,6 @@ spec: title: Domain Prefix Override description: Override the automatically generated domain prefix x-ui-toggle: true - use_dns01: - type: boolean - title: Use DNS-01 Resolver - description: Use DNS-01 challenge type for certificate issuance. When enabled, all domain listeners use wildcard hostnames (*.domain) and certificates are issued via the DNS-01 ClusterIssuer. - default: false - x-ui-toggle: true - dns01_cluster_issuer: - type: string - title: DNS-01 ClusterIssuer - description: Name of the ClusterIssuer to use for DNS-01 certificate issuance - default: gts-production - x-ui-toggle: true - x-ui-visible-if: - field: spec.use_dns01 - values: - - true helm_wait: type: boolean title: Helm Wait @@ -908,8 +892,6 @@ spec: - proxy_connect_timeout - proxy_read_timeout - proxy_send_timeout - - use_dns01 - - dns01_cluster_issuer - data_plane - control_plane - helm_values @@ -949,9 +931,9 @@ sample: target_memory_utilization_percentage: 80 resources: requests: - cpu: 200m - memory: 256Mi - limits: - cpu: 500m + cpu: 250m memory: 512Mi + limits: + cpu: "1" + memory: 1Gi rules: {} diff --git a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/main.tf b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/main.tf index 0188ca71..c0ad7abf 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/main.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/main.tf @@ -1,70 +1,4 @@ locals { - # Compute name the same way as the base module - name = lower(var.environment.namespace == "default" ? var.instance_name : "${var.environment.namespace}-${var.instance_name}") - - # --- DNS-01 configuration --- - use_dns01 = lookup(var.instance.spec, "use_dns01", false) - dns01_cluster_issuer = lookup(var.instance.spec, "dns01_cluster_issuer", "gts-production") - - # Compute base domain (mirrors utility module logic — needed to take over base domain for DNS-01) - instance_env_name = length(var.environment.unique_name) + length(var.instance_name) + length(var.cc_metadata.tenant_base_domain) >= 60 ? substr(md5("${var.instance_name}-${var.environment.unique_name}"), 0, 20) : "${var.instance_name}-${var.environment.unique_name}" - check_domain_prefix = coalesce(lookup(var.instance.spec, "domain_prefix_override", null), local.instance_env_name) - base_domain = lower("${local.check_domain_prefix}.${var.cc_metadata.tenant_base_domain}") - - # --- DNS-01 domain handling --- - # User-configured domains eligible for DNS-01: use_dns01 enabled + no certificate_reference - dns01_domains = { - for domain_key, domain in lookup(var.instance.spec, "domains", {}) : - domain_key => domain - if local.use_dns01 && lookup(domain, "certificate_reference", "") == "" - } - - # Base domain for DNS-01: when use_dns01 is enabled and base domain is not disabled, - # we take over the base domain from the utility module (set disable_base_domain=true - # and re-add it ourselves with certificate_reference for wildcard listener) - dns01_base_domain = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? { - "facets" = { - domain = local.base_domain - alias = "base" - } - } : {} - - # All domains that need DNS-01 wildcard certs (user domains + base domain) - all_dns01_domains = merge(local.dns01_domains, local.dns01_base_domain) - - # K8s secret names for DNS-01 wildcard certs - dns01_cert_secret_names = { - for domain_key, domain in local.all_dns01_domains : - domain_key => "${local.name}-${domain_key}-dns01-tls" - } - - # Final domain rewrite: apply DNS-01 certificate_reference - # Setting certificate_reference causes the utility module to use wildcard listeners (*.domain) - modified_domains = merge( - { - for domain_key, domain in lookup(var.instance.spec, "domains", {}) : - domain_key => contains(keys(local.dns01_cert_secret_names), domain_key) ? merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) : domain - }, - # Add base domain with certificate_reference when DNS-01 is active - { - for domain_key, domain in local.dns01_base_domain : - domain_key => merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) - } - ) - - # Build modified instance with rewritten domains - # When DNS-01 is active: disable_base_domain=true (we re-add it ourselves with certificate_reference) - modified_instance = merge(var.instance, { - spec = merge(var.instance.spec, { - domains = local.modified_domains - disable_base_domain = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? true : lookup(var.instance.spec, "disable_base_domain", false) - }) - }) - # Merge default_tolerations into inputs so the utility module picks them up via kubernetes_node_pool_details.attributes.taints default_tolerations = lookup(var.environment, "default_tolerations", []) existing_taints = try(var.inputs.kubernetes_node_pool_details.attributes.taints, []) @@ -87,29 +21,20 @@ locals { "service.beta.kubernetes.io/azure-load-balancer-internal" = lookup(var.instance.spec, "private", false) ? "true" : "false" } - # DNS-01 wildcard certificate resources for cert-manager - dns01_certificate_resources = { - for domain_key, domain in local.all_dns01_domains : - "dns01-cert-${domain_key}" => { - apiVersion = "cert-manager.io/v1" - kind = "Certificate" - metadata = { - name = "${local.name}-dns01-cert-${domain_key}" - namespace = var.environment.namespace - } - spec = { - secretName = local.dns01_cert_secret_names[domain_key] - issuerRef = { - name = local.dns01_cluster_issuer - kind = "ClusterIssuer" - } - dnsNames = [ - domain.domain, - "*.${domain.domain}" - ] - } - } - } + # Private LB → HTTP-01 can't validate an internal LB; issue certs via the + # gts-production DNS-01 ClusterIssuer instead. + cluster_issuer_override = lookup(var.instance.spec, "private", false) ? "gts-production" : null + + # Private: one wildcard cert [domain, *.domain] per domain (single DNS-01 challenge) + # via the listenerset-shim + gts-production, instead of per-hostname HTTP-01 certs. + wildcard_tls = lookup(var.instance.spec, "private", false) + + modified_instance = merge(var.instance, { + spec = merge(var.instance.spec, { + cluster_issuer_override = local.cluster_issuer_override + wildcard_tls = local.wildcard_tls + }) + }) } # Call the base utility module @@ -121,92 +46,5 @@ module "nginx_gateway_fabric" { environment = var.environment inputs = local.merged_inputs - service_annotations = local.azure_annotations - additional_base_resources = local.dns01_certificate_resources -} - -# Bootstrap TLS secrets for DNS-01 domains — Gateway 443 listeners need a TLS secret -# to start. cert-manager will overwrite these once the DNS-01 challenge succeeds. -resource "tls_private_key" "dns01_bootstrap" { - for_each = local.all_dns01_domains - algorithm = "RSA" - rsa_bits = 2048 -} - -resource "tls_self_signed_cert" "dns01_bootstrap" { - for_each = local.all_dns01_domains - private_key_pem = tls_private_key.dns01_bootstrap[each.key].private_key_pem - - subject { - common_name = each.value.domain - } - - validity_period_hours = 8760 # 1 year - - dns_names = [ - each.value.domain, - "*.${each.value.domain}" - ] - - allowed_uses = [ - "key_encipherment", - "digital_signature", - "server_auth" - ] -} - -resource "kubernetes_secret_v1" "dns01_bootstrap_tls" { - for_each = local.all_dns01_domains - - metadata { - name = local.dns01_cert_secret_names[each.key] - namespace = var.environment.namespace - } - - data = { - "tls.crt" = tls_self_signed_cert.dns01_bootstrap[each.key].cert_pem - "tls.key" = tls_private_key.dns01_bootstrap[each.key].private_key_pem - } - - type = "kubernetes.io/tls" - - lifecycle { - ignore_changes = [data, metadata[0].annotations, metadata[0].labels] - } -} - -# --- Route53 DNS records for DNS-01 base domain --- -# When use_dns01 is active, we set disable_base_domain=true in the modified instance -# which causes the utility module to skip Route53 record creation. -# We must create them ourselves to maintain DNS resolution. -resource "aws_route53_record" "cluster-base-domain" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = local.base_domain - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } -} - -resource "aws_route53_record" "cluster-base-domain-wildcard" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = "*.${local.base_domain}" - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } + service_annotations = local.azure_annotations } diff --git a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/variables.tf b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/variables.tf index d861347c..15ee8f4a 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/variables.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_azure/1.0/variables.tf @@ -34,8 +34,6 @@ variable "instance" { helm_values = optional(any, {}) domain_prefix_override = optional(string) helm_wait = optional(bool, true) - use_dns01 = optional(bool, false) - dns01_cluster_issuer = optional(string, "gts-production") }) }) } diff --git a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/README.md b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/README.md index 29812a13..0fbd424a 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/README.md +++ b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/README.md @@ -1,13 +1,12 @@ # NGINX Gateway Fabric (GCP Legacy) -Kubernetes Gateway API implementation for GCP with GKE Load Balancer and DNS-01 support. +Kubernetes Gateway API implementation for GCP with GKE Load Balancer. ## Overview This module is a **GCP-specific wrapper** around the base `nginx_gateway_fabric` utility module. It adds: - **GCP Load Balancer**: Internal LB with global access support for private deployments -- **DNS-01 Wildcard Certificates**: Optional DNS-01 validation via a pre-existing ClusterIssuer (e.g., `gts-production`) for wildcard listeners This is the **legacy** flavor that uses `cc_metadata` and legacy input conventions. @@ -19,8 +18,7 @@ This is the **legacy** flavor that uses `cc_metadata` and legacy input conventio ┌──────────────────────────────────────────────┐ │ GCP Wrapper (this module) │ │ │ - │ 1. DNS-01 → certificate_reference rewrite │ - │ 2. GCP LB annotations │ + │ 1. GCP LB annotations │ │ │ │ ┌──────────────────────────────────┐ │ │ │ Base Utility Module │ │ @@ -40,46 +38,13 @@ Two certificate strategies per domain: | Domain has | Flow | Listener | Managed by | |---|---|---|---| -| No cert ref + `use_dns01: true` | cert-manager DNS-01 via ClusterIssuer | Wildcard (`*.domain`) | GCP wrapper | -| No cert ref + `use_dns01: false` | cert-manager HTTP-01 (default) | Exact hostname | Utility module | +| No cert ref | cert-manager HTTP-01 (default) | Exact hostname | Utility module | | K8s secret in `certificate_reference` | User-managed | Wildcard (`*.domain`) | User | ### HTTP-01 (Default) No extra configuration needed. The utility module creates a bundled HTTP-01 ClusterIssuer and issues certificates automatically via Let's Encrypt. -### DNS-01 Wildcard Certificates - -When `use_dns01: true`, the module: - -1. Creates cert-manager `Certificate` resources requesting wildcard certs (`*.domain` + `domain`) from the specified ClusterIssuer -2. Creates bootstrap self-signed TLS secrets so Gateway listeners can start immediately -3. Sets `certificate_reference` on all domains, causing the utility module to create wildcard listeners (`*.domain`) -4. Disables the utility module's HTTP-01 ClusterIssuer and bootstrap cert creation (no domains left without `certificate_reference`) -5. Creates Route53 records for the base domain (since the utility module skips them when `disable_base_domain` is set internally) - -**Prerequisite**: The ClusterIssuer (default: `gts-production`) must already exist in the cluster with a DNS-01 solver configured. - -```json -{ - "spec": { - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", - "domains": { - "production": { - "domain": "api.example.com", - "alias": "prod" - } - } - } -} -``` - -This creates: -- Wildcard listener: `*.api.example.com` -- Certificate: `*.api.example.com` + `api.example.com` via `gts-production` -- Base domain also gets a wildcard listener and DNS-01 cert - --- ## Configuration @@ -107,7 +72,7 @@ This creates: } ``` -### DNS-01 + Private LB Example +### Private LB Example ```json { @@ -117,8 +82,6 @@ This creates: "spec": { "private": true, "force_ssl_redirection": true, - "use_dns01": true, - "dns01_cluster_issuer": "gts-production", "domains": { "internal": { "domain": "internal.example.com", @@ -147,9 +110,6 @@ This creates: | `force_ssl_redirection` | boolean | `true` | Redirect HTTP to HTTPS | | `disable_base_domain` | boolean | `false` | Disable auto-generated base domain | | `domain_prefix_override` | string | - | Override auto-generated domain prefix | -| `use_dns01` | boolean | `false` | Enable DNS-01 wildcard certificates for all domains | -| `dns01_cluster_issuer` | string | `gts-production` | ClusterIssuer name for DNS-01 validation | -| `disable_endpoint_validation` | boolean | `false` | Disable HTTP endpoint validation | | `basic_auth` | boolean | `false` | Enable basic authentication | | `body_size` | string | `150m` | Maximum client request body size | | `helm_wait` | boolean | `true` | Wait for Helm release to be ready | @@ -178,12 +138,11 @@ This creates: ## Troubleshooting -### Check DNS-01 Certificate Status +### Check Certificate Status ```bash kubectl get certificate -n -kubectl describe certificate -dns01-cert- -n -kubectl get clusterissuer gts-production -o yaml +kubectl describe certificate -n ``` ### Check Gateway Listeners diff --git a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/facets.yaml b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/facets.yaml index 7db6acbd..b7272ba5 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/facets.yaml +++ b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/facets.yaml @@ -204,14 +204,14 @@ spec: title: CPU Request description: Minimum CPU requirement (e.g., 100m, 250m, 500m) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 200m + default: 250m x-ui-placeholder: 200m memory: type: string title: Memory Request description: Minimum memory requirement (e.g., 256Mi, 512Mi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 256Mi + default: 512Mi x-ui-placeholder: 256Mi limits: type: object @@ -223,14 +223,14 @@ spec: title: CPU Limit description: Maximum CPU allowed (e.g., 500m, 1, 2) pattern: ^([0-9]*\.?[0-9]+m?|[0-9]+)$ - default: 500m + default: "1" x-ui-placeholder: 500m memory: type: string title: Memory Limit description: Maximum memory allowed (e.g., 512Mi, 1Gi) pattern: ^[0-9]+(\.[0-9]+)?(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$ - default: 512Mi + default: 1Gi x-ui-placeholder: 512Mi rules: title: Routing Rules @@ -870,22 +870,6 @@ spec: title: Domain Prefix Override description: Override the automatically generated domain prefix x-ui-toggle: true - use_dns01: - type: boolean - title: Use DNS-01 Resolver - description: Use DNS-01 challenge type for certificate issuance. When enabled, all domain listeners use wildcard hostnames (*.domain) and certificates are issued via the DNS-01 ClusterIssuer. - default: false - x-ui-toggle: true - dns01_cluster_issuer: - type: string - title: DNS-01 ClusterIssuer - description: Name of the ClusterIssuer to use for DNS-01 certificate issuance - default: gts-production - x-ui-toggle: true - x-ui-visible-if: - field: spec.use_dns01 - values: - - true helm_wait: type: boolean title: Helm Wait @@ -908,8 +892,6 @@ spec: - proxy_connect_timeout - proxy_read_timeout - proxy_send_timeout - - use_dns01 - - dns01_cluster_issuer - data_plane - control_plane - helm_values @@ -949,9 +931,9 @@ sample: target_memory_utilization_percentage: 80 resources: requests: - cpu: 200m - memory: 256Mi - limits: - cpu: 500m + cpu: 250m memory: 512Mi + limits: + cpu: "1" + memory: 1Gi rules: {} diff --git a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/main.tf b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/main.tf index 0f320a68..835207c3 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/main.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/main.tf @@ -1,70 +1,4 @@ locals { - # Compute name the same way as the base module (needed for cert secret names) - name = lower(var.environment.namespace == "default" ? var.instance_name : "${var.environment.namespace}-${var.instance_name}") - - # --- DNS-01 configuration --- - use_dns01 = lookup(var.instance.spec, "use_dns01", false) - dns01_cluster_issuer = lookup(var.instance.spec, "dns01_cluster_issuer", "gts-production") - - # Compute base domain (mirrors utility module logic — needed to take over base domain for DNS-01) - instance_env_name = length(var.environment.unique_name) + length(var.instance_name) + length(var.cc_metadata.tenant_base_domain) >= 60 ? substr(md5("${var.instance_name}-${var.environment.unique_name}"), 0, 20) : "${var.instance_name}-${var.environment.unique_name}" - check_domain_prefix = coalesce(lookup(var.instance.spec, "domain_prefix_override", null), local.instance_env_name) - base_domain = lower("${local.check_domain_prefix}.${var.cc_metadata.tenant_base_domain}") - - # --- DNS-01 domain handling --- - # User-configured domains eligible for DNS-01: use_dns01 enabled + no certificate_reference - dns01_domains = { - for domain_key, domain in lookup(var.instance.spec, "domains", {}) : - domain_key => domain - if local.use_dns01 && lookup(domain, "certificate_reference", "") == "" - } - - # Base domain for DNS-01: when use_dns01 is enabled and base domain is not disabled, - # we take over the base domain from the utility module (set disable_base_domain=true - # and re-add it ourselves with certificate_reference for wildcard listener) - dns01_base_domain = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? { - "facets" = { - domain = local.base_domain - alias = "base" - } - } : {} - - # All domains that need DNS-01 wildcard certs (user domains + base domain) - all_dns01_domains = merge(local.dns01_domains, local.dns01_base_domain) - - # K8s secret names for DNS-01 wildcard certs - dns01_cert_secret_names = { - for domain_key, domain in local.all_dns01_domains : - domain_key => "${local.name}-${domain_key}-dns01-tls" - } - - # Final domain rewrite: apply DNS-01 certificate_reference - # Setting certificate_reference causes the utility module to use wildcard listeners (*.domain) - modified_domains = merge( - { - for domain_key, domain in lookup(var.instance.spec, "domains", {}) : - domain_key => contains(keys(local.dns01_cert_secret_names), domain_key) ? merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) : domain - }, - # Add base domain with certificate_reference when DNS-01 is active - { - for domain_key, domain in local.dns01_base_domain : - domain_key => merge(domain, { - certificate_reference = local.dns01_cert_secret_names[domain_key] - }) - } - ) - - # Build modified instance with rewritten domains - # When DNS-01 is active: disable_base_domain=true (we re-add it ourselves with certificate_reference) - modified_instance = merge(var.instance, { - spec = merge(var.instance.spec, { - domains = local.modified_domains - disable_base_domain = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? true : lookup(var.instance.spec, "disable_base_domain", false) - }) - }) - # Merge default_tolerations into inputs so the utility module picks them up via kubernetes_node_pool_details.attributes.taints default_tolerations = lookup(var.environment, "default_tolerations", []) existing_taints = try(var.inputs.kubernetes_node_pool_details.attributes.taints, []) @@ -89,29 +23,20 @@ locals { "networking.gke.io/internal-load-balancer-allow-global-access" = "true" } : {} - # DNS-01 wildcard certificate resources for cert-manager - dns01_certificate_resources = { - for domain_key, domain in local.all_dns01_domains : - "dns01-cert-${domain_key}" => { - apiVersion = "cert-manager.io/v1" - kind = "Certificate" - metadata = { - name = "${local.name}-dns01-cert-${domain_key}" - namespace = var.environment.namespace - } - spec = { - secretName = local.dns01_cert_secret_names[domain_key] - issuerRef = { - name = local.dns01_cluster_issuer - kind = "ClusterIssuer" - } - dnsNames = [ - domain.domain, - "*.${domain.domain}" - ] - } - } - } + # Private LB → HTTP-01 can't validate an internal LB; issue certs via the + # gts-production DNS-01 ClusterIssuer instead. + cluster_issuer_override = lookup(var.instance.spec, "private", false) ? "gts-production" : null + + # Private: one wildcard cert [domain, *.domain] per domain (single DNS-01 challenge) + # via the listenerset-shim + gts-production, instead of per-hostname HTTP-01 certs. + wildcard_tls = lookup(var.instance.spec, "private", false) + + modified_instance = merge(var.instance, { + spec = merge(var.instance.spec, { + cluster_issuer_override = local.cluster_issuer_override + wildcard_tls = local.wildcard_tls + }) + }) } # Call the base utility module @@ -123,92 +48,5 @@ module "nginx_gateway_fabric" { environment = var.environment inputs = local.merged_inputs - service_annotations = local.gcp_annotations - additional_base_resources = local.dns01_certificate_resources -} - -# Bootstrap TLS secrets for DNS-01 domains — Gateway 443 listeners need a TLS secret -# to start. cert-manager will overwrite these once the DNS-01 challenge succeeds. -resource "tls_private_key" "dns01_bootstrap" { - for_each = local.all_dns01_domains - algorithm = "RSA" - rsa_bits = 2048 -} - -resource "tls_self_signed_cert" "dns01_bootstrap" { - for_each = local.all_dns01_domains - private_key_pem = tls_private_key.dns01_bootstrap[each.key].private_key_pem - - subject { - common_name = each.value.domain - } - - validity_period_hours = 8760 # 1 year - - dns_names = [ - each.value.domain, - "*.${each.value.domain}" - ] - - allowed_uses = [ - "key_encipherment", - "digital_signature", - "server_auth" - ] -} - -resource "kubernetes_secret_v1" "dns01_bootstrap_tls" { - for_each = local.all_dns01_domains - - metadata { - name = local.dns01_cert_secret_names[each.key] - namespace = var.environment.namespace - } - - data = { - "tls.crt" = tls_self_signed_cert.dns01_bootstrap[each.key].cert_pem - "tls.key" = tls_private_key.dns01_bootstrap[each.key].private_key_pem - } - - type = "kubernetes.io/tls" - - lifecycle { - ignore_changes = [data, metadata[0].annotations, metadata[0].labels] - } -} - -# --- Route53 DNS records for DNS-01 base domain --- -# When use_dns01 is active, we set disable_base_domain=true in the modified instance -# which causes the utility module to skip Route53 record creation. -# We must create them ourselves to maintain DNS resolution. -resource "aws_route53_record" "cluster-base-domain" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = local.base_domain - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } -} - -resource "aws_route53_record" "cluster-base-domain-wildcard" { - count = local.use_dns01 && !lookup(var.instance.spec, "disable_base_domain", false) ? 1 : 0 - depends_on = [ - module.nginx_gateway_fabric - ] - zone_id = var.cc_metadata.tenant_base_domain_id - name = "*.${local.base_domain}" - type = module.nginx_gateway_fabric.record_type - ttl = "300" - records = [module.nginx_gateway_fabric.lb_record_value] - provider = aws3tooling - lifecycle { - prevent_destroy = true - } + service_annotations = local.gcp_annotations } diff --git a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/variables.tf b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/variables.tf index d861347c..15ee8f4a 100644 --- a/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/variables.tf +++ b/modules/ingress/nginx_gateway_fabric_legacy_gcp/1.0/variables.tf @@ -34,8 +34,6 @@ variable "instance" { helm_values = optional(any, {}) domain_prefix_override = optional(string) helm_wait = optional(bool, true) - use_dns01 = optional(bool, false) - dns01_cluster_issuer = optional(string, "gts-production") }) }) } diff --git a/outputs/ack_acm_controller/output.facets.yaml b/outputs/ack_acm_controller/output.facets.yaml deleted file mode 100644 index 14b9dcb9..00000000 --- a/outputs/ack_acm_controller/output.facets.yaml +++ /dev/null @@ -1,28 +0,0 @@ -name: ack_acm_controller -out: - type: object - title: ACK ACM Controller - description: ACK ACM Controller Attributes - properties: - attributes: - namespace: - required: true - type: string - description: Kubernetes namespace where the controller is deployed - release_name: - required: true - type: string - description: Helm release name - chart_version: - required: true - type: string - description: Helm chart version - role_arn: - required: true - type: string - description: IAM role ARN used by the controller - helm_release_id: - required: true - type: string - description: Helm release ID - interfaces: