# Self-signed bootstrap Issuer. Within this file it is referenced only by the
# two CA Certificates (kubevirt-ca, kubevirt-export-ca); every leaf
# Certificate goes through a CA-backed Issuer instead, so trust in the
# self-signed key never has to be distributed to clients directly.
resource "kubectl_manifest" "issuer" {
  # The interpolated namespace is quoted so the YAML parser cannot re-type a
  # boolean/number-looking value; labels arrive as a JSON object from
  # jsonencode(), which YAML reads as a flow mapping.
  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Issuer"
    metadata:
      name: "kubevirt-selfsigned"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      selfSigned: {}
  EOF
}
# Root CA for the KubeVirt component certificates: a self-signed CA cert whose
# key pair lands in Secret "kubevirt-ca", which the "kubevirt-ca" Issuer below
# signs with. Its lifetime is var.duration; leaf certificates in this file do
# not set a duration and therefore use cert-manager's defaults.
resource "kubectl_manifest" "kubevirt-ca-cert" {
  # duration is quoted: cert-manager expects a Go duration string and an
  # unquoted value like "8760h" is safe, but quoting keeps any variable value
  # (e.g. "1e3") from being parsed as a number.
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: kubevirt-ca
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      isCA: true
      duration: "${var.duration}"
      commonName: "kubevirt-ca"
      secretName: kubevirt-ca
      issuerRef:
        name: kubevirt-selfsigned
  EOF
}
# Separate CA for the VM export path, self-signed like kubevirt-ca and stored
# in Secret "kubevirt-export-ca" for the "kubevirt-export-ca" Issuer below.
# Keeping it distinct from kubevirt-ca means export clients can trust this CA
# without also trusting the certificates of the core components.
resource "kubectl_manifest" "kubevirt-export-ca-cert" {
  # Same quoting rules as kubevirt-ca-cert: interpolated scalars are quoted so
  # YAML never re-types them.
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: kubevirt-export-ca
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      isCA: true
      duration: "${var.duration}"
      commonName: "kubevirt-export-ca"
      secretName: kubevirt-export-ca
      issuerRef:
        name: kubevirt-selfsigned
  EOF
}
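# CA-backed Issuer that signs with the key pair in Secret "kubevirt-export-ca",
# written by the kubevirt-export-ca-cert Certificate above. cert-manager keeps
# the Issuer not-ready until that Secret exists, so no explicit Terraform
# ordering is needed. No Certificate in this file references this Issuer
# (the exportproxy cert uses kubevirt-ca); presumably it is consumed elsewhere
# -- verify against the callers.
resource "kubectl_manifest" "kubevirt-export-ca" {
  # namespace is quoted (it was a plain scalar before) so a boolean- or
  # number-looking namespace cannot be re-typed by the YAML parser; this also
  # matches the quoting used by the other manifests in this file.
  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Issuer"
    metadata:
      name: "kubevirt-export-ca"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      ca:
        secretName: "kubevirt-export-ca"
  EOF
}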
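# CA-backed Issuer for all leaf certificates in this file. It signs with the
# key pair in Secret "kubevirt-ca", written by the kubevirt-ca-cert
# Certificate above; cert-manager reports it not-ready until that Secret
# exists and then reconciles, so no explicit Terraform ordering is needed.
resource "kubectl_manifest" "kubevirt-ca" {
  # namespace is quoted (it was a plain scalar before) so a boolean- or
  # number-looking namespace cannot be re-typed by the YAML parser; this also
  # matches the quoting used by the other manifests in this file.
  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Issuer"
    metadata:
      name: "kubevirt-ca"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      ca:
        secretName: "kubevirt-ca"
  EOF
}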
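# Serving certificate for virt-api, issued by the kubevirt-ca Issuer and
# stored in Secret "kubevirt-virt-api-certs". SANs cover the bare Service
# name through the full cluster-local FQDN so any in-cluster caller form
# validates. duration/renewBefore are not set, so cert-manager's defaults
# apply; set them explicitly if the CA's var.duration is meant to bound them.
resource "kubectl_manifest" "kubevirt-virt-api-certs" {
  # All scalars that embed ${var.namespace} are quoted: the bare namespace
  # value could otherwise be re-typed by YAML, and quoting the dnsNames
  # entries keeps the same rule for the derived hostnames.
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-virt-api-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      dnsNames:
        - virt-api
        - "virt-api.${var.namespace}"
        - "virt-api.${var.namespace}.svc"
        - "virt-api.${var.namespace}.svc.cluster.local"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-virt-api-certs
      subject:
        organizationalUnits:
          - kubevirt-virt-api
  EOF
}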
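# Serving certificate for virt-controller, issued by the kubevirt-ca Issuer
# and stored in Secret "kubevirt-controller-certs". SANs cover the bare
# Service name through the full cluster-local FQDN. duration/renewBefore are
# not set, so cert-manager's defaults apply.
resource "kubectl_manifest" "kubevirt-controller-certs" {
  # All scalars that embed ${var.namespace} are quoted so the YAML parser
  # cannot re-type them (same rule as the other Certificates in this file).
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-controller-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      dnsNames:
        - virt-controller
        - "virt-controller.${var.namespace}"
        - "virt-controller.${var.namespace}.svc"
        - "virt-controller.${var.namespace}.svc.cluster.local"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-controller-certs
      subject:
        organizationalUnits:
          - kubevirt-virt-controller
  EOF
}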
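# Serving certificate for virt-exportproxy, issued by the kubevirt-ca Issuer
# (not the kubevirt-export-ca Issuer defined above) and stored in Secret
# "kubevirt-exportproxy-certs". duration/renewBefore are not set, so
# cert-manager's defaults apply.
#
# NOTE(review): the subject OU is "kubevirt-virt-controller", whereas every
# other leaf cert here uses an OU matching its own component. If the OU is
# used for authorization decisions this grants exportproxy the controller's
# identity -- confirm this is intentional rather than a copy-paste leftover.
resource "kubectl_manifest" "kubevirt-exportproxy-certs" {
  # All scalars that embed ${var.namespace} are quoted so the YAML parser
  # cannot re-type them (same rule as the other Certificates in this file).
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-exportproxy-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      dnsNames:
        - virt-exportproxy
        - "virt-exportproxy.${var.namespace}"
        - "virt-exportproxy.${var.namespace}.svc"
        - "virt-exportproxy.${var.namespace}.svc.cluster.local"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-exportproxy-certs
      subject:
        organizationalUnits:
          - kubevirt-virt-controller
  EOF
}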
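# Serving certificate for the kubevirt-operator admission webhook, issued by
# the kubevirt-ca Issuer and stored in Secret "kubevirt-operator-certs". The
# API server validates the webhook's certificate against the SANs listed
# here, so the Service name and its namespace-qualified forms must all be
# present. duration/renewBefore are not set, so cert-manager's defaults apply.
resource "kubectl_manifest" "kubevirt-operator-certs" {
  # All scalars that embed ${var.namespace} are quoted so the YAML parser
  # cannot re-type them (same rule as the other Certificates in this file).
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-operator-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      dnsNames:
        - kubevirt-operator-webhook
        - "kubevirt-operator-webhook.${var.namespace}"
        - "kubevirt-operator-webhook.${var.namespace}.svc"
        - "kubevirt-operator-webhook.${var.namespace}.svc.cluster.local"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-operator-certs
      subject:
        organizationalUnits:
          - kubevirt-operator-webhook
  EOF
}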
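# Serving certificate for virt-handler, issued by the kubevirt-ca Issuer and
# stored in Secret "kubevirt-virt-handler-server-certs". The matching client
# certificate is the separate kubevirt-virt-handler-certs resource below.
# duration/renewBefore are not set, so cert-manager's defaults apply.
resource "kubectl_manifest" "kubevirt-virt-handler-server-certs" {
  # All scalars that embed ${var.namespace} are quoted so the YAML parser
  # cannot re-type them (same rule as the other Certificates in this file).
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-virt-handler-server-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      dnsNames:
        - virt-handler
        - "virt-handler.${var.namespace}"
        - "virt-handler.${var.namespace}.svc"
        - "virt-handler.${var.namespace}.svc.cluster.local"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-virt-handler-server-certs
      subject:
        organizationalUnits:
          - kubevirt-virt-handler
  EOF
}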
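# Client certificate for virt-handler, issued by the kubevirt-ca Issuer and
# stored in Secret "kubevirt-virt-handler-certs". Unlike the serving certs it
# carries no dnsNames and restricts usages to "digital signature" and
# "client auth", so the key cannot be presented as a server certificate; the
# server side is the kubevirt-virt-handler-server-certs resource above.
# duration/renewBefore are not set, so cert-manager's defaults apply.
#
# NOTE(review): the subject OU is "kubevirt-virt-handler-certs" while the
# server cert's OU is "kubevirt-virt-handler"; if the receiving side matches
# on OU, confirm that the "-certs" suffix is what it expects.
resource "kubectl_manifest" "kubevirt-virt-handler-certs" {
  # namespace is quoted so the YAML parser cannot re-type a boolean- or
  # number-looking value (same rule as the other manifests in this file).
  yaml_body = <<-EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "kubevirt-virt-handler-certs"
      labels: ${jsonencode(local.common-labels)}
      namespace: "${var.namespace}"
    spec:
      usages:
        - digital signature
        - client auth
      commonName: "kubevirt-virt-handler-certs"
      issuerRef:
        kind: Issuer
        name: kubevirt-ca
      secretName: kubevirt-virt-handler-certs
      subject:
        organizationalUnits:
          - kubevirt-virt-handler-certs
  EOF
}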