kubernetes_certificate_signing_request_v1

Use this resource to generate TLS certificates using Kubernetes.

This is a logical resource, so it contributes only to the current Terraform state and does not persist any external managed resources.

This resource enables automation of X.509 credential provisioning (including TLS/SSL certificates). It does this by creating a CertificateSigningRequest through the Kubernetes API; once approved, the request is signed by the Certificate Authority (CA) configured in the Kubernetes cluster for the named signer. The CSR can be approved automatically by Terraform, or it can be approved by a custom controller running in Kubernetes. See the Kubernetes reference documentation for all available options pertaining to CertificateSigningRequests.

Example Usage

resource "kubernetes_certificate_signing_request_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    usages      = ["client auth", "server auth"]
    signer_name = "kubernetes.io/kube-apiserver-client"

    request = <<EOT
-----BEGIN CERTIFICATE REQUEST-----
MIHSMIGBAgEAMCoxGDAWBgNVBAoTD2V4YW1wbGUgY2x1c3RlcjEOMAwGA1UEAxMF
YWRtaW4wTjAQBgcqhkjOPQIBBgUrgQQAIQM6AASSG8S2+hQvfMq5ucngPCzK0m0C
ImigHcF787djpF2QDbz3oQ3QsM/I7ftdjB/HHlG2a5YpqjzT0KAAMAoGCCqGSM49
BAMCA0AAMD0CHQDErNLjX86BVfOsYh/A4zmjmGknZpc2u6/coTHqAhxcR41hEU1I
DpNPvh30e0Js8/DYn2YUfu/pQU19
-----END CERTIFICATE REQUEST-----
EOT
  }

  auto_approve = true
}
resource "kubernetes_secret" "example" {
  metadata {
    name = "example"
  }
  data = {
    "tls.crt" = kubernetes_certificate_signing_request_v1.example.certificate
    "tls.key" = tls_private_key.example.private_key_pem # key used to generate Certificate Request
  }
  type = "kubernetes.io/tls"
}
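The same flow as the example above, with the key pair and CSR generated by Terraform instead of a pasted request, so that the `tls_private_key.example` reference resolves. This is an added example, not code from the provider's documentation; it assumes the hashicorp/tls provider and the "example" names, and it requests only "client auth" because the kubernetes.io/kube-apiserver-client signer only issues client certificates.

```hcl
# Added example, not from the provider's documentation. Assumes the
# hashicorp/tls provider; names ("example", admin/example cluster) are made up.

resource "tls_private_key" "example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

# The CSR subject is the identity the API server will honour:
# CN becomes the username, O entries become group memberships.
resource "tls_cert_request" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "admin"
    organization = "example cluster"
  }
}

resource "kubernetes_certificate_signing_request_v1" "example" {
  metadata {
    name = "example"
  }
  spec {
    request     = tls_cert_request.example.cert_request_pem
    signer_name = "kubernetes.io/kube-apiserver-client"
    # This built-in signer only issues client certificates: it permits
    # "client auth" (plus "digital signature"/"key encipherment") and fails
    # requests that also ask for "server auth".
    usages = ["client auth"]
  }

  # Approving here means whoever can run this apply can mint a credential
  # for the subject above; restrict who holds that permission.
  auto_approve = true
}

resource "kubernetes_secret" "example" {
  metadata {
    name = "example"
  }
  data = {
    "tls.crt" = kubernetes_certificate_signing_request_v1.example.certificate
    # The private key is also recorded in Terraform state; protect the state.
    "tls.key" = tls_private_key.example.private_key_pem
  }
  type = "kubernetes.io/tls"
}
```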

Argument Reference

The following arguments are supported:

Nested Blocks

metadata

Arguments

Attributes

spec

Arguments

Generating a New Certificate

Because the certificate is held by a logical resource that lives only in the Terraform state, it persists until the resource is explicitly destroyed by the user.

In order to force the generation of a new certificate within an existing state, the certificate instance can be "tainted":

terraform taint kubernetes_certificate_signing_request_v1.example

A new certificate will then be generated on the next terraform apply.