Migrate to wildcard certs for httptoolk.it as well

Author: pimterry

certificates.tf

@@ -54,12 +54,6 @@ resource "kubectl_manifest" "letsencrypt_prod" {
                 }
               }
             }
-            selector = {
-              dnsNames = [
-                "httptoolkit.tech",
-                "*.httptoolkit.tech"
-              ]
-            }
           }
         ]
       }
@@ -72,23 +66,6 @@ resource "kubectl_manifest" "letsencrypt_prod" {
   ]
 }
 
-# Manually set up the TLS cert for *.e.httptoolk.it, for now:
-resource "kubernetes_secret_v1" "cert_httptoolk_it" {
-  metadata {
-    name      = "cert-httptoolk-it"
-    namespace = "certificates"
-  }
-
-  type = "kubernetes.io/tls"
-
-  data = {
-    "tls.crt" = var.httptoolk_it_tls_cert
-    "tls.key" = var.httptoolk_it_tls_key
-  }
-
-  depends_on = [helm_release.envoy_gateway]
-}
-
 # We create a new app & API key for cert manager to automate our DNS:
 resource "scaleway_iam_application" "acme_dns_bot" {
   name        = "acme-dns-bot"
@@ -154,9 +131,31 @@ resource "kubectl_manifest" "cert_wildcard_httptoolkit_tech" {
       ]
     }
   })
+  depends_on = [kubectl_manifest.letsencrypt_prod]
+}
 
-  depends_on = [
-    kubectl_manifest.letsencrypt_prod,
-    kubectl_manifest.gateways
-  ]
+
+resource "kubectl_manifest" "cert_wildcard_httptoolk_it" {
+  yaml_body = yamlencode({
+    apiVersion = "cert-manager.io/v1"
+    kind       = "Certificate"
+    metadata = {
+      name      = "cert-wildcard-httptoolk-it"
+      namespace = "certificates"
+    }
+    spec = {
+      secretName = "cert-wildcard-httptoolk-it"
+      issuerRef = {
+        name = "letsencrypt-prod"
+        kind = "ClusterIssuer"
+      }
+      commonName = "httptoolk.it"
+      dnsNames = [
+        "httptoolk.it",
+        "*.httptoolk.it",
+        "*.e.httptoolk.it"
+      ]
+    }
+  })
+  depends_on = [kubectl_manifest.letsencrypt_prod]
 }

gateway.tf

@@ -74,7 +74,7 @@ locals {
       }
       tls = {
         mode            = "Terminate"
-        certificateRefs = [{ kind = "Secret", namespace = "certificates", name = "cert-httptoolk-it" }]
+        certificateRefs = [{ kind = "Secret", namespace = "certificates", name = "cert-wildcard-httptoolk-it" }]
       }
     },
     // TLS termination but then raw TCP passthrough for the endpoint admin:

variables.tf

@@ -31,16 +31,4 @@ variable "secondary_zone" {
   type        = string
   default     = "fr-par-2"
   description = "Secondary/failover zone for zonal resources"
-}
-
-variable "httptoolk_it_tls_cert" {
-  description = "PEM-encoded TLS certificate for *.e.httptoolk.it"
-  type        = string
-  sensitive   = true
-}
-
-variable "httptoolk_it_tls_key" {
-  description = "PEM-encoded TLS private key for *.e.httptoolk.it"
-  type        = string
-  sensitive   = true
 }