02_helm_cert_manager.tf
resource "kubernetes_namespace" "cert_manager" {
  depends_on = [module.eks]

  metadata {
    name = "cert-manager"

    labels = {
      "certmanager.k8s.io/disable-validation" = "true"
    }
  }

  # Rancher attaches finalizers to this namespace, and by the time Terraform
  # gets round to deleting it Rancher itself has already been removed, so the
  # finalizers are never cleared and the delete would never finish. Nulling
  # them on destroy lets the removal go through.
  # NOTE(review): destroy-time provisioners cannot read other resources, which
  # is presumably why the kubeconfig is located by filename. `find | head -n1`
  # takes the first match, so keep exactly one kubeconfig_* file under the
  # working directory or the patch may be sent to the wrong cluster.
  provisioner "local-exec" {
    when        = destroy
    interpreter = ["bash", "-c"]
    command     = "KUBECONFIG=$(find . -type f -name 'kubeconfig_*' | head -n1) kubectl patch ns cert-manager -p '{\"metadata\":{\"finalizers\":null}}'"
  }

  # Rancher rewrites the namespace's annotations and labels out of band; without
  # ignoring them Terraform would report drift and try to revert them every run.
  lifecycle {
    ignore_changes = [
      metadata[0].annotations,
      metadata[0].labels,
    ]
  }
}
# --- CRD installation -- All this is required ---
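resource "kubernetes_cluster_role" "prepare_cert_manager" {
  depends_on = [kubernetes_namespace.cert_manager]

  metadata {
    name = "prepare-cert-manager"

    labels = {
      app = "prepare-cert-manager"
    }
  }

  # The prepare job only runs `kubectl apply -f <crds.yaml>`, which reads the
  # existing CRD (get) and then creates or patches it; it never deletes, so
  # "delete" is not granted. CRDs are cluster-scoped, so every verb listed here
  # applies to every CRD on the cluster -- keep this list minimal and re-add
  # "delete" only if the job is ever changed to prune.
  rule {
    api_groups = ["apiextensions.k8s.io"]
    resources  = ["customresourcedefinitions"]
    verbs      = ["create", "get", "patch"]
  }
}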
# Identity the CRD bootstrap Job runs as; the ClusterRoleBinding below gives it
# the CRD permissions defined on the matching ClusterRole.
resource "kubernetes_service_account" "prepare_cert_manager" {
  depends_on = [kubernetes_namespace.cert_manager]

  metadata {
    namespace = "cert-manager"
    name      = "prepare-cert-manager"

    labels = {
      app = "prepare-cert-manager"
    }
  }
}
resource "kubernetes_cluster_role_binding" "prepare_cert_manager" {
  depends_on = [
    kubernetes_service_account.prepare_cert_manager,
    kubernetes_cluster_role.prepare_cert_manager
  ]

  metadata {
    name = "prepare-cert-manager"

    labels = {
      app = "prepare-cert-manager"
    }
  }

  # Binds the job's service account to the CRD ClusterRole. The binding itself
  # is cluster-scoped because the role it grants covers cluster-scoped objects.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.prepare_cert_manager.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.prepare_cert_manager.metadata[0].name
    namespace = kubernetes_service_account.prepare_cert_manager.metadata[0].namespace
  }
}
resource "kubernetes_job" "prepare_cert_manager" {
  depends_on = [kubernetes_cluster_role_binding.prepare_cert_manager]

  # Terraform blocks on this Job, so the Helm release that depends on it does
  # not start until the CRDs have been applied.
  wait_for_completion = true

  metadata {
    # Every character of the version other than "v" and digits becomes "-", and
    # the result is folded into the Job name -- presumably so that a version
    # bump yields a new Job rather than an edit of an existing one.
    name      = "prepare-cert-manager-${replace(var.cert_manager_version, "/[^v0-9]/", "-")}"
    namespace = "cert-manager"
  }

  spec {
    backoff_limit = 4

    template {
      metadata {}

      spec {
        restart_policy                  = "Never"
        service_account_name            = "prepare-cert-manager"
        automount_service_account_token = true

        container {
          name = "kubectl"
          # NOTE(review): no tag or digest, so this resolves to a mutable tag and
          # the bootstrap step is not reproducible; pin it.
          image = "bitnami/kubectl"

          # Applies the CRD manifest for the selected release directly from the
          # GitHub release asset.
          # NOTE(review): the manifest is trusted on TLS alone, no checksum is
          # checked. On failure the container sleeps for an hour (so the pod can
          # be inspected), but since Terraform waits for completion and the Job
          # retries up to backoff_limit times, a bad version can stall the apply
          # for hours rather than failing fast.
          command = [
            "bash",
            "-c",
            join(" ", [
              "kubectl",
              "apply",
              "-f",
              "https://github.com/jetstack/cert-manager/releases/download/${var.cert_manager_version}/cert-manager.crds.yaml",
              "||",
              "sleep 3600"
            ])
          ]
        }
      }
    }
  }
}
# --- END CRD installation ---
# install cert-manager
resource "helm_release" "cert_manager" {
  # CRDs are installed by the Job above and must exist before the chart goes in.
  depends_on = [kubernetes_job.prepare_cert_manager]

  name       = "cert-manager"
  namespace  = "cert-manager"
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  # The same variable drives the CRD manifest URL in the Job, keeping chart and
  # CRD versions in lockstep.
  version    = var.cert_manager_version

  # Optional values override: when a filename is supplied its contents are
  # handed to Helm, otherwise the chart defaults are used.
  values = (
    var.cert_manager_values_filename != ""
    ? [file(var.cert_manager_values_filename)]
    : []
  )
}