# Dedicated namespace for the console release; named after var.release_name.
# Every namespaced object in this listing is placed in it.
resource "kubernetes_namespace" "oc_namespace" {
  metadata {
    name = var.release_name
  }
}
# Service account the console pod runs as. It is bound to a ClusterRole by
# kubernetes_cluster_role_binding.oc_role_binding.
resource "kubernetes_service_account" "oc_sa" {
  metadata {
    name      = var.release_name
    namespace = kubernetes_namespace.oc_namespace.id
  }
}
# Secret of type service-account-token, tied to oc_sa via the
# "kubernetes.io/service-account.name" annotation. The deployment reads its
# "token" key into BRIDGE_K8S_AUTH_BEARER_TOKEN.
#
# NOTE(review): a token Secret of this type is long-lived (no expiry), unlike
# the projected tokens mounted into pods. Rotation means deleting and
# recreating this Secret.
# NOTE(review): the populated token presumably ends up in Terraform state as
# well; confirm the state backend is access-controlled and encrypted.
resource "kubernetes_secret" "oc_secret" {
  type = "kubernetes.io/service-account-token"

  metadata {
    name      = var.release_name
    namespace = kubernetes_namespace.oc_namespace.id

    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account.oc_sa.metadata[0].name
    }
  }

  # "data" is not set in this configuration, so changes to it are ignored to
  # avoid a perpetual diff once the cluster fills it in.
  lifecycle {
    ignore_changes = [data]
  }
}
# Binds the built-in "cluster-admin" ClusterRole, cluster-wide, to the console
# service account.
#
# NOTE(review): every API call the console makes with this account's token
# runs as cluster-admin. Unless the console does its own per-user auth (this
# depends on var.bridge_vars, which is not visible here), anyone who can reach
# the console through the ingress effectively holds that access.
# The only gates in this listing are the optional basic-auth and IP
# middlewares. Consider a narrower ClusterRole (for example the built-in
# "view") if the console is only meant for read access.
resource "kubernetes_cluster_role_binding" "oc_role_binding" {
  metadata {
    name = var.release_name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.oc_sa.metadata[0].name
    namespace = kubernetes_namespace.oc_namespace.id
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
}
# Console settings, injected into the container wholesale via env_from.
#
# NOTE(review): ConfigMap contents are readable by anyone with read access to
# the namespace; keep secrets out of var.bridge_vars. Settings that control the
# console's user authentication presumably live here too, so review them
# together with the ingress middlewares.
resource "kubernetes_config_map" "oc_configmap" {
  data = var.bridge_vars

  metadata {
    name      = var.release_name
    namespace = kubernetes_namespace.oc_namespace.id
  }
}
# Console deployment: runs /opt/bridge/bin/bridge from the
# quay.io/openshift/origin-console image as the oc_sa service account.
resource "kubernetes_deployment" "oc_deployment" {
  metadata {
    name      = var.release_name
    namespace = kubernetes_namespace.oc_namespace.id

    labels = {
      k8s-app = var.release_name
    }
  }

  spec {
    replicas = var.replicas

    selector {
      match_labels = {
        k8s-app = var.release_name
      }
    }

    template {
      metadata {
        labels = {
          k8s-app = var.release_name
        }
      }

      spec {
        service_account_name = kubernetes_service_account.oc_sa.metadata[0].name
        node_selector        = var.node_selector

        # NOTE(review): the token is already passed through the environment
        # below, so the mounted copy may be redundant. Confirm whether
        # var.bridge_vars references files under the service-account mount
        # (e.g. the CA bundle) before turning this off.
        automount_service_account_token = true

        # NOTE(review): no security_context is set on the pod or the
        # container, so the image's defaults apply (user, privilege
        # escalation, root filesystem).
        container {
          name    = var.release_name
          command = ["/opt/bridge/bin/bridge"]

          # A version starting with "sha256:" is a digest and is joined with
          # "@"; anything else is treated as a tag and joined with ":".
          # Pinning by digest keeps the deployed image immutable.
          image = format(
            "%s%s%s",
            "quay.io/openshift/origin-console",
            split(":", var.console_version)[0] == "sha256" ? "@" : ":",
            var.console_version,
          )

          # Requests equal limits for both CPU and memory.
          resources {
            requests = {
              cpu    = "500m"
              memory = "512Mi"
            }
            limits = {
              cpu    = "500m"
              memory = "512Mi"
            }
          }

          # All keys of the ConfigMap become environment variables.
          env_from {
            config_map_ref {
              name = kubernetes_config_map.oc_configmap.metadata[0].name
            }
          }

          # Bearer token of the cluster-admin-bound service account, read
          # from the "token" key of oc_secret.
          env {
            name = "BRIDGE_K8S_AUTH_BEARER_TOKEN"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.oc_secret.metadata[0].name
                key  = "token"
              }
            }
          }

          # $(VAR) is Kubernetes env expansion, not Terraform interpolation:
          # the kubelet substitutes the in-cluster API host and port.
          env {
            name  = "BRIDGE_K8S_MODE_OFF_CLUSTER_ENDPOINT"
            value = "https://$(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT)"
          }
        }
      }
    }
  }
}
# In-cluster Service (ClusterIP) in front of the console pods on port 9000.
# It is not exposed directly; external access goes through the Traefik
# IngressRoute.
#
# NOTE(review): a ClusterIP is still reachable from other pods in the cluster,
# which bypasses the Traefik middlewares. No NetworkPolicy appears in this
# listing; confirm one exists elsewhere if in-cluster access should be limited.
resource "kubernetes_service" "oc_service" {
  metadata {
    name      = var.release_name
    namespace = kubernetes_namespace.oc_namespace.id

    # Taking the label from the deployment also orders this resource after it.
    labels = {
      "k8s-app" = kubernetes_deployment.oc_deployment.metadata[0].labels["k8s-app"]
    }
  }

  spec {
    type = "ClusterIP"

    selector = {
      "k8s-app" = var.release_name
    }

    port {
      port        = 9000
      target_port = 9000
    }
  }
}
locals {
  # Traefik middleware references attached to the main console route:
  #   - basic auth, only when var.users is non-empty
  #   - IP whitelist, only when var.whitelist is non-empty
  # Names use Traefik's "<namespace>-<name>@kubernetescrd" form.
  #
  # NOTE(review): with both var.users and var.whitelist empty this list is
  # empty, and the main route is published with no access-control middleware.
  # Given the cluster-admin binding, consider failing the plan in that case
  # (e.g. a variable validation or precondition).
  middlewares = concat(
    length(var.users) > 0 ? [{
      name = format("%s-%s@kubernetescrd", kubernetes_namespace.oc_namespace.id, module.auth[0].name)
    }] : [],
    length(var.whitelist) > 0 ? [{
      name = format("%s-%s@kubernetescrd", kubernetes_namespace.oc_namespace.id, kubectl_manifest.oc_middleware_whitelist[0].name)
    }] : [],
  )
}
# cert-manager Certificate for var.dashboard_host, issued by the ClusterIssuer
# named in var.letsencrypt_issuer_name. The key pair is written to the Secret
# "<dashboard_host>.pem", which the IngressRoute's tls block references by
# the same literal name.
resource "kubectl_manifest" "dashboard_certificate" {
  yaml_body = yamlencode({
    apiVersion = "cert-manager.io/v1"
    kind       = "Certificate"
    metadata = {
      name      = var.dashboard_host
      namespace = kubernetes_namespace.oc_namespace.id
    }
    spec = {
      secretName = "${var.dashboard_host}.pem"
      dnsNames   = [var.dashboard_host]
      issuerRef = {
        kind = "ClusterIssuer"
        name = var.letsencrypt_issuer_name
      }
    }
  })
}
# Traefik IngressRoute publishing the console on the "websecure" entry point
# for var.dashboard_host, with TLS from the "<dashboard_host>.pem" Secret.
#
# Two routes, both to the console Service on port 9000:
#   1. priority 12, everything under "/": guarded by local.middlewares
#      (basic auth and/or IP whitelist, each optional).
#   2. priority 20, exactly "/favicon.ico": carries only the replacePath
#      middleware, so it is served without the access-control middlewares.
#
# NOTE(review): route 1 is the only gate in front of a console that runs with
# a cluster-admin token; if local.middlewares is empty it is open to anyone
# who can reach the entry point.
# NOTE(review): the tls Secret name is a literal rather than a reference to
# kubectl_manifest.dashboard_certificate, so Terraform does not order this
# resource after the certificate.
resource "kubectl_manifest" "oc_ingress_route" {
  yaml_body = yamlencode({
    apiVersion = "traefik.containo.us/v1alpha1"
    kind       = "IngressRoute"
    metadata = {
      name      = var.release_name
      namespace = kubernetes_namespace.oc_namespace.id
    }
    spec = {
      entryPoints = ["websecure"]
      tls = {
        secretName = "${var.dashboard_host}.pem"
      }
      routes = [
        # Main console route, subject to the optional auth/whitelist chain.
        {
          match       = "Host(`${var.dashboard_host}`) && PathPrefix(`/`)"
          kind        = "Rule"
          priority    = 12
          middlewares = local.middlewares
          services = [
            {
              name      = kubernetes_service.oc_service.metadata[0].name
              kind      = "Service"
              namespace = kubernetes_namespace.oc_namespace.id
              port      = 9000
              weight    = 1
            }
          ]
        },
        # Favicon route: higher priority, rewritten to the static asset path.
        {
          match    = "Host(`${var.dashboard_host}`) && Path(`/favicon.ico`)"
          kind     = "Rule"
          priority = 20
          middlewares = [
            {
              name = "${kubernetes_namespace.oc_namespace.id}-${kubectl_manifest.oc_middleware_favicon.name}@kubernetescrd"
            }
          ]
          services = [
            {
              name      = kubernetes_service.oc_service.metadata[0].name
              kind      = "Service"
              namespace = kubernetes_namespace.oc_namespace.id
              port      = 9000
              weight    = 1
            }
          ]
        }
      ]
    }
  })
}
# Basic-auth middleware from the sibling module, instantiated only when
# var.users is non-empty. Its "name" output is referenced by
# local.middlewares.
#
# NOTE(review): var.users presumably carries credentials; confirm the variable
# is declared sensitive and that the module stores hashes, not plaintext.
# Basic auth here identifies who may reach the console. It does not change
# which Kubernetes identity the console acts as.
module "auth" {
  source = "../traefik-basic-auth-middleware"
  count  = length(var.users) > 0 ? 1 : 0

  name      = "${var.release_name}-auth"
  namespace = kubernetes_namespace.oc_namespace.id
  users     = var.users
}
# IP allow-list middleware ("<release_name>-white-list"), created only when
# var.whitelist is non-empty. Its sourceRange is var.whitelist as given.
#
# NOTE(review): Traefik matches sourceRange against the connection's remote
# address unless ipStrategy is set. If Traefik sits behind a load balancer or
# proxy, confirm the address it sees is the real client IP. Otherwise the list
# either blocks everyone or admits everything coming through the proxy.
# NOTE(review): newer Traefik releases rename this middleware to ipAllowList
# and move the CRDs to the traefik.io API group; check the deployed version.
resource "kubectl_manifest" "oc_middleware_whitelist" {
  count = length(var.whitelist) > 0 ? 1 : 0

  yaml_body = yamlencode({
    apiVersion = "traefik.containo.us/v1alpha1"
    kind       = "Middleware"
    metadata = {
      name      = "${var.release_name}-white-list"
      namespace = kubernetes_namespace.oc_namespace.id
    }
    spec = {
      ipWhiteList = {
        sourceRange = var.whitelist
      }
    }
  })
}
# replacePath middleware ("<release_name>-favicon") used by the /favicon.ico
# route: the request path is replaced with the console's static favicon asset.
# The target path is fixed, so the route that uses it can reach only that file.
resource "kubectl_manifest" "oc_middleware_favicon" {
  yaml_body = yamlencode({
    apiVersion = "traefik.containo.us/v1alpha1"
    kind       = "Middleware"
    metadata = {
      name      = "${var.release_name}-favicon"
      namespace = kubernetes_namespace.oc_namespace.id
    }
    spec = {
      replacePath = {
        path = "/static/assets/okd-favicon.png"
      }
    }
  })
}
# Optional VictoriaMetrics VMRule ("<release_name>-rules"), created when
# var.vm_rules is true. The rule list is read from rules.yaml next to this
# module and placed in a single group named "oc-vm-rules".
resource "kubectl_manifest" "oc_vm_rules" {
  count = var.vm_rules ? 1 : 0

  yaml_body = yamlencode({
    apiVersion = "operator.victoriametrics.com/v1beta1"
    kind       = "VMRule"
    metadata = {
      name      = "${var.release_name}-rules"
      namespace = kubernetes_namespace.oc_namespace.id
    }
    spec = {
      groups = [
        {
          name  = "oc-vm-rules"
          rules = yamldecode(file("${path.module}/rules.yaml"))
        }
      ]
    }
  })
}