# Azure Resource Manager provider, pinned to one exact release so every run
# resolves the same provider build. The in-block `version` argument is the
# legacy pinning form; later Terraform releases deprecate it in favour of
# `required_providers` inside a `terraform {}` block (none is present here).
provider "azurerm" {
  version  = "=2.12.0"
  features {}
}
# Six-character lowercase alphanumeric suffix that every resource name below
# appends, so the resource group, cluster, public IP and DNS label are unique
# per deployment. It is a naming nonce, not a secret.
resource "random_string" "unique" {
  length  = 6
  special = false
  upper   = false
}
# Resource group owning the AKS control-plane resource. Note that the ingress
# public IP below is deliberately placed in the cluster's node_resource_group
# instead of this group.
resource "azurerm_resource_group" "rg" {
  name     = "rg-${random_string.unique.result}"
  location = var.rg_location
}
# AKS cluster. Its emitted kube_config / kube_config_raw (cluster-admin
# credentials) are consumed by the helm provider, the local_file and the
# null_resource below, so this resource is the root of trust for everything
# that follows.
#
# Hardening notes (not changed here, to keep the deployment as written):
#  - No `api_server_authorized_ip_ranges` is set, so the API server accepts
#    connections from any source IP; restricting it to known egress ranges
#    is the usual first step.
#  - No `azure_active_directory` block is configured, so authentication relies
#    on the static admin kubeconfig rather than AAD identities; the admin
#    credentials cannot be tied to a person or easily revoked.
#  - No `network_profile` is set, so provider/Azure defaults apply.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-${random_string.unique.result}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  kubernetes_version  = var.aks_version
  # Hard-coded prefix; the resulting FQDN is not referenced elsewhere in this file.
  dns_prefix          = "aks"

  default_node_pool {
    name       = "default"
    node_count = var.aks_node_count
    vm_size    = var.aks_vm_size
  }

  # Managed identity instead of a service-principal secret: nothing to rotate
  # or store in state for the cluster's own Azure access.
  identity {
    type = "SystemAssigned"
  }

  # Kubernetes RBAC on; without an AAD block this only governs the built-in
  # kubeconfig users, which here are cluster-admin.
  role_based_access_control {
    enabled = true
  }
}
# Helm provider wired directly to the AKS-emitted admin kubeconfig, so
# Terraform never reads a local ~/.kube/config (load_config_file = false).
# Both basic-auth (username/password) and client-certificate credentials are
# supplied; all of them are cluster-admin and all end up in Terraform state,
# so the state backend needs the same access control as the cluster itself.
provider "helm" {
  kubernetes {
    load_config_file = false
    # kube_config is a list; index 0 is the only entry.
    host     = azurerm_kubernetes_cluster.aks.kube_config.0.host
    username = azurerm_kubernetes_cluster.aks.kube_config.0.username
    password = azurerm_kubernetes_cluster.aks.kube_config.0.password
    # Certificate material is exposed base64-encoded by the AKS resource and
    # must be decoded before the provider can use it.
    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate)
  }
}
# Static public IP for the ingress LoadBalancer service. It is created in the
# cluster's node resource group (presumably so the cluster can attach it
# without an additional role assignment — confirm). `domain_name_label`
# produces the `fqdn` that the cert-manager manifest consumes below.
resource "azurerm_public_ip" "ingress" {
  name                = "pip-${random_string.unique.result}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group
  domain_name_label   = random_string.unique.result
  allocation_method   = "Static"
  # Standard SKU to match the AKS load balancer; Basic and Standard cannot be mixed.
  sku                 = "Standard"
}
# cert-manager, pinned to an exact chart version from the HTTPS Jetstack repo,
# so the installed release is reproducible. Its namespace is referenced by the
# ingress release (default-ssl-certificate) and by the null_resource below.
resource "helm_release" "cert_manager" {
  name             = "cert-manager"
  repository       = "https://charts.jetstack.io"
  chart            = "cert-manager"
  namespace        = var.cert_manager_ns
  create_namespace = true
  version          = "v0.15.0"

  # Let the chart install and own its CRDs; the boolean is passed to Helm as
  # the string "true".
  set {
    name  = "installCRDs"
    value = true
  }
}
# nginx-ingress controller bound to the static public IP above.
#
# Supply-chain notes:
#  - No `version` is set, so whichever chart version the repository serves at
#    apply time is installed; this makes runs non-reproducible and means an
#    upstream chart change lands unreviewed. Pin it, e.g.
#    `version = "<pinned-chart-version>"`.
#  - NOTE(review): the repository is the legacy "stable" Helm repo, which has
#    since been deprecated; confirm it still resolves and consider the
#    chart's current upstream location.
resource "helm_release" "ingress" {
  name             = "nginx-ingress"
  repository       = "https://kubernetes-charts.storage.googleapis.com"
  chart            = "nginx-ingress"
  namespace        = var.ingress_ns
  create_namespace = true

  # Until Helm really fixes this issue (and not just mark it as closed), keep this flag false
  # https://github.com/helm/charts/issues/11904
  wait = false

  set {
    name  = "controller.replicaCount"
    value = var.ingress_replica_count
  }

  # Pin the Service to the pre-allocated static IP instead of letting Azure
  # pick one.
  set {
    name  = "controller.service.loadBalancerIP"
    value = azurerm_public_ip.ingress.ip_address
  }

  # Dots in the label key are escaped so Helm treats the key as one path
  # segment; `type = "string"` stops the value being re-typed.
  # NOTE(review): beta.kubernetes.io/os is a deprecated label name on newer
  # Kubernetes versions — confirm against var.aks_version.
  set {
    name  = "controller.nodeSelector.beta\\.kubernetes\\.io/os"
    value = "linux"
    type  = "string"
  }

  set {
    name  = "defaultBackend.nodeSelector.beta\\.kubernetes\\.io/os"
    value = "linux"
    type  = "string"
  }

  # Fallback TLS secret, "<cert-manager namespace>/<secret>"; presumably the
  # certificate produced by the cert-manager manifest applied below.
  set {
    name  = "controller.extraArgs.default-ssl-certificate"
    value = "${helm_release.cert_manager.namespace}/${var.default_cert_secret_name}"
  }
}
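# Writes the cluster-admin kubeconfig to disk so the local-exec provisioner
# below can point kubectl at it through KUBECONFIG. `sensitive_content` keeps
# the value out of plan output, but the file itself is plaintext admin
# credentials next to the module: restrict its mode and keep the path out of
# version control.
resource "local_file" "kube_config" {
  filename          = "${path.module}/kubeconfig"
  sensitive_content = azurerm_kubernetes_cluster.aks.kube_config_raw
  # Owner read/write only. The provider default is 0777, which would leave
  # admin credentials readable by every local user.
  file_permission = "0600"
}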
# Path of the cert-manager manifest that is templated and applied by the
# null_resource below; its content hash is also one of that resource's triggers.
locals {
  cert_manager_yaml = "${path.module}/cert-manager.yaml"
}
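# Templates cert-manager.yaml with envsubst and applies it with kubectl using
# the admin kubeconfig written above. Re-runs whenever the cluster
# credentials, the target namespace, the secret name, the public FQDN or the
# manifest content change.
resource "null_resource" "cert_manager" {
  triggers = {
    # Hash only: the raw kubeconfig is never stored here, but the hash still
    # ties this resource to the credential set, so rotation forces a re-apply.
    kube_config              = sha1(azurerm_kubernetes_cluster.aks.kube_config_raw)
    cert_manager_ns          = helm_release.cert_manager.namespace
    default_cert_secret_name = var.default_cert_secret_name
    fqdn                     = azurerm_public_ip.ingress.fqdn
    cert_manager_sha1        = filesha1(local.cert_manager_yaml)
  }

  provisioner "local-exec" {
    environment = {
      # Referencing local_file.kube_config also creates the implicit dependency
      # that guarantees the file exists before kubectl runs.
      KUBECONFIG               = local_file.kube_config.filename
      DEFAULT_CERT_SECRET_NAME = var.default_cert_secret_name
      FQDN                     = azurerm_public_ip.ingress.fqdn
    }
    # The SHELL-FORMAT argument limits envsubst to the two variables this
    # resource actually exports; without it every `$NAME` in the manifest is
    # rewritten from whatever happens to be in the caller's environment.
    # (Terraform only interpolates `${...}`, so the bare `$NAME`s stay literal.)
    command = <<-EOF
      envsubst '$DEFAULT_CERT_SECRET_NAME $FQDN' < ${local.cert_manager_yaml} | kubectl apply -n ${helm_release.cert_manager.namespace} -f -
    EOF
  }

  # Both releases must be installed first: the manifest presumably references
  # cert-manager CRDs and the ingress the certificate is issued for.
  depends_on = [
    helm_release.ingress,
    helm_release.cert_manager
  ]
}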