# Dedicated namespace for the dashboard. Every other Kubernetes object in this
# file (service account, secrets, Helm release) is created inside it.
resource "kubernetes_namespace" "kerberus_dashboard_namespace" {
metadata {
name = var.kerberus_dashboard_namespace
}
}
# Service account the dashboard authenticates to the cluster with. Its token is
# read back further down and passed to the Helm release as `kubernetes.token`.
resource "kubernetes_service_account" "create_kerberus_dashboard_service_account" {
  # Explicitly enabled (it is also the Kubernetes default). This only controls
  # token mounting for pods that run under this SA; the token secret read by the
  # data source below is unaffected by it.
  automount_service_account_token = true

  metadata {
    namespace = kubernetes_namespace.kerberus_dashboard_namespace.metadata[0].name
    name      = var.kerberus_service_account
  }
}
# Binds the dashboard's service account to the built-in "cluster-admin"
# ClusterRole, cluster-wide.
#
# SECURITY (review): cluster-admin is unrestricted control over every namespace
# and API resource. The token minted for this SA is handed to the Helm release
# as a value (kubernetes.token) and persisted in Terraform state, so anyone who
# can read the state, the Helm release secret, or the dashboard's own config can
# take over the cluster. Prefer a purpose-built ClusterRole limited to the
# verbs/resources the dashboard actually needs; the required set is not visible
# from this file — confirm against the chart / dashboard documentation.
resource "kubernetes_cluster_role_binding" "bind_kerberus_dashboard_service_account_to_admin_role" {
  metadata {
    # The binding reuses the service account's name.
    name = kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].name
    namespace = kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].namespace
  }

  role_ref {
    kind      = "ClusterRole"
    name      = "cluster-admin"
    api_group = "rbac.authorization.k8s.io"
  }
}
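# Long-lived bearer token for the dashboard service account.
#
# The previous lookup used the service account's `default_secret_name`, which
# depends on the legacy auto-generated token Secret. Kubernetes 1.24+ no longer
# creates that Secret, so `default_secret_name` is empty and the lookup fails.
# Creating a Secret of type kubernetes.io/service-account-token annotated with
# the SA name asks the token controller to populate it; this works on current
# and older clusters alike.
#
# SECURITY (review): this is a non-expiring credential for an SA that is bound
# to cluster-admin elsewhere in this file; it ends up in Terraform state and in
# the Helm release values, so protect both accordingly.
resource "kubernetes_secret" "kerberus_dashboard_service_account_token" {
  metadata {
    name      = "${kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].name}-token"
    namespace = kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].namespace
    annotations = {
      # Tells the token controller which SA this token belongs to.
      "kubernetes.io/service-account.name" = kubernetes_service_account.create_kerberus_dashboard_service_account.metadata[0].name
    }
  }
  type = "kubernetes.io/service-account-token"
}

# Reads the populated token back. The data source keeps its original name so
# downstream references (the `kubernetes.token` Helm value) are unchanged.
# NOTE(review): `data["token"]` is filled asynchronously by the token
# controller. Recent kubernetes provider versions wait for it when creating the
# Secret above; older ones may read it before it is populated — confirm against
# the provider version pinned for this module.
data "kubernetes_secret" "retreive_kerberus_dashboard_service_account_token" {
  metadata {
    name      = kubernetes_secret.kerberus_dashboard_service_account_token.metadata[0].name
    namespace = kubernetes_secret.kerberus_dashboard_service_account_token.metadata[0].namespace
  }
}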
locals {
  # Rendered GitHub App credentials document that is stored in a Secret below.
  # Every field is passed through from variables unchanged. The template itself
  # is not visible here — make sure it quotes/indents multi-line values such as
  # the private key correctly, otherwise the rendered YAML is invalid.
  github_app_credentials_file = templatefile("${path.module}/files/github-app-credentials.yaml.tpl", {
    appId         = var.github_app_id
    clientId      = var.github_app_client_id
    clientSecret  = var.github_app_client_secret
    webhookUrl    = var.github_app_webhook_url
    webhookSecret = var.github_app_webhook_secret
    privateKey    = var.github_app_private_key
  })
}
# Secret carrying the rendered GitHub App credentials file for the dashboard.
# The Helm release in this file does not reference it by attribute, so the chart
# is presumably configured to mount it by its fixed name — confirm in the chart.
#
# SECURITY (review): the rendered document contains the client secret, webhook
# secret and private key; the provider base64-encodes it into the Secret, and
# the plaintext is also kept in Terraform state. Use an encrypted, access-
# controlled state backend.
resource "kubernetes_secret" "github_app_credentials" {
  metadata {
    namespace = kubernetes_namespace.kerberus_dashboard_namespace.metadata[0].name
    name      = "github-app-credentials"
  }

  data = {
    "github-app-credentials" = local.github_app_credentials_file
  }
}
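locals {
  # An auth provider is only wired in when all of its inputs are supplied;
  # a partially configured provider is silently skipped (same behaviour as
  # before, just named).
  github_auth_configured    = var.github_client_id != "" && var.github_client_secrets != "" && var.github_token != ""
  microsoft_auth_configured = var.microsoft_client_id != "" && var.microsoft_client_secrets != "" && var.microsoft_tenantId != ""
}

# Installs the dashboard chart and wires in the credentials produced above.
#
# Tokens and client secrets are passed via `set_sensitive` so that Terraform
# redacts them in plan/apply output. They still end up in the Helm release
# secret and in Terraform state, so the backend must be encrypted and access-
# controlled.
resource "helm_release" "kerberus_dashboard" {
  name       = "kerberus-dashboard"
  namespace  = kubernetes_namespace.kerberus_dashboard_namespace.metadata[0].name
  repository = var.kerberus_dashboard_repository
  chart      = var.kerberus_dashboard_chart
  # Pin the chart version; if the variable is left empty Helm picks the latest
  # version, which makes deployments non-reproducible.
  version = var.kerberus_dashboard_chart_version

  # Optional caller-supplied values file; the explicit entries below override it.
  values = var.kerberus_dashboard_values_path != "" ? [file(var.kerberus_dashboard_values_path)] : []

  # Nothing below references the GitHub App credentials Secret, so without this
  # the release could be installed before that Secret exists. The role binding
  # must also be in place before the SA token is usable.
  depends_on = [
    kubernetes_secret.github_app_credentials,
    kubernetes_cluster_role_binding.bind_kerberus_dashboard_service_account_to_admin_role,
  ]

  # Argo CD
  set {
    name  = "argocd.baseUrl"
    value = var.argocd_url
  }
  # NOTE(review): the value is the string "argocd.token=<token>", i.e. the key
  # name is embedded in the value rather than passing the bare token. Kept as
  # is because the chart's expectation is not visible here — confirm, and drop
  # the format() if the chart wants the raw token.
  set_sensitive {
    name  = "argocd.token"
    value = format("argocd.token=%s", var.argocd_token)
  }

  # K8S — bearer token of the dashboard service account (bound to cluster-admin
  # elsewhere in this file) and the API endpoint it should talk to.
  set_sensitive {
    name  = "kubernetes.token"
    value = data.kubernetes_secret.retreive_kerberus_dashboard_service_account_token.data["token"]
  }
  set {
    name  = "kubernetes.url"
    value = var.kerberus_k8s_endpoint
  }

  # Github — client id is not secret; client secret and token are.
  dynamic "set" {
    for_each = local.github_auth_configured ? { "auth.github.clientId" = var.github_client_id } : {}
    content {
      name  = set.key
      value = set.value
    }
  }
  dynamic "set_sensitive" {
    for_each = local.github_auth_configured ? {
      "auth.github.clientSecret" = var.github_client_secrets
      "providers.github.token"   = var.github_token
    } : {}
    content {
      name  = set_sensitive.key
      value = set_sensitive.value
    }
  }

  # AD — client id and tenant id are not secret; the client secret is.
  dynamic "set" {
    for_each = local.microsoft_auth_configured ? {
      "providers.microsoft.clientId" = var.microsoft_client_id
      "providers.microsoft.tenantId" = var.microsoft_tenantId
    } : {}
    content {
      name  = set.key
      value = set.value
    }
  }
  dynamic "set_sensitive" {
    for_each = local.microsoft_auth_configured ? { "providers.microsoft.clientSecret" = var.microsoft_client_secrets } : {}
    content {
      name  = set_sensitive.key
      value = set_sensitive.value
    }
  }

  # Gitlab
  dynamic "set_sensitive" {
    for_each = var.gitlab_token != "" ? { "auth.gitlabToken" = var.gitlab_token } : {}
    content {
      name  = set_sensitive.key
      value = set_sensitive.value
    }
  }
}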