
Manually created a service account and mounted its secrets hashicorp/…
davidthor committed Mar 4, 2019
1 parent 552bce3 commit 350f964
Showing 12 changed files with 123 additions and 1 deletion.
16 changes: 16 additions & 0 deletions main.tf
Expand Up @@ -6,6 +6,13 @@ resource "kubernetes_namespace" "gloo_namespace" {
}
}

resource "kubernetes_service_account" "gloo_service_account" {
metadata {
name = "${var.service_account_name}"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
}
}

module "settings" {
source = "./modules/settings"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
Expand All @@ -15,26 +22,35 @@ module "settings" {
module "cluster_role" {
source = "./modules/cluster-role"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
service_account = "${kubernetes_service_account.gloo_service_account.metadata.0.name}"
}

module "gloo" {
source = "./modules/gloo"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
xds_port = "${var.xds_port}"
service_account_name = "${kubernetes_service_account.gloo_service_account.metadata.0.name}"
service_account_secret_name = "${kubernetes_service_account.gloo_service_account.default_secret_name}"
}

module "discovery" {
source = "./modules/discovery"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
service_account_name = "${kubernetes_service_account.gloo_service_account.metadata.0.name}"
service_account_secret_name = "${kubernetes_service_account.gloo_service_account.default_secret_name}"
}

module "ingress" {
source = "./modules/ingress"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
service_account_name = "${kubernetes_service_account.gloo_service_account.metadata.0.name}"
service_account_secret_name = "${kubernetes_service_account.gloo_service_account.default_secret_name}"
}

module "ingress_proxy" {
source = "./modules/ingress-proxy"
namespace = "${kubernetes_namespace.gloo_namespace.metadata.0.name}"
xds_port = "${var.xds_port}"
service_account_name = "${kubernetes_service_account.gloo_service_account.metadata.0.name}"
service_account_secret_name = "${kubernetes_service_account.gloo_service_account.default_secret_name}"
}
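Review bot: The one service account bound to the cluster role via `service_account = ...` in the `cluster_role` call is also handed to all four deployments (`gloo`, `discovery`, `ingress`, `ingress_proxy`), so the ingress proxy — the externally exposed data plane — runs with the same cluster-wide RBAC as the control plane. Least privilege here would be one `kubernetes_service_account` per component, with only the components that actually talk to the API server passed to `cluster_role`; if the proxy only consumes xDS from gloo it likely needs no binding (and possibly no token) at all, which is worth confirming against what each component calls. Until that is split, a comment on the resource should make the sharing deliberate and visible, e.g. `# Single SA shared by every gloo component; it receives the cluster role from modules/cluster-role.`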
2 changes: 1 addition & 1 deletion modules/cluster-role/main.tf
Expand Up @@ -55,7 +55,7 @@ resource "kubernetes_cluster_role_binding" "gloo_role_binding" {

subject {
kind = "ServiceAccount"
name = "default"
name = "${var.service_account}"
namespace = "${var.namespace}"
api_group = ""
}
5 changes: 5 additions & 0 deletions modules/cluster-role/variables.tf
@@ -1,3 +1,8 @@
variable "namespace" {
type = "string"
}

variable "service_account" {
type = "string"
default = "default"
}
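Review bot: `default = "default"` on the new `service_account` variable means a caller that omits the argument still binds the cluster role to the namespace's `default` service account — and therefore to every pod in the namespace that does not set its own — so the subject change in modules/cluster-role/main.tf only narrows the grant when the value is actually passed. The root module now always passes `kubernetes_service_account.gloo_service_account.metadata.0.name`, so the default can be dropped and the binding target made mandatory: `variable "service_account" { type = "string" }`. A `description` stating that this is the subject of a cluster-wide role binding would also help, since none of the variables added in this commit carry one.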
16 changes: 16 additions & 0 deletions modules/discovery/main.tf
Expand Up @@ -28,11 +28,27 @@ resource "kubernetes_deployment" "gloo_discovery" {
}

spec {
service_account_name = "${var.service_account_name}"

volume {
name = "${var.service_account_secret_name}"

secret {
secret_name = "${var.service_account_secret_name}"
}
}

container {
name = "discovery"
image = "${var.container_image}:${var.container_tag}"
image_pull_policy = "Always"

volume_mount {
mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
name = "${var.service_account_secret_name}"
read_only = true
}

env {
name = "POD_NAMESPACE"

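Review bot: The explicit `volume`/`volume_mount` pair mounts the token secret at `/var/run/secrets/kubernetes.io/serviceaccount`, the path the kubelet uses for its own automatic mount; the same block is repeated in modules/gloo/main.tf, modules/ingress/main.tf and modules/ingress-proxy/main.tf. Nothing on the page says why the hand mount is needed — presumably the pod spec does not automount the token in this provider version — and a later maintainer who turns automounting on may end up with two definitions of the same path, so the intent should sit next to the volume: `# Hand-mounted because the pod spec does not automount the SA token; keep mount_path on the kubelet default so in-cluster clients find it, and do not also enable automount.`. `read_only = true` is the right choice; a fixed volume name such as `service-account-token` instead of reusing the secret name would also decouple the pod layout from the provider-generated secret name, since the volume name only needs to be unique within the pod. The enclosing `kubernetes_deployment` resource starts and ends outside the hunk.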
8 changes: 8 additions & 0 deletions modules/discovery/variables.tf
Expand Up @@ -2,6 +2,14 @@ variable "namespace" {
type = "string"
}

variable "service_account_name" {
type = "string"
}

variable "service_account_secret_name" {
type = "string"
}

variable "replicas" {
type = "string"
default = 1
16 changes: 16 additions & 0 deletions modules/gloo/main.tf
Expand Up @@ -28,6 +28,16 @@ resource "kubernetes_deployment" "gloo" {
}

spec {
service_account_name = "${var.service_account_name}"

volume {
name = "${var.service_account_secret_name}"

secret {
secret_name = "${var.service_account_secret_name}"
}
}

container {
name = "gloo"
image = "${var.container_image}:${var.container_tag}"
Expand All @@ -39,6 +49,12 @@ resource "kubernetes_deployment" "gloo" {
protocol = "TCP"
}

volume_mount {
mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
name = "${var.service_account_secret_name}"
read_only = true
}

env {
name = "POD_NAMESPACE"

8 changes: 8 additions & 0 deletions modules/gloo/variables.tf
Expand Up @@ -2,6 +2,14 @@ variable "namespace" {
type = "string"
}

variable "service_account_name" {
type = "string"
}

variable "service_account_secret_name" {
type = "string"
}

variable "replicas" {
type = "string"
default = 1
16 changes: 16 additions & 0 deletions modules/ingress-proxy/main.tf
Expand Up @@ -52,6 +52,16 @@ resource "kubernetes_deployment" "ingress_proxy" {
}

spec {
service_account_name = "${var.service_account_name}"

volume {
name = "${var.service_account_secret_name}"

secret {
secret_name = "${var.service_account_secret_name}"
}
}

volume {
name = "envoy-config"

Expand All @@ -71,6 +81,12 @@ resource "kubernetes_deployment" "ingress_proxy" {
name = "envoy-config"
}

volume_mount {
mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
name = "${var.service_account_secret_name}"
read_only = true
}

port {
name = "http"
protocol = "TCP"
8 changes: 8 additions & 0 deletions modules/ingress-proxy/variables.tf
Expand Up @@ -2,6 +2,14 @@ variable "namespace" {
type = "string"
}

variable "service_account_name" {
type = "string"
}

variable "service_account_secret_name" {
type = "string"
}

variable "xds_port" {
type = "string"
}
16 changes: 16 additions & 0 deletions modules/ingress/main.tf
Expand Up @@ -28,11 +28,27 @@ resource "kubernetes_deployment" "ingress" {
}

spec {
service_account_name = "${var.service_account_name}"

volume {
name = "${var.service_account_secret_name}"

secret {
secret_name = "${var.service_account_secret_name}"
}
}

container {
name = "ingress"
image = "${var.container_image}:${var.container_tag}"
image_pull_policy = "Always"

volume_mount {
mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
name = "${var.service_account_secret_name}"
read_only = true
}

env {
name = "POD_NAMESPACE"

8 changes: 8 additions & 0 deletions modules/ingress/variables.tf
Expand Up @@ -2,6 +2,14 @@ variable "namespace" {
type = "string"
}

variable "service_account_name" {
type = "string"
}

variable "service_account_secret_name" {
type = "string"
}

variable "replicas" {
type = "string"
default = 1
5 changes: 5 additions & 0 deletions variables.tf
Expand Up @@ -3,6 +3,11 @@ variable "namespace" {
default = "gloo-system"
}

variable "service_account_name" {
type = "string"
default = "gloo"
}

variable "xds_port" {
type = "string"
default = 9977
