
modules

master
Vladimir Smagin 1 month ago
parent
commit
38cc7b9256
6 changed files with 143 additions and 0 deletions
  1. +56
    -0
      modules-sample/modules/k8s-users/main.tf
  2. +5
    -0
      modules-sample/modules/k8s-users/outputs.tf
  3. +19
    -0
      modules-sample/modules/k8s-users/variables.tf
  4. +20
    -0
      modules-sample/scripts/kubeconfig/config.tmpl
  5. +12
    -0
      modules-sample/scripts/kubeconfig/generate.sh
  6. +31
    -0
      modules-sample/users.tf

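--- a/modules-sample/modules/k8s-users/main.tf
+++ b/modules-sample/modules/k8s-users/main.tf
@@ -0,0 +1,56 @@
+resource "kubernetes_service_account" "user" {
+metadata {
+name = "user-${var.username}"
+namespace = var.namespace
+}
+}
+# `count` helps set some condition for resources
+# to create or not to create, this is a question
+resource "kubernetes_role_binding" "role-binding" {
+count = var.use_crb == false ? 1 : 0
+metadata {
+name = "role-binding-${var.username}"
+namespace = var.namespace
+}
+role_ref {
+api_group = "rbac.authorization.k8s.io"
+kind = "ClusterRole"
+name = var.role
+}
+subject {
+kind = "ServiceAccount"
+name = "user-${var.username}"
+namespace = var.namespace
+}
+}
+resource "kubernetes_cluster_role_binding" "role-binding" {
+count = var.use_crb == true ? 1 : 0
+metadata {
+name = "role-binding-${var.username}"
+}
+role_ref {
+api_group = "rbac.authorization.k8s.io"
+kind = "ClusterRole"
+name = var.role
+}
+subject {
+kind = "ServiceAccount"
+name = "user-${var.username}"
+namespace = var.namespace
+}
+}
+data "kubernetes_service_account" "user" {
+depends_on = [kubernetes_service_account.user]
+metadata {
+name = kubernetes_service_account.user.metadata[0].name
+namespace = kubernetes_service_account.user.metadata[0].namespace
+}
+}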
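Review bot: The credential this module ultimately hands out is the automatically generated service-account token secret, read through `data.kubernetes_service_account.user.default_secret_name` in outputs.tf, and Kubernetes stopped auto-creating those secrets from 1.24 onwards, so on current clusters the data source is likely to return an empty name and the downstream `kubectl get secret` command fails. If a long-lived token is really what you want, create it explicitly with a `kubernetes_secret` of `type = "kubernetes.io/service-account-token"` annotated with the service account name and expose that secret's name; otherwise point users at short-lived tokens instead. As a matter of style, the two `count` guards compare a bool against a literal; `count = var.use_crb ? 0 : 1` and `count = var.use_crb ? 1 : 0` say the same thing more directly.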

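--- a/modules-sample/modules/k8s-users/outputs.tf
+++ b/modules-sample/modules/k8s-users/outputs.tf
@@ -0,0 +1,5 @@
+output "user-token" {
+depends_on = [ kubernetes_service_account.user ]
+value = "kubectl get secret -o yaml -n ${data.kubernetes_service_account.user.metadata[0].namespace} ${data.kubernetes_service_account.user.default_secret_name}"
+description = "command to get user cert"
+}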
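Review bot: The description `command to get user cert` understates what the value does: `kubectl get secret -o yaml` prints the entire secret, bearer token included, to whatever terminal or CI log runs it. Change the description to `description = "command that prints the service-account token secret (token + CA)"`, or narrow the output to the secret's namespace and name and let the kubeconfig script read the fields it needs. The output itself is only a command string, so `sensitive = true` is not needed, but a reader skimming `terraform output` should not mistake it for the certificate alone.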

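--- a/modules-sample/modules/k8s-users/variables.tf
+++ b/modules-sample/modules/k8s-users/variables.tf
@@ -0,0 +1,19 @@
+variable "username" {
+description = "Name of user"
+type = string
+}
+variable "namespace" {
+description = "Namespace to deploy"
+type = string
+}
+variable "role" {
+description = "ClusterRole to bind"
+type = string
+}
+variable "use_crb" {
+description = "Use ClusterRoleBinding"
+type = bool
+}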
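Review bot: `use_crb` has no default, so nothing steers a caller toward the namespaced RoleBinding over the cluster-wide ClusterRoleBinding; adding `default = false` makes the narrower grant the one you get when the argument is omitted. `role` is bound as a `ClusterRole` in main.tf but accepts any string, and the RBAC API does not check that a referenced role exists, so a typo produces a binding to nothing and a successful apply; a `validation` block or at least a description saying `ClusterRole name that must already exist in the cluster` would catch that earlier.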

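--- a/modules-sample/scripts/kubeconfig/config.tmpl
+++ b/modules-sample/scripts/kubeconfig/config.tmpl
@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+certificate-authority-data: %CRT%
+server: https://192.168.1.9:16443
+name: my-cluster
+contexts:
+- context:
+cluster: my-cluster
+namespace: %NAMESPACE%
+user: developer
+name: my-cluster
+current-context: my-cluster
+kind: Config
+preferences: {}
+users:
+- name: developer
+user:
+token: %TOKEN%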
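Review bot: The API endpoint `server: https://192.168.1.9:16443` is hard-coded while the CA, token and namespace are placeholders, so a kubeconfig generated against any other cluster carries the right CA and token but the wrong server. A `%SERVER%` placeholder filled in generate.sh from `kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'` would keep the template cluster-agnostic. The rendered page has dropped YAML indentation, so the nesting of the real file could not be verified here.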

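--- a/modules-sample/scripts/kubeconfig/generate.sh
+++ b/modules-sample/scripts/kubeconfig/generate.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+NAMESPACE="$1"
+SECRET="$2"
+TOKEN=$(kubectl get secret -o jsonpath="{.data.token}" -n $NAMESPACE $SECRET|base64 -d)
+CRT=$(kubectl get secret -o jsonpath="{.data.ca\.crt}" -n $NAMESPACE $SECRET)
+USERNAME=$(kubectl get secret -o jsonpath="{.metadata.annotations.kubernetes\.io\/service\-account\.name}" -n $NAMESPACE $SECRET)
+sed "s/%TOKEN%/$TOKEN/g" config.tmpl > "kubeconfig-$USERNAME"
+sed -i "s/%NAMESPACE%/$NAMESPACE/g" "kubeconfig-$USERNAME"
+sed -i "s/%CRT%/$CRT/g" "kubeconfig-$USERNAME"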
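Review bot: `sed -i "s/%CRT%/$CRT/g"` uses `/` as the delimiter, but `$CRT` is standard base64 whose alphabet contains `/`, so for most CA certificates sed fails with `unknown option to 's'` and, under `set -e`, the script aborts after `kubeconfig-$USERNAME` has already been written with the token in it. Use a delimiter outside the base64 alphabet such as `|`, quote `$NAMESPACE` and `$SECRET`, and add `pipefail` so a failed `kubectl … | base64 -d` does not template an empty token in silently. The output file is a bearer credential, so set `umask 077` before creating it, and resolve `config.tmpl` relative to the script rather than the current directory so the script works from anywhere.
```shell
#!/bin/bash
set -euo pipefail
umask 077   # the generated kubeconfig holds a bearer token; owner-readable only
NAMESPACE="$1"
SECRET="$2"
TMPL="$(dirname "$0")/config.tmpl"
TOKEN=$(kubectl get secret -o jsonpath="{.data.token}" -n "$NAMESPACE" "$SECRET" | base64 -d)
CRT=$(kubectl get secret -o jsonpath="{.data.ca\.crt}" -n "$NAMESPACE" "$SECRET")
USERNAME=$(kubectl get secret -o jsonpath="{.metadata.annotations.kubernetes\.io\/service\-account\.name}" -n "$NAMESPACE" "$SECRET")
# '|' is not in the base64 alphabet, so it is a safe sed delimiter for the cert and token
sed "s|%TOKEN%|$TOKEN|g" "$TMPL" > "kubeconfig-$USERNAME"
sed -i "s|%NAMESPACE%|$NAMESPACE|g" "kubeconfig-$USERNAME"
sed -i "s|%CRT%|$CRT|g" "kubeconfig-$USERNAME"
```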

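--- a/modules-sample/users.tf
+++ b/modules-sample/users.tf
@@ -0,0 +1,31 @@
+# create some role before use
+resource "kubernetes_cluster_role" "role-developers" {
+metadata {
+name = "role-developers"
+}
+rule {
+api_groups = ["", "apiextensions.k8s.io", "apps"]
+resources = ["*"]
+verbs = ["*"]
+}
+}
+# use module
+module "user-lisax" {
+source = "./modules/k8s-users"
+username = "lisax"
+namespace = "default"
+# you can use role above or one of predefined in kubernetes
+role = "cluster-admin"
+# use ClusterRoleBinding instead of RoleBinding to make permissions cluster-wide
+use_crb = true
+}
+# print module output
+output "user-lisax-token" {
+value = module.user-lisax.user-token
+}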
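Review bot: The sample grants `cluster-admin` cluster-wide (`role = "cluster-admin"` together with `use_crb = true`) to an ordinary user while the purpose-built role defined just above goes unused, so anyone copying the example starts from the broadest grant Kubernetes has. Pointing the module at that role, `role = kubernetes_cluster_role.role-developers.metadata[0].name` with `use_crb = false`, demonstrates the namespaced path and also gives Terraform the ordering that the comment `create some role before use` currently leaves implicit, since a string literal creates no dependency on the role resource. The `role-developers` rule itself is `resources = ["*"]`, `verbs = ["*"]` over the core, `apps` and `apiextensions.k8s.io` groups, which includes creating and deleting CRDs; listing the kinds developers actually need would make it a meaningful least-privilege example.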
