@DevOpsFu
Created February 26, 2020 17:59
Terraform and Linkerd
# Trust anchor (root CA) key for the Linkerd identity PKI.
# The generated private key is written unencrypted into Terraform state,
# so the state backend must be access-controlled and encrypted at rest.
resource "tls_private_key" "trustanchor_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
# Self-signed trust anchor certificate. It is passed to the chart as
# global.identityTrustAnchorsPEM and used to sign the issuer certificate.
resource "tls_self_signed_cert" "trustanchor_cert" {
  key_algorithm   = tls_private_key.trustanchor_key.algorithm
  private_key_pem = tls_private_key.trustanchor_key.private_key_pem

  # 87600 h is roughly ten years. A long-lived root is conventional, but
  # note there is no rotation path here other than replacing this resource.
  validity_period_hours = 87600
  is_ca_certificate     = true

  subject {
    common_name = "identity.linkerd.cluster.local"
  }

  # server_auth / client_auth are not needed for a CA that only signs other
  # certificates; cert_signing and crl_signing alone are the minimal set.
  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth",
  ]
}
# Issuer (intermediate CA) key. Like the trust anchor key it lives in
# plaintext in Terraform state and is also handed to the chart as
# identity.issuer.tls.keyPEM, so treat state and plan output as secret.
resource "tls_private_key" "issuer_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
# CSR for the issuer certificate, signed below by the trust anchor.
resource "tls_cert_request" "issuer_req" {
  key_algorithm   = tls_private_key.issuer_key.algorithm
  private_key_pem = tls_private_key.issuer_key.private_key_pem

  subject {
    common_name = "identity.linkerd.cluster.local"
  }
}
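# Issuer certificate, signed by the trust anchor. Its PEM and expiry are
# fed to the chart as identity.issuer.tls.crtPEM / identity.issuer.crtExpiry.
resource "tls_locally_signed_cert" "issuer_cert" {
  cert_request_pem   = tls_cert_request.issuer_req.cert_request_pem
  ca_key_algorithm   = tls_private_key.trustanchor_key.algorithm
  ca_private_key_pem = tls_private_key.trustanchor_key.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.trustanchor_cert.cert_pem

  # 8760 h is one year. Without early renewal the issuer simply expires and
  # identity issuance stops; early_renewal_hours makes the next apply inside
  # the renewal window re-issue the certificate (same issuer key, same trust
  # anchor), and the dependent helm_release then picks up the new PEM.
  # 720 h (~30 days) is a constructed default; tune it to your apply cadence.
  validity_period_hours = 8760
  early_renewal_hours   = 720
  is_ca_certificate     = true

  # As with the trust anchor, server_auth / client_auth are not required for
  # a signing-only CA and could be dropped.
  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth",
  ]
}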
# Linkerd stable chart repository.
# NOTE(review): the helm_repository data source is deprecated in newer
# Helm provider releases (see the comment below); helm_release accepts the
# repository URL directly in its `repository` argument instead.
data "helm_repository" "linkerd" {
  name = "linkerd"
  url  = "https://helm.linkerd.io/stable"
}
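# Installs the Linkerd control plane with the Terraform-generated identity
# PKI. Uses the repository URL directly rather than the deprecated
# helm_repository data source.
resource "helm_release" "linkerd" {
  name       = "linkerd"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd2"
  # Consider pinning `version` to a reviewed chart release so a repository
  # update cannot silently change what gets installed.

  # Trust anchor bundle: public material, safe in plan output.
  set {
    name  = "global.identityTrustAnchorsPEM"
    value = tls_self_signed_cert.trustanchor_cert.cert_pem
  }

  set {
    name  = "identity.issuer.crtExpiry"
    value = tls_locally_signed_cert.issuer_cert.validity_end_time
  }

  # Issuer certificate: public material.
  set {
    name  = "identity.issuer.tls.crtPEM"
    value = tls_locally_signed_cert.issuer_cert.cert_pem
  }

  # Issuer private key: set_sensitive keeps it out of plan/apply output.
  # It is still stored in Terraform state.
  set_sensitive {
    name  = "identity.issuer.tls.keyPEM"
    value = tls_private_key.issuer_key.private_key_pem
  }
}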
# Test namespace; the annotation opts every pod created in it into
# automatic Linkerd proxy injection.
resource "kubernetes_namespace" "test1" {
  metadata {
    name = "test1"

    annotations = {
      "linkerd.io/inject" = "enabled"
    }
  }
}
# Second test namespace, injected the same way as test1.
resource "kubernetes_namespace" "test2" {
  metadata {
    name = "test2"

    annotations = {
      "linkerd.io/inject" = "enabled"
    }
  }
}
# Default-deny ingress for namespace test1, with two allowed sources.
# Only Ingress is listed in policy_types, so egress is left unrestricted.
resource "kubernetes_network_policy" "test1IngressPolicy" {
  metadata {
    name      = "test1-ingress"
    namespace = kubernetes_namespace.test1.metadata[0].name
  }

  spec {
    # Empty selector: the policy applies to every pod in the namespace.
    pod_selector {}

    ingress {
      # The `from` entries are alternatives; traffic matching either is allowed.

      # Pods in any namespace carrying the control-plane label, so the
      # Linkerd control plane can reach the injected proxies.
      from {
        namespace_selector {
          match_labels = {
            "linkerd.io/is-control-plane" = "true"
          }
        }
      }

      # Any pod in this same namespace (no namespace_selector given).
      from {
        pod_selector {}
      }
    }

    policy_types = ["Ingress"]
  }
}
# Same ingress policy as test1, applied to namespace test2: allow the
# Linkerd control plane and same-namespace pods, deny all other ingress.
# Egress is not restricted by this policy.
resource "kubernetes_network_policy" "test2IngressPolicy" {
  metadata {
    name      = "test2-ingress"
    namespace = kubernetes_namespace.test2.metadata[0].name
  }

  spec {
    # Applies to all pods in the namespace.
    pod_selector {}

    ingress {
      # Either source below is permitted.
      from {
        namespace_selector {
          match_labels = {
            "linkerd.io/is-control-plane" = "true"
          }
        }
      }

      from {
        pod_selector {}
      }
    }

    policy_types = ["Ingress"]
  }
}
@learning813

The `helm_repository` data source is deprecated in Terraform now :(
