@TylerWanner
Last active September 23, 2021 21:35
Linkerd Control Plane with Helm and Terraform
# State for this configuration is kept in a local file, and the inputs it needs
# are read from three sibling state files under ../states/.
#
# Security notes for reviewers:
# - A local state file is plain JSON on disk. Values passed to helm_release via
#   set_sensitive are hidden from plan output but still end up in state, so the
#   ../states/ directory should be kept out of version control and readable only
#   by the operators who run Terraform. A remote backend with encryption at rest
#   and access control is the usual alternative for shared use.
# - The provider blocks take the API server endpoint and CA certificate from
#   cluster.tfstate. Anyone able to modify that file can change which endpoint
#   receives the access token, so its integrity matters as much as its secrecy.
terraform {
  backend "local" {
    path = "../states/linkerd.tfstate"
  }
}

# Cluster outputs read elsewhere in this listing: cluster_endpoint and cacert.
data "terraform_remote_state" "cluster" {
  backend = "local"
  config = {
    path = "../states/cluster.tfstate"
  }
}

# NOTE(review): nothing in the visible configuration references this data
# source. Presumably it exists to make a missing cert-manager state fail early;
# confirm, or drop it so this configuration does not read state it does not need.
data "terraform_remote_state" "cm" {
  backend = "local"
  config = {
    path = "../states/cert_manager.tfstate"
  }
}

# Supplies outputs.cert, which is passed to the Linkerd chart as
# identityTrustAnchorsPEM.
# NOTE(review): presumably this is the public trust-anchor certificate only.
# The matching private key should not be exposed as a Terraform output, since
# outputs are stored in state in clear text. Verify against the cm_crds
# configuration.
data "terraform_remote_state" "cm_crds" {
  backend = "local"
  config = {
    path = "../states/cm_crds.tfstate"
  }
}
# Installs the Linkerd control plane chart (linkerd2, pinned to 2.10.2) into the
# "linkerd" namespace, layering values-ha.yaml under the individual overrides
# set below.
resource "helm_release" "linkerd" {
  name = "linkerd"
  namespace = "linkerd"
  chart = "linkerd2"
  repository = "https://helm.linkerd.io/stable"
  # Pinning an exact chart version keeps installs reproducible.
  # NOTE(review): 2.10.2 dates from 2021; check the project's release notes and
  # security advisories before reusing this pin.
  version = "2.10.2"
  # atomic: a failed install or upgrade is rolled back instead of leaving a
  # half-applied control plane in the cluster.
  atomic = true
  # file() resolves relative to the working directory Terraform is run from.
  values = [
    file("values-ha.yaml")
  ]

  set {
    name = "linkerdVersion"
    value = "stable-2.10.2"
  }

  # Trust anchor for the mesh identity system, taken from the cm_crds state.
  # set_sensitive keeps the value out of the plan diff; it is still written to
  # the state file.
  set_sensitive {
    name = "identityTrustAnchorsPEM"
    value = data.terraform_remote_state.cm_crds.outputs.cert
  }

  # With the kubernetes.io/tls scheme the issuer certificate and key are not
  # passed through Helm values (and so not through Terraform state); the chart
  # expects them in a TLS Secret that already exists in the namespace.
  # NOTE(review): presumably cert-manager creates and rotates that Secret from
  # one of the sibling configurations. Confirm it chains to the trust anchor
  # above, otherwise proxies will fail identity validation.
  set {
    name = "identity.issuer.scheme"
    value = "kubernetes.io/tls"
  }

  # The chart will not create the namespace, so "linkerd" must exist before
  # apply.
  # NOTE(review): a manually created control-plane namespace needs the labels
  # and annotations the chart would otherwise add (for example the one that
  # disables admission webhooks for it). Check the chart documentation.
  set {
    name = "installNamespace"
    value = "false"
  }
}
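# Installs the linkerd-viz extension chart (metrics, dashboard, tap), pinned to
# the same 2.10.2 release as the control plane.
#
# NOTE(review): viz components can show live request metadata through the
# dashboard and tap. Restrict who can reach the dashboard and who holds the tap
# RBAC permissions; this configuration sets neither.
resource "helm_release" "linkerd_viz" {
  name = "linkerd-viz"
  chart = "linkerd-viz"
  namespace = "linkerd"
  repository = "https://helm.linkerd.io/stable"
  version = "2.10.2"

  set {
    name = "linkerdVersion"
    value = "stable-2.10.2"
  }

  # The extension has no attribute reference to the control-plane release, so
  # without this Terraform may install both in parallel. Viz pods created before
  # the proxy injector is serving would presumably start without a sidecar,
  # i.e. outside the mesh's mTLS and identity.
  depends_on = [helm_release.linkerd]
}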
# Provider wiring: authenticates to the cluster described in cluster.tfstate
# using the Google credentials of whoever runs Terraform.
#
# NOTE(review): another terraform block in this listing sets
# required_version = ">= 1". Both constraints apply, so this looser one has no
# effect and could be removed to avoid confusion.
terraform { required_version = ">= 0.12.13" }

# No explicit settings: project and credentials come from the environment
# (application default credentials or the provider's environment variables).
provider google {}

# Yields a short-lived OAuth2 access token for the identity running Terraform.
# Everything the kubernetes and helm providers do happens with that identity's
# Kubernetes permissions. Installing Linkerd creates cluster-scoped objects
# (CRDs, ClusterRoles, admission webhooks), so the identity needs broad rights;
# prefer a dedicated deployment identity over a personal account.
data "google_client_config" "default" {}

provider kubernetes {
  host = "https://${data.terraform_remote_state.cluster.outputs.cluster_endpoint}"
  token = data.google_client_config.default.access_token
  # The API server certificate is verified against the CA recorded in the
  # cluster state. Keep this rather than disabling TLS verification.
  cluster_ca_certificate = base64decode(data.terraform_remote_state.cluster.outputs.cacert)
}

# Same endpoint, token and CA as the kubernetes provider above. The helm
# provider takes its own copy of the connection settings.
provider "helm" {
  kubernetes {
    host = "https://${data.terraform_remote_state.cluster.outputs.cluster_endpoint}"
    token = data.google_client_config.default.access_token
    cluster_ca_certificate = base64decode(data.terraform_remote_state.cluster.outputs.cacert)
  }
}
# This values.yaml file contains the values needed to enable HA mode.
# Usage:
# helm install -f values.yaml -f values-ha.yaml
#
# NOTE(review): the listing this was taken from had lost its indentation; the
# nesting below is reconstructed and should be checked against the values-ha.yaml
# shipped with the chart version actually installed.
# NOTE(review): the "global:" scope and the grafana/prometheus/tap/web keys look
# like the pre-2.10 chart layout, while the Terraform release pins chart 2.10.2.
# Helm ignores unknown keys without error, so the proxy resource limits below may
# silently not apply. Confirm against chart 2.10.2 and the linkerd-viz chart.

# Spreads control-plane replicas across nodes so one node failure does not take
# out identity or the proxy injector.
enablePodAntiAffinity: true

global:
  # proxy configuration
  proxy:
    resources:
      cpu:
        limit: "1"
        request: 100m
      memory:
        limit: 250Mi
        request: 20Mi

# controller configuration
controllerReplicas: 3
# The anchors (&...) defined here are reused by alias (*...) for the other
# components, so editing these limits changes every component that references them.
controllerResources: &controller_resources
  cpu: &controller_resources_cpu
    limit: "1"
    request: 100m
  memory:
    limit: 250Mi
    request: 50Mi
destinationResources: *controller_resources
publicAPIResources: *controller_resources

# identity configuration
identityResources:
  cpu: *controller_resources_cpu
  memory:
    limit: 250Mi
    request: 10Mi

# grafana configuration
grafana:
  resources:
    cpu: *controller_resources_cpu
    memory:
      limit: 1024Mi
      request: 50Mi

# heartbeat configuration
heartbeatResources: *controller_resources

# prometheus configuration
prometheusResources:
  cpu:
    limit: "1"
    request: 300m
  memory:
    limit: 4096Mi
    request: 300Mi

# proxy injector configuration
proxyInjectorResources: *controller_resources
# Fail closed: if the injector webhook cannot be reached, pod admission is
# rejected rather than letting workloads start without a proxy (and so without
# mTLS). The trade-off is availability: namespaces that must keep scheduling
# during an injector outage, kube-system in particular, need the
# config.linkerd.io/admission-webhooks=disabled label.
webhookFailurePolicy: Fail

# service profile validator configuration
spValidatorResources: *controller_resources

# tap configuration
tapResources: *controller_resources

# web configuration
webResources: *controller_resources
# Provider and CLI version constraints.
#
# Each provider is pinned to an exact version, which keeps runs reproducible.
# For supply-chain integrity also commit the .terraform.lock.hcl file that
# `terraform init` generates: it records the provider checksums, so a later init
# fails if a downloaded provider binary does not match.
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "3.85.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.3.0"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.5.0"
    }
  }

  # Open-ended lower bound: any Terraform 1.x or later CLI is accepted.
  required_version = ">= 1"
}