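locals {
  kruise_ecr_token_updater_service_account = "kruise-ecr-token-updater"
  kruise_ecr_token_secret_name             = "kruise-ecr-token"

  # Shell script executed by the updater CronJob (/bin/sh -c) to refresh the
  # ECR pull secret. `$${...}` is a Terraform escape and reaches the shell as
  # `${...}`; AWS_ACCOUNT, AWS_REGION and DOCKER_SECRET_NAME are provided by the
  # ConfigMap injected through env_from. The namespace name is interpolated by
  # Terraform at plan time.
  kruise_ecr_token_updater_script = <<-EOF
    # Abort on any failing command or unset variable so that a failed token
    # fetch can never delete the working secret and replace it with an empty one.
    set -eu
    ECR_TOKEN=$(aws ecr get-login-password --region "$${AWS_REGION}")
    if [ -z "$${ECR_TOKEN}" ]; then
      echo "No ECR token returned; leaving the existing secret untouched" >&2
      exit 1
    fi
    NAMESPACE_NAME=${kubernetes_namespace.kruise_system.metadata[0].name}
    # delete + create matches the Role's verbs (delete on this one name, create);
    # note there is a brief window with no secret between the two commands.
    kubectl delete secret --ignore-not-found "$${DOCKER_SECRET_NAME}" -n "$${NAMESPACE_NAME}"
    kubectl create secret docker-registry "$${DOCKER_SECRET_NAME}" \
      --docker-server="https://$${AWS_ACCOUNT}.dkr.ecr.$${AWS_REGION}.amazonaws.com" \
      --docker-username=AWS \
      --docker-password="$${ECR_TOKEN}" \
      --namespace="$${NAMESPACE_NAME}"
    echo "Secret was successfully updated at $(date)"
  EOF
}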
# Namespace that holds the OpenKruise controller and the rotated pull secret.
# Every other block below derives its namespace from this resource rather than
# repeating the literal name.
resource "kubernetes_namespace" "kruise_system" {
  metadata {
    name = "kruise-system"
  }
}
# AWS-managed policy; read-only ECR access is all the updater needs to call
# `aws ecr get-login-password`.
data "aws_iam_policy" "ecr_read_only" {
  arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
# IAM role for the updater, assumable only through IRSA (EKS OIDC federation)
# by the single namespace:serviceaccount pair listed below. It carries nothing
# beyond the read-only ECR policy resolved above.
module "kruise_ecr_token_updater_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0"

  create_role = true
  role_name   = "kruise-ecr-token-updater-${local.cluster_name}"

  role_policy_arns = {
    ecr_read_only = data.aws_iam_policy.ecr_read_only.arn
  }

  # Trust policy: the eks-red cluster's OIDC provider, restricted to the
  # updater ServiceAccount in the kruise-system namespace.
  oidc_providers = {
    irsa = {
      provider_arn               = module.eks-red.oidc_provider_arn
      namespace_service_accounts = ["${kubernetes_namespace.kruise_system.metadata[0].name}:${local.kruise_ecr_token_updater_service_account}"]
    }
  }
}
# ServiceAccount the CronJob runs as. The role-arn annotation is what makes
# the EKS pod identity webhook inject IRSA credentials into the pod.
resource "kubernetes_service_account" "kruise_ecr_token_updater" {
  metadata {
    name      = local.kruise_ecr_token_updater_service_account
    namespace = kubernetes_namespace.kruise_system.metadata[0].name

    annotations = {
      "eks.amazonaws.com/role-arn" = module.kruise_ecr_token_updater_irsa.iam_role_arn
    }
  }
}
# Namespace-scoped RBAC for the updater: it may only delete the one secret it
# manages, plus create secrets in the namespace.
resource "kubernetes_role" "kruise_ecr_token_updater" {
  metadata {
    name      = "kruise-ecr-token-updater"
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
  }

  # Deletion is pinned to the single secret name the script replaces.
  rule {
    api_groups     = [""]
    resources      = ["secrets"]
    resource_names = [local.kruise_ecr_token_secret_name]
    verbs          = ["delete"]
  }

  # "create" cannot be narrowed with resource_names (the API server does not
  # know the object's name at authorization time for create requests), so this
  # rule necessarily covers every Secret in the namespace. Moving the script to
  # `kubectl apply`/patch would let this be a name-scoped update/patch instead.
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["create"]
  }
}
# Binds the updater Role to the updater ServiceAccount in the same namespace.
# Subject name and namespace are taken from the ServiceAccount resource so the
# binding cannot drift from it.
resource "kubernetes_role_binding" "kruise_ecr_token_updater" {
  metadata {
    name      = "kruise-ecr-token-updater"
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.kruise_ecr_token_updater.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name
    namespace = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].namespace
  }
}
# Non-secret parameters consumed by the updater script (account id, region and
# the name of the secret to rotate). The ECR token itself is never stored here;
# it is fetched at run time by the job.
resource "kubernetes_config_map" "kruise_ecr_token_updater" {
  metadata {
    name      = "kruise-ecr-token-updater"
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
  }

  data = {
    AWS_ACCOUNT        = data.aws_caller_identity.current.account_id
    AWS_REGION         = data.aws_region.current.name
    DOCKER_SECRET_NAME = local.kruise_ecr_token_secret_name
  }
}
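# CronJob that periodically re-creates the ECR docker-registry secret using
# the IRSA-bound ServiceAccount and the script defined in locals.
resource "kubernetes_cron_job_v1" "kruise_ecr_token_updater" {
  metadata {
    name      = "kruise-ecr-token-updater"
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
  }

  spec {
    # ECR authorization tokens are short-lived (AWS documents a 12-hour
    # validity); a 10-hour cadence leaves a margin for a delayed or failed run.
    schedule = "0 */10 * * *"

    # The script deletes and then re-creates the secret, so two runs must never
    # interleave (e.g. a stalled run overlapping the next scheduled one).
    concurrency_policy = "Forbid"

    job_template {
      metadata {}

      spec {
        template {
          metadata {}

          spec {
            # Carries the eks.amazonaws.com/role-arn annotation for IRSA.
            service_account_name = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name
            # NOTE(review): restart_policy is not set explicitly; Jobs accept
            # only "OnFailure"/"Never" — confirm the provider supplies one for
            # this resource, or set it here.

            container {
              name = "kruise-ecr-token-updater"
              # NOTE(review): a mutable third-party tag runs with the ECR read
              # credentials and secret create/delete rights; pin it to a digest
              # (or a tag in a registry you control) so the image cannot change
              # underneath the job.
              image = "odaniait/aws-kubectl:latest"

              command = [
                "/bin/sh",
                "-c",
                local.kruise_ecr_token_updater_script,
              ]

              # Supplies AWS_ACCOUNT, AWS_REGION and DOCKER_SECRET_NAME.
              env_from {
                config_map_ref {
                  name = kubernetes_config_map.kruise_ecr_token_updater.metadata[0].name
                }
              }
            }
          }
        }
      }
    }
  }
}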
# Installs OpenKruise from its upstream chart. The Helm release record lives in
# kube-system while the chart is told to place its components in the
# Terraform-managed kruise-system namespace.
resource "helm_release" "openkruise" {
  name       = "kruise"
  namespace  = "kube-system"
  repository = "https://openkruise.github.io/charts/"
  chart      = "kruise"
  version    = "1.3.0"

  # On upgrade, fall back to the chart's built-in values before applying the
  # `set` entries below, so stale values from earlier releases do not linger.
  reset_values = true

  set {
    name  = "installation.namespace"
    value = kubernetes_namespace.kruise_system.metadata[0].name
  }

  # The namespace already exists (created above); do not let the chart own it.
  set {
    name  = "installation.createNamespace"
    value = false
  }

  # NOTE(review): nothing in this release references the rotated pull secret
  # (local.kruise_ecr_token_secret_name); confirm how the chart's workloads are
  # expected to consume it, otherwise the CronJob maintains an unused secret.
}