This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| kruise_ecr_token_updater_service_account = "kruise-ecr-token-updater" | |
| kruise_ecr_token_secret_name = "kruise-ecr-token" | |
| kruise_ecr_token_updater_script = <<EOF | |
| ECR_TOKEN=`aws ecr get-login-password --region $${AWS_REGION}` | |
| NAMESPACE_NAME=${kubernetes_namespace.kruise_system.metadata[0].name} | |
| kubectl delete secret --ignore-not-found $DOCKER_SECRET_NAME -n $NAMESPACE_NAME | |
| kubectl create secret docker-registry $DOCKER_SECRET_NAME \ | |
| --docker-server=https://$${AWS_ACCOUNT}.dkr.ecr.$${AWS_REGION}.amazonaws.com \ | |
| --docker-username=AWS \ | |
| --docker-password="$${ECR_TOKEN}" \ | |
| --namespace=$NAMESPACE_NAME | |
| echo "Secret was successfully updated at $(date)" | |
| EOF | |
| } | |
| resource "kubernetes_namespace" "kruise_system" { | |
| metadata { | |
| name = "kruise-system" | |
| } | |
| } | |
| data "aws_iam_policy" "ecr_read_only" { | |
| arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" | |
| } | |
| module "kruise_ecr_token_updater_irsa" { | |
| source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" | |
| version = "~> 5.0" | |
| create_role = true | |
| role_name = "kruise-ecr-token-updater-${local.cluster_name}" | |
| role_policy_arns = { | |
| ecr_read_only = data.aws_iam_policy.ecr_read_only.arn | |
| } | |
| oidc_providers = { | |
| irsa = { | |
| provider_arn = module.eks-red.oidc_provider_arn | |
| namespace_service_accounts = ["${kubernetes_namespace.kruise_system.metadata[0].name}:${local.kruise_ecr_token_updater_service_account}"] | |
| } | |
| } | |
| } | |
| resource "kubernetes_service_account" "kruise_ecr_token_updater" { | |
| metadata { | |
| name = local.kruise_ecr_token_updater_service_account | |
| namespace = kubernetes_namespace.kruise_system.metadata[0].name | |
| annotations = { | |
| "eks.amazonaws.com/role-arn" = module.kruise_ecr_token_updater_irsa.iam_role_arn | |
| } | |
| } | |
| } | |
| resource "kubernetes_role" "kruise_ecr_token_updater" { | |
| metadata { | |
| name = "kruise-ecr-token-updater" | |
| namespace = kubernetes_namespace.kruise_system.metadata[0].name | |
| } | |
| rule { | |
| api_groups = [""] | |
| resources = ["secrets"] | |
| resource_names = [local.kruise_ecr_token_secret_name] | |
| verbs = ["delete"] | |
| } | |
| rule { | |
| api_groups = [""] | |
| resources = ["secrets"] | |
| verbs = ["create"] | |
| } | |
| } | |
| resource "kubernetes_role_binding" "kruise_ecr_token_updater" { | |
| metadata { | |
| name = "kruise-ecr-token-updater" | |
| namespace = kubernetes_namespace.kruise_system.metadata[0].name | |
| } | |
| role_ref { | |
| api_group = "rbac.authorization.k8s.io" | |
| kind = "Role" | |
| name = kubernetes_role.kruise_ecr_token_updater.metadata[0].name | |
| } | |
| subject { | |
| kind = "ServiceAccount" | |
| name = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name | |
| namespace = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].namespace | |
| } | |
| } | |
| resource "kubernetes_config_map" "kruise_ecr_token_updater" { | |
| metadata { | |
| name = "kruise-ecr-token-updater" | |
| namespace = kubernetes_namespace.kruise_system.metadata[0].name | |
| } | |
| data = { | |
| AWS_ACCOUNT = data.aws_caller_identity.current.account_id | |
| AWS_REGION = data.aws_region.current.name | |
| DOCKER_SECRET_NAME = local.kruise_ecr_token_secret_name | |
| } | |
| } | |
| resource "kubernetes_cron_job_v1" "kruise_ecr_token_updater" { | |
| metadata { | |
| name = "kruise-ecr-token-updater" | |
| namespace = kubernetes_namespace.kruise_system.metadata[0].name | |
| } | |
| spec { | |
| schedule = "0 */10 * * *" | |
| job_template { | |
| metadata {} | |
| spec { | |
| template { | |
| metadata {} | |
| spec { | |
| service_account_name = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name | |
| container { | |
| name = "kruise-ecr-token-updater" | |
| image = "odaniait/aws-kubectl:latest" | |
| command = [ | |
| "/bin/sh", | |
| "-c", | |
| local.kruise_ecr_token_updater_script | |
| ] | |
| env_from { | |
| config_map_ref { | |
| name = kubernetes_config_map.kruise_ecr_token_updater.metadata[0].name | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| resource "helm_release" "openkruise" { | |
| name = "kruise" | |
| namespace = "kube-system" | |
| repository = "https://openkruise.github.io/charts/" | |
| chart = "kruise" | |
| version = "1.3.0" | |
| reset_values = true | |
| set { | |
| name = "installation.namespace" | |
| value = kubernetes_namespace.kruise_system.metadata[0].name | |
| } | |
| set { | |
| name = "installation.createNamespace" | |
| value = false | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment