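locals {
  # Name of the ServiceAccount the refresh CronJob runs as (bound to the IRSA role below).
  kruise_ecr_token_updater_service_account = "kruise-ecr-token-updater"
  # Name of the docker-registry Secret that holds the short-lived ECR token.
  kruise_ecr_token_secret_name = "kruise-ecr-token"

  # Shell script executed by the CronJob container (see /bin/sh -c usage below).
  # Terraform interpolates `${...}` once at plan time; `$${...}` is left for the shell.
  # AWS_REGION, AWS_ACCOUNT and DOCKER_SECRET_NAME are expected in the container
  # environment (this file sources them from a ConfigMap via env_from).
  #
  # Fail fast: without `set -e` a failed `aws ecr get-login-password` would still
  # reach the delete/create steps and replace a working pull secret with an empty
  # password. The empty-token guard is belt-and-braces for shells where a failing
  # command substitution inside an assignment does not abort.
  kruise_ecr_token_updater_script = <<-EOF
    set -eu
    ECR_TOKEN="$(aws ecr get-login-password --region "$${AWS_REGION}")"
    if [ -z "$${ECR_TOKEN}" ]; then
      echo "Failed to obtain an ECR token; existing secret left untouched" >&2
      exit 1
    fi
    NAMESPACE_NAME="${kubernetes_namespace.kruise_system.metadata[0].name}"
    # The Role only grants delete + create (not update/patch), so the secret is
    # recreated rather than patched in place; a brief window with no secret exists.
    kubectl delete secret --ignore-not-found "$${DOCKER_SECRET_NAME}" -n "$${NAMESPACE_NAME}"
    kubectl create secret docker-registry "$${DOCKER_SECRET_NAME}" \
      --docker-server="https://$${AWS_ACCOUNT}.dkr.ecr.$${AWS_REGION}.amazonaws.com" \
      --docker-username=AWS \
      --docker-password="$${ECR_TOKEN}" \
      --namespace="$${NAMESPACE_NAME}"
    echo "Secret was successfully updated at $(date)"
  EOF
}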
# Dedicated namespace for OpenKruise and its ECR pull-secret refresher; every
# other resource in this file references metadata[0].name from here.
resource "kubernetes_namespace" "kruise_system" {
metadata {
name = "kruise-system"
}
}
# AWS-managed read-only ECR policy. Image pulls made with the token obtained by
# the updater run with this role's permissions, so read access to the image
# layers (not just ecr:GetAuthorizationToken) is required for the secret to be usable.
data "aws_iam_policy" "ecr_read_only" {
arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
# IAM role for service accounts (IRSA): the token-updater pod assumes this role
# via the cluster OIDC provider instead of holding long-lived AWS credentials.
# Trust is narrowed to exactly one namespace:serviceaccount pair.
module "kruise_ecr_token_updater_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0"

  role_name   = "kruise-ecr-token-updater-${local.cluster_name}"
  create_role = true

  # Only ECR read permissions; nothing else is needed to mint and use a pull token.
  role_policy_arns = {
    ecr_read_only = data.aws_iam_policy.ecr_read_only.arn
  }

  oidc_providers = {
    irsa = {
      provider_arn               = module.eks-red.oidc_provider_arn
      namespace_service_accounts = ["${kubernetes_namespace.kruise_system.metadata[0].name}:${local.kruise_ecr_token_updater_service_account}"]
    }
  }
}
# ServiceAccount used by the refresh CronJob. The role-arn annotation is what
# the EKS pod identity webhook reads to inject the IRSA web-identity credentials.
resource "kubernetes_service_account" "kruise_ecr_token_updater" {
  metadata {
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
    name      = local.kruise_ecr_token_updater_service_account
    annotations = {
      "eks.amazonaws.com/role-arn" = module.kruise_ecr_token_updater_irsa.iam_role_arn
    }
  }
}
# Namespaced Role for the updater: just enough to replace one Secret.
resource "kubernetes_role" "kruise_ecr_token_updater" {
  metadata {
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
    name      = "kruise-ecr-token-updater"
  }

  # Deletion can be pinned to the single secret by name.
  rule {
    api_groups     = [""]
    resources      = ["secrets"]
    resource_names = [local.kruise_ecr_token_secret_name]
    verbs          = ["delete"]
  }

  # Kubernetes RBAC cannot restrict `create` by resourceNames (the object name is
  # not known at authorization time), so this grant necessarily covers any Secret
  # in the namespace. The dedicated namespace is what bounds the blast radius.
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["create"]
  }
}
# Binds the Role above to the updater ServiceAccount within kruise-system only
# (a RoleBinding, not a ClusterRoleBinding, so the grant stays namespaced).
resource "kubernetes_role_binding" "kruise_ecr_token_updater" {
  metadata {
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
    name      = "kruise-ecr-token-updater"
  }

  subject {
    kind      = "ServiceAccount"
    namespace = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].namespace
    name      = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.kruise_ecr_token_updater.metadata[0].name
  }
}
# Non-secret parameters for the updater script, injected as environment
# variables through env_from on the CronJob container. The ECR token itself is
# never stored here; it is fetched at run time with the IRSA role.
resource "kubernetes_config_map" "kruise_ecr_token_updater" {
  metadata {
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
    name      = "kruise-ecr-token-updater"
  }

  data = {
    DOCKER_SECRET_NAME = local.kruise_ecr_token_secret_name
    AWS_REGION         = data.aws_region.current.name
    AWS_ACCOUNT        = data.aws_caller_identity.current.account_id
  }
}
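# CronJob that re-mints the ECR pull secret. ECR tokens expire after 12 hours,
# so a 10-hour cadence leaves a margin for a missed or failed run.
resource "kubernetes_cron_job_v1" "kruise_ecr_token_updater" {
  metadata {
    name      = "kruise-ecr-token-updater"
    namespace = kubernetes_namespace.kruise_system.metadata[0].name
  }

  spec {
    schedule = "0 */10 * * *"
    # Two runs racing on delete/create of the same secret is never useful.
    concurrency_policy = "Forbid"

    job_template {
      metadata {}
      spec {
        # Bounded retries: a persistently failing refresh should surface as a
        # failed Job rather than loop indefinitely.
        backoff_limit = 2

        template {
          metadata {}
          spec {
            service_account_name = kubernetes_service_account.kruise_ecr_token_updater.metadata[0].name
            # Job pods must use Never/OnFailure; set explicitly rather than relying
            # on the provider's pod-spec default.
            restart_policy = "OnFailure"

            container {
              name = "kruise-ecr-token-updater"
              # This pod holds IAM credentials (IRSA) and RBAC rights to write Secrets,
              # so the image is part of the trust boundary. `:latest` from a third-party
              # Docker Hub repo is mutable; pin to an immutable digest
              # (`odaniait/aws-kubectl@sha256:<DIGEST-PLACEHOLDER>`) or mirror the
              # image into a registry you control. Digest intentionally not invented here.
              image = "odaniait/aws-kubectl:latest"
              command = [
                "/bin/sh",
                "-c",
                local.kruise_ecr_token_updater_script
              ]
              # Supplies AWS_REGION / AWS_ACCOUNT / DOCKER_SECRET_NAME to the script.
              env_from {
                config_map_ref {
                  name = kubernetes_config_map.kruise_ecr_token_updater.metadata[0].name
                }
              }
            }
          }
        }
      }
    }
  }
}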
# OpenKruise operator install from the upstream chart, pinned to a fixed chart
# version. The Helm release object itself lives in kube-system while the chart is
# told to install components into kruise-system (created above, so
# installation.createNamespace is disabled) — presumably intentional; confirm.
resource "helm_release" "openkruise" {
  name       = "kruise"
  chart      = "kruise"
  repository = "https://openkruise.github.io/charts/"
  version    = "1.3.0"
  namespace  = "kube-system"

  reset_values = true

  set {
    name  = "installation.createNamespace"
    value = false
  }

  set {
    name  = "installation.namespace"
    value = kubernetes_namespace.kruise_system.metadata[0].name
  }
}