@@ -27,15 +27,63 @@ data "google_container_cluster" "cluster" {
2727 location = "europe-west1"
2828}
2929
30+ # Create the service account, cluster role + binding, which ArgoCD expects to be present in the targeted cluster
31+ resource "kubernetes_service_account" "argocd_manager" {
32+ metadata {
33+ name = "argocd-manager"
34+ namespace = "kube-system"
35+ }
36+ }
37+
38+ resource "kubernetes_cluster_role" "argocd_manager" {
39+ metadata {
40+ name = "argocd-manager-role"
41+ }
42+
43+ rule {
44+ api_groups = ["*"]
45+ resources = ["*"]
46+ verbs = ["*"]
47+ }
48+
49+ rule {
50+ non_resource_urls = ["*"]
51+ verbs = ["*"]
52+ }
53+ }
54+
55+ resource "kubernetes_cluster_role_binding" "argocd_manager" {
56+ metadata {
57+ name = "argocd-manager-role-binding"
58+ }
59+
60+ role_ref {
61+ api_group = "rbac.authorization.k8s.io"
62+ kind = "ClusterRole"
63+ name = kubernetes_cluster_role.argocd_manager.metadata.0.name
64+ }
65+
66+ subject {
67+ kind = "ServiceAccount"
68+ name = kubernetes_service_account.argocd_manager.metadata.0.name
69+ namespace = kubernetes_service_account.argocd_manager.metadata.0.namespace
70+ }
71+ }
72+
73+ data "kubernetes_secret" "argocd_manager" {
74+ metadata {
75+ name = kubernetes_service_account.argocd_manager.default_secret_name
76+ namespace = kubernetes_service_account.argocd_manager.metadata.0.namespace
77+ }
78+ }
79+
3080resource "argocd_cluster" "gke" {
3181 server = format("https://%s", data.google_container_cluster.cluster.endpoint)
3282 name = "gke"
3383
3484 config {
3585 tls_client_config {
36- ca_data = data.google_container_cluster.cluster.master_auth.0.cluster_ca_certificate
37- cert_data = data.google_container_cluster.cluster.master_auth.0.client_certificate
38- key_data = data.google_container_cluster.cluster.master_auth.0.client_key
86+ ca_data = base64decode(data.google_container_cluster.cluster.master_auth.0.cluster_ca_certificate)
3987 }
4088 }
4189}
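Review bot: The `argocd_cluster.gke` config now presents no client credential at all — the old `cert_data`/`key_data` are removed and only `ca_data` remains, while the token fetched by `data.kubernetes_secret.argocd_manager` is never referenced anywhere in the hunk; add `bearer_token = data.kubernetes_secret.argocd_manager.data["token"]` inside the `config` block next to `tls_client_config`. Once wired in, that token lands in Terraform state in plaintext, so the state backend must be treated as a secret store. The `default_secret_name` lookup presumably relies on auto-generated service-account token secrets, which newer Kubernetes releases no longer create — confirm against the cluster version before relying on it. The ClusterRole grants `*`/`*`/`*` on every resource and non-resource URL, i.e. cluster-admin; this is what ArgoCD's cluster-add flow expects, but a comment such as `# Cluster-admin equivalent: ArgoCD must manage arbitrary resource kinds in this cluster` on the role would make the deliberate scope explicit to the next reviewer.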