fetch config before locally applying k8s manifest

davidcheung · davidcheung · commit f6235f2b63f7 · 2020-04-24T19:05:39.000-04:00
diff --git a/Makefile b/Makefile
@@ -17,11 +17,13 @@ apply-env:
 	terraform init; \
 	terraform apply
 
-apply-k8s-utils:
+apply-k8s-utils: update-k8s-conf
 	pushd kubernetes/terraform/environments/$(ENV); \
 	terraform init; \
 	terraform apply
 
+update-k8s-conf: eks --region <% index .Params `region` %> update-kubeconfig --name <% .Name %>-$(ENV)-<% index .Params `region` %>
+
 teardown: teardown-k8s-utils teardown-env teardown-secrets teardown-remote-state
 
 teardown-remote-state: 
diff --git a/kubernetes/terraform/modules/kubernetes/cert_manager.tf b/kubernetes/terraform/modules/kubernetes/cert_manager.tf
@@ -1,10 +1,16 @@
 locals {
-  cert_manager_namespace   = "kube-system"
+  cert_manager_namespace   = "cert-manager"
   cert_manager_version     = "0.14.2"
   cluster_issuer_name      = var.cert_manager_use_production_acme_environment ? "clusterissuer-letsencrypt-production" : "clusterissuer-letsencrypt-staging"
   cert_manager_acme_server = var.cert_manager_use_production_acme_environment ? "https://acme-v02.api.letsencrypt.org/directory" : "https://acme-staging-v02.api.letsencrypt.org/directory"
 }
 
+resource "kubernetes_namespace" "cert_manager" {
+  metadata {
+    name = "cert-manager"
+  }
+}
+
 # Reference an existing route53 zone
 data "aws_route53_zone" "public" {
   name = var.external_dns_zone
@@ -21,9 +27,11 @@ resource "null_resource" "cert_manager" {
   triggers = {
     manifest_sha1 = "${sha1("${data.local_file.cert_manager.content}")}"
   }
+  # local exec call requires kubeconfig to be updated
   provisioner "local-exec" {
     command = "kubectl apply --validate=false -f ${path.module}/files/cert-manager.crds.yaml"
   }
+  depends_on = [kubernetes_namespace.cert_manager]
 }
 
 
@@ -46,6 +54,7 @@ resource "null_resource" "cert_manager_issuer" {
   triggers = {
     manifest_sha1 = "${sha1("${data.template_file.cert_manager_issuer.rendered}")}"
   }
+  # local exec call requires kubeconfig to be updated
   provisioner "local-exec" {
     command = "kubectl apply -f - <<EOF\n${data.template_file.cert_manager_issuer.rendered}\nEOF"
   }
diff --git a/kubernetes/terraform/modules/kubernetes/kubernetes_dashboard.tf b/kubernetes/terraform/modules/kubernetes/kubernetes_dashboard.tf
@@ -233,6 +233,7 @@ resource "kubernetes_deployment" "kubernetes_dashboard" {
     }
     revision_history_limit = 10
   }
+  depends_on = [kubernetes_role_binding.kubernetes_dashboard]
 }
 
 resource "kubernetes_service" "dashboard_metrics_scraper" {
diff --git a/terraform/modules/database/main.tf b/terraform/modules/database/main.tf
@@ -36,9 +36,16 @@ module "db_password" {
   name_prefix = "${var.project}-${var.environment}-rds"
 }
 
+# secret declared so secret version waits for rds-secret to be ready
+# or else we often see a AWSDEFAULT VERSION secret not found error
+data "aws_secretsmanager_secret" "rds_master_secret" {
+  name = module.db_password.secret_name
+}
+
 # RDS does not support secret-manager, have to provide the actual string
 data "aws_secretsmanager_secret_version" "rds_master_secret" {
-  secret_id = module.db_password.secret_name
+  secret_id = data.aws_secretsmanager_secret.rds_master_secret.name
+  depends_on = [data.aws_secretsmanager_secret.rds_master_secret]
 }
 
 module "rds" {

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,16 @@`
`1`	`1`	`locals {`
`2`		`- cert_manager_namespace = "kube-system"`
	`2`	`+ cert_manager_namespace = "cert-manager"`
`3`	`3`	`cert_manager_version = "0.14.2"`
`4`	`4`	`cluster_issuer_name = var.cert_manager_use_production_acme_environment ? "clusterissuer-letsencrypt-production" : "clusterissuer-letsencrypt-staging"`
`5`	`5`	`cert_manager_acme_server = var.cert_manager_use_production_acme_environment ? "https://acme-v02.api.letsencrypt.org/directory" : "https://acme-staging-v02.api.letsencrypt.org/directory"`
`6`	`6`	`}`
`7`	`7`
	`8`	`+resource "kubernetes_namespace" "cert_manager" {`
	`9`	`+ metadata {`
	`10`	`+ name = "cert-manager"`
	`11`	`+ }`
	`12`	`+}`
	`13`	`+`
`8`	`14`	`# Reference an existing route53 zone`
`9`	`15`	`data "aws_route53_zone" "public" {`
`10`	`16`	`name = var.external_dns_zone`
`@@ -21,9 +27,11 @@ resource "null_resource" "cert_manager" {`
`21`	`27`	`triggers = {`
`22`	`28`	`manifest_sha1 = "${sha1("${data.local_file.cert_manager.content}")}"`
`23`	`29`	`}`
	`30`	`+ # local exec call requires kubeconfig to be updated`
`24`	`31`	`provisioner "local-exec" {`
`25`	`32`	`command = "kubectl apply --validate=false -f ${path.module}/files/cert-manager.crds.yaml"`
`26`	`33`	`}`
	`34`	`+ depends_on = [kubernetes_namespace.cert_manager]`
`27`	`35`	`}`
`28`	`36`
`29`	`37`
`@@ -46,6 +54,7 @@ resource "null_resource" "cert_manager_issuer" {`
`46`	`54`	`triggers = {`
`47`	`55`	`manifest_sha1 = "${sha1("${data.template_file.cert_manager_issuer.rendered}")}"`
`48`	`56`	`}`
	`57`	`+ # local exec call requires kubeconfig to be updated`
`49`	`58`	`provisioner "local-exec" {`
`50`	`59`	`command = "kubectl apply -f - <<EOF\n${data.template_file.cert_manager_issuer.rendered}\nEOF"`
`51`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -233,6 +233,7 @@ resource "kubernetes_deployment" "kubernetes_dashboard" {`
`233`	`233`	`}`
`234`	`234`	`revision_history_limit = 10`
`235`	`235`	`}`
	`236`	`+ depends_on = [kubernetes_role_binding.kubernetes_dashboard]`
`236`	`237`	`}`
`237`	`238`
`238`	`239`	`resource "kubernetes_service" "dashboard_metrics_scraper" {`