bp

itcaat · itcaat · commit bca6bbee2e77 · 2026-02-12T16:56:04.000+03:00
diff --git a/.github/workflows/k8s.yml b/.github/workflows/k8s.yml
@@ -1,4 +1,5 @@
-name: Terraform Apply
+name: Terraform
+
 on:
   pull_request:
   workflow_dispatch:
@@ -7,32 +8,81 @@ on:
       - main
 
 jobs:
-  run-mock-k8s-and-apply:
+  terraform-plan:
+    name: Terraform Plan
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
-            fetch-depth: 0
-      - name: Install terraform
-        run: | 
-          wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-          sudo apt update && sudo apt install terraform -y
+          fetch-depth: 0
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.5.0"
+
       - name: Configure mkcert
-        run: | 
+        run: |
           sudo apt install ca-certificates libnss3-tools -y
-          wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
+          wget -q https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
           chmod +x ./mkcert-v1.4.4-linux-amd64
           sudo mv ./mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
           mkcert --install
-          ls -la "$(mkcert -CAROOT)"
-      - name: Testing on a k8s Kind Cluster
+
+      - name: Create Kind cluster
         uses: helm/kind-action@v1.12.0
-      - run: |
+
+      - name: Configure kubectl context
+        run: |
           kubectl cluster-info
           kubectl get nodes
           kubectl config rename-context kind-chart-testing docker-desktop
-      - name : Preparing cluster for kube-ez
+
+      - name: Terraform Init
+        run: |
+          export TF_VAR_cluster_issuer_selfsigned_ca_cert="$(base64 < "$(mkcert -CAROOT)/rootCA.pem")"
+          export TF_VAR_cluster_issuer_selfsigned_ca_key="$(base64 < "$(mkcert -CAROOT)/rootCA-key.pem")"
+          make tf-init
+
+      - name: Terraform Plan
+        run: |
+          export TF_VAR_cluster_issuer_selfsigned_ca_cert="$(base64 < "$(mkcert -CAROOT)/rootCA.pem")"
+          export TF_VAR_cluster_issuer_selfsigned_ca_key="$(base64 < "$(mkcert -CAROOT)/rootCA-key.pem")"
+          make tf-plan
+
+  terraform-apply:
+    name: Terraform Apply
+    needs: terraform-plan
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.5.0"
+
+      - name: Configure mkcert
+        run: |
+          sudo apt install ca-certificates libnss3-tools -y
+          wget -q https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
+          chmod +x ./mkcert-v1.4.4-linux-amd64
+          sudo mv ./mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
+          mkcert --install
+
+      - name: Create Kind cluster
+        uses: helm/kind-action@v1.12.0
+
+      - name: Configure kubectl context
+        run: |
+          kubectl cluster-info
+          kubectl get nodes
+          kubectl config rename-context kind-chart-testing docker-desktop
+
+      - name: Terraform Apply
         run: |
           export TF_VAR_cluster_issuer_selfsigned_ca_cert="$(base64 < "$(mkcert -CAROOT)/rootCA.pem")"
           export TF_VAR_cluster_issuer_selfsigned_ca_key="$(base64 < "$(mkcert -CAROOT)/rootCA-key.pem")"
diff --git a/envs/local/main.tf b/envs/local/main.tf
@@ -1,5 +1,6 @@
 module "metallb" {
-  source = "../../modules/metallb"
+  source   = "../../modules/metallb"
+  ip_range = local.metallb_ip_range
 }
 
 module "cert_manager" {
@@ -41,6 +42,7 @@ module "echo_server" {
   ingress_class_name = local.ingress_class_name
   issuer_name        = local.cluster_issuer_selfsigned
   depends_on = [
-    module.ingress_nginx
+    module.ingress_nginx,
+    module.cluster_issuer_selfsigned
   ]
 }
diff --git a/modules/cert-manager/versions.tf b/modules/cert-manager/versions.tf
@@ -1,5 +1,9 @@
 terraform {
   required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.10"
+    }
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "~> 1.19.0"
diff --git a/modules/cluster-issuer-production/variables.tf b/modules/cluster-issuer-production/variables.tf
@@ -12,7 +12,11 @@ variable "namespace" {
 variable "acme_email" {
   type        = string
   description = "Email used for ACME registration"
-  default     = "admin@example.com"
+
+  validation {
+    condition     = can(regex("^[^@]+@[^@]+\\.[^@]+$", var.acme_email))
+    error_message = "Must be a valid email address."
+  }
 }
 
 variable "acme_server" {
diff --git a/modules/echo-server/main.tf b/modules/echo-server/main.tf
@@ -5,6 +5,7 @@ resource "kubernetes_namespace" "echo" {
 }
 
 resource "kubernetes_deployment" "echo" {
+  depends_on = [kubernetes_namespace.echo]
   metadata {
     name      = var.name
     namespace = var.namespace
@@ -36,6 +37,7 @@ resource "kubernetes_deployment" "echo" {
 }
 
 resource "kubernetes_service" "echo" {
+  depends_on = [kubernetes_namespace.echo]
   metadata {
     name      = var.name
     namespace = var.namespace
@@ -53,6 +55,7 @@ resource "kubernetes_service" "echo" {
 }
 
 resource "kubernetes_ingress_v1" "echo" {
+  depends_on = [kubernetes_namespace.echo]
   metadata {
     name      = var.name
     namespace = var.namespace
diff --git a/modules/echo-server/versions.tf b/modules/echo-server/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.20"
+    }
+  }
+}
diff --git a/modules/ingress-nginx/versions.tf b/modules/ingress-nginx/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.10"
+    }
+  }
+}
diff --git a/modules/metallb/main.tf b/modules/metallb/main.tf
@@ -13,7 +13,7 @@ resource "kubectl_manifest" "metallb_ip_pool" {
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
-  name: ingress-ip-pool
+  name: ip-pool-${replace(replace(each.value, ".", "-"), "/", "-")}
   namespace: ${var.namespace}
 spec:
   addresses:

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`module "metallb" {`
`2`		`- source = "../../modules/metallb"`
	`2`	`+ source = "../../modules/metallb"`
	`3`	`+ ip_range = local.metallb_ip_range`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`module "cert_manager" {`
`@@ -41,6 +42,7 @@ module "echo_server" {`
`41`	`42`	`ingress_class_name = local.ingress_class_name`
`42`	`43`	`issuer_name = local.cluster_issuer_selfsigned`
`43`	`44`	`depends_on = [`
`44`		`- module.ingress_nginx`
	`45`	`+ module.ingress_nginx,`
	`46`	`+ module.cluster_issuer_selfsigned`
`45`	`47`	`]`
`46`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ resource "kubernetes_namespace" "echo" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`resource "kubernetes_deployment" "echo" {`
	`8`	`+ depends_on = [kubernetes_namespace.echo]`
`8`	`9`	`metadata {`
`9`	`10`	`name = var.name`
`10`	`11`	`namespace = var.namespace`
`@@ -36,6 +37,7 @@ resource "kubernetes_deployment" "echo" {`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`resource "kubernetes_service" "echo" {`
	`40`	`+ depends_on = [kubernetes_namespace.echo]`
`39`	`41`	`metadata {`
`40`	`42`	`name = var.name`
`41`	`43`	`namespace = var.namespace`
`@@ -53,6 +55,7 @@ resource "kubernetes_service" "echo" {`
`53`	`55`	`}`
`54`	`56`
`55`	`57`	`resource "kubernetes_ingress_v1" "echo" {`
	`58`	`+ depends_on = [kubernetes_namespace.echo]`
`56`	`59`	`metadata {`
`57`	`60`	`name = var.name`
`58`	`61`	`namespace = var.namespace`