Merge pull request #106 from JoshVanL/move-ca-to-module

jetstack-bot · web-flow · commit 4c18fb10ab9b · 2019-11-06T13:16:29.000Z
Move ca files into own modules
diff --git a/demo/infrastructure/amazon/dns.tf b/demo/infrastructure/amazon/dns.tf
@@ -7,3 +7,10 @@ data "external" "externaldns" {
   program = ["jq", ".externaldns", "../../manifests/google-config.json"]
   query   = { }
 }
+
+module "ca" {
+  source = "../modules/ca"
+
+  ca_crt_file = "${var.ca_crt_file}"
+  ca_key_file = "${var.ca_key_file}"
+}
diff --git a/demo/infrastructure/amazon/outputs.tf b/demo/infrastructure/amazon/outputs.tf
@@ -3,6 +3,11 @@ locals {
     cert_manager = "${data.external.cert_manager.result}"
     externaldns  = "${data.external.externaldns.result}"
     gangway      = "${module.gangway.config}"
+
+    ca = {
+      key = "${module.ca.key}"
+      crt = "${module.ca.crt}"
+    }
   }
 }
 
diff --git a/demo/infrastructure/amazon/providers.tf b/demo/infrastructure/amazon/providers.tf
@@ -20,3 +20,6 @@ module "cluster" {
 
   cluster_version = "${var.cluster_version}"
 }
+
+variable "ca_crt_file" {}
+variable "ca_key_file" {}
diff --git a/demo/infrastructure/digitalocean/dns.tf b/demo/infrastructure/digitalocean/dns.tf
@@ -7,3 +7,10 @@ data "external" "externaldns" {
   program = ["jq", ".externaldns", "../../manifests/google-config.json"]
   query   = {}
 }
+
+module "ca" {
+  source = "../modules/ca"
+
+  ca_crt_file = "${var.ca_crt_file}"
+  ca_key_file = "${var.ca_key_file}"
+}
diff --git a/demo/infrastructure/digitalocean/outputs.tf b/demo/infrastructure/digitalocean/outputs.tf
@@ -3,6 +3,11 @@ locals {
     cert_manager = "${data.external.cert_manager.result}"
     externaldns  = "${data.external.externaldns.result}"
     gangway      = "${module.gangway.config}"
+
+    ca = {
+      key = "${module.ca.key}"
+      crt = "${module.ca.crt}"
+    }
   }
 }
 
diff --git a/demo/infrastructure/digitalocean/providers.tf b/demo/infrastructure/digitalocean/providers.tf
@@ -5,7 +5,7 @@ variable "digitalocean_region" {
 }
 
 variable "cluster_version" {
-  default = "1.12.8-do.1"
+  default = "1.15.5-do.0"
 }
 
 module "cluster" {
@@ -15,3 +15,6 @@ module "cluster" {
   cluster_version = "${var.cluster_version}"
   region          = "${var.digitalocean_region}"
 }
+
+variable "ca_crt_file" {}
+variable "ca_key_file" {}
diff --git a/demo/infrastructure/google/dns.tf b/demo/infrastructure/google/dns.tf
@@ -1,6 +1,10 @@
 module "dns" {
   source = "../modules/google-dns"
   suffix = "${random_id.suffix.hex}"
+}
+
+module "ca" {
+  source  = "../modules/ca"
 
   ca_crt_file = "${var.ca_crt_file}"
   ca_key_file = "${var.ca_key_file}"
diff --git a/demo/infrastructure/google/output.tf b/demo/infrastructure/google/output.tf
@@ -3,6 +3,11 @@ locals {
     cert_manager = "${module.dns.config}"
     externaldns  = "${module.dns.config}"
     gangway      = "${module.gangway.config}"
+
+    ca = {
+      key = "${module.ca.key}"
+      crt = "${module.ca.crt}"
+    }
   }
 }
 
diff --git a/demo/infrastructure/modules/ca/ca.tf b/demo/infrastructure/modules/ca/ca.tf
@@ -0,0 +1,19 @@
+variable "ca_crt_file" {}
+variable "ca_key_file" {}
+
+data "local_file" "crt_file" {
+    filename = "${var.ca_crt_file}"
+}
+
+data "local_file" "key_file" {
+    filename = "${var.ca_key_file}"
+}
+
+
+output "crt" {
+  value = "${data.local_file.crt_file.content}"
+}
+
+output "key" {
+  value = "${data.local_file.key_file.content}"
+}
diff --git a/demo/infrastructure/modules/google-dns/dns.tf b/demo/infrastructure/modules/google-dns/dns.tf
@@ -1,8 +1,5 @@
 variable "suffix" {}
 
-variable "ca_crt_file" {}
-variable "ca_key_file" {}
-
 resource "google_service_account" "external_dns" {
   account_id   = "external-dns-${var.suffix}"
   display_name = "External DNS/Cert Manager service account for GKE cluster cluster-${var.suffix}"
@@ -18,21 +15,11 @@ resource "google_service_account_key" "external_dns" {
   service_account_id = "${google_service_account.external_dns.account_id}"
 }
 
-data "local_file" "ca_crt" {
-    filename = "${var.ca_crt_file}"
-}
-
-data "local_file" "ca_key" {
-    filename = "${var.ca_key_file}"
-}
-
 output "config" {
   value = {
     service_account_credentials = "${base64decode(google_service_account_key.external_dns.private_key)}"
 
     project  = "${google_service_account.external_dns.project}"
     provider = "google"
-    ca_crt   = "${data.local_file.ca_crt.content}"
-    ca_key   = "${data.local_file.ca_key.content}"
   }
 }
diff --git a/demo/manifests/main.jsonnet b/demo/manifests/main.jsonnet
@@ -66,6 +66,16 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
   else
     {};
 
+local apply_google_secret(cert_manager) =
+  if std.objectHas(cert_manager, 'service_account_credentials') then
+    kube.Secret(cert_manager.p + 'clouddns-google-credentials') + cert_manager.metadata {
+      data_+: {
+        'credentials.json': cert_manager.service_account_credentials,
+      },
+    }
+  else
+    {};
+
 {
 
   cloud:: 'google',
@@ -107,15 +117,11 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
   ns: kube.Namespace($.namespace),
 
 
-  ca_crt:: $.config.cert_manager.ca_crt,
-  ca_key:: $.config.cert_manager.ca_key,
+  ca_crt:: $.config.ca.crt,
+  ca_key:: $.config.ca.key,
 
   cert_manager: cert_manager {
-    google_secret: kube.Secret($.cert_manager.p + 'clouddns-google-credentials') + $.cert_manager.metadata {
-      data_+: {
-        'credentials.json': $.config.cert_manager.service_account_credentials,
-      },
-    },
+    google_secret: apply_google_secret($.config.cert_manager),
 
     metadata:: {
       metadata+: {
@@ -142,49 +148,52 @@ local apply_ca_issuer(ca_crt, ca_key, obj) =
     },
   },
 
-  externaldns: externaldns {
-    metadata:: {
-      metadata+: {
-        namespace: 'kube-system',
+  externaldns: if $.master && $.cloud == 'google' then
+    externaldns {
+      metadata:: {
+        metadata+: {
+          namespace: 'kube-system',
+        },
       },
-    },
 
-    gcreds: kube.Secret($.externaldns.p + 'externaldns-google-credentials') + $.externaldns.metadata {
-      data_+: {
-        'credentials.json': $.config.externaldns.service_account_credentials,
+      gcreds: kube.Secret($.externaldns.p + 'externaldns-google-credentials') + $.externaldns.metadata {
+        data_+: {
+          'credentials.json': $.config.externaldns.service_account_credentials,
+        },
       },
-    },
 
-    deploy+: {
-      domainFilter: removeLeadingDot($.base_domain),
-      ownerId: $.cluster_domain,
-      spec+: {
-        template+: {
-          spec+: {
-            volumes_+: {
-              gcreds: kube.SecretVolume($.externaldns.gcreds),
-            },
-            containers_+: {
-              edns+: {
-                image: 'bitnami/external-dns:0.5.14',
-                args_+: {
-                  provider: 'google',
-                  'google-project': $.config.externaldns.project,
-                  'txt-prefix': '_external-dns.',
-                },
-                env_+: {
-                  GOOGLE_APPLICATION_CREDENTIALS: '/google/credentials.json',
-                },
-                volumeMounts_+: {
-                  gcreds: { mountPath: '/google', readOnly: true },
+      deploy+: {
+        domainFilter: removeLeadingDot($.base_domain),
+        ownerId: $.cluster_domain,
+        spec+: {
+          template+: {
+            spec+: {
+              volumes_+: {
+                gcreds: kube.SecretVolume($.externaldns.gcreds),
+              },
+              containers_+: {
+                edns+: {
+                  image: 'bitnami/external-dns:0.5.14',
+                  args_+: {
+                    provider: 'google',
+                    'google-project': $.config.externaldns.project,
+                    'txt-prefix': '_external-dns.',
+                  },
+                  env_+: {
+                    GOOGLE_APPLICATION_CREDENTIALS: '/google/credentials.json',
+                  },
+                  volumeMounts_+: {
+                    gcreds: { mountPath: '/google', readOnly: true },
+                  },
                 },
               },
             },
           },
         },
       },
-    },
-  },
+    }
+  else
+    {},
 
   sslPassthroughDomains:: std.prune([$.gangway.domain, $.kube_oidc_proxy.domain, if $.master then $.dex_domain]),
 

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,11 @@ locals {`
`3`	`3`	`cert_manager = "${data.external.cert_manager.result}"`
`4`	`4`	`externaldns = "${data.external.externaldns.result}"`
`5`	`5`	`gangway = "${module.gangway.config}"`
	`6`	`+`
	`7`	`+ ca = {`
	`8`	`+ key = "${module.ca.key}"`
	`9`	`+ crt = "${module.ca.crt}"`
	`10`	`+ }`
`6`	`11`	`}`
`7`	`12`	`}`
`8`	`13`
Original file line number	Diff line number	Diff line change
`@@ -20,3 +20,6 @@ module "cluster" {`
`20`	`20`
`21`	`21`	`cluster_version = "${var.cluster_version}"`
`22`	`22`	`}`
	`23`	`+`
	`24`	`+variable "ca_crt_file" {}`
	`25`	`+variable "ca_key_file" {}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ variable "digitalocean_region" {`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`variable "cluster_version" {`
`8`		`- default = "1.12.8-do.1"`
	`8`	`+ default = "1.15.5-do.0"`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`module "cluster" {`
`@@ -15,3 +15,6 @@ module "cluster" {`
`15`	`15`	`cluster_version = "${var.cluster_version}"`
`16`	`16`	`region = "${var.digitalocean_region}"`
`17`	`17`	`}`
	`18`	`+`
	`19`	`+variable "ca_crt_file" {}`
	`20`	`+variable "ca_key_file" {}`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,11 @@ locals {`
`3`	`3`	`cert_manager = "${module.dns.config}"`
`4`	`4`	`externaldns = "${module.dns.config}"`
`5`	`5`	`gangway = "${module.gangway.config}"`
	`6`	`+`
	`7`	`+ ca = {`
	`8`	`+ key = "${module.ca.key}"`
	`9`	`+ crt = "${module.ca.crt}"`
	`10`	`+ }`
`6`	`11`	`}`
`7`	`12`	`}`
`8`	`13`