Merge pull request #116 from hyder/issue-113

added scripts for serviceaccount

Author: hyder

docs/terraformoptions.adoc

@@ -37,6 +37,7 @@ Configuration Terraform Options:
 . link:#calico[Calico]
 . link:#kubernetes-metrics-server[Kubernetes Metrics Server]
 . link:#kms-integration[KMS integration]
+. link:#service-account[Service Account]
 
 == Identity and access
 
@@ -583,3 +584,35 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |id of existing KMS key
 |
 |
+|===
+
+== Service Account
+
+[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+|===
+|Parameter
+|Description
+|Values
+|Default
+
+|create_service_account
+|Whether to create a service account. A service account is required for CI/CD. See https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengaddingserviceaccttoken.htm
+|true/false
+|false
+
+|service_account_name
+|The name of service account to create
+|
+|kubeconfigsa
+
+|service_account_namespace
+|The Kubernetes namespace where to create the service account
+|
+|kube-system
+
+|service_account_cluster_role_binding
+|The name of the cluster role binding for the service account
+|
+|
+
+|===

locals.tf

@@ -148,8 +148,8 @@ locals {
   }
 
   helm = {
-    helm_version       = var.helm_version
-    install_helm       = var.install_helm
+    helm_version = var.helm_version
+    install_helm = var.install_helm
   }
 
   calico = {
@@ -161,4 +161,11 @@ locals {
     use_encryption = var.use_encryption
     key_id         = var.existing_key_id
   }
+
+  service_account = {
+    create_service_account               = var.create_service_account
+    service_account_name                 = var.service_account_name
+    service_account_namespace            = var.service_account_namespace
+    service_account_cluster_role_binding = var.service_account_cluster_role_binding
+  }
 }

main.tf

@@ -19,7 +19,7 @@ module "base" {
 
   # bastion parameters
   oci_base_bastion = local.oci_base_bastion
-  
+
   # admin server parameters
   oci_base_admin = local.oci_base_admin
 
@@ -107,4 +107,7 @@ module "oke" {
 
   # metric server
   install_metricserver = var.install_metricserver
+
+  # service account
+  service_account = local.service_account
 }

modules/oke/locals.tf

@@ -19,4 +19,6 @@ locals {
   total_nodes = length(flatten([
     for nodes in local.node_pools_size_list : range(nodes)
   ]))
+
+  service_account_cluster_role_binding_name = var.service_account.service_account_cluster_role_binding == "" ? "${var.service_account.service_account_name}-crb" : var.service_account.service_account_cluster_role_binding
 }

modules/oke/scripts/create_service_account.template.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+if [ ${service_account_namespace} != kube-system ]; then
+  kubectl create ns ${service_account_namespace}
+fi
+
+kubectl -n ${service_account_namespace} create serviceaccount ${service_account_name}
+
+kubectl create clusterrolebinding ${service_account_cluster_role_binding} --clusterrole=cluster-admin --serviceaccount=${service_account_namespace}:${service_account_name}

modules/oke/serviceaccount.tf

@@ -0,0 +1,45 @@
+# Copyright 2017, 2019 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+data "template_file" "create_service_account" {
+  template = file("${path.module}/scripts/create_service_account.template.sh")
+
+  vars = {
+    service_account_name                 = var.service_account.service_account_name
+    service_account_namespace            = var.service_account.service_account_namespace
+    service_account_cluster_role_binding = local.service_account_cluster_role_binding_name
+  }
+
+  count = var.service_account.create_service_account == true ? 1 : 0
+}
+
+resource null_resource "create_service_account" {
+  connection {
+    host        = var.oke_admin.admin_private_ip
+    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+    timeout     = "40m"
+    type        = "ssh"
+    user        = "opc"
+
+    bastion_host        = var.oke_admin.bastion_public_ip
+    bastion_user        = "opc"
+    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+  }
+
+  depends_on = [null_resource.install_kubectl_admin, null_resource.write_kubeconfig_on_admin]
+
+  provisioner "file" {
+    content     = data.template_file.create_service_account[0].rendered
+    destination = "~/create_service_account.sh"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x $HOME/create_service_account.sh",
+      "$HOME/create_service_account.sh",
+      # "rm -f $HOME/create_service_account.sh"
+    ]
+  }
+
+  count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.service_account.create_service_account == true ? 1 : 0
+}

modules/oke/variables.tf

@@ -99,8 +99,8 @@ variable "oke_ocir" {
 # helm
 variable "helm" {
   type = object({
-    helm_version       = string
-    install_helm       = bool
+    helm_version = string
+    install_helm = bool
   })
 }
 
@@ -117,3 +117,14 @@ variable "calico" {
 variable "install_metricserver" {
   default = false
 }
+
+# service account
+
+variable "service_account" {
+  type = object({
+    create_service_account               = bool
+    service_account_name                 = string
+    service_account_namespace            = string
+    service_account_cluster_role_binding = string
+  })
+}

terraform.tfvars.example

@@ -163,3 +163,12 @@ install_metricserver = false
 use_encryption = false
 
 existing_key_id = ""
+
+# service account
+create_service_account = true
+
+service_account_name = "gitlab"
+
+service_account_namespace = "kube-system"
+
+service_account_cluster_role_binding = "gitlab-crb"

variables.tf

@@ -460,3 +460,29 @@ variable "existing_key_id" {
   default     = ""
   type        = string
 }
+
+# serviceaccount
+
+variable "create_service_account" {
+  description = "whether to create a service account. A service account is required for CI/CD. See https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contengaddingserviceaccttoken.htm"
+  default     = false
+  type        = bool
+}
+
+variable "service_account_name" {
+  description = "name of service account to create"
+  default     = "kubeconfigsa"
+  type        = string
+}
+
+variable "service_account_namespace" {
+  description = "kubernetes namespace where to create the service account"
+  default     = "kube-system"
+  type        = string
+}
+
+variable "service_account_cluster_role_binding" {
+  description = "cluster role binding name"
+  default     = ""
+  type        = string
+}