Last active
June 8, 2023 12:43
-
-
Save jeremysells/061dfacb0a1da1cf77e4439dcbf76ddb to your computer and use it in GitHub Desktop.
Terraform-DigitalOcean-Kubernetes-Helm-Dashboard.tf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This was a test, use as is where is (MIT License) | |
| # Test of Terraforming a Kubernetes cluster on Digital Ocean with Helm and a basic setup (dashboard and ingress) | |
| # I was also push a container in via local Helm that had an image stored in Gitlabs Docker Registry | |
| # You need to have the following tools installed (Terraform, Helm, Kubectl) | |
| # run `terraform init`, then `terraform apply` | |
| # Goto the Digital Ocean dashboard and download the kubeconfig to `/.kube/config` | |
| # To access the proxy run `kubectl proxy` and then goto | |
| # `http://localhost:8001/api/v1/namespaces/kube-system/services/https:dashboard-kubernetes-dashboard:https/proxy/ | |
| # | |
| # To get the token, use something like: | |
| # * `kubectl -n kube-system get secret | grep dashboard-user-token` | |
| # * `kubectl -n kube-system describe secret dashboard-user-token-hhdsg` | |
| # | |
| # Helpful Links: | |
| # * https://alexanderzeitler.com/articles/enabling-the-kubernetes-dashboard-for-digitalocean-kubernetes/ | |
| # * https://github.com/helm/helm/issues/3130#issuecomment-345506262 | |
| #===STATE==================================================================== | |
| terraform { | |
| backend "local" { | |
| path = "_data/terraform.tfstate" | |
| } | |
| } | |
| #===DIGITAL OCEAN============================================================ | |
| provider "digitalocean" { | |
| token = "${var.digitalocean_token}" | |
| version = "~> 1.4" | |
| } | |
| resource "digitalocean_kubernetes_cluster" "testcluster" { | |
| name = "testcluster" | |
| region = "${var.digitalocean_region}" | |
| version = "1.14.1-do.4" | |
| tags = ["test"] | |
| node_pool { | |
| name = "testcluster-pool" | |
| size = "s-1vcpu-2gb" | |
| node_count = 1 | |
| } | |
| } | |
| //#===K8TESTCLUSTER KUBERNETES=============================================== | |
| provider "kubernetes" { | |
| host = "${digitalocean_kubernetes_cluster.testcluster.endpoint}" | |
| version = "~> 1.7" | |
| client_certificate = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.client_certificate)}" | |
| client_key = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.client_key)}" | |
| cluster_ca_certificate = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.cluster_ca_certificate)}" | |
| } | |
| //resource "kubernetes_namespace" "gitlab" { | |
| // "metadata" { | |
| // name = "gitlab" | |
| // } | |
| //} | |
| # `kubectl get secret gitlab-login -n gitlab -o jsonpath="{['data']['\.dockerconfigjson']}" | base64 --decode` | |
| resource "kubernetes_secret" "gitlab-login" { | |
| "metadata" { | |
| name = "gitlab-login" | |
| } | |
| data { | |
| ".dockerconfigjson" = "{ \"auths\": { \"${var.gitlab_hostname}\": { \"auth\": \"${base64encode(format("%s:%s", var.gitlab_username, var.gitlab_password))}\" } } }" | |
| } | |
| type = "kubernetes.io/dockerconfigjson" | |
| } | |
| #---HELM/TILLER USER--------------------------------------------------------- | |
| resource "kubernetes_service_account" "tiller" { | |
| automount_service_account_token = true | |
| metadata { | |
| name = "tiller" | |
| namespace = "kube-system" | |
| } | |
| } | |
| resource "kubernetes_cluster_role_binding" "tiller-clusterrolebinding" { | |
| metadata { | |
| name = "tiller-clusterrolebinding" | |
| } | |
| subject { | |
| kind = "ServiceAccount" | |
| name = "tiller" | |
| namespace = "kube-system" | |
| } | |
| role_ref { | |
| kind = "ClusterRole" | |
| name = "cluster-admin" | |
| api_group = "rbac.authorization.k8s.io" | |
| } | |
| } | |
| #---GENERIC/DASHBOARD USER------------------------------------------------- | |
| # This account has the token we use to get into the dashboard using its permissions | |
| resource "kubernetes_service_account" "dashboard-user" { | |
| automount_service_account_token = true | |
| metadata { | |
| name = "dashboard-user" | |
| namespace = "kube-system" | |
| } | |
| } | |
| resource "kubernetes_cluster_role_binding" "dashboard-user-clusterrolebinding" { | |
| metadata { | |
| name = "dashboard-user-clusterrolebinding" | |
| } | |
| subject { | |
| kind = "ServiceAccount" | |
| name = "dashboard-user" | |
| namespace = "kube-system" | |
| } | |
| role_ref { | |
| kind = "ClusterRole" | |
| name = "cluster-admin" | |
| api_group = "rbac.authorization.k8s.io" | |
| } | |
| } | |
| #---GITLAB USER-------------------------------------------------------------- | |
| # To get the 'Kubernetes cluster name' | |
| # `kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'` | |
| # To get the SECRET_NAME | |
| # `kubectl get secrets --all-namespaces | grep gitlab` | |
| # To get the CA Certificate | |
| # kubectl get secret <SECRET_NAME> -n kube-system -o jsonpath="{['data']['ca\.crt']}" | base64 --decode | |
| # To get the Token | |
| # kubectl get secret <SECRET_NAME> -n kube-system -o jsonpath="{['data']['token']}" | base64 --decode | |
| //resource "kubernetes_service_account" "gitlab-user" { | |
| // metadata { | |
| // name = "gitlab-user" | |
| // namespace = "kube-system" | |
| // } | |
| //} | |
| //resource "kubernetes_cluster_role_binding" "gitlab_as_admin" { | |
| // metadata { | |
| // name = "gitlab-cluster-admin" | |
| // } | |
| // subject { | |
| // kind = "ServiceAccount" | |
| // name = "${kubernetes_service_account.dashboard-user.metadata.0.name}" | |
| // namespace = "kube-system" | |
| // } | |
| // role_ref { | |
| // kind = "ClusterRole" | |
| // name = "cluster-admin" | |
| // api_group = "rbac.authorization.k8s.io" | |
| // } | |
| //} | |
| #===K8TESTCLUSTER HELM======================================================= | |
| # initialize Helm provider | |
| provider "helm" { | |
| version = "~> 0.9" | |
| service_account = "${kubernetes_service_account.tiller.metadata.0.name}" | |
| # tiller_image = "gcr.io/kubernetes-helm/tiller:v2.11.0" | |
| kubernetes { | |
| host = "${digitalocean_kubernetes_cluster.testcluster.endpoint}" | |
| client_certificate = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.client_certificate)}" | |
| client_key = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.client_key)}" | |
| cluster_ca_certificate = "${base64decode(digitalocean_kubernetes_cluster.testcluster.kube_config.0.cluster_ca_certificate)}" | |
| } | |
| } | |
| data "helm_repository" "stable" { | |
| name = "stable" | |
| url = "https://kubernetes-charts.storage.googleapis.com" | |
| } | |
| resource "helm_release" "kubernetes_dashboard" { | |
| name = "dashboard" | |
| repository = "${data.helm_repository.stable.metadata.0.name}" | |
| chart = "stable/kubernetes-dashboard" | |
| namespace = "kube-system" | |
| } | |
| //===NGINX INGRESS=========================================================== | |
| resource "helm_release" "nginx-ingress" { | |
| name = "nginx-ingress" | |
| repository = "${data.helm_repository.stable.metadata.0.name}" | |
| chart = "stable/nginx-ingress" | |
| #version = "0.25.1" | |
| #namespace = "${kubernetes_namespace.deployments.metadata.name}" | |
| set { | |
| name = "cluster.enabled" | |
| value = "true" | |
| } | |
| set { | |
| name = "replicaCount" | |
| value = 1 | |
| } | |
| set { | |
| name = "resources.limits.cpu" | |
| value = "20m" | |
| } | |
| set { | |
| name = "resources.limits.memory" | |
| value = "256Mi" | |
| } | |
| set { | |
| name = "resources.requests.cpu" | |
| value = "10m" | |
| } | |
| set { | |
| name = "resources.requests.memory" | |
| value = "128Mi" | |
| } | |
| set { | |
| name = "nginx-default-backend.replicaCount" | |
| value = "2" | |
| } | |
| set { | |
| name = "nginx-default-backend.resources.limits.cpu" | |
| value = "2m" | |
| } | |
| set { | |
| name = "nginx-default-backend.resources.limits.memory" | |
| value = "5Mi" | |
| } | |
| set { | |
| name = "nginx-default-backend.resources.requests.cpu" | |
| value = "1m" | |
| } | |
| set { | |
| name = "nginx-default-backend.resources.requests.memory" | |
| value = "3M" | |
| } | |
| } | |
| //===GITLAB================================================================== | |
| //provider "gitlab" { | |
| // token = "${var.gitlab_token}" | |
| // version = "~> 2.1" | |
| //} | |
| //data "gitlab_project" "test-cluster-deploy" { | |
| // id = "${var.test_deploy_project_id}" | |
| //} | |
| //data "kubernetes_secret" "gitlab-user-token" { | |
| // metadata { | |
| // name = "${kubernetes_service_account.gitlab-user.default_secret_name}" | |
| // namespace = "${kubernetes_service_account.gitlab-user.metadata.0.namespace}" | |
| // } | |
| //} | |
| // | |
| //resource gitlab_project_cluster "test-cluster-deploy-testcluster" { | |
| // project = "${data.gitlab_project.test-cluster-deploy.id}" | |
| // name = "testcluster" | |
| // domain = "${var.test_deploy_domain_name}" | |
| // enabled = true | |
| // kubernetes_api_url = "${digitalocean_kubernetes_cluster.testcluster.endpoint}" | |
| // kubernetes_token = "${data.kubernetes_secret.gitlab-user-token.data.token}" | |
| // kubernetes_ca_cert = "${chomp(data.kubernetes_secret.gitlab-user-token.data.ca.crt)}" | |
| // kubernetes_namespace = "${kubernetes_namespace.gitlab.metadata.0.name}" | |
| // kubernetes_authorization_type = "rbac" | |
| // environment_scope = "*" | |
| //} | |
| //===DEPLOY AN APPLICATION=================================================== |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment