roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-04-25 11:59:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
v3/terraform/modules/nginx-ingress-controller/main.tf
Katalina Okano ec505739c8 temp tf
2020-10-09 10:54:55 -04:00

331 lines
7.3 KiB
HCL
Raw Blame History

locals {
ns = kubernetes_namespace.ns.metadata.0.name
labels = {
"app.kubernetes.io/name" = "ingress-nginx"
"app.kubernetes.io/part-of" = "ingress-nginx"
}
}
resource "kubernetes_namespace" "ns" {
metadata {
name = "ingress-nginx"
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-nginx" {
metadata {
name = "nginx-configuration"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-tcp" {
metadata {
name = "tcp-services"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_config_map" "cm-udp" {
metadata {
name = "udp-services"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_service_account" "sa" {
metadata {
name = "nginx-ingress-serviceaccount"
namespace = local.ns
labels = local.labels
}
}
resource "kubernetes_cluster_role" "cr" {
metadata {
name = "nginx-ingress-clusterrole"
labels = local.labels
}
rule {
api_groups = [""]
resources = ["configmaps", "endpoints", "nodes", "pods", "secrets"]
verbs = ["list", "watch"]
}
rule {
api_groups = [""]
resources = ["nodes"]
verbs = ["get"]
}
rule {
api_groups = [""]
resources = ["services"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = [""]
resources = ["events"]
verbs = ["create", "patch"]
}
rule {
api_groups = ["extensions", "networking.k8s.io"]
resources = ["ingresses"]
verbs = ["get", "list", "watch"]
}
rule {
api_groups = ["extensions", "networking.k8s.io"]
resources = ["ingresses/status"]
verbs = ["update"]
}
}
resource "kubernetes_role" "role" {
metadata {
name = "nginx-ingress-role"
namespace = local.ns
labels = local.labels
}
rule {
api_groups = [""]
resources = ["configmaps", "pods", "secrets", "namespaces"]
verbs = ["get"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
resource_names = ["ingress-controller-leader-nginx"]
verbs = ["get", "update"]
}
rule {
api_groups = [""]
resources = ["configmaps"]
verbs = ["create"]
}
rule {
api_groups = [""]
resources = ["endpoints"]
verbs = ["get"]
}
}
resource "kubernetes_role_binding" "rb" {
metadata {
name = "nginx-ingress-role-nisa-binding"
namespace = local.ns
labels = local.labels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.role.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.sa.metadata.0.name
namespace = local.ns
}
}
resource "kubernetes_cluster_role_binding" "crb" {
metadata {
name = "nginx-ingress-clusterrole-nisa-binding"
labels = local.labels
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = kubernetes_cluster_role.cr.metadata.0.name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.sa.metadata.0.name
namespace = local.ns
}
}
resource "kubernetes_deployment" "deployment" {
metadata {
name = "nginx-ingress-controller"
namespace = local.ns
labels = local.labels
}
spec {
replicas = 3
selector {
match_labels = local.labels
}
template {
metadata {
labels = local.labels
annotations = {
"prometheus.io/port" = "10254"
"prometheus.io/scrape" = "true"
}
}
spec {
automount_service_account_token = true
termination_grace_period_seconds = 300
service_account_name = kubernetes_service_account.sa.metadata.0.name
node_selector = {
"kubernetes.io/os" = "linux"
node_type = "static"
}
container {
name = "nginx-ingress-controller"
image = "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${var.nginx-ingress-version}"
args = [
"/nginx-ingress-controller",
"--configmap=${local.ns}/${kubernetes_config_map.cm-nginx.metadata.0.name}",
"--tcp-services-configmap=${local.ns}/${kubernetes_config_map.cm-tcp.metadata.0.name}",
"--udp-services-configmap=${local.ns}/${kubernetes_config_map.cm-udp.metadata.0.name}",
"--publish-service=${local.ns}/ingress-nginx",
"--annotations-prefix=nginx.ingress.kubernetes.io",
]
security_context {
allow_privilege_escalation = true
capabilities {
drop = ["ALL"]
add = ["NET_BIND_SERVICE"]
}
run_as_user = 101
}
env {
name = "POD_NAME"
value_from {
field_ref {
field_path = "metadata.name"
}
}
}
env {
name = "POD_NAMESPACE"
value_from {
field_ref {
field_path = "metadata.namespace"
}
}
}
port {
name = "http"
container_port = 80
protocol = "TCP"
}
port {
name = "https"
container_port = 443
protocol = "TCP"
}
liveness_probe {
http_get {
path = "/healthz"
port = 10254
scheme = "HTTP"
}
failure_threshold = 3
initial_delay_seconds = 10
period_seconds = 10
success_threshold = 1
timeout_seconds = 10
}
readiness_probe {
http_get {
path = "/healthz"
port = 10254
scheme = "HTTP"
}
failure_threshold = 3
initial_delay_seconds = 10
period_seconds = 10
success_threshold = 1
timeout_seconds = 10
}
lifecycle {
pre_stop {
exec {
command = ["/wait-shutdown"]
}
}
}
}
}
}
}
}
resource "kubernetes_limit_range" "lr" {
metadata {
name = "ingress-nginx"
namespace = local.ns
labels = local.labels
}
spec {
limit {
min = {
memory = "90Mi"
cpu = "100m"
}
type = "Container"
}
}
}
# Specific service related to Google Cloud
resource "kubernetes_service" "svc" {
metadata {
name = "ingress-nginx"
namespace = local.ns
labels = local.labels
}
spec {
external_traffic_policy = "Local"
type = "LoadBalancer"
selector = local.labels
port {
name = "http"
port = 80
protocol = "TCP"
target_port = "http"
}
port {
name = "https"
port = 443
protocol = "TCP"
target_port = "https"
}
}
lifecycle {
ignore_changes = [
// We add no annotations, but DO adds some.
metadata[0].annotations,
]
}
}
Reference in a new issue View git blame Copy permalink