A terraform module for installing kubernetes/ingress controller onto …
…GKE kubernetes
yaman committed Sep 3, 2019
1 parent c574a58 commit 4f08ada
Showing 3 changed files with 285 additions and 0 deletions.
34 changes: 34 additions & 0 deletions README.md
@@ -1,2 +1,36 @@
# terraform-kubernetes-ingress
Ingress Controller on Kubernetes

### Please do not get confused with NginxInc Ingress Controller. This module installs kubernetes ingress controller maintained at https://github.com/kubernetes/ingress-nginx

Tested on GKE. According to [original tutorial from kubernetes falks](https://kubernetes.github.io/ingress-nginx/deploy/), Aws and Azure needs different kind of setup. Please see the deployment differences from [here](https://kubernetes.github.io/ingress-nginx/deploy/)


## How does it work?

This module creates following resources;

- config_maps
- roles/role_bindings with necessary permissions
- cluster_role/cluster_role_bindings with necessary permissions
- a service with LoadBalancer configured
- a deployment with kubernetes/ingress controller image running within the given namespace(only listening ingress events specified for this namespace) for multi-namespace deployments

## Inputs

- **namespace** : kubernetes namespace to be deployed
- **replicacount** : replica instance count for Ingress Controller

## Dependencies

Terraform Kubernetes Provider

## Tested With

- terraform-providers/kubernetes : 1.9.0
- mongodb:bionic(4.2) docker image
- kubernetes 1.13.7-gke.8

## Credits

This module was initially generated following the original tutorial of kubernetes ingress https://kubernetes.github.io/ingress-nginx/deploy a [k2tf](https://github.com/sl1pm4t/k2tf) project.
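--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,249 @@
+resource "kubernetes_config_map" "nginx_configuration" {
+count = length(var.environments)
+metadata {
+name = "nginx-configuration"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+}
+
+resource "kubernetes_config_map" "tcp_services" {
+count = length(var.environments)
+metadata {
+name = "tcp-services"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+}
+
+resource "kubernetes_config_map" "udp_services" {
+count = length(var.environments)
+metadata {
+name = "udp-services"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+}
+
+resource "kubernetes_service_account" "nginx_ingress_serviceaccount" {
+count = length(var.environments)
+metadata {
+name = "nginx-ingress-serviceaccount"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+}
+
+resource "kubernetes_cluster_role" "nginx_ingress_clusterrole" {
+metadata {
+name = "nginx-ingress-clusterrole"
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+rule {
+verbs = ["list", "watch"]
+api_groups = [""]
+resources = ["configmaps", "endpoints", "nodes", "pods", "secrets"]
+}
+rule {
+verbs = ["get"]
+api_groups = [""]
+resources = ["nodes"]
+}
+rule {
+verbs = ["get", "list", "watch"]
+api_groups = [""]
+resources = ["services"]
+}
+rule {
+verbs = ["create", "patch"]
+api_groups = [""]
+resources = ["events"]
+}
+rule {
+verbs = ["get", "list", "watch"]
+api_groups = ["extensions", "networking.k8s.io"]
+resources = ["ingresses"]
+}
+rule {
+verbs = ["update"]
+api_groups = ["extensions", "networking.k8s.io"]
+resources = ["ingresses/status"]
+}
+}
+
+resource "kubernetes_role" "nginx_ingress_role" {
+count = length(var.environments)
+metadata {
+name = "nginx-ingress-role"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+rule {
+verbs = ["get"]
+api_groups = [""]
+resources = ["configmaps", "pods", "secrets", "namespaces"]
+}
+rule {
+verbs = ["get", "update"]
+api_groups = [""]
+resources = ["configmaps"]
+resource_names = ["ingress-controller-leader-nginx"]
+}
+rule {
+verbs = ["create"]
+api_groups = [""]
+resources = ["configmaps"]
+}
+rule {
+verbs = ["get"]
+api_groups = [""]
+resources = ["endpoints"]
+}
+}
+
+resource "kubernetes_role_binding" "nginx_ingress_role_nisa_binding" {
+count = length(var.environments)
+metadata {
+name = "nginx-ingress-role-nisa-binding"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+subject {
+kind = "ServiceAccount"
+name = "nginx-ingress-serviceaccount"
+namespace = var.environments[count.index]
+}
+role_ref {
+api_group = "rbac.authorization.k8s.io"
+kind = "Role"
+name = "nginx-ingress-role"
+}
+}
+
+resource "kubernetes_cluster_role_binding" "nginx_ingress_clusterrole_nisa_binding" {
+count = length(var.environments)
+metadata {
+name = "${var.environments[count.index]}-nginx-ingress-clusterrole-nisa-binding"
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+subject {
+kind = "ServiceAccount"
+name = "nginx-ingress-serviceaccount"
+namespace = var.environments[count.index]
+}
+role_ref {
+api_group = "rbac.authorization.k8s.io"
+kind = "ClusterRole"
+name = "nginx-ingress-clusterrole"
+}
+}
+
+resource "kubernetes_deployment" "nginx_ingress_controller" {
+count = length(var.environments)
+metadata {
+name = "nginx-ingress-controller"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+spec {
+replicas = "${var.replicacount}"
+selector {
+match_labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+template {
+metadata {
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+annotations = { "prometheus.io/port" = "10254", "prometheus.io/scrape" = "true" }
+}
+spec {
+automount_service_account_token = true
+container {
+name = "nginx-ingress-controller"
+image = "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1"
+args = ["/nginx-ingress-controller", "--configmap=$(POD_NAMESPACE)/nginx-configuration", "--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services", "--udp-services-configmap=$(POD_NAMESPACE)/udp-services", "--publish-service=$(POD_NAMESPACE)/ingress-nginx", "--annotations-prefix=nginx.ingress.kubernetes.io", "--watch-namespace=$(POD_NAMESPACE)"]
+port {
+name = "http"
+container_port = 80
+}
+port {
+name = "https"
+container_port = 443
+}
+env {
+name = "POD_NAME"
+value_from {
+field_ref {
+field_path = "metadata.name"
+}
+}
+}
+env {
+name = "POD_NAMESPACE"
+value_from {
+field_ref {
+field_path = "metadata.namespace"
+}
+}
+}
+liveness_probe {
+http_get {
+path = "/healthz"
+port = "10254"
+scheme = "HTTP"
+}
+initial_delay_seconds = 10
+timeout_seconds = 10
+period_seconds = 10
+success_threshold = 1
+failure_threshold = 3
+}
+readiness_probe {
+http_get {
+path = "/healthz"
+port = "10254"
+scheme = "HTTP"
+}
+timeout_seconds = 10
+period_seconds = 10
+success_threshold = 1
+failure_threshold = 3
+}
+security_context {
+capabilities {
+add = ["NET_BIND_SERVICE"]
+drop = ["ALL"]
+}
+run_as_user = 33
+allow_privilege_escalation = true
+}
+}
+service_account_name = "nginx-ingress-serviceaccount"
+}
+}
+}
+}
+
+resource "kubernetes_service" "ingress_nginx" {
+count = length(var.environments)
+metadata {
+name = "ingress-nginx"
+namespace = var.environments[count.index]
+labels = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+}
+spec {
+port {
+name = "http"
+port = 80
+target_port = "http"
+}
+port {
+name = "https"
+port = 443
+target_port = "https"
+}
+selector = { "app.kubernetes.io/name" = "ingress-nginx", "app.kubernetes.io/part-of" = "ingress-nginx" }
+type = "LoadBalancer"
+external_traffic_policy = "Local"
+}
+}
+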
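Review bot: Every per-namespace resource in this file, starting with `count = length(var.environments)` and `namespace = var.environments[count.index]` on the first config map, reads an input variable `environments` that the variables.tf added in this same commit never declares — it declares only `namespace` and `replicacount` — so `terraform validate` will reject the module for an undeclared variable, and the `namespace` input the README documents is never read anywhere. Either declare `variable "environments" { type = list(string) }` in variables.tf and document it in place of `namespace`, or rewrite these references to use `var.namespace`. The `replicas = "${var.replicacount}"` on the deployment is the legacy wrap-in-interpolation form in a file that otherwise uses the bare 0.12 expression syntax; `replicas = var.replicacount` is the consistent spelling. Separately, the ClusterRole grants `list`/`watch` on `secrets` in every namespace while the container is started with `--watch-namespace=$(POD_NAMESPACE)`; this appears to mirror the upstream manifest the README cites, but a comment such as `# ClusterRole: the controller can read Secrets cluster-wide even when watching a single namespace` would keep operators deploying per-namespace from assuming the blast radius is namespace-scoped.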
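--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,2 @@
+variable "namespace" {}
+variable "replicacount" {}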
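Review bot: Both declarations are empty blocks, so neither input carries a `type` or a `description`, and `replicacount` is fed straight into `spec.replicas` of the deployment in main.tf, where a non-numeric value would presumably only surface as a provider error rather than at plan time. Constraining and documenting the inputs here catches that early and gives `terraform-docs`-style readers the contract the README repeats by hand: add `type = number` and a one-line `description` to `replicacount`, and `type = string` with a `description` to `namespace`. A `default` is not needed as long as the README keeps listing both as required.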
