I have a Terraform configuration that creates a Kubernetes (GKE) cluster on GCP and installs the ingress controller and cert-manager with Helm. The only piece missing is the Let's Encrypt ClusterIssuer (everything works when I deploy letsencrypt.yaml by hand).
My Terraform config:
# providers: both talk to the freshly created GKE control plane with a short-lived access token
provider "kubernetes" {
  host                   = google_container_cluster.runners.endpoint
  cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
  token                  = data.google_client_config.current.access_token
}

provider "helm" {
  kubernetes {
    host                   = google_container_cluster.runners.endpoint
    cluster_ca_certificate = base64decode(google_container_cluster.runners.master_auth.0.cluster_ca_certificate)
    token                  = data.google_client_config.current.access_token
  }
}

# create namespace for ingress controller
resource "kubernetes_namespace" "ingress" {
  metadata {
    name = "ingress"
  }
}

# deploy ingress controller
resource "helm_release" "ingress" {
  name       = "ingress"
  namespace  = kubernetes_namespace.ingress.metadata[0].name
  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"
  values = [
    file("./helm_values/ingress.yaml")
  ]
  # pin the controller's load balancer to the reserved static address
  set {
    name  = "controller.service.loadBalancerIP"
    value = google_compute_address.net_runner.address
  }
}

# create namespace for cert-manager
resource "kubernetes_namespace" "cert" {
  metadata {
    name = "cert-manager"
  }
}

# deploy cert-manager
resource "helm_release" "cert" {
  name       = "cert-manager"
  namespace  = kubernetes_namespace.cert.metadata[0].name
  repository = "https://charts.jetstack.io"
  chart      = "cert-manager"
  # pin the chart version
  version    = "v1.4.0"
  depends_on = [helm_release.ingress]
  # installCRDs creates the ClusterIssuer/Certificate CRDs the manifest below needs
  set {
    name  = "installCRDs"
    value = "true"
  }
}
My letsencrypt.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: example@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Any idea how to deploy the ClusterIssuer with Terraform?
Answer 0 (score: 2)
You can apply the YAML file directly to the cluster:
# local-exec runs kubectl on the machine running terraform; a provisioner must live
# inside a resource, so wrap it in a null_resource and order it after cert-manager
# (written for EKS; substitute the GKE endpoint and token from the providers above)
resource "null_resource" "letsencrypt" {
  depends_on = [helm_release.cert]

  provisioner "local-exec" {
    # --insecure-skip-tls-verify disables API-server certificate checks;
    # prefer passing the cluster CA with --certificate-authority instead
    command = <<EOT
cat <<EOF | kubectl --server=${aws_eks_cluster.demo.endpoint} --insecure-skip-tls-verify=true --token=${data.aws_eks_cluster_auth.demo.token} create -f -
# cert-manager v1.x serves cert-manager.io/v1 (certmanager.k8s.io/v1alpha1 was removed)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mymail@gmail.com
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
EOT
  }
}
Or you can use a TF provider to apply the YAML file:
https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs#installation