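resource "null_resource" "cert-manager-crds" {
  # Installs the cert-manager CRDs and prepares the cert-manager namespace
  # before the Helm chart is applied. Re-run when the pinned version changes;
  # without a trigger a version bump would never re-apply the CRDs.
  triggers = {
    certmanager_version = var.certmanager_version
  }

  provisioner "local-exec" {
    command = <<EOF
set -e
# NOTE(review): the manifest is fetched from a git tag over HTTPS with no
# checksum. Tags are mutable, so this trusts GitHub and the upstream repo at
# apply time; vendor the manifest or pin a commit SHA if that is a concern.
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/v${var.certmanager_version}/deploy/manifests/00-crds.yaml
# "create namespace" fails if the namespace already exists, so make it idempotent.
kubectl get namespace cert-manager >/dev/null 2>&1 || kubectl create namespace cert-manager
# Label presumably required by this cert-manager version's install docs to keep
# its own namespace out of its validating webhook; --overwrite makes re-runs safe.
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true --overwrite
EOF
    environment = {
      # kubeconfig written for the RKE cluster elsewhere in this module
      KUBECONFIG = local_file.kube_cluster_yaml.filename
    }
  }
}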
# install cert-manager
resource "helm_release" "cert_manager" {
  # Deploys cert-manager into the namespace prepared by cert-manager-crds. The
  # explicit depends_on is needed because nothing here references an attribute
  # of that null_resource.
  depends_on = [null_resource.cert-manager-crds]

  name      = "cert-manager"
  namespace = "cert-manager"
  chart     = var.certmanager_chart
  version   = "v${var.certmanager_version}"

  # Bogus set to link together resources for proper tear down: referencing the
  # cluster's api_server_url makes this release depend on the RKE cluster, so
  # it is destroyed before the cluster is. The chart ignores the value.
  set {
    name  = "tf_link"
    value = rke_cluster.rancher_server.api_server_url
  }
}
# install rancher
resource "helm_release" "rancher" {
  # Rancher itself, served at <name>.<domain> with a Let's Encrypt certificate
  # issued through the cert-manager release above.
  name      = "rancher"
  namespace = "cattle-system"
  chart     = var.rancher_chart
  version   = "v${local.rancher_version}"

  set {
    name  = "hostname"
    value = "${local.name}.${local.domain}"
  }

  set {
    name  = "ingress.tls.source"
    value = "letsEncrypt"
  }

  set {
    name  = "letsEncrypt.email"
    value = local.le_email
  }

  set {
    name  = "letsEncrypt.environment"
    value = "production" # valid options are 'staging' or 'production'
  }

  # Bogus set to link together resources for proper tear down: the reference to
  # the cert-manager release creates an implicit dependency on it.
  set {
    name  = "tf_link"
    value = helm_release.cert_manager.name
  }
}
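resource "null_resource" "wait_for_rancher" {
  # Blocks until Rancher serves a certificate for the expected hostname and
  # answers /ping, so rancher2_bootstrap does not race the Helm install.
  # Both phases are bounded: the previous loops ran forever, turning a failed
  # certificate issuance into a hung apply instead of an error.
  provisioner "local-exec" {
    command = <<EOF
set -u
max_attempts=90   # 90 x 10s = 15 minutes per phase

# Phase 1: wait for the presented certificate's subject to match the hostname.
# Chain verification is skipped here (-k) on purpose: until cert-manager has
# obtained the Let's Encrypt certificate, the endpoint presumably serves a
# placeholder cert that would not validate. "tr -s" folds the one-vs-two-space
# "*  subject:" difference between curl versions so the comparison below holds.
subject=""
attempt=0
while [ "$${subject}" != "* subject: CN=$${RANCHER_HOSTNAME}" ]; do
  if [ "$${attempt}" -ge "$${max_attempts}" ]; then
    echo "Timed out waiting for certificate CN=$${RANCHER_HOSTNAME}" >&2
    exit 1
  fi
  subject=$(curl -vk -m 2 "https://$${RANCHER_HOSTNAME}/ping" 2>&1 | grep "subject:" | tr -s ' ')
  echo "Cert Subject Response: $${subject}"
  if [ "$${subject}" != "* subject: CN=$${RANCHER_HOSTNAME}" ]; then
    sleep 10
  fi
  attempt=$((attempt + 1))
done

# Phase 2: the CN match above proves nothing on its own - any server can present
# a certificate with that CN. Verify the chain against the system trust store
# (no -k) before accepting "pong": letsEncrypt.environment is "production" in
# this file, so the issued certificate must validate. If it is ever switched to
# "staging", this phase needs -k again or will time out.
resp=""
attempt=0
while [ "$${resp}" != "pong" ]; do
  if [ "$${attempt}" -ge "$${max_attempts}" ]; then
    echo "Timed out waiting for https://$${RANCHER_HOSTNAME}/ping to answer pong over a trusted TLS chain" >&2
    exit 1
  fi
  resp=$(curl -sS -m 2 "https://$${RANCHER_HOSTNAME}/ping")
  echo "Rancher Response: $${resp}"
  if [ "$${resp}" != "pong" ]; then
    sleep 10
  fi
  attempt=$((attempt + 1))
done
EOF
    environment = {
      RANCHER_HOSTNAME = "${local.name}.${local.domain}"
      # Referenced only to make this resource depend on the Rancher release.
      TF_LINK = helm_release.rancher.name
    }
  }
}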
resource "rancher2_bootstrap" "admin" {
  # First-login bootstrap of the built-in admin user, replacing the initial
  # password (current_password) with var.rancher_password. Uses the
  # bootstrap-aliased provider and runs only after wait_for_rancher succeeds.
  provider   = rancher2.bootstrap
  depends_on = [null_resource.wait_for_rancher]

  # NOTE(review): both values are stored in Terraform state; keep the variables
  # marked sensitive and restrict access to the state backend.
  current_password = var.rancher_current_password
  password         = var.rancher_password
}
resource "rancher2_auth_config_github" "github" {
  # Optional GitHub login, created only when the count is non-zero. With
  # Rancher's "restricted" access mode only the allowed principals may log in,
  # so the local admin is always included to avoid locking it out when the
  # GitHub principal list is empty.
  count = local.rancher2_auth_config_github_count

  # NOTE(review): client_secret is stored in Terraform state; protect the backend.
  client_id     = var.github_client_id
  client_secret = var.github_client_secret
  access_mode   = "restricted"

  # Concatenate the local Rancher admin id with any specified GitHub principals.
  allowed_principal_ids = concat(
    ["local://${data.rancher2_user.admin.id}"],
    local.rancher2_auth_github_principal_list
  )
}