Merge pull request #4 from goci-io/chore

allow to disable rbac role and service account
goci-io · Dec 31, 2019 · 0d345f8 · 0d345f8
2 parents e7f7b80 + 610b5aa
commit 0d345f8
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/provider.tf b/provider.tf
@@ -1,7 +1,7 @@
 terraform {
   required_version = ">= 0.12.1"
 
-  required_providers = {
+  required_providers {
     kubernetes = "~> 1.8"
   }
 }
diff --git a/rbac.tf b/rbac.tf
@@ -1,4 +1,6 @@
 resource "kubernetes_role" "deployment" {
+  count = var.enabled_rbac_binding ? 1 : 0
+
   metadata {
     name = module.label.id
 
@@ -28,21 +30,23 @@ resource "kubernetes_role" "deployment" {
   }
 }
 
-resource "kubernetes_role_binding" "example" {
+resource "kubernetes_role_binding" "sa_binding" {
+  count = var.enabled_rbac_binding ? 1 : 0
+
   metadata {
-    name      = module.label.id
+    name      = "apps-sa-binding"
     namespace = kubernetes_namespace.namespace.metadata.0.name
   }
 
   role_ref {
-    name      = kubernetes_role.deployment.metadata.0.name
+    name      = kubernetes_role.deployment[0].metadata.0.name
     api_group = "rbac.authorization.k8s.io"
     kind      = "Role"
   }
 
   subject {
     kind      = "ServiceAccount"
-    name      = "${module.label.id}-apps"
+    name      = kubernetes_service_account.namespace[0].metadata.0.name
     namespace = kubernetes_namespace.namespace.metadata.0.name
   }
 }
diff --git a/service-account.tf b/service-account.tf
@@ -4,13 +4,16 @@ locals {
 }
 
 resource "kubernetes_service_account" "namespace" {
+  count = var.enabled_rbac_binding ? 1 : 0
+
   metadata {
     name      = "${module.label.id}-apps"
-    namespace = module.label.id
+    namespace = kubernetes_namespace.namespace.metadata.0.name
   }
 
   dynamic "image_pull_secret" {
     for_each = var.image_pull_secrets
+
     content {
       name = image_pull_secret.key
     }
@@ -23,7 +26,7 @@ resource "kubernetes_secret" "image_pull" {
 
   metadata {
     name      = element(local.pull_secret_keys, count.index)
-    namespace = module.label.id
+    namespace = kubernetes_namespace.namespace.metadata.0.name
   }
 
   data = {

diff --git a/variables.tf b/variables.tf
@@ -30,6 +30,12 @@ variable "image_pull_secrets" {
   description = "Pull secrets to provide to the service account to fetch docker images"
 }
 
+variable "enabled_rbac_binding" {
+  type        = bool
+  default     = true
+  description = "Deploys additional RBAC role binding to a service account named like the namespace (+-apps)"
+}
+
 variable "max_pv_claims" {
   default     = 30
   description = "Maximum amount of PersistentVolumeClaims which can be claimed within this namespace"