From 7738929d5b630e53c5c2916d44043d2c93718b7d Mon Sep 17 00:00:00 2001
From: Shahe Islam
Date: Wed, 15 Jan 2025 14:11:51 +0000
Subject: [PATCH] feat: Changing to reference container image

feat: Changing to reference container image
---
cluster/terraform_kubernetes/reloader.tf | 126 ++++++++++++++++++----
cluster/terraform_kubernetes/variables.tf | 2 +-
2 files changed, 106 insertions(+), 22 deletions(-)

diff --git a/cluster/terraform_kubernetes/reloader.tf b/cluster/terraform_kubernetes/reloader.tf
index 7721f4f2..c37645ad 100644
--- a/cluster/terraform_kubernetes/reloader.tf
+++ b/cluster/terraform_kubernetes/reloader.tf
@@ -1,32 +1,116 @@
-resource "helm_release" "reloader" {
- name = "reloader"
- namespace = "monitoring"
- repository = "https://stakater.github.io/stakater-charts"
- chart = "reloader"
- version = var.reloader_version
+# ClusterRole for Reloader
+resource "kubernetes_cluster_role" "reloader" {
+ metadata {
+ name = "reloader-role"
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["configmaps", "secrets"]
+ verbs = ["list", "get", "watch"]
+ }
+
+ rule {
+ api_groups = ["apps"]
+ resources = ["deployments", "daemonsets", "statefulsets"]
+ verbs = ["list", "get", "update", "patch"]
+ }
- set {
- name = "reloader.watchGlobally"
- value = "true"
+ rule {
+ api_groups = ["extensions"]
+ resources = ["deployments", "daemonsets"]
+ verbs = ["list", "get", "update", "patch"]
 }
+}
- set {
- name = "reloader.deployment.resources.limits.memory"
- value = var.reloader_app_mem
+# ServiceAccount for Reloader
+resource "kubernetes_service_account" "reloader" {
+ metadata {
+ name = "reloader"
+ namespace = "monitoring"
 }
+}
- set {
- name = "reloader.deployment.resources.limits.cpu"
- value = var.reloader_app_cpu
+# ClusterRoleBinding for Reloader
+resource "kubernetes_cluster_role_binding" "reloader" {
+ metadata {
+ name = "reloader-role-binding"
 }
- set {
- name = "reloader.deployment.resources.requests.memory"
- value = var.reloader_app_mem
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.reloader.metadata[0].name
 }
- set {
- name = "reloader.deployment.resources.requests.cpu"
- value = var.reloader_app_cpu
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account.reloader.metadata[0].name
+ namespace = kubernetes_service_account.reloader.metadata[0].namespace
+ }
+}
+
+# Deployment for Reloader
+resource "kubernetes_deployment" "reloader" {
+ metadata {
+ name = "reloader"
+ namespace = "monitoring"
+ labels = {
+ app = "reloader"
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "reloader"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "reloader"
+ }
+ }
+
+ spec {
+ service_account_name = kubernetes_service_account.reloader.metadata[0].name
+
+ container {
+ name = "reloader"
+ image = "stakater/reloader:v${var.reloader_version}"
+
+ args = ["--reload-strategy=annotations"]
+
+ resources {
+ limits = {
+ cpu = var.reloader_app_cpu
+ memory = var.reloader_app_mem
+ }
+ requests = {
+ cpu = var.reloader_app_cpu
+ memory = var.reloader_app_mem
+ }
+ }
+
+ security_context {
+ run_as_user = 65534 # nobody user
+ run_as_group = 65534 # nobody group
+ capabilities {
+ drop = ["ALL"]
+ }
+ allow_privilege_escalation = false
+ privileged = false
+ read_only_root_filesystem = true
+ seccomp_profile {
+ type = "RuntimeDefault"
+ }
+ }
+ }
+ }
+ }
 }
 }
diff --git a/cluster/terraform_kubernetes/variables.tf b/cluster/terraform_kubernetes/variables.tf
index d17dd6c4..3b2aa315 100644
--- a/cluster/terraform_kubernetes/variables.tf
+++ b/cluster/terraform_kubernetes/variables.tf
@@ -209,7 +209,7 @@ variable "filebeat_version" {
 variable "reloader_version" {
 type = string
- description = "Version of the Reloader helm chart to use"
+ description = "Version of the Reloader container image to use"
 default = "1.0.69"
 }
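Review bot: The `image` line in the `kubernetes_deployment.reloader` container block references `stakater/reloader:v${var.reloader_version}` by mutable tag and without a registry host, so what runs depends on the node's default registry and on whatever that tag points to at pull time. This matters more than usual here because the pod runs as the `reloader` service account, which `reloader-role` allows to get, list and watch every Secret in the cluster. Pin the reference to a fully qualified name plus digest, for example `image = "docker.io/stakater/reloader:v${var.reloader_version}@sha256:<digest-of-that-release>"` (placeholder digest, to be taken from the verified release), or pull it from a registry the cluster already trusts. In the same block, `security_context` sets `run_as_user = 65534` but not `run_as_non_root = true`; adding that line makes the kubelet refuse to start the container as root if the UID setting is later dropped.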