init: copy from lawndale-infra

2022-05-27 02:51:52 +02:00
commit 6a60d271bf
18 changed files with 1126 additions and 0 deletions
--- a/ci.tf
+++ b/ci.tf
@@ -0,0 +1,118 @@
+resource "kubernetes_service_account" "terraform_ci_cd" {
+  metadata {
+    namespace = "kube-system"
+    name      = "terraform-ci-cd"
+  }
+  automount_service_account_token = false
+}
+
+
+resource "kubernetes_cluster_role_binding" "terraform_ci_is_a_ci" {
+
+  metadata {
+    name = "terraform-ci-cd-is-a-ci-cd"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.ci_cd.metadata.0.name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.terraform_ci_cd.metadata.0.name
+    namespace = kubernetes_service_account.terraform_ci_cd.metadata.0.namespace
+  }
+}
+
+resource "kubernetes_cluster_role" "ci_cd" {
+  metadata {
+    name = "ci-cd"
+  }
+
+
+  rule {
+    api_groups = [""]
+    resources = [
+      "configmaps",
+      "persistentvolumes",
+      "persistentvolumeclaims",
+      "pods",
+      "namespaces",
+      "secrets",
+      "services",
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+
+  rule {
+    api_groups = ["apps"]
+    resources = [
+      "deployments",
+      "replicasets", # needed for 'helm upgrade --wait'
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+
+  rule {
+    api_groups = ["autoscaling"]
+    resources = [
+      "horizontalpodautoscalers"
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+  rule {
+    api_groups = ["networking.k8s.io"]
+
+    resources = [
+      "ingresses",
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+  rule {
+    api_groups = ["networking.k8s.io"]
+    resources = [
+      "networkpolicies"
+    ]
+    verbs = [
+      "create",
+      "delete",
+      "get",
+      "list",
+      "patch",
+      "update",
+      "watch",
+    ]
+  }
+}