feat(gcp): let helm manage certmanager SA instead of terraform (#882)

* gcp: let helm manage certmanager SA instead of terraform * bump gke version
pluralsh · Nov 10, 2023 · c6558ef · c6558ef
1 parent 581a1d2
commit c6558ef
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 4 deletions.
diff --git a/bootstrap/helm/bootstrap/Chart.yaml b/bootstrap/helm/bootstrap/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
   email: [email protected]
 - name: David van der Spek
   email: [email protected]
-version: 0.8.77
+version: 0.8.78
 dependencies:
 - name: external-dns
   version: 6.14.1

diff --git a/bootstrap/helm/bootstrap/values.yaml.tpl b/bootstrap/helm/bootstrap/values.yaml.tpl
@@ -183,9 +183,13 @@ dnsSolver:
 
 {{ if $isGcp }}
 cert-manager:
+  podAnnotations:
+    checksum/sa: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" | sha256sum }}
   serviceAccount:
-    create: false
+    create: true
     name: certmanager
+    annotations:
+      iam.gke.io/gcp-service-account: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" }}
 
 {{ if not $pluraldns }}
 dnsSolver:

diff --git a/bootstrap/terraform/gcp-bootstrap/deps.yaml b/bootstrap/terraform/gcp-bootstrap/deps.yaml
@@ -11,5 +11,6 @@ spec:
     cluster: cluster
     vpc_network: vpc_network
     capi_sa_workload_identity_email: capi_sa_workload_identity_email
+    certmanager_sa_workload_identity_email: certmanager_sa_workload_identity_email
   provider_wirings:
     cluster: module.gcp-bootstrap.cluster
diff --git a/bootstrap/terraform/gcp-bootstrap/main.tf b/bootstrap/terraform/gcp-bootstrap/main.tf
@@ -104,7 +104,7 @@ resource "kubernetes_namespace" "bootstrap" {
 }
 
 resource "kubernetes_service_account" "certmanager" {
-  count = var.cluster_api ? 0 : 1
+  count = var.cluster_api ? 0 : 0
   metadata {
     name      = "certmanager"
     namespace = var.namespace

diff --git a/bootstrap/terraform/gcp-bootstrap/outputs.tf b/bootstrap/terraform/gcp-bootstrap/outputs.tf
@@ -10,3 +10,7 @@ output "vpc_network" {
 output "capi_sa_workload_identity_email" {
   value = module.capi-workload-identity.gcp_service_account_email
 }
+
+output "certmanager_sa_workload_identity_email" {
+  value = module.certmanager-workload-identity.gcp_service_account_email
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/variables.tf b/bootstrap/terraform/gcp-bootstrap/variables.tf
@@ -253,7 +253,7 @@ variable "num_static_ips" {
 
 variable "kubernetes_version" {
   type = string
-  default = "1.24.17-gke.200"
+  default = "1.24.17-gke.2211000"
 }
 
 variable "vpc_subnetwork_cidr_range" {