From c6558ef3d8424576a906bb626d73d460027f7712 Mon Sep 17 00:00:00 2001
From: Sebastian Florek
Date: Fri, 10 Nov 2023 16:48:57 +0100
Subject: [PATCH] feat(gcp): let helm manage certmanager SA instead of terraform (#882)

* gcp: let helm manage certmanager SA instead of terraform
* bump gke version
---
 bootstrap/helm/bootstrap/Chart.yaml | 2 +-
 bootstrap/helm/bootstrap/values.yaml.tpl | 6 +++++-
 bootstrap/terraform/gcp-bootstrap/deps.yaml | 1 +
 bootstrap/terraform/gcp-bootstrap/main.tf | 2 +-
 bootstrap/terraform/gcp-bootstrap/outputs.tf | 4 ++++
 bootstrap/terraform/gcp-bootstrap/variables.tf | 2 +-
 6 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/bootstrap/helm/bootstrap/Chart.yaml b/bootstrap/helm/bootstrap/Chart.yaml
index 789f04094..f83819f75 100644
--- a/bootstrap/helm/bootstrap/Chart.yaml
+++ b/bootstrap/helm/bootstrap/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
 email: mguarino46@gmail.com
 - name: David van der Spek
 email: david@plural.sh
-version: 0.8.77
+version: 0.8.78
 dependencies:
 - name: external-dns
 version: 6.14.1
diff --git a/bootstrap/helm/bootstrap/values.yaml.tpl b/bootstrap/helm/bootstrap/values.yaml.tpl
index 38cf4b559..4035d9867 100644
--- a/bootstrap/helm/bootstrap/values.yaml.tpl
+++ b/bootstrap/helm/bootstrap/values.yaml.tpl
@@ -183,9 +183,13 @@ dnsSolver:
 {{ if $isGcp }}
 cert-manager:
+ podAnnotations:
+ checksum/sa: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" | sha256sum }}
 serviceAccount:
- create: false
+ create: true
 name: certmanager
+ annotations:
+ iam.gke.io/gcp-service-account: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" }}
 {{ if not $pluraldns }}
 dnsSolver:
diff --git a/bootstrap/terraform/gcp-bootstrap/deps.yaml b/bootstrap/terraform/gcp-bootstrap/deps.yaml
index 8804c3265..7641bf59b 100644
--- a/bootstrap/terraform/gcp-bootstrap/deps.yaml
+++ b/bootstrap/terraform/gcp-bootstrap/deps.yaml
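Review bot: The `iam.gke.io/gcp-service-account` annotation on the now chart-created `certmanager` service account only works if the GCP-side Workload Identity binding names exactly this namespace and SA name; that binding lives in `module.certmanager-workload-identity`, which is not in this diff, so it should be confirmed that the module is set to bind to the existing Kubernetes SA rather than create its own, and that its namespace matches the chart's release namespace (the Terraform resource used `var.namespace`). Flipping `create` from `false` to `true` also means Helm will try to take ownership of an SA that Terraform previously created under the same name; unless that object is deleted from the cluster (or dropped from Terraform state) before the upgrade, Helm will most likely reject it for missing release ownership metadata. The `checksum/sa` pod annotation is a sensible way to roll cert-manager when the GSA changes, but deserves a one-line comment, e.g. `# restart cert-manager pods when the Workload Identity GSA email changes`.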
@@ -11,5 +11,6 @@ spec:
 cluster: cluster
 vpc_network: vpc_network
 capi_sa_workload_identity_email: capi_sa_workload_identity_email
+ certmanager_sa_workload_identity_email: certmanager_sa_workload_identity_email
 provider_wirings:
 cluster: module.gcp-bootstrap.cluster
diff --git a/bootstrap/terraform/gcp-bootstrap/main.tf b/bootstrap/terraform/gcp-bootstrap/main.tf
index 4e758e46a..c46da946e 100644
--- a/bootstrap/terraform/gcp-bootstrap/main.tf
+++ b/bootstrap/terraform/gcp-bootstrap/main.tf
@@ -104,7 +104,7 @@ resource "kubernetes_namespace" "bootstrap" {
 }
 resource "kubernetes_service_account" "certmanager" {
- count = var.cluster_api ? 0 : 1
+ count = var.cluster_api ? 0 : 0
 metadata {
 name = "certmanager"
 namespace = var.namespace
diff --git a/bootstrap/terraform/gcp-bootstrap/outputs.tf b/bootstrap/terraform/gcp-bootstrap/outputs.tf
index 7496af049..cbc2f4a90 100644
--- a/bootstrap/terraform/gcp-bootstrap/outputs.tf
+++ b/bootstrap/terraform/gcp-bootstrap/outputs.tf
@@ -10,3 +10,7 @@ output "vpc_network" {
 output "capi_sa_workload_identity_email" {
 value = module.capi-workload-identity.gcp_service_account_email
 }
+
+output "certmanager_sa_workload_identity_email" {
+ value = module.certmanager-workload-identity.gcp_service_account_email
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/variables.tf b/bootstrap/terraform/gcp-bootstrap/variables.tf
index b941146c5..e209e14e6 100644
--- a/bootstrap/terraform/gcp-bootstrap/variables.tf
+++ b/bootstrap/terraform/gcp-bootstrap/variables.tf
@@ -253,7 +253,7 @@ variable "num_static_ips" {
 variable "kubernetes_version" {
 type = string
- default = "1.24.17-gke.200"
+ default = "1.24.17-gke.2211000"
 }
 variable "vpc_subnetwork_cidr_range" {
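Review bot: `count = var.cluster_api ? 0 : 0` is a conditional that always evaluates to 0, so `kubernetes_service_account.certmanager` is now dead code that still reads as if it depended on `var.cluster_api`; write it as `count = 0 # certmanager SA is created by the bootstrap chart (values.yaml.tpl)` or remove the block once existing state is cleaned up. Going to zero instances also makes Terraform delete the in-cluster `certmanager` SA on the next apply, and since the provider tracks the object by namespace/name, if the Helm upgrade that now creates that SA has already run Terraform will delete Helm's object too, leaving cert-manager without its Workload Identity binding until Helm reconciles again. A `terraform state rm` of this resource (or a `removed` block, if the Terraform version in use supports it) would hand the object over without a delete. The resource block continues outside the hunk.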
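Review bot: The new `certmanager_sa_workload_identity_email` output has no `description`, consistent with the neighbouring outputs but leaving its consumer (the `iam.gke.io/gcp-service-account` annotation in the bootstrap chart, wired through `deps.yaml`) undocumented; suggest `description = "Email of the GCP service account bound to the certmanager Kubernetes SA through Workload Identity"`. `module.certmanager-workload-identity` is not part of this diff, so whether it exposes `gcp_service_account_email` and is bound to the chart-created SA cannot be checked here.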