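# Wiring between the Gitea instance in the "<domain>-ci" namespace and the
# per-stage deployment namespaces: SSH host-key discovery, one SSH key pair per
# stage, a CI bot user, and the organisation / team layout in Gitea.
# Every resource below is gated on var.haveGitea (directly or via
# local.needKnownHost); the four data sources are read unconditionally.
locals {
  # Host keys are only needed when something will actually reach Gitea over SSH.
  needKnownHost = var.haveGitea && (length(local.sorted-stages) > 0 || var.haveTekton)
  needDeploy    = var.haveGitea && length(local.sorted-stages) > 0

  gitea_host     = "http://gitea-http.${var.domain}-ci.svc:3000/"
  gitea_username = data.kubernetes_secret_v1.gitea.data["username"]
  # Admin credentials are read straight out of the cluster secret and therefore
  # land in Terraform state; the state backend has to be treated as sensitive.
  gitea_password   = data.kubernetes_secret_v1.gitea.data["password"]
  ci-user-password = random_password.password.result

  # Where the scanned Gitea host keys are staged before being embedded in the
  # per-stage SSHKeyPair manifests.
  known_hosts_file = "${path.module}/known_host.txt"
}

# TLS material for Gitea; not referenced in this part of the module.
data "kubernetes_secret_v1" "gitea-cert" {
  metadata {
    name      = "gitea-cert"
    namespace = "${var.domain}-ci"
  }
}

# Admin user credentials, consumed through local.gitea_username / gitea_password.
data "kubernetes_secret_v1" "gitea" {
  metadata {
    name      = "gitea-admin-user"
    namespace = "${var.domain}-ci"
  }
}

# Ingress whose first rule host is the fallback SSH endpoint for the key scan.
data "kubernetes_ingress_v1" "gitea" {
  metadata {
    name      = "gitea"
    namespace = "${var.domain}-ci"
  }
}

# SSH service; its first port is the port the key scan targets.
data "kubernetes_service" "gitea-ssh" {
  metadata {
    name      = "gitea-ssh"
    namespace = "${var.domain}-ci"
  }
}

# Collects Gitea's SSH host keys into local.known_hosts_file.
resource "null_resource" "get_known" {
  count = local.needKnownHost ? 1 : 0

  # timestamp() changes on every run, so the scan is repeated on each apply.
  triggers = {
    always_run = timestamp()
  }

  # ssh-keyscan accepts whatever key the endpoint presents at scan time
  # (trust-on-first-use, and because of the trigger above, re-trusted on every
  # apply); a host key obtained out of band would be the stronger source.
  # The scan goes to a temporary file that is only published when non-empty:
  # an unreachable host or an empty reply must fail the apply rather than
  # distribute an empty known_hosts to every stage.
  provisioner "local-exec" {
    command = <<-EOT
      set -e
      ssh-keyscan -p ${data.kubernetes_service.gitea-ssh.spec[0].port[0].port} ${var.gitea-ssh-domain != "" ? var.gitea-ssh-domain : data.kubernetes_ingress_v1.gitea.spec[0].rule[0].host} > ${local.known_hosts_file}.tmp
      test -s ${local.known_hosts_file}.tmp
      mv ${local.known_hosts_file}.tmp ${local.known_hosts_file}
    EOT
  }
}

# Reads the scan result back; depends_on forces the read after the scan.
data "local_file" "known_host" {
  count      = local.needKnownHost ? 1 : 0
  filename   = local.known_hosts_file
  depends_on = [null_resource.get_known]
}

# One generated SSH key pair per stage namespace, carrying Gitea's host keys so
# that clients in the stage can verify the server.
resource "kubectl_manifest" "ssh-creds" {
  depends_on = [kubernetes_namespace_v1.ns]
  count      = var.haveGitea ? length(local.sorted-stages) : 0

  # known_hosts is emitted with jsonencode(): a JSON string is a valid YAML
  # double-quoted scalar with escaped newlines. Interpolating the file content
  # raw inside "…" lets YAML fold the line breaks between known_hosts entries
  # into spaces, which leaves only the first entry usable.
  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "SSHKeyPair"
    metadata:
      name: "ssh-credentials"
      namespace: "${local.sorted-stages[count.index].namespace}"
      labels: ${jsonencode(local.common_labels)}
    spec:
      length: "4096"
      forceRegenerate: false
      data:
        known_hosts: ${jsonencode(data.local_file.known_host[0].content)}
  EOF

  # The body differs on every apply (fresh scan); ignoring it keeps the
  # manifest from being re-applied each time. Note that a changed Gitea host
  # key then also does not propagate on its own.
  lifecycle {
    ignore_changes = [
      yaml_body,
    ]
  }
}

# Reads the public half of each stage's generated key pair.
# NOTE(review): depends_on waits for the manifest to be applied, not for the
# operator to populate the secret — confirm the read cannot race key generation.
data "kubernetes_secret_v1" "ssh-creds-read" {
  depends_on = [kubectl_manifest.ssh-creds]
  count      = var.haveGitea ? length(local.sorted-stages) : 0

  metadata {
    name      = "ssh-credentials"
    namespace = local.sorted-stages[count.index].namespace
  }
}

# Password for the CI bot user (stored in state as a sensitive value).
resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# Non-interactive bot account that owns the per-stage public keys.
resource "gitea_user" "user-ci" {
  count      = local.needKnownHost ? 1 : 0
  username   = "${var.instance}-ci"
  login_name = "${var.instance}-ci"
  password   = local.ci-user-password
  email      = "${var.instance}-ci@${var.domain_name}"
  # NOTE(review): this account authenticates with the stage SSH keys below;
  # forcing a password change on an account nobody logs into interactively may
  # leave the flag set indefinitely — confirm this is intended.
  must_change_password = true
}

# One public key per stage, attached to the bot user. The count matches
# kubectl_manifest.ssh-creds; whenever it is non-zero, local.needKnownHost is
# true, so gitea_user.user-ci[0] exists.
resource "gitea_public_key" "user-ci-keys" {
  count    = var.haveGitea ? length(local.sorted-stages) : 0
  title    = "Stage ${local.sorted-stages[count.index].name} for organisation ${var.instance}"
  username = gitea_user.user-ci[0].username
  key      = data.kubernetes_secret_v1.ssh-creds-read[count.index].data["ssh-publickey"]
}

# Organisation named after the instance without its "org-" prefix.
resource "gitea_org" "orga" {
  count = var.haveGitea ? 1 : 0
  name  = trimprefix(var.instance, "org-")
}

# Private repository holding the deployment definitions.
resource "gitea_repository" "deploy" {
  count    = local.needKnownHost ? 1 : 0
  username = gitea_org.orga[0].name
  name     = "deploy"
  private  = true
}

# Bot user gets write access to the deploy repository only.
resource "gitea_team" "cd-team" {
  count                    = local.needKnownHost ? 1 : 0
  name                     = "Deployment"
  organisation             = gitea_org.orga[0].name
  description              = "Deployment"
  permission               = "write"
  members                  = [gitea_user.user-ci[0].username]
  include_all_repositories = false
  # The guard mirrors count; it is redundant but harmless.
  repositories = local.needKnownHost ? [gitea_repository.deploy[0].name] : []
}

# Read-only team for the bot user (no repositories are attached here).
resource "gitea_team" "ci-team" {
  count        = local.needKnownHost ? 1 : 0
  name         = "Automation"
  organisation = gitea_org.orga[0].name
  description  = "Automation"
  permission   = "read"
  members      = [gitea_user.user-ci[0].username]
}

# Team for human developers; membership is managed outside this module.
resource "gitea_team" "dev-team" {
  count        = var.haveGitea ? 1 : 0
  name         = "Devs"
  organisation = gitea_org.orga[0].name
  description  = "Dev Team"
  permission   = "write"
}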