127 lines
3.9 KiB
HCL
127 lines
3.9 KiB
HCL
locals {
|
|
app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"
|
|
mongo_labels = merge(var.labels, {
|
|
"app.kubernetes.io/component" = "mongo"
|
|
})
|
|
db_name = var.db_name == "" ? var.component == "" ? var.instance : var.component : var.db_name
|
|
username = var.username == "" ? var.component == "" ? var.instance : var.component : var.username
|
|
mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
|
|
}
|
|
resource "kubectl_manifest" "mongo_secret" {
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
|
|
kind: "StringSecret"
|
|
metadata:
|
|
name: "${local.app_slug}-mongo"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.mongo_labels)}
|
|
spec:
|
|
forceRegenerate: false
|
|
fields:
|
|
- fieldName: "password"
|
|
length: "16"
|
|
EOF
|
|
}
|
|
data "kubernetes_secret_v1" "mongo_secret" {
|
|
depends_on = [kubectl_manifest.mongo_secret]
|
|
metadata {
|
|
name = "${local.app_slug}-mongo"
|
|
namespace = var.namespace
|
|
}
|
|
}
|
|
resource "kubectl_manifest" "mongo" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: mongodbcommunity.mongodb.com/v1
|
|
kind: MongoDBCommunity
|
|
metadata:
|
|
name: "${local.app_slug}-mongo"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.mongo_labels)}
|
|
spec:
|
|
members: 1
|
|
type: ${var.mongo_type}
|
|
version: "${var.mongo_version}"
|
|
statefulSet:
|
|
spec:
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
"k8up.io/backupcommand": "sh -c 'mongodump --username=$MONGODB_USER --password=$MONGODB_PASSWORD mongodb://localhost/$MONGODB_NAME --archive'"
|
|
"k8up.io/file-extension": ".archive"
|
|
spec:
|
|
containers:
|
|
- name: mongod
|
|
imagePullPolicy: "${var.pull_policy}"
|
|
resources: ${jsonencode(var.resources)}
|
|
env:
|
|
- name: MONGODB_NAME
|
|
value: ${local.db_name}
|
|
- name: MONGODB_USER
|
|
value: ${local.username}
|
|
- name: MONGODB_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${local.app_slug}-mongo"
|
|
key: password
|
|
security:
|
|
authentication:
|
|
modes: ["SCRAM"]
|
|
additionalMongodConfig:
|
|
storage.wiredTiger.engineConfig.cacheSizeGB: 1
|
|
users:
|
|
- name: ${local.username}
|
|
db: ${local.db_name}
|
|
passwordSecretRef:
|
|
name: "${local.app_slug}-mongo"
|
|
roles:
|
|
- db: ${local.db_name}
|
|
name: readWrite
|
|
scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "mongo_sa" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: "${local.app_slug}-mongodb-database"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.mongo_labels)}
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "mongo_role" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: "${local.app_slug}-mongodb-database"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.mongo_labels)}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["patch", "delete", "get"]
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "mongo_rb" {
|
|
yaml_body = <<-EOF
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: "${local.app_slug}-mongodb-database"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.mongo_labels)}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: ${local.app_slug}-mongodb-database
|
|
roleRef:
|
|
kind: Role
|
|
name: ${local.app_slug}-mongodb-database
|
|
apiGroup: rbac.authorization.k8s.io
|
|
EOF
|
|
}
|