terraform-provider-stackit

Add cluster certificate and host outputs to the ske_cluster data

Open tchelovilar opened this issue 1 year ago • 4 comments

Adding the cluster certificate and host outputs to the ske_cluster data will smoothly improve Kubernetes provider setup.

data "stackit_ske_cluster" "main" {
  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name       = "example-name"
}

provider "kubernetes" {
  host                   = data.stackit_ske_cluster.main.host
  cluster_ca_certificate = base64decode(data.stackit_ske_cluster.main.cluster_ca_certificate)

  exec {
    api_version = "client.authentication.k8s.io/v1"
    command     = "stackit"
    args        = ["ske", "kubeconfig", "login", "--project=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "--cluster=name"]
  }
}

tchelovilar avatar May 28 '24 11:05 tchelovilar

Hi @tchelovilar, we are currently checking how to provide this info. I'll get back to you soon

vicentepinto98 avatar May 31 '24 15:05 vicentepinto98

As mentioned in https://github.com/stackitcloud/stackit-cli/issues/358, in the meantime you can manually retrieve the login kubeconfig and provide it to the Kubernetes TF provider:

provider "kubernetes" {
  config_path = "~/.kube/config"
}

vicentepinto98 avatar May 31 '24 15:05 vicentepinto98

My current solution, based on the short-lived kubeconfig resource:

locals {
  kubeconfig_yaml = stackit_ske_kubeconfig.ske.kube_config
  kubeconfig_hcl  = yamldecode(local.kubeconfig_yaml)
}

provider "kubernetes" {
  host                   = local.kubeconfig_hcl.clusters.0.cluster.server
  cluster_ca_certificate = base64decode(local.kubeconfig_hcl.clusters.0.cluster.certificate-authority-data)
  client_certificate     = base64decode(local.kubeconfig_hcl.users.0.user.client-certificate-data)
  client_key             = base64decode(local.kubeconfig_hcl.users.0.user.client-key-data)
}


provider "helm" {
  kubernetes {
    host                   = local.kubeconfig_hcl.clusters.0.cluster.server
    cluster_ca_certificate = base64decode(local.kubeconfig_hcl.clusters.0.cluster.certificate-authority-data)
    client_certificate     = base64decode(local.kubeconfig_hcl.users.0.user.client-certificate-data)
    client_key             = base64decode(local.kubeconfig_hcl.users.0.user.client-key-data)
  }
}

not22day avatar Jun 12 '24 08:06 not22day

Hi @not22day,

I have found an interesting workaround: I created the ske_login.sh script to generate the expected values for the Kubernetes provider. That is working well, and will be better once we have the certificate CA and host outputs from the ske cluster resource and data. You just need a service account token, and to activate the service account before running Terraform:

stackit auth activate-service-account --service-account-token $STACKIT_SERVICE_ACCOUNT_TOKEN

ske_login.sh

#!/bin/bash
# Workaround to generate the StackIT kubeconfig for kubernetes terraform provider

# Positional arguments, in the order given in the provider's exec block
STACKIT_PROJECT_ID=$1
SERVER=$2
CLUSTER_NAME=$3

# ExecCredential request, built by hand and exported for the stackit CLI; expansions are quoted
export KUBERNETES_EXEC_INFO='{"apiVersion": "client.authentication.k8s.io/v1","kind": "ExecCredential", "spec": { "cluster": { "config": { "STACKITProjectID": "'"$STACKIT_PROJECT_ID"'", "ClusterName": "'"$CLUSTER_NAME"'"}, "server": "'"$SERVER"'"}, "interactive": false } }'

stackit ske kubeconfig login

Provider configuration:

provider "kubernetes" {
  host                   = var.cluster_endpoint
  cluster_ca_certificate = base64decode(var.cluster_ca_cert)

  exec {
    api_version = "client.authentication.k8s.io/v1"
    args        = [var.stackit_project_id, var.cluster_endpoint, stackit_ske_cluster.main.name]
    command     = "../ske_login.sh"
  }
}

tchelovilar avatar Jun 12 '24 11:06 tchelovilar
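
A stricter variant of the ske_login.sh wrapper above, as an added example that is not part of the thread or of the STACKIT project: it rejects any argument that could alter the hand-built ExecCredential JSON before exporting KUBERNETES_EXEC_INFO. The function name build_exec_info and the three allowlists (UUID-shaped project ID, https server URL, lowercase cluster name) are assumptions, not STACKIT's documented rules.

```shell
#!/bin/bash
# Added example: validate inputs before building KUBERNETES_EXEC_INFO.
# The allowlists below are assumptions, not STACKIT's documented rules.
LC_ALL=C

# build_exec_info PROJECT_ID SERVER CLUSTER_NAME
# Prints the ExecCredential JSON, or returns 1 if any value could break out
# of its JSON string (quotes, backslashes, whitespace, control characters).
build_exec_info() {
  [ "$#" -eq 3 ] || return 1

  # Project ID: UUID-shaped, hex digits and hyphens only.
  case $1 in
    *[!0-9a-fA-F-]*) return 1 ;;
    ????????-????-????-????-????????????) ;;
    *) return 1 ;;
  esac

  # Server: https URL made of host, port and path characters only.
  case $2 in
    https://?*) ;;
    *) return 1 ;;
  esac
  case ${2#https://} in
    *[!A-Za-z0-9.:/_-]*) return 1 ;;
  esac

  # Cluster name: lowercase letters, digits and hyphens.
  case $3 in
    '' | *[!a-z0-9-]*) return 1 ;;
  esac

  printf '{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","spec":{"cluster":{"config":{"STACKITProjectID":"%s","ClusterName":"%s"},"server":"%s"},"interactive":false}}' "$1" "$3" "$2"
}

# Same argument order as the provider's exec args: project ID, server, cluster name.
if [ "$#" -eq 3 ]; then
  KUBERNETES_EXEC_INFO=$(build_exec_info "$@") || {
    echo "ske_login.sh: rejected argument" >&2
    exit 1
  }
  export KUBERNETES_EXEC_INFO
  exec stackit ske kubeconfig login
fi
```

Because the values are checked against allowlists rather than escaped, the script needs no JSON tooling such as jq on the machine running Terraform.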