Kubernetes secret with Flux and Terraform

拥有回忆 submitted on 2021-01-29 12:38:14

Question


I am new to terraform and devops in general. First I need to get the ssh key from a url into known_hosts to use later for Flux.

data "helm_repository" "fluxcd" {
  name = "fluxcd"
  url  = "https://charts.fluxcd.io"
}

resource "helm_release" "flux" {
  name      = "flux"
  namespace = "flux"

  repository = data.helm_repository.fluxcd.metadata[0].name
  chart      = "flux"

  set {
    name  = "git.url"
    value = "git.project"
  }

  set {
    name  = "git.secretName"
    value = "flux-git-deploy"
  }

  set {
    name  = "syncGarbageCollection.enabled"
    value = true
  }

  set_string {
    name  = "ssh.known_hosts"
    value = "" # Need this value from url
  }

}

Then I need to generate a key and use it to create a kubernetes secret to communicate with the gitlab repository.

# Generates the key pair referenced by the secret and the deploy key below.
resource "tls_private_key" "flux" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "kubernetes_secret" "flux-git-deploy" {
  metadata {
    name      = "flux-git-deploy"
    namespace = "flux"
  }

  type = "Opaque"

  # The provider base64-encodes values in "data" itself.
  data = {
    identity = tls_private_key.flux.private_key_pem
  }
}

resource "gitlab_deploy_key" "flux_deploy_key" {
  title    = "Title"
  project  = "ProjectID"
  key      = tls_private_key.flux.public_key_openssh
  can_push = true
}

I am not sure if I am on the right track. Any advice will help.


Answer 1:


There are a few approaches you could use. They can be divided into two categories:

  • generate the ssh_known_hosts manually and use the output through variables or files
    • create the file on the machine where you're running terraform with the command ssh-keyscan <git_domain> and set the path as the value for ssh.known_hosts.
    • You can also use the file function directly in the variable or use the file output directly as an env variable. Personally I would not recommend it because the value is saved directly in the terraform state, but in this case it is not a critical issue. Critical would be if you were using ssh_keys or credentials.
  • Another approach would be to use the local-exec provisioner with a null_resource before you create the helm resource for flux and create the file directly in terraform. But in addition to that you have to take care of accessing the file you created and also of managing the triggers to run the command if a setting is changed.

In general, I would not use terraform for such things. It is fine for providing infrastructure like aws resources or services which are directly bound to the infrastructure, but in order to create and run services you need a provisioning tool like ansible where you can run commands like "ssh-keyscan" directly as a module. In the end you need a stable pipeline where you run ansible (or your favorite provisioning tool) after a terraform change.

But if you want to use only terraform, you're going the right way.
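An added example (not from the question or the answer) of the second category, the null_resource/local-exec route, that accepts the scanned host key only if it matches a fingerprint you pin; var.git_host, var.expected_host_key_fingerprint and the repository path are assumptions, and ssh-keyscan/ssh-keygen must exist on the machine running terraform:

```hcl
variable "git_host" {
  type    = string
  default = "gitlab.com" # assumption: the Git host Flux pulls from
}

variable "expected_host_key_fingerprint" {
  type = string # placeholder: SHA256:... fingerprint published by your Git host
}

# ssh-keyscan alone is trust-on-first-use: it would record an impostor's key
# just as happily. Accept the scan only if it matches the pinned fingerprint.
resource "null_resource" "known_hosts" {
  triggers = {
    git_host    = var.git_host
    fingerprint = var.expected_host_key_fingerprint
  }

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    command     = <<-EOT
      set -eu
      ssh-keyscan -t ed25519 "${var.git_host}" > "${path.module}/known_hosts.tmp"
      ssh-keygen -lf "${path.module}/known_hosts.tmp" | grep -qF "${var.expected_host_key_fingerprint}"
      mv "${path.module}/known_hosts.tmp" "${path.module}/known_hosts"
    EOT
  }
}

# Read the verified file back; depends_on makes sure the scan ran first.
data "local_file" "known_hosts" {
  filename   = "${path.module}/known_hosts"
  depends_on = [null_resource.known_hosts]
}

resource "helm_release" "flux" {
  name       = "flux"
  namespace  = "flux"
  repository = "https://charts.fluxcd.io"
  chart      = "flux"

  set {
    name  = "git.url"
    value = "git@${var.git_host}:group/project.git" # placeholder repository path
  }
  # Pass the file's content, not its path: the chart writes it into the pod.
  set_string {
    name  = "ssh.known_hosts"
    value = data.local_file.known_hosts.content
  }
}
```

The known_hosts content is public, so its landing in state is harmless; the private key from tls_private_key is not, as the answer notes, so the state backend needs the same protection as the key itself.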



Source: https://stackoverflow.com/questions/63811781/kubernetes-secret-with-flux-and-terraform
