feat(gcp): let helm manage certmanager SA instead of terraform (#882)

floreks · web-flow · commit c6558ef3d842 · 2023-11-10T16:48:57.000+01:00
* gcp: let helm manage certmanager SA instead of terraform

* bump gke version
diff --git a/bootstrap/helm/bootstrap/Chart.yaml b/bootstrap/helm/bootstrap/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
   email: mguarino46@gmail.com
 - name: David van der Spek
   email: david@plural.sh
-version: 0.8.77
+version: 0.8.78
 dependencies:
 - name: external-dns
   version: 6.14.1
diff --git a/bootstrap/helm/bootstrap/values.yaml.tpl b/bootstrap/helm/bootstrap/values.yaml.tpl
@@ -183,9 +183,13 @@ dnsSolver:
 
 {{ if $isGcp }}
 cert-manager:
+  podAnnotations:
+    checksum/sa: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" | sha256sum }}
   serviceAccount:
-    create: false
+    create: true
     name: certmanager
+    annotations:
+      iam.gke.io/gcp-service-account: {{ importValue "Terraform" "certmanager_sa_workload_identity_email" }}
 
 {{ if not $pluraldns }}
 dnsSolver:
diff --git a/bootstrap/terraform/gcp-bootstrap/deps.yaml b/bootstrap/terraform/gcp-bootstrap/deps.yaml
@@ -11,5 +11,6 @@ spec:
     cluster: cluster
     vpc_network: vpc_network
     capi_sa_workload_identity_email: capi_sa_workload_identity_email
+    certmanager_sa_workload_identity_email: certmanager_sa_workload_identity_email
   provider_wirings:
     cluster: module.gcp-bootstrap.cluster
diff --git a/bootstrap/terraform/gcp-bootstrap/main.tf b/bootstrap/terraform/gcp-bootstrap/main.tf
@@ -104,7 +104,7 @@ resource "kubernetes_namespace" "bootstrap" {
 }
 
 resource "kubernetes_service_account" "certmanager" {
-  count = var.cluster_api ? 0 : 1
+  count = var.cluster_api ? 0 : 0
   metadata {
     name      = "certmanager"
     namespace = var.namespace
diff --git a/bootstrap/terraform/gcp-bootstrap/outputs.tf b/bootstrap/terraform/gcp-bootstrap/outputs.tf
@@ -10,3 +10,7 @@ output "vpc_network" {
 output "capi_sa_workload_identity_email" {
   value = module.capi-workload-identity.gcp_service_account_email
 }
+
+output "certmanager_sa_workload_identity_email" {
+  value = module.certmanager-workload-identity.gcp_service_account_email
+}
diff --git a/bootstrap/terraform/gcp-bootstrap/variables.tf b/bootstrap/terraform/gcp-bootstrap/variables.tf
@@ -253,7 +253,7 @@ variable "num_static_ips" {
 
 variable "kubernetes_version" {
   type = string
-  default = "1.24.17-gke.200"
+  default = "1.24.17-gke.2211000"
 }
 
 variable "vpc_subnetwork_cidr_range" {

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ resource "kubernetes_namespace" "bootstrap" {`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`resource "kubernetes_service_account" "certmanager" {`
`107`		`- count = var.cluster_api ? 0 : 1`
	`107`	`+ count = var.cluster_api ? 0 : 0`
`108`	`108`	`metadata {`
`109`	`109`	`name = "certmanager"`
`110`	`110`	`namespace = var.namespace`
Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,7 @@ output "vpc_network" {`
`10`	`10`	`output "capi_sa_workload_identity_email" {`
`11`	`11`	`value = module.capi-workload-identity.gcp_service_account_email`
`12`	`12`	`}`
	`13`	`+`
	`14`	`+output "certmanager_sa_workload_identity_email" {`
	`15`	`+ value = module.certmanager-workload-identity.gcp_service_account_email`
	`16`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,7 @@ variable "num_static_ips" {`
`253`	`253`
`254`	`254`	`variable "kubernetes_version" {`
`255`	`255`	`type = string`
`256`		`- default = "1.24.17-gke.200"`
	`256`	`+ default = "1.24.17-gke.2211000"`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`variable "vpc_subnetwork_cidr_range" {`