add gitattributes with git-crypt

.drone.yml

@@ -3,14 +3,13 @@ type: kubernetes
 name: default
 
 steps:
-  - name: test
+  - name: Get terraform files
     image: alpine
     # environment:
       # kek:
       #   from_secret: tfstate
     commands:
-      - "apk update && apk add jq curl perl"
+      - "apk update && apk add jq curl"
-      # - "sleep 900"
       - |
         curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/tfstate -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.tfstate | base64 -d | gzip -d > /terraform.tfstate
       - |
@@ -26,7 +25,14 @@ steps:
   - name: Terraform apply
     image: hashicorp/terraform:latest
     commands:
-      - "terraform init && terraform plan"
+      - "terraform init"
+      - "terraform plan -target=module.kubernetes_cluster"
+
+  - name: Update configmap
+    image: alpine
+    commands:
+      - "apk update && apk add curl"
+      - "head terraform.tfstate"
     # plan: true
     # root_dir: "/data/src"
     # var_files:

.gitattributes

@@ -0,0 +1,4 @@
+.gitattributes !filter !diff
+
+*.tfstate filter=git-crypt diff=git-crypt
+*.tfvars filter=git-crypt diff=git-crypt

.gitignore

@@ -7,7 +7,7 @@
 **/.terraform/*
 
 # .tfstate files
-*.tfstate
+#*.tfstate
 *.tfstate.*
 
 # Crash log files
@@ -18,7 +18,7 @@ crash.log
 # version control.
 #
 # example.tfvars
-*.tfvars
+#*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

main.tf

@@ -1,3 +1,7 @@
+variable "prod" {
+  type    = bool
+  default = false
+}
 variable "vsphere_password" {}
 variable "vsphere_user" {}
 variable "vsphere_server" {}
@@ -26,13 +30,26 @@ variable "ansible_prefix" {
   default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
   description = "Provisioner command"
 }
+
+data "terraform_remote_state" "foo" {
+  backend = "kubernetes"
+  config = {
+    secret_suffix     = "state"
+    namespace         = "drone"
+    in_cluster_config = var.prod
+    host              = "https://kubernetes:6443"
+    //  load_config_file  = true
+  }
+
+  depends_on = [module.kubernetes_cluster]
+}
 provider "kubernetes" {
-  config_path = "~/.kube/config"
+  # config_path = "~/.kube/config"
 }
 
 provider "helm" {
   kubernetes {
-    config_path = "~/.kube/config"
+    # config_path = "~/.kube/config"
   }
 }
 

modules/kubernetes/drone/main.tf

@@ -28,6 +28,28 @@ module "tls_secret" {
   tls_key         = var.tls_key
 }
 
+resource "kubernetes_config_map" "tfvars" {
+  metadata {
+    name      = "tfvars"
+    namespace = "drone"
+  }
+
+  data = {
+    "tfvars" = base64gzip(file("${path.root}/terraform.tfvars"))
+  }
+}
+
+resource "kubernetes_config_map" "tfstate" {
+  metadata {
+    name      = "tfstate"
+    namespace = "drone"
+  }
+
+  data = {
+    "tfstate" = base64gzip(file("${path.root}/terraform.tfstate"))
+  }
+}
+
 resource "kubernetes_deployment" "drone_server" {
   metadata {
     name      = "drone-server"
@@ -141,6 +163,8 @@ resource "kubernetes_ingress" "drone" {
     namespace = "drone"
     annotations = {
       "kubernetes.io/ingress.class" = "nginx"
+      //"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+      //"nginx.ingress.kubernetes.io/auth-tls-secret"        = "default/ca-secret"
     }
   }
 
@@ -169,6 +193,11 @@ resource "kubernetes_cluster_role" "drone" {
   metadata {
     name = "drone"
   }
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps"]
+    verbs      = ["get", "list", "update", "patch"]
+  }
   rule {
     api_groups = [""]
     resources  = ["secrets"]
@@ -197,7 +226,8 @@ resource "kubernetes_cluster_role_binding" "drone" {
   }
   role_ref {
     kind = "ClusterRole"
-    name      = "drone"
+    # name      = "drone"
+    name      = "cluster-admin"
     api_group = "rbac.authorization.k8s.io"
   }
 }
@@ -240,6 +270,15 @@ resource "kubernetes_deployment" "drone_runner" {
               memory = "1Gi"
             }
           }
+          volume_mount {
+            mount_path = "/terraform.tfvars"
+            name       = "tfvars"
+            sub_path   = "tfvars"
+          }
+          # volume_mount {
+          #   mount_path = "/data/"
+          #   name       = "data"
+          # }
           env {
             name  = "DRONE_RPC_HOST"
             value = var.rpc_host
@@ -274,6 +313,22 @@ resource "kubernetes_deployment" "drone_runner" {
             value = "true"
           }
         }
+        volume {
+          name = "tfvars"
+          config_map {
+            name = "tfvars"
+          }
+        }
+        # volume {
+        #   name = "data"
+        #   iscsi {
+        #     target_portal = "iscsi.viktorbarzin.lan:3260"
+        #     fs_type       = "ext4"
+        #     iqn           = "iqn.2020-12.lan.viktorbarzin:storage:drone:tfstate"
+        #     lun           = 0
+        #     read_only     = false
+        #   }
+        # }
       }
     }
   }
@@ -321,6 +376,11 @@ resource "kubernetes_deployment" "drone_runner_secret" {
             name  = "KUBERNETES_NAMESPACE"
             value = "drone"
           }
+          // Custom variable to start terraform as prod
+          env {
+            name  = "TF_VAR_prod"
+            value = true
+          }
         }
       }
     }