terraform-provider-flux
Docs around kustomization overlay - regression
- https://github.com/fluxcd/terraform-provider-flux/pull/217
Seems to have made some docs changes that remove an explanation about how kustomization.yaml is used; we are not sure if this patch has made a regression in the docs.
If the proposed alternative doesn't allow updating the kustomization override, then it seems it's not a total replacement for kustomization.yaml
and we should return this section to the docs:
https://github.com/fluxcd/terraform-provider-flux/pull/217/files#diff-c5fd63d104ff4c57163b958295311e8e4a3831eac0df51ccf7f9a880ea191d21L12-L16
cc: @darkowlzz
I found the same thing as I was trying to follow best practices for multi-tenancy. However, I found this simple trick, which works fine. The trick is in the `content` part of the kustomize GitHub file.
```hcl
locals {
  # Strategic-merge patch files, keyed by the name Flux will list in kustomization.yaml.
  patches = {
    deployments = file("${path.module}/fluxcd/templates/deployments.yaml")
  }
  # Extra kustomization content (the multi-tenancy lockdown patches) appended to
  # the kustomization.yaml that the flux_sync data source generates.
  base = file("${path.module}/fluxcd/templates/kustomization-base.yaml")
}

data "flux_sync" "this" {
  target_path = "clusters/${var.cluster_id}"
  patch_names = keys(local.patches)
}

resource "github_repository_file" "kustomize" {
  repository = data.github_repository.cluster.name
  file       = data.flux_sync.this.kustomize_path
  # Generated kustomization.yaml followed by the base overlay content.
  content    = "${data.flux_sync.this.kustomize_content} ${local.base}"
}
```
kustomization-base.yaml:

```yaml
# https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
patches:
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/0
        value: --no-cross-namespace-refs=true
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller)"
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/0
        value: --default-service-account=flux
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller)"
  - patch: |
      - op: add
        path: /spec/serviceAccountName
        value: kustomize-controller
    target:
      kind: Kustomization
      name: "flux-system"
```
cc @rtjfarrimond
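A small check for the overlay above, added here as an example and not code from the provider or from the commenter: it mirrors the three lockdown patches as Python data and applies kustomize's target-selection rule (the `target.name` field is a regular expression matched against the whole resource name, which is the behaviour this example assumes) to a constructed list of Flux controller Deployments. Running it before committing the overlay tells you which controllers actually receive `--no-cross-namespace-refs=true` and `--default-service-account=flux`, so a typo in the name regex does not silently leave a controller unlocked.

```python
"""Verify which Flux controllers a set of kustomize JSON-6902 patches lock down.

Added example; the patch data below is constructed to mirror the comment's
kustomization-base.yaml, and the Deployment names are a constructed sample of
what gotk-components.yaml ships.
"""
import re

# Constructed mirror of the three patches in kustomization-base.yaml.
LOCKDOWN_PATCHES = [
    {
        "target": {
            "kind": "Deployment",
            "name": "(kustomize-controller|helm-controller|"
                    "image-reflector-controller|image-automation-controller)",
        },
        "ops": [{"op": "add",
                 "path": "/spec/template/spec/containers/0/args/0",
                 "value": "--no-cross-namespace-refs=true"}],
    },
    {
        "target": {"kind": "Deployment",
                   "name": "(kustomize-controller|helm-controller)"},
        "ops": [{"op": "add",
                 "path": "/spec/template/spec/containers/0/args/0",
                 "value": "--default-service-account=flux"}],
    },
    {
        "target": {"kind": "Kustomization", "name": "flux-system"},
        "ops": [{"op": "add",
                 "path": "/spec/serviceAccountName",
                 "value": "kustomize-controller"}],
    },
]

# Constructed sample of the Deployment names in a Flux install (names only).
FLUX_DEPLOYMENTS = [
    "source-controller",
    "kustomize-controller",
    "helm-controller",
    "notification-controller",
    "image-reflector-controller",
    "image-automation-controller",
]

# Controllers the multi-tenancy lockdown docs expect to carry the flag.
EXPECTED_NO_XNS = [
    "kustomize-controller",
    "helm-controller",
    "image-reflector-controller",
    "image-automation-controller",
]


def target_matches(target, kind, name):
    """Kustomize treats target.name as an anchored regex (assumption noted above)."""
    return target.get("kind") == kind and re.fullmatch(target["name"], name) is not None


def flags_per_deployment(patches, deployments):
    """Map each Deployment name to the container args the patches add to it.

    Only 'add' ops under the pod template's containers path count as flags.
    Values are collected in patch order, not in the final args order.
    """
    result = {d: [] for d in deployments}
    for patch in patches:
        for name in deployments:
            if not target_matches(patch["target"], "Deployment", name):
                continue
            for op in patch["ops"]:
                if op["op"] == "add" and op["path"].startswith(
                        "/spec/template/spec/containers/"):
                    result[name].append(op["value"])
    return result


def missing_lockdown(patches, expected, flag="--no-cross-namespace-refs=true"):
    """Return the expected controllers that would NOT receive the flag."""
    flags = flags_per_deployment(patches, expected)
    return sorted(name for name in expected if flag not in flags[name])


if __name__ == "__main__":
    for name, flags in flags_per_deployment(LOCKDOWN_PATCHES, FLUX_DEPLOYMENTS).items():
        print(f"{name:30} {' '.join(flags) or '(no lockdown flags)'}")
    print("uncovered:", missing_lockdown(LOCKDOWN_PATCHES, EXPECTED_NO_XNS) or "none")
```

With the regexes as written in the overlay, `missing_lockdown` returns an empty list; narrowing the first target to a single controller name makes the other three show up as uncovered, which is the case this check exists to catch.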