Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
When using a TLS enabled Tiller instance, it is cumbersome to setup the helm provider in Terraform. Specifically, any operator machine that needs to access
helm
needs to runkubergrunt helm configure
before runningterraform apply
. This has several failure modes:configure
, and so terraform fails to authenticate to helm.configure
against a different Tiller and forgot to run `configure for the intended Tiller. This causes the terraform code to apply to the wrong Tiller instance.To make this more robust, we want to store the helm authentication configuration as code.
We can work around this limitation by calling
kubergrunt helm configure
inline as alocal-exec
provisioner in Terraform. This has a few downsides, most notably being the inability to configure providers from resources. Ideally, we would like to callkubergrunt helm configure
as an external data source. Additionally, this has the problem of requiring knowledge of the intended helm home directory beforehand. This can still lead to collisions, if the same helm home is used for each terraform call.Proposed solution
This change set updates
kubergrunt helm configure
with a new option--as-tf-data
, which enables you to call it in an external data source. Passing this flag will cause the command to output the configured helm home directory in the output json on stdout at the end of the command.Additionally, this proposes a new magic string you can set for
--helm-home
(arbitrary chosen to__TMP__
). This magic string informskubergrunt
that the user intends to use a tmp directory for the configured helm home directory, and the command will useioutil.TempDir
to generate a new directory to use as the helm home.The above two features, when used in combination, allows us to define helm credentials as code in terraform.
One major downside of this approach is that the credentials are still stored on disk on the client machine unencrypted. This can't be avoided because that is a strict requirement of helm in TLS authentication. This isn't a problem in CI environments, where the FS is thrown away in each run, but may be a problem for operators running terraform directly. The only saving grace is that using
__TMP__
makes it so that reboots will delete the directory on most operating systems.