.gtpl

mathieu-benoit · Nov 20, 2024 · 7891a04 · 7891a04
1 parent dfaf33a
commit 7891a04
Show file tree

Hide file tree

Showing 10 changed files with 61 additions and 60 deletions.
diff --git a/modules/htc_res_defs/k8s_service_account.tf b/modules/htc_res_defs/k8s_service_account.tf
@@ -7,21 +7,9 @@ resource "humanitec_resource_definition" "k8s_service_account" {
   driver_inputs = {
     values_string = jsonencode({
       templates = {
-        init      = <<EOL
-name: {{ index (splitList "." "$${context.res.id}") 1 }}
-EOL
-        manifests = <<EOL
-service-account.yaml:
-  location: namespace
-  data:
-    apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      name: {{ .init.name }}
-EOL
-        outputs   = <<EOL
-name: {{ .init.name }}
-EOL
+        init      = file("${path.module}/manifests/k8s-service-account/init.gtpl")
+        manifests = file("${path.module}/manifests/k8s-service-account/manifests.gtpl")
+        outputs   = file("${path.module}/manifests/k8s-service-account/outputs.gtpl")
       }
     })
   }

diff --git a/modules/htc_res_defs/manifests/k8s-namespace/init.gtpl b/modules/htc_res_defs/manifests/k8s-namespace/init.gtpl
@@ -0,0 +1 @@
+name: ${context.app.id}-${context.env.id}
diff --git a/modules/htc_res_defs/manifests/k8s-namespace/manifests.gtpl b/modules/htc_res_defs/manifests/k8s-namespace/manifests.gtpl
@@ -0,0 +1,12 @@
+namespace.yaml:
+  location: cluster
+  data:
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      labels:
+        humanitec.io/app: ${context.app.id}
+        humanitec.io/env: ${context.env.id}
+        pod-security.kubernetes.io/enforce: restricted
+        istio-injection: enabled
+      name: {{ .init.name }}
diff --git a/modules/htc_res_defs/manifests/k8s-namespace/outputs.gtpl b/modules/htc_res_defs/manifests/k8s-namespace/outputs.gtpl
@@ -0,0 +1 @@
+namespace: {{ .init.name }}
diff --git a/modules/htc_res_defs/manifests/k8s-service-account/init.gtpl b/modules/htc_res_defs/manifests/k8s-service-account/init.gtpl
@@ -0,0 +1 @@
+name: {{ index (splitList "." "${context.res.id}") 1 }}
diff --git a/modules/htc_res_defs/manifests/k8s-service-account/manifests.gtpl b/modules/htc_res_defs/manifests/k8s-service-account/manifests.gtpl
@@ -0,0 +1,11 @@
+service-account.yaml:
+  location: namespace
+  data:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      labels:
+        humanitec.io/workload: {{ .init.name }}
+        humanitec.io/app: ${context.app.id}
+        humanitec.io/env: ${context.env.id}
+      name: {{ .init.name }}
diff --git a/modules/htc_res_defs/manifests/k8s-service-account/outputs.gtpl b/modules/htc_res_defs/manifests/k8s-service-account/outputs.gtpl
@@ -0,0 +1 @@
+name: {{ .init.name }}
diff --git a/modules/htc_res_defs/manifests/workload/outputs.gtpl b/modules/htc_res_defs/manifests/workload/outputs.gtpl
@@ -0,0 +1,27 @@
+update:
+  - op: add
+    path: /spec/serviceAccountName
+    value: $${resources.k8s-service-account.outputs.name}
+  - op: add
+    path: /spec/automountServiceAccountToken
+    value: false
+  - op: add
+    path: /spec/securityContext
+    value:
+      fsGroup: 1000
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+  {{- range $containerId, $value := .resource.spec.containers }}
+  - op: add
+    path: /spec/containers/{{ $containerId }}/securityContext
+    value:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+  {{- end }}
diff --git a/modules/htc_res_defs/namespace.tf b/modules/htc_res_defs/namespace.tf
@@ -7,20 +7,9 @@ resource "humanitec_resource_definition" "k8s_namespace" {
   driver_inputs = {
     values_string = jsonencode({
       templates = {
-        init      = "name: $${context.app.id}-$${context.env.id}"
-        manifests = <<EOL
-namespace.yaml:
-  location: cluster
-  data:
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      labels:
-        pod-security.kubernetes.io/enforce: restricted
-        istio-injection: enabled
-      name: {{ .init.name }}
-EOL
-        outputs   = "namespace: {{ .init.name }}"
+        init      = file("${path.module}/manifests/k8s-namespace/init.gtpl")
+        manifests = file("${path.module}/manifests/k8s-namespace/manifests.gtpl")
+        outputs   = file("${path.module}/manifests/k8s-namespace/outputs.gtpl")
       }
     })
   }

diff --git a/modules/htc_res_defs/workload.tf b/modules/htc_res_defs/workload.tf
@@ -7,37 +7,7 @@ resource "humanitec_resource_definition" "workload" {
   driver_inputs = {
     values_string = jsonencode({
       templates = {
-        init      = ""
-        manifests = ""
-        outputs   = <<EOL
-update:
-  - op: add
-    path: /spec/serviceAccountName
-    value: $${resources.k8s-service-account.outputs.name}
-  - op: add
-    path: /spec/automountServiceAccountToken
-    value: false
-  - op: add
-    path: /spec/securityContext
-    value:
-      fsGroup: 1000
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-  {{- range $containerId, $value := .resource.spec.containers }}
-  - op: add
-    path: /spec/containers/{{ $containerId }}/securityContext
-    value:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-  {{- end }}
-EOL
+        outputs   = file("${path.module}/manifests/workload/outputs.gtpl")
       }
     })
   }