terraform-google-modules · bharathkkb · Jan 13, 2021 · Nov 23, 2020 · Nov 23, 2020 · Dec 1, 2020
@@ -62,6 +62,7 @@ By default, this module will attempt to download the ACM operator from Google di
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create\_ssh\_key' variable. Can be set using 'file(path/to/file)'-function. | `string` | `null` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | `string` | `""` | no |
 | sync\_repo | ACM Git repo address | `string` | n/a | yes |
+| use\_existing\_context | Use existing kubecontext to auth kube-api. | `bool` | `false` | no |
 
 ## Outputs
 

@@ -50,6 +50,7 @@ module "acm_operator" {
   hierarchy_controller     = var.hierarchy_controller
   enable_log_denies        = var.enable_log_denies
   service_account_key_file = var.service_account_key_file
+  use_existing_context     = var.use_existing_context
 
   operator_latest_manifest_url  = "gs://config-management-release/released/latest/config-management-operator.yaml"
   operator_cr_template_path     = "${path.module}/templates/acm-config.yml.tpl"

@@ -109,3 +109,9 @@ variable "service_account_key_file" {
   description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
   default     = ""
 }
+
+variable "use_existing_context" {
+  description = "Use existing kubecontext to auth kube-api."
+  type        = bool
+  default     = false
+}
@@ -15,15 +15,16 @@
  */
 
 locals {
-  cluster_endpoint              = "https://${var.cluster_endpoint}"
-  private_key                   = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : var.ssh_auth_key
-  k8sop_creds_secret_key        = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type
-  should_download_manifest      = var.operator_path == null ? true : false
-  manifest_path                 = local.should_download_manifest ? "${path.root}/.terraform/tmp/${var.project_id}-${var.cluster_name}/config-management-operator.yaml" : var.operator_path
-  sync_branch_node              = var.sync_branch != "" ? format("syncBranch: %s", var.sync_branch) : ""
-  policy_dir_node               = var.policy_dir != "" ? format("policyDir: %s", var.policy_dir) : ""
-  hierarchy_controller_map_node = var.hierarchy_controller == null ? "" : format("hierarchy_controller:\n    %s", yamlencode(var.hierarchy_controller))
-  source_format_node            = var.source_format != "" ? format("sourceFormat: %s", var.source_format) : ""
+  cluster_endpoint                               = "https://${var.cluster_endpoint}"
+  private_key                                    = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : var.ssh_auth_key
+  k8sop_creds_secret_key                         = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type
+  should_download_manifest                       = var.operator_path == null ? true : false
+  manifest_path                                  = local.should_download_manifest ? "${path.root}/.terraform/tmp/${var.project_id}-${var.cluster_name}/config-management-operator.yaml" : var.operator_path
+  sync_branch_node                               = var.sync_branch != "" ? format("syncBranch: %s", var.sync_branch) : ""
+  policy_dir_node                                = var.policy_dir != "" ? format("policyDir: %s", var.policy_dir) : ""
+  hierarchy_controller_map_node                  = var.hierarchy_controller == null ? "" : format("hierarchy_controller:\n    %s", yamlencode(var.hierarchy_controller))
+  source_format_node                             = var.source_format != "" ? format("sourceFormat: %s", var.source_format) : ""
+  append_arg_use_existing_context_for_gatekeeper = var.use_existing_context ? "USE_EXISTING_CONTEXT_ARG" : ""
 }
 
 module "k8sop_manifest" {
@@ -46,6 +47,7 @@ module "k8s_operator" {
   cluster_location         = var.location
   project_id               = var.project_id
   service_account_key_file = var.service_account_key_file
+  use_existing_context     = var.use_existing_context
 
   kubectl_create_command  = "kubectl apply -f ${local.manifest_path}"
   kubectl_destroy_command = "kubectl delete -f ${local.manifest_path}"
@@ -68,6 +70,7 @@ module "k8sop_creds_secret" {
   cluster_location         = var.location
   project_id               = var.project_id
   service_account_key_file = var.service_account_key_file
+  use_existing_context     = var.use_existing_context
 
   kubectl_create_command  = local.private_key != null ? "kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'" : ""
   kubectl_destroy_command = "kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
@@ -100,6 +103,7 @@ module "k8sop_config" {
   project_id               = var.project_id
   create_cmd_triggers      = { configmanagement = data.template_file.k8sop_config.rendered }
   service_account_key_file = var.service_account_key_file
+  use_existing_context     = var.use_existing_context
 
   kubectl_create_command  = "kubectl apply -f - <<EOF\n${data.template_file.k8sop_config.rendered}EOF"
   kubectl_destroy_command = "kubectl delete -f - <<EOF\n${data.template_file.k8sop_config.rendered}EOF"
@@ -115,7 +119,8 @@ module "wait_for_gatekeeper" {
   project_id               = var.project_id
   create_cmd_triggers      = { script_sha1 = sha1(file("${path.module}/scripts/wait_for_gatekeeper.sh")) }
   service_account_key_file = var.service_account_key_file
+  use_existing_context     = var.use_existing_context
 
-  kubectl_create_command  = "${path.module}/scripts/wait_for_gatekeeper.sh ${var.project_id} ${var.cluster_name} ${var.location}"
+  kubectl_create_command  = format("%s %s", "${path.module}/scripts/wait_for_gatekeeper.sh ${var.project_id} ${var.cluster_name} ${var.location}", local.append_arg_use_existing_context_for_gatekeeper)
   kubectl_destroy_command = ""
 }
@@ -74,7 +74,19 @@ fi
 PROJECT_ID=$1
 CLUSTER_NAME=$2
 CLUSTER_LOCATION=$3
+USE_EXISTING_CONTEXT=$4
 
 # Gatekeeper causes issues if not ready
-is_deployment_ready gke_"${PROJECT_ID}"_"${CLUSTER_LOCATION}"_"${CLUSTER_NAME}" gatekeeper-system gatekeeper-controller-manager
-is_service_ready gke_"${PROJECT_ID}"_"${CLUSTER_LOCATION}"_"${CLUSTER_NAME}" gatekeeper-system gatekeeper-webhook-service
+
+# Check if we need to use the current context
+if [ -z ${USE_EXISTING_CONTEXT+x} ]; then
+    # GKE Cluster. Use the GKE cluster context
+    is_deployment_ready gke_"${PROJECT_ID}"_"${CLUSTER_LOCATION}"_"${CLUSTER_NAME}" gatekeeper-system gatekeeper-controller-manager
+    is_service_ready gke_"${PROJECT_ID}"_"${CLUSTER_LOCATION}"_"${CLUSTER_NAME}" gatekeeper-system gatekeeper-webhook-service
+else
+    echo "USE_EXISTING_CONTEXT variable is set. Using current context to wait for deployment to be ready."
+    # Get the current context. This can be used for non GKE Clusters
+    CURRENT_CONTEXT=$(kubectl config current-context)
+    is_deployment_ready "${CURRENT_CONTEXT}" gatekeeper-system gatekeeper-controller-manager
+    is_service_ready "${CURRENT_CONTEXT}" gatekeeper-system gatekeeper-webhook-service
+fi
@@ -133,3 +133,9 @@ variable "service_account_key_file" {
   description = "Path to service account key file to auth as for running `gcloud container clusters get-credentials`."
   default     = ""
 }
+
+variable "use_existing_context" {
+  description = "Use existing kubecontext to auth kube-api. Useful when working with to non GKE clusters"
+  type        = bool
+  default     = false
+}