resource "random_password" "rancher_admin_password" {
  # Generated Rancher admin password: 20 characters, letters and digits only
  # (`special = false`), so the value has no shell- or URL-sensitive characters.
  # Like every resource attribute, the result is recorded in Terraform state;
  # the state backend must be access-controlled accordingly.
  special = false
  length  = 20
}
resource "vault_kv_secret_v2" "rancher_creds" {
  # Store the generated admin password in the KV v2 engine mounted at
  # "management", under the secret path "rancher".
  name  = "rancher"
  mount = "management"

  # On destroy, delete every version of the secret, not just the latest.
  delete_all_versions = true

  # The password is written under the "admin_password" key; other resources
  # in this file read it back through this resource's computed `data` map.
  data_json = jsonencode({
    admin_password = random_password.rancher_admin_password.result
  })
}
resource "kubernetes_secret" "bootstrap_secret" {
  # Opaque secret in cattle-system; presumably consumed by the Rancher Helm
  # chart as its bootstrap password (inferred from the name and annotations).
  type = "Opaque"

  metadata {
    namespace = "cattle-system"
    name      = "bootstrap-secret"

    annotations = {
      # NOTE(review): environment-specific Rancher project id — confirm it
      # matches the target cluster before reusing this configuration.
      "field.cattle.io/projectId" = "local:p-q7vbv"

      # Helm hook annotations: treat the secret as a pre-install/pre-upgrade
      # hook (weight -5, so early) and keep it rather than let Helm delete it.
      "helm.sh/hook"            = "pre-install,pre-upgrade"
      "helm.sh/hook-weight"     = "-5"
      "helm.sh/resource-policy" = "keep"
    }
  }

  data = {
    # Read back from the Vault secret so the Kubernetes copy always matches
    # what was actually written to Vault.
    bootstrapPassword = vault_kv_secret_v2.rancher_creds.data["admin_password"]
  }
}
# Force a rollout of the Rancher deployment to pick up the new secret
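resource "null_resource" "rancher_rollout" {
  # Re-run the provisioner whenever the bootstrap password changes. The
  # trigger stores a SHA-256 digest rather than the raw password, so change
  # detection still works but the secret is not duplicated verbatim into this
  # resource's `triggers` map in Terraform state. Switching from the raw value
  # to the digest causes one extra replacement (and rollout) on the next apply.
  triggers = {
    password_change = sha256(kubernetes_secret.bootstrap_secret.data["bootstrapPassword"])
  }

  # Restart the Rancher deployment over SSH so its pods pick up the new secret.
  provisioner "remote-exec" {
    inline = ["kubectl rollout restart deployment rancher -n cattle-system"]

    connection {
      type = "ssh"
      host = var.node_ip
      user = var.node_username
      # NOTE(review): the SSH private key is fetched from a MinIO object and,
      # as a data source result, is recorded in Terraform state — confirm both
      # the bucket and the state backend are restricted accordingly.
      private_key = data.minio_s3_object.id_rsa.content
    }
  }

  # Explicit ordering, in addition to the implicit dependency created by the
  # reference in `triggers`.
  depends_on = [kubernetes_secret.bootstrap_secret]
}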