Ensure serviceaccount created in correct namespace (#398)

bobdoah · Robert Williams · web-flow · commit faf2f9a304b7 · 2022-04-22T17:12:18.000+01:00
* Ensure serviceaccount created in correct namespace The serviceaccount for a module is created via the IRSA module. If the namespace of a module differs from the default, it needs to also be passed to the IRSA module. Otherwise any deployments tied to the serviceaccount will fail to deploy pods. * Create a non-default namespace Create the namespace, if it is not the default "kube-system" which (typically) exists on every cluster. To allow the namespace to be created external to this module, allow the IRSA config to be overridden. This should fit both my and @vara-bonthu's proposed use cases. * Apply reccommended changes * Apply the fix to cert-manager Co-authored-by: Robert Williams <robert.williams@nominet.uk>
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
@@ -1,5 +1,5 @@
 resource "kubernetes_namespace_v1" "irsa" {
-  count = var.create_kubernetes_namespace ? 1 : 0
+  count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0
   metadata {
     name = var.kubernetes_namespace
 
diff --git a/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf b/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf
@@ -41,9 +41,9 @@ locals {
   }
 
   irsa_config = {
-    kubernetes_namespace              = "kube-system"
+    kubernetes_namespace              = local.helm_config["namespace"]
     kubernetes_service_account        = local.service_account_name
-    create_kubernetes_namespace       = false
+    create_kubernetes_namespace       = try(local.helm_config["create_namespace"], true)
     create_kubernetes_service_account = true
     irsa_iam_policies                 = [aws_iam_policy.aws_load_balancer_controller.arn]
   }
diff --git a/modules/kubernetes-addons/cert-manager/locals.tf b/modules/kubernetes-addons/cert-manager/locals.tf
@@ -33,7 +33,7 @@ locals {
   irsa_config = {
     kubernetes_namespace              = local.helm_config["namespace"]
     kubernetes_service_account        = local.service_account_name
-    create_kubernetes_namespace       = true
+    create_kubernetes_namespace       = try(local.helm_config["create_namespace"], true)
     create_kubernetes_service_account = true
   }
 

Original file line number	Diff line number	Diff line change
`@@ -41,9 +41,9 @@ locals {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`irsa_config = {`
`44`		`- kubernetes_namespace = "kube-system"`
	`44`	`+ kubernetes_namespace = local.helm_config["namespace"]`
`45`	`45`	`kubernetes_service_account = local.service_account_name`
`46`		`- create_kubernetes_namespace = false`
	`46`	`+ create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)`
`47`	`47`	`create_kubernetes_service_account = true`
`48`	`48`	`irsa_iam_policies = [aws_iam_policy.aws_load_balancer_controller.arn]`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ locals {`
`33`	`33`	`irsa_config = {`
`34`	`34`	`kubernetes_namespace = local.helm_config["namespace"]`
`35`	`35`	`kubernetes_service_account = local.service_account_name`
`36`		`- create_kubernetes_namespace = true`
	`36`	`+ create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)`
`37`	`37`	`create_kubernetes_service_account = true`
`38`	`38`	`}`
`39`	`39`