change irc-reader deployment to get oauth through kubernetes secrets,…

… rather than config
SevenTV · Oct 10, 2023 · 012d8d7 · 012d8d7
1 parent 95e0db1
commit 012d8d7
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 12 deletions.
diff --git a/terraform/irc-reader/config.template.yaml b/terraform/irc-reader/config.template.yaml
@@ -1,6 +1,10 @@
 loglevel: info
 replicas: ${replicas}
 
+kube:
+  namespace: ${namespace}
+  oauthsecret: ${oauthsecret}
+
 ratelimit:
   join: ${ratelimit_join}
   auth: ${ratelimit_auth}
@@ -16,7 +20,6 @@ ratelimit:
 
 twitch:
   user: ${twitch_username}
-  oauth: ${twitch_oauth}
 
 nats:
   url: ${nats_url}

diff --git a/terraform/irc-reader/irc-reader.tf b/terraform/irc-reader/irc-reader.tf
@@ -18,16 +18,6 @@ data "kubernetes_namespace" "app" {
   }
 }
 
-data "kubernetes_secret" "oauth" {
-  metadata {
-    name = var.oauth_secret
-    namespace = var.namespace
-  }
-  binary_data = {
-    "access-token" = ""
-  }
-}
-
 // Define config secret
 resource "kubernetes_secret" "app" {
   metadata {
@@ -37,9 +27,10 @@ resource "kubernetes_secret" "app" {
 
   data = {
     "config.yaml" = templatefile("${path.module}/config.template.yaml", {
+      namespace = data.kubernetes_namespace.app.metadata[0].name
+      oauthsecret = var.oauth_secret
       replicas = var.replicas
       twitch_username  = var.twitch_username
-      twitch_oauth     = join(":", ["oauth", base64decode(data.kubernetes_secret.oauth.binary_data["access-token"])])
       ratelimit_join   = var.ratelimit_join
       ratelimit_auth   = var.ratelimit_auth
       ratelimit_reset  = var.ratelimit_reset
@@ -148,3 +139,36 @@ resource "kubernetes_stateful_set" "app" {
     }
   }
 }
+
+resource "kubernetes_role" "app" {
+  metadata {
+    name      = "stats-irc-reader"
+    namespace = data.kubernetes_namespace.app.metadata[0].name
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["secrets"]
+    verbs      = ["watch", "get", "list"]
+  }
+}
+
+resource "kubernetes_role_binding" "app" {
+  // bind to kubernetes_role.app
+  metadata {
+    name      = "stats-irc-reader"
+    namespace = data.kubernetes_namespace.app.metadata[0].name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = "default"
+    namespace = data.kubernetes_namespace.app.metadata[0].name
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "Role"
+    name      = kubernetes_role.app.metadata[0].name
+  }
+}