Add cluster certificate and host outputs to the ske_cluster data #380

Open
tchelovilar opened this issue May 28, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@tchelovilar

Adding the cluster certificate and host outputs to the ske_cluster data will smoothly improve Kubernetes provider setup.

```hcl
data "stackit_ske_cluster" "main" {
  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  name       = "example-name"
}

provider "kubernetes" {
  host                   = data.stackit_ske_cluster.main.host
  cluster_ca_certificate = base64decode(data.stackit_ske_cluster.main.cluster_ca_certificate)

  exec {
    api_version = "client.authentication.k8s.io/v1"
    command     = "stackit"
    args        = ["ske", "kubeconfig", "login", "--project=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "--cluster=name"]
  }
}
```

@vicentepinto98
Contributor

Hi @tchelovilar, we are currently checking how to provide this info. I'll get back to you soon.

@vicentepinto98
Contributor

As mentioned in stackitcloud/stackit-cli#358, in the meantime you can manually retrieve the login kubeconfig and provide it to the Kubernetes TF provider:

```hcl
provider "kubernetes" {
  config_path = "~/.kube/config"
}
```

@not22day

My current solution, based on the short-lived kubeconfig resource:

```hcl
locals {
  kubeconfig_yaml = stackit_ske_kubeconfig.ske.kube_config
  kubeconfig_hcl  = yamldecode(local.kubeconfig_yaml)
}

provider "kubernetes" {
  host                   = local.kubeconfig_hcl.clusters.0.cluster.server
  cluster_ca_certificate = base64decode(local.kubeconfig_hcl.clusters.0.cluster.certificate-authority-data)
  client_certificate     = base64decode(local.kubeconfig_hcl.users.0.user.client-certificate-data)
  client_key             = base64decode(local.kubeconfig_hcl.users.0.user.client-key-data)
}

provider "helm" {
  kubernetes {
    host                   = local.kubeconfig_hcl.clusters.0.cluster.server
    cluster_ca_certificate = base64decode(local.kubeconfig_hcl.clusters.0.cluster.certificate-authority-data)
    client_certificate     = base64decode(local.kubeconfig_hcl.users.0.user.client-certificate-data)
    client_key             = base64decode(local.kubeconfig_hcl.users.0.user.client-key-data)
  }
}
```

@tchelovilar
Author

tchelovilar commented Jun 12, 2024

Hi @not22day,

I have found an interesting workaround: I created the ske_login.sh script to generate the expected values for the Kubernetes provider. That is working well, and will be better once we have the certificate CA and host outputs from the ske cluster resource and data. You just need a service account token and to activate the service account before running Terraform: `stackit auth activate-service-account --service-account-token $STACKIT_SERVICE_ACCOUNT_TOKEN`.

ske_login.sh

```bash
#!/bin/bash
# Workaround to generate the StackIT kubeconfig for kubernetes terraform provider

# Positional arguments supplied by the provider's exec block
STACKIT_PROJECT_ID="$1"
SERVER="$2"
CLUSTER_NAME="$3"

# ExecCredential request passed to the login command via the environment;
# the three values are interpolated into the JSON as-is
export KUBERNETES_EXEC_INFO='{"apiVersion": "client.authentication.k8s.io/v1","kind": "ExecCredential", "spec": { "cluster": { "config": { "STACKITProjectID": "'"$STACKIT_PROJECT_ID"'", "ClusterName": "'"$CLUSTER_NAME"'"}, "server": "'"$SERVER"'"}, "interactive": false } }'

stackit ske kubeconfig login
```

Provider configuration:

```hcl
provider "kubernetes" {
  host                   = var.cluster_endpoint
  cluster_ca_certificate = base64decode(var.cluster_ca_cert)

  exec {
    api_version = "client.authentication.k8s.io/v1"
    args        = [var.stackit_project_id, var.cluster_endpoint, stackit_ske_cluster.main.name]
    command     = "../ske_login.sh"
  }
}
```
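
A hardened variant of the ske_login.sh wrapper above, as an added example that is not part of the original thread or of the STACKIT project: it validates the three arguments before interpolating them into `KUBERNETES_EXEC_INFO`, so a quote, backslash or newline in a value cannot alter the JSON. The function name `build_exec_info` and the accepted formats (UUID project ID, `https://host[:port]` server, lowercase DNS-label cluster name) are assumptions; the JSON field names are those used in the script above.

```shell
#!/bin/sh
# Added example (not the thread's code): validate, then build KUBERNETES_EXEC_INFO.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# build_exec_info PROJECT_ID SERVER CLUSTER_NAME
# Prints the ExecCredential JSON on stdout; returns 1 if any value is rejected.
build_exec_info() {
  project_id=$1 server=$2 cluster=$3

  # Character whitelist first: rejects empty values, quotes, backslashes and
  # newlines (line-oriented grep alone would accept "good<newline>bad").
  case $project_id in ''|*[!0-9a-fA-F-]*) return 1 ;; esac
  case $server in ''|*[!A-Za-z0-9.:/-]*) return 1 ;; esac
  case $cluster in ''|*[!a-z0-9-]*) return 1 ;; esac

  # Overall shape of each value (assumed formats, see lead-in).
  printf '%s\n' "$project_id" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
  printf '%s\n' "$server" |
    grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?$' || return 1
  printf '%s\n' "$cluster" |
    grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' || return 1

  # Only whitelisted characters reach the JSON string literals.
  printf '{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","spec":{"cluster":{"config":{"STACKITProjectID":"%s","ClusterName":"%s"},"server":"%s"},"interactive":false}}' \
    "$project_id" "$cluster" "$server"
}

# When called with the three arguments from the provider's exec block,
# export the validated request and hand over to the CLI as in the original.
if [ "$#" -eq 3 ]; then
  KUBERNETES_EXEC_INFO=$(build_exec_info "$1" "$2" "$3") || {
    echo "ske_login: rejected project ID, server or cluster name" >&2
    exit 1
  }
  export KUBERNETES_EXEC_INFO
  exec stackit ske kubeconfig login
fi
```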
