Add flux

main.tf

@@ -120,3 +120,11 @@ module "dns" {
     }
   ]
 }
+
+module "flux" {
+  source    = "./modules/flux"
+  path      = "clank"
+  namespace = "clank"
+  url       = "ssh://git@git.front.kjuulh.io/clank/kubernetes-state.git"
+  branch    = "main"
+}

modules/flux/main.tf

@@ -0,0 +1,84 @@
+# Install
+
+data "flux_install" "main" {
+  target_path    = var.path
+  network_policy = false
+  version        = "latest"
+}
+
+resource "kubernetes_namespace" "flux_system" {
+  metadata {
+    name = var.namespace
+  }
+
+  lifecycle {
+    ignore_changes = [
+      metadata[0].labels,
+    ]
+  }
+}
+
+data "kubectl_file_documents" "apply" {
+  content = data.flux_install.main.content
+}
+
+# Convert documents list to include parsed yaml data
+locals {
+  apply = [for v in data.kubectl_file_documents.apply.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ]
+}
+
+# Apply manifests on the cluster
+resource "kubectl_manifest" "apply" {
+  for_each   = { for v in local.apply : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+  depends_on = [kubernetes_namespace.flux_system]
+  yaml_body  = each.value
+}
+
+# Sync
+
+data "flux_sync" "main" {
+  target_path = var.path
+  url         = var.url
+  branch      = var.branch
+}
+
+# Split multi-doc YAML with
+# https://registry.terraform.io/providers/gavinbunney/kubectl/latest
+data "kubectl_file_documents" "sync" {
+  content = data.flux_sync.main.content
+}
+
+# Convert documents list to include parsed yaml data
+locals {
+  sync = [for v in data.kubectl_file_documents.sync.documents : {
+    data : yamldecode(v)
+    content : v
+    }
+  ]
+}
+
+# Apply manifests on the cluster
+resource "kubectl_manifest" "sync" {
+  for_each   = { for v in local.sync : lower(join("/", compact([v.data.apiVersion, v.data.kind, lookup(v.data.metadata, "namespace", ""), v.data.metadata.name]))) => v.content }
+  depends_on = [kubernetes_namespace.flux_system]
+  yaml_body  = each.value
+}
+
+# Generate a Kubernetes secret with the Git credentials
+resource "kubernetes_secret" "main" {
+  depends_on = [kubectl_manifest.apply]
+
+  metadata {
+    name      = data.flux_sync.main.secret
+    namespace = data.flux_sync.main.namespace
+  }
+
+  data = {
+    username = "git"
+    password = var.flux_token
+  }
+}

modules/flux/providers.tf

@@ -0,0 +1,30 @@
+
+terraform {
+  required_providers {
+    flux = {
+      source = "fluxcd/flux"
+      version = "0.14.1"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0.2"
+    }
+  }
+}
+
+provider "flux" {
+  # Configuration options
+}
+
+provider "kubectl" {
+}
+
+provider "kubernetes" {
+  config_path = "~/.kube/config"
+}
+
+

modules/flux/variables.tf

@@ -0,0 +1,19 @@
+variable "path" {
+  type     = string
+  nullable = false
+}
+
+variable "namespace" {
+  type     = string
+  nullable = false
+}
+
+variable "url" {
+  type     = string
+  nullable = false
+}
+
+variable "branch" {
+  type     = string
+  nullable = false
+}