feat: viz toggle (#7)

* feat: viz toggle

* chore: fmt

* chore: updated docs

Author: neko1101

README.md

@@ -110,6 +110,7 @@ No modules.
 | <a name="input_viz_cert_renew_before"></a> [viz\_cert\_renew\_before](#input\_viz\_cert\_renew\_before) | Viz TLS cert renew before eg: 1h0m0s | `string` | `"24h0m0s"` | no |
 | <a name="input_viz_enable_pod_anti_affinity"></a> [viz\_enable\_pod\_anti\_affinity](#input\_viz\_enable\_pod\_anti\_affinity) | Viz enable podAntiAffinity | `bool` | `false` | no |
 | <a name="input_viz_enable_pod_distruption_budget"></a> [viz\_enable\_pod\_distruption\_budget](#input\_viz\_enable\_pod\_distruption\_budget) | Viz enable podDisruptionBudget | `bool` | `false` | no |
+| <a name="input_viz_enabled"></a> [viz\_enabled](#input\_viz\_enabled) | Toggle Linkerd Viz deployment | `bool` | `true` | no |
 | <a name="input_viz_helm_version"></a> [viz\_helm\_version](#input\_viz\_helm\_version) | Viz helm version | `string` | `"30.12.10"` | no |
 | <a name="input_viz_namespace"></a> [viz\_namespace](#input\_viz\_namespace) | Viz namespace | `string` | `"linkerd-viz"` | no |
 | <a name="input_webhook_ca_validity"></a> [webhook\_ca\_validity](#input\_webhook\_ca\_validity) | Webhook Issuer CA validity in hours eg: 175200 for 20 years | `string` | `"175200"` | no |

TODO.md

@@ -1,9 +1,9 @@
 # TODO
-1. terraform-docs
-2. automated lint
-3. publish to tf registry
+1. ~~terraform-docs~~
+2. ~~automated lint~~
+3. ~~publish to tf registry~~
 4. cni toggle
-5. viz toggle
+5. ~~viz toggle~~
 6. jaeger toggle
 7. viz ingress toggle
 8. modular self-sign tls commonname

main.tf

@@ -46,18 +46,22 @@ data "kubernetes_secret" "linkerd_sp_validator_certificate" {
 }
 
 data "kubernetes_secret" "linkerd_viz_certificate" {
+  count = var.viz_enabled == true ? 1 : 0
+
   metadata {
-    name      = kubernetes_manifest.linkerd_viz_certificate.manifest.spec.secretName
-    namespace = kubernetes_namespace.linkerd_viz.id
+    name      = kubernetes_manifest.linkerd_viz_certificate[0].manifest.spec.secretName
+    namespace = kubernetes_namespace.linkerd_viz[0].id
   }
 
   depends_on = [time_sleep.wait_viz_certificate_provisioning]
 }
 
 data "kubernetes_secret" "linkerd_tap_injector_certificate" {
+  count = var.viz_enabled == true ? 1 : 0
+
   metadata {
-    name      = kubernetes_manifest.linkerd_tap_injector_certificate.manifest.spec.secretName
-    namespace = kubernetes_namespace.linkerd_viz.id
+    name      = kubernetes_manifest.linkerd_tap_injector_certificate[0].manifest.spec.secretName
+    namespace = kubernetes_namespace.linkerd_viz[0].id
   }
 
   depends_on = [time_sleep.wait_viz_certificate_provisioning]
@@ -153,11 +157,13 @@ resource "helm_release" "linkerd_control_plane" {
 
 ## Linkerd Viz
 resource "helm_release" "linkerd_viz" {
+  count = var.viz_enabled == true ? 1 : 0
+
   name             = "linkerd-viz"
   repository       = local.linkerd_repository[var.linkerd_repository]
   chart            = "linkerd-viz"
   version          = var.viz_helm_version
-  namespace        = kubernetes_namespace.linkerd_viz.id
+  namespace        = kubernetes_namespace.linkerd_viz[0].id
   create_namespace = false
 
   values = coalesce([
@@ -187,12 +193,12 @@ resource "helm_release" "linkerd_viz" {
 
   set_sensitive {
     name  = "tap.caBundle"
-    value = data.kubernetes_secret.linkerd_viz_certificate.data["ca.crt"]
+    value = data.kubernetes_secret.linkerd_viz_certificate[0].data["ca.crt"]
   }
 
   set_sensitive {
     name  = "tapInjector.caBundle"
-    value = data.kubernetes_secret.linkerd_tap_injector_certificate.data["ca.crt"]
+    value = data.kubernetes_secret.linkerd_tap_injector_certificate[0].data["ca.crt"]
   }
 
   set {

namespaces.tf

@@ -16,6 +16,8 @@ resource "kubernetes_namespace" "linkerd" {
 }
 
 resource "kubernetes_namespace" "linkerd_viz" {
+  count = var.viz_enabled == true ? 1 : 0
+
   metadata {
     name = var.viz_namespace
     labels = {

tls-viz.tf

@@ -1,10 +1,14 @@
 resource "tls_private_key" "linkerd_viz_private_key" {
+  count = var.viz_enabled == true ? 1 : 0
+
   algorithm   = "ECDSA"
   ecdsa_curve = "P256"
 }
 
 resource "tls_self_signed_cert" "linkerd_viz_root_ca" {
-  private_key_pem       = tls_private_key.linkerd_viz_private_key.private_key_pem
+  count = var.viz_enabled == true ? 1 : 0
+
+  private_key_pem       = tls_private_key.linkerd_viz_private_key[0].private_key_pem
   is_ca_certificate     = true
   set_subject_key_id    = true
   validity_period_hours = var.viz_ca_validity
@@ -21,44 +25,50 @@ resource "tls_self_signed_cert" "linkerd_viz_root_ca" {
 }
 
 resource "kubernetes_secret" "linkerd_viz_root_ca" {
+  count = var.viz_enabled == true ? 1 : 0
+
   metadata {
     name      = "webhook-issuer-tls"
-    namespace = kubernetes_namespace.linkerd_viz.id
+    namespace = kubernetes_namespace.linkerd_viz[0].id
   }
 
   data = {
-    "tls.crt" = tls_self_signed_cert.linkerd_viz_root_ca.cert_pem
-    "tls.key" = tls_self_signed_cert.linkerd_viz_root_ca.private_key_pem
+    "tls.crt" = tls_self_signed_cert.linkerd_viz_root_ca[0].cert_pem
+    "tls.key" = tls_self_signed_cert.linkerd_viz_root_ca[0].private_key_pem
   }
 
   type = "kubernetes.io/tls"
 }
 
 resource "kubernetes_manifest" "linkerd_viz_issuer" {
+  count = var.viz_enabled == true ? 1 : 0
+
   manifest = {
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = "Issuer"
     "metadata" = {
       "name"      = "webhook-issuer"
-      "namespace" = "${kubernetes_namespace.linkerd_viz.id}"
+      "namespace" = "${kubernetes_namespace.linkerd_viz[0].id}"
     }
     "spec" = {
       "ca" = {
-        "secretName" : "${kubernetes_secret.linkerd_viz_root_ca.metadata[0].name}"
+        "secretName" : "${kubernetes_secret.linkerd_viz_root_ca[0].metadata[0].name}"
       }
     }
   }
 }
 
 resource "kubernetes_manifest" "linkerd_viz_certificate" {
+  count = var.viz_enabled == true ? 1 : 0
+
   computed_fields = ["spec.duration", "spec.renewBefore", "spec.isCA"]
 
   manifest = {
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = "Certificate"
     "metadata" = {
       "name"      = "tap"
-      "namespace" = "${kubernetes_namespace.linkerd_viz.id}"
+      "namespace" = "${kubernetes_namespace.linkerd_viz[0].id}"
     }
     "spec" = {
       "secretName"  = "tap-k8s-tls"
@@ -86,14 +96,16 @@ resource "kubernetes_manifest" "linkerd_viz_certificate" {
 }
 
 resource "kubernetes_manifest" "linkerd_tap_injector_certificate" {
+  count = var.viz_enabled == true ? 1 : 0
+
   computed_fields = ["spec.duration", "spec.renewBefore", "spec.isCA"]
 
   manifest = {
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = "Certificate"
     "metadata" = {
       "name"      = "linkerd-tap-injector"
-      "namespace" = "${kubernetes_namespace.linkerd_viz.id}"
+      "namespace" = "${kubernetes_namespace.linkerd_viz[0].id}"
     }
     "spec" = {
       "secretName"  = "tap-injector-k8s-tls"
@@ -121,6 +133,8 @@ resource "kubernetes_manifest" "linkerd_tap_injector_certificate" {
 }
 
 resource "time_sleep" "wait_viz_certificate_provisioning" {
+  count = var.viz_enabled == true ? 1 : 0
+
   depends_on = [
     kubernetes_manifest.linkerd_tap_injector_certificate,
     kubernetes_manifest.linkerd_viz_certificate

variables.tf

@@ -144,6 +144,12 @@ variable "viz_cert_renew_before" {
   default     = "24h0m0s"
 }
 
+variable "viz_enabled" {
+  description = "Toggle Linkerd Viz deployment"
+  type        = bool
+  default     = true
+}
+
 variable "crds_helm_vesion" {
   description = "Crds helm version"
   type        = string