Merge pull request #3 from sparkfabrik/platform/#3230-managed-namespaces

add additional managed namespaces

.gitignore

@@ -11,6 +11,7 @@ crash.log
 
 # IDE files
 .idea
+.fleet
 
 # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
 # .tfvars files are managed as part of configuration and so should be included in

CHANGELOG.md

@@ -10,6 +10,6 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
 
-## [0.1.0] - 2024-11-05
+## [0.1.0] - 2024-11-06
 
-- First release.
+- First release.

README.md

@@ -28,7 +28,7 @@ This is a Terraform module to install a cron job on a Kubernetes cluster that us
 | <a name="input_k8s_additional_labels"></a> [k8s\_additional\_labels](#input\_k8s\_additional\_labels) | Set of additional labels to apply to all resources. | `map(string)` | `{}` | no |
 | <a name="input_k8s_labels"></a> [k8s\_labels](#input\_k8s\_labels) | Set of labels to apply to all resources. | `map(string)` | <pre>{<br>  "managed-by": "terraform",<br>  "scope": "finops"<br>}</pre> | no |
 | <a name="input_managed_namespaces"></a> [managed\_namespaces](#input\_managed\_namespaces) | List of namespaces where the controller should manage the scale of deployments. The namespaces defined here will be merged with the namespaces fetched by the `managed_namespaces_label_selector` variable. | `list(string)` | `[]` | no |
-| <a name="input_managed_namespaces_label_selector"></a> [managed\_namespaces\_label\_selector](#input\_managed\_namespaces\_label\_selector) | Label selector for the namespaces where the controller should manage the scale of deployments. The namespaces fetched by this selector will be merged with the `managed_namespaces` variable. | `map(string)` | <pre>{<br>  "sparkfabrik.com/stage-application-finops": "enabled"<br>}</pre> | no |
+| <a name="input_managed_namespaces_label_selector"></a> [managed\_namespaces\_label\_selector](#input\_managed\_namespaces\_label\_selector) | Label selector for the namespaces where the controller should manage the scale of deployments. The namespaces fetched by this selector will be merged with the `managed_namespaces` variable. **WARNING:** remember that if the labels specified here are added to new namespaces, the module will send the Terraform state into drift, as the list of namespaces is retrieved dynamically. You must then re-apply your Terraform configuration to fix the drift.. | `map(string)` | <pre>{<br>  "sparkfabrik.com/application-sleep-cycles": "enabled"<br>}</pre> | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace to create resources. | `string` | `"application-sleep-cycles"` | no |
 | <a name="input_role_binding_name"></a> [role\_binding\_name](#input\_role\_binding\_name) | Name of the role binding. | `string` | `"custom:application-sleep-cycles:controller"` | no |
 | <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | Name of the service account. | `string` | `"application-sleep-cycles-sa"` | no |
@@ -61,6 +61,7 @@ This is a Terraform module to install a cron job on a Kubernetes cluster that us
 | [kubernetes_secret_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [kubernetes_service_account_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource |
 | [kubernetes_namespace_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace_v1) | data source |
+| [kubernetes_resources.managed_namespaces_by_labels](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/resources) | data source |
 
 ## Modules
 

main.tf

@@ -1,13 +1,25 @@
+# Get list of namespaces with a given label, where the controller should manage
+# the scale of deployments.
+data "kubernetes_resources" "managed_namespaces_by_labels" {
+  kind           = "Namespace"
+  api_version    = "v1"
+  label_selector = join(",", [for k, v in var.managed_namespaces_label_selector : "${k}=${v}"])
+}
 
 locals {
   k8s_full_labels = merge(
     var.k8s_labels,
     var.k8s_additional_labels,
   )
 
-  final_namespace = var.create_namespace ? resource.kubernetes_namespace_v1.this[0].metadata[0].name : data.kubernetes_namespace_v1.this[0].metadata[0].name
+  cronjob_namespace = var.create_namespace ? var.namespace : data.kubernetes_namespace_v1.this[0].metadata[0].name
+
+  managed_namespaces = distinct(concat(var.managed_namespaces, data.kubernetes_resources.managed_namespaces_by_labels.objects[*].metadata.name))
 }
 
+# The namespace in which we want to deploy the cronjob is created only if the
+# `create_namespace` variable is set to true.
+# Otherwise, the namespace must be created before using this module.
 resource "kubernetes_namespace_v1" "this" {
   count = var.create_namespace ? 1 : 0
 
@@ -28,18 +40,20 @@ data "kubernetes_namespace_v1" "this" {
   }
 }
 
+# The service account used by the cronjob to interact with the Kubernetes API.
 resource "kubernetes_service_account_v1" "this" {
   metadata {
     name      = var.service_account_name
-    namespace = local.final_namespace
+    namespace = local.cronjob_namespace
     labels    = local.k8s_full_labels
   }
 }
 
 resource "kubernetes_secret_v1" "this" {
   metadata {
+    # This is the prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix.
     generate_name = "${var.service_account_name}-"
-    namespace     = local.final_namespace
+    namespace     = local.cronjob_namespace
     labels        = local.k8s_full_labels
 
     annotations = {
@@ -51,6 +65,7 @@ resource "kubernetes_secret_v1" "this" {
   wait_for_service_account_token = true
 }
 
+# Service account permissions.
 resource "kubernetes_cluster_role_v1" "cluster_scoped" {
   metadata {
     name   = "${var.cluster_role_name_prefix}-cluster-scoped"
@@ -79,7 +94,7 @@ resource "kubernetes_cluster_role_binding_v1" "cluster_scoped" {
   subject {
     kind      = "ServiceAccount"
     name      = kubernetes_service_account_v1.this.metadata[0].name
-    namespace = local.final_namespace
+    namespace = local.cronjob_namespace
   }
 }
 
@@ -102,8 +117,10 @@ resource "kubernetes_cluster_role_v1" "namespace_scoped" {
   }
 }
 
+# This role binding must be created in each namespace where the controller should
+# manage the scale of deployments.
 resource "kubernetes_role_binding_v1" "this" {
-  for_each = toset(var.managed_namespaces)
+  for_each = toset(local.managed_namespaces)
 
   metadata {
     name      = var.role_binding_name
@@ -120,14 +137,14 @@ resource "kubernetes_role_binding_v1" "this" {
   subject {
     kind      = "ServiceAccount"
     name      = kubernetes_service_account_v1.this.metadata[0].name
-    namespace = local.final_namespace
+    namespace = local.cronjob_namespace
   }
 }
 
 resource "kubernetes_config_map_v1" "app_env" {
   metadata {
     name      = "${var.configmap_name_prefix}-env"
-    namespace = local.final_namespace
+    namespace = local.cronjob_namespace
     labels    = local.k8s_full_labels
   }
 
@@ -141,7 +158,7 @@ resource "kubernetes_config_map_v1" "app_env" {
 resource "kubernetes_config_map_v1" "app" {
   metadata {
     name      = "${var.configmap_name_prefix}-app"
-    namespace = local.final_namespace
+    namespace = local.cronjob_namespace
     labels    = local.k8s_full_labels
   }
 
@@ -157,7 +174,7 @@ resource "kubernetes_manifest" "scale_down" {
       "${path.module}/files/k8s-working-hours-cronjob.yaml.tftpl",
       {
         name               = "${var.working_hours_resource_prefix}-scale-down"
-        namespace          = local.final_namespace
+        namespace          = local.cronjob_namespace
         labels             = local.k8s_full_labels
         suspend            = var.working_hours_suspend
         schedule           = var.working_hours_scale_down_schedule
@@ -180,7 +197,7 @@ resource "kubernetes_manifest" "scale_up" {
       "${path.module}/files/k8s-working-hours-cronjob.yaml.tftpl",
       {
         name               = "${var.working_hours_resource_prefix}-scale-up"
-        namespace          = local.final_namespace
+        namespace          = local.cronjob_namespace
         labels             = local.k8s_full_labels
         suspend            = var.working_hours_suspend
         schedule           = var.working_hours_scale_up_schedule

outputs.tf

@@ -1,6 +1,6 @@
 output "namespace" {
   description = "Namespace where the descheduler is installed."
-  value       = local.final_namespace
+  value       = local.cronjob_namespace
 }
 
 output "k8s_full_labels" {

variables.tf

@@ -50,7 +50,7 @@ variable "managed_namespaces" {
 }
 
 variable "managed_namespaces_label_selector" {
-  description = "Label selector for the namespaces where the controller should manage the scale of deployments. The namespaces fetched by this selector will be merged with the `managed_namespaces` variable."
+  description = "Label selector for the namespaces where the controller should manage the scale of deployments. The namespaces fetched by this selector will be merged with the `managed_namespaces` variable. **WARNING:** remember that if the labels specified here are added to new namespaces, the module will send the Terraform state into drift, as the list of namespaces is retrieved dynamically. You must then re-apply your Terraform configuration to fix the drift.."
   type        = map(string)
   default = {
     "sparkfabrik.com/application-sleep-cycles" : "enabled"