diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 18a0d67d5..ffc78848a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.88.0
+ rev: v1.92.0
hooks:
- id: terraform_fmt
- id: terraform_validate
@@ -9,11 +9,11 @@ repos:
- --tf-init-args=-upgrade
- id: terraform_docs
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.5.0
+ rev: v4.6.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
- repo: https://github.com/renovatebot/pre-commit-hooks
- rev: 37.213.0
+ rev: 37.432.0
hooks:
- id: renovate-config-validator
diff --git a/README.md b/README.md
index 6f1806401..19c4e6048 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,7 @@ No modules.
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -167,6 +168,7 @@ No modules.
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -222,6 +224,8 @@ No modules.
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -300,6 +304,7 @@ No modules.
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
+| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 1363efe5f..5d4756d48 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -57,7 +57,7 @@ dependencies:
version: 2.39.3
repository: https://charts.konghq.com
- name: kube-prometheus-stack
- version: 60.5.0
+ version: 61.3.1
repository: https://prometheus-community.github.io/helm-charts
- name: linkerd2-cni
version: 30.12.2
@@ -72,7 +72,7 @@ dependencies:
version: 30.12.11
repository: https://helm.linkerd.io/stable
- name: loki
- version: 6.6.6
+ version: 6.7.1
repository: https://grafana.github.io/helm-charts
- name: promtail
version: 6.16.4
@@ -105,13 +105,13 @@ dependencies:
version: v3.28.0
repository: https://docs.projectcalico.org/charts
- name: traefik
- version: 28.3.0
+ version: 29.0.1
repository: https://helm.traefik.io/traefik
- name: memcached
- version: 7.4.8
+ version: 7.4.9
repository: https://charts.bitnami.com/bitnami
- name: velero
- version: 6.7.0
+ version: 7.1.1
repository: https://vmware-tanzu.github.io/helm-charts
- name: victoria-metrics-k8s-stack
version: 0.24.2
@@ -119,3 +119,6 @@ dependencies:
- name: yet-another-cloudwatch-exporter
version: 0.14.0
repository: https://nerdswords.github.io/yet-another-cloudwatch-exporter
+ - name: reloader
+ version: 1.0.116
+ repository: https://stakater.github.io/stakater-charts
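Review bot: The new `reloader` entry adds a third-party controller, and nothing in this hunk records what it is allowed to touch. Stakater Reloader by default watches ConfigMaps and Secrets across the cluster and restarts the workloads that reference them, so its RBAC and watch scope matter more than for most addons in this list. The `reloader.tf` that sets its values appears in this diff only as symlinks, so confirm it defaults to `enabled = false` as cert-manager does. A comment above the entry such as `# reads Secrets/ConfigMaps cluster-wide by default; narrow the scope via chart values where possible` would record that.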
diff --git a/modules/aws/README.md b/modules/aws/README.md
index 4eac086e2..33d53b076 100644
--- a/modules/aws/README.md
+++ b/modules/aws/README.md
@@ -131,6 +131,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -181,6 +182,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -262,6 +264,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -392,6 +396,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
+| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [s3-logging](#input\_s3-logging) | Logging configuration for bucket created by this module | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/aws/reloader.tf b/modules/aws/reloader.tf
new file mode 120000
index 000000000..edfef62c0
--- /dev/null
+++ b/modules/aws/reloader.tf
@@ -0,0 +1 @@
+../../reloader.tf
\ No newline at end of file
diff --git a/modules/azure/README.md b/modules/azure/README.md
index cb57180d0..8f7435c7d 100644
--- a/modules/azure/README.md
+++ b/modules/azure/README.md
@@ -60,6 +60,7 @@ No modules.
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.tigera-operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -90,6 +91,7 @@ No modules.
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.tigera-operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -133,6 +135,8 @@ No modules.
| [kubernetes_network_policy.prometheus-adapter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.prometheus-blackbox-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -210,6 +214,7 @@ No modules.
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
+| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [thanos](#input\_thanos) | Customize thanos chart, see `thanos.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/azure/reloader.tf b/modules/azure/reloader.tf
new file mode 120000
index 000000000..edfef62c0
--- /dev/null
+++ b/modules/azure/reloader.tf
@@ -0,0 +1 @@
+../../reloader.tf
\ No newline at end of file
diff --git a/modules/google/README.md b/modules/google/README.md
index 7d15c79e8..51b9d8f72 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
@@ -48,8 +48,8 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| Name | Source | Version |
|------|--------|---------|
-| [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.0.0 |
-| [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.0.0 |
+| [cert\_manager\_workload\_identity](#module\_cert\_manager\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.1.0 |
+| [external\_dns\_workload\_identity](#module\_external\_dns\_workload\_identity) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.1.0 |
| [iam\_assumable\_sa\_kube-prometheus-stack\_grafana](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_grafana) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.0 |
| [iam\_assumable\_sa\_kube-prometheus-stack\_thanos](#module\_iam\_assumable\_sa\_kube-prometheus-stack\_thanos) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.0 |
| [iam\_assumable\_sa\_loki-stack](#module\_iam\_assumable\_sa\_loki-stack) | terraform-google-modules/kubernetes-engine/google//modules/workload-identity | ~> 31.0 |
@@ -103,6 +103,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -133,6 +134,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -181,6 +183,8 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.secrets-store-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -264,6 +268,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [prometheus-cloudwatch-exporter](#input\_prometheus-cloudwatch-exporter) | Customize prometheus-cloudwatch-exporter chart, see `prometheus-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
+| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
| [tags](#input\_tags) | Map of tags for Google resources | `map(any)` | `{}` | no |
diff --git a/modules/google/cert-manager.tf b/modules/google/cert-manager.tf
index a4513c103..18c2d7754 100644
--- a/modules/google/cert-manager.tf
+++ b/modules/google/cert-manager.tf
@@ -57,7 +57,7 @@ VALUES
module "cert_manager_workload_identity" {
count = local.cert-manager.create_iam_resources && local.cert-manager.enabled ? 1 : 0
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 31.0.0"
+ version = "~> 31.1.0"
name = local.cert-manager.service_account_name
namespace = local.cert-manager.namespace
project_id = local.cert-manager.project_id
diff --git a/modules/google/external-dns.tf b/modules/google/external-dns.tf
index 29cd6bf72..abb89db55 100644
--- a/modules/google/external-dns.tf
+++ b/modules/google/external-dns.tf
@@ -55,7 +55,7 @@ locals {
# to be allowed to use the workload identity on GKE.
module "external_dns_workload_identity" {
source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 31.0.0"
+ version = "~> 31.1.0"
for_each = { for k, v in local.external-dns : k => v if v.enabled && v.create_iam_resources }
diff --git a/modules/google/reloader.tf b/modules/google/reloader.tf
new file mode 120000
index 000000000..edfef62c0
--- /dev/null
+++ b/modules/google/reloader.tf
@@ -0,0 +1 @@
+../../reloader.tf
\ No newline at end of file
diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
index d5b8d66dc..c20eb6b48 100644
--- a/modules/scaleway/README.md
+++ b/modules/scaleway/README.md
@@ -74,6 +74,7 @@ No modules.
| [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.promtail](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.scaleway-webhook-dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.sealed-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.thanos](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -106,6 +107,7 @@ No modules.
| [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.prometheus-blackbox-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.promtail](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.reloader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.sealed-secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -158,6 +160,8 @@ No modules.
| [kubernetes_network_policy.promtail_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.promtail_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.reloader_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.sealed-secrets_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.traefik_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -242,6 +246,7 @@ No modules.
| [prometheus-adapter](#input\_prometheus-adapter) | Customize prometheus-adapter chart, see `prometheus-adapter.tf` for supported values | `any` | `{}` | no |
| [prometheus-blackbox-exporter](#input\_prometheus-blackbox-exporter) | Customize prometheus-blackbox-exporter chart, see `prometheus-blackbox-exporter.tf` for supported values | `any` | `{}` | no |
| [promtail](#input\_promtail) | Customize promtail chart, see `loki-stack.tf` for supported values | `any` | `{}` | no |
+| [reloader](#input\_reloader) | Customize reloader chart, see `reloader.tf` for supported values | `any` | `{}` | no |
| [scaleway](#input\_scaleway) | Scaleway provider customization | `any` | `{}` | no |
| [sealed-secrets](#input\_sealed-secrets) | Customize sealed-secrets chart, see `sealed-secrets.tf` for supported values | `any` | `{}` | no |
| [secrets-store-csi-driver](#input\_secrets-store-csi-driver) | Customize secrets-store-csi-driver chart, see `secrets-store-csi-driver.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/scaleway/cert-manager.tf b/modules/scaleway/cert-manager.tf
index 54337f83f..8d8adb914 100644
--- a/modules/scaleway/cert-manager.tf
+++ b/modules/scaleway/cert-manager.tf
@@ -3,20 +3,29 @@ locals {
cert-manager = merge(
local.helm_defaults,
{
- name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
- chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
- repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].repository
- chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].version
- namespace = "cert-manager"
- service_account_name = "cert-manager"
- enabled = false
- default_network_policy = true
- acme_email = "contact@acme.com"
- acme_http01_enabled = false
- acme_http01_ingress_class = "nginx"
- acme_dns01_enabled = false
- allowed_cidrs = ["0.0.0.0/0"]
- csi_driver = false
+ name = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].name
+ repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].repository
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "cert-manager")].version
+ namespace = "cert-manager"
+ service_account_name = "cert-manager"
+ enabled = false
+ default_network_policy = true
+ acme_email = "contact@acme.com"
+ acme_http01_enabled = false
+ acme_http01_ingress_class = "nginx"
+ acme_dns01_enabled = false
+ acme_dns01_provider = ""
+ acme_dns01_hosted_zone_id = ""
+ acme_dns01_aws_secret = ""
+ acme_dns01_aws_access_key_id = ""
+ acme_dns01_aws_access_key_secret = ""
+ acme_dns01_region = ""
+ acme_dns01_google_project = ""
+ acme_dns01_google_secret = ""
+ acme_dns01_google_service_account_key = ""
+ allowed_cidrs = ["0.0.0.0/0"]
+ csi_driver = false
},
var.cert-manager
)
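Review bot: The nine new `acme_dns01_*` defaults are all `""`, with no comment saying which combinations are valid or what `acme_dns01_provider = ""` selects when `acme_dns01_enabled` is true. Before this change the Scaleway DNS01 path only needed `secret_name`, so an empty provider presumably keeps that behaviour, but the template that consumes these values is outside this hunk. Once that is confirmed against the template, a comment above the new keys such as `# acme_dns01_provider: "" keeps the Scaleway webhook solver; set the aws_* / google_* keys only for the matching provider` would make the contract explicit. The `locals` block starts before the hunk.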
@@ -144,11 +153,20 @@ resource "kubernetes_secret" "cert-manager_scaleway_credentials" {
data "kubectl_path_documents" "cert-manager_cluster_issuers" {
pattern = "${path.module}/templates/cert-manager-cluster-issuers.yaml.tpl"
vars = {
- acme_email = local.cert-manager["acme_email"]
- acme_http01_enabled = local.cert-manager["acme_http01_enabled"]
- acme_http01_ingress_class = local.cert-manager["acme_http01_ingress_class"]
- acme_dns01_enabled = local.cert-manager["acme_dns01_enabled"]
- secret_name = local.cert-manager_scaleway_webhook_dns["secret_name"]
+ acme_email = local.cert-manager["acme_email"]
+ acme_http01_enabled = local.cert-manager["acme_http01_enabled"]
+ acme_http01_ingress_class = local.cert-manager["acme_http01_ingress_class"]
+ acme_dns01_enabled = local.cert-manager["acme_dns01_enabled"]
+ acme_dns01_provider = local.cert-manager["acme_dns01_provider"]
+ acme_dns01_hosted_zone_id = local.cert-manager["acme_dns01_hosted_zone_id"]
+ acme_dns01_aws_secret = local.cert-manager["acme_dns01_aws_secret"]
+ acme_dns01_aws_access_key_id = local.cert-manager["acme_dns01_aws_access_key_id"]
+ acme_dns01_aws_access_key_secret = local.cert-manager["acme_dns01_aws_access_key_secret"]
+ acme_dns01_region = local.cert-manager["acme_dns01_region"]
+ acme_dns01_google_project = local.cert-manager["acme_dns01_google_project"]
+ acme_dns01_google_secret = local.cert-manager["acme_dns01_google_secret"]
+ acme_dns01_google_service_account_key = local.cert-manager["acme_dns01_google_service_account_key"]
+ secret_name = local.cert-manager_scaleway_webhook_dns["secret_name"]
}
}
diff --git a/modules/scaleway/reloader.tf b/modules/scaleway/reloader.tf
new file mode 120000
index 000000000..edfef62c0
--- /dev/null
+++ b/modules/scaleway/reloader.tf
@@ -0,0 +1 @@
+../../reloader.tf
\ No newline at end of file
diff --git a/modules/scaleway/templates/cert-manager-cluster-issuers.yaml.tpl b/modules/scaleway/templates/cert-manager-cluster-issuers.yaml.tpl
index 57f9a7ec1..5b6ab5031 100644
--- a/modules/scaleway/templates/cert-manager-cluster-issuers.yaml.tpl
+++ b/modules/scaleway/templates/cert-manager-cluster-issuers.yaml.tpl
@@ -11,6 +11,20 @@ spec:
name: letsencrypt-staging
solvers:
%{ if acme_dns01_enabled }
+ %{ if acme_dns01_provider == "route53" }
+ - dns01:
+ route53:
+ hostedZoneID: ${acme_dns01_hosted_zone_id}
+ %{ if acme_dns01_region != "" }
+ region: '${acme_dns01_region}'
+ %{ endif }
+ accessKeyIDSecretRef:
+ name: ${acme_dns01_aws_secret}
+ key: ${acme_dns01_aws_access_key_id}
+ secretAccessKeySecretRef:
+ name: ${acme_dns01_aws_secret}
+ key: ${acme_dns01_aws_access_key_secret}
+ %{ else }
- dns01:
webhook:
groupName: acme.scaleway.com
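Review bot: In the added route53 solver, `hostedZoneID: ${acme_dns01_hosted_zone_id}` and the four `name:`/`key:` values under `accessKeyIDSecretRef` and `secretAccessKeySecretRef` are interpolated unquoted, while `region` in the same block and the existing `name: '${secret_name}'` are single-quoted. With the `""` defaults an unset value renders as a bare `key:` (YAML null), and a value that looks like a number or boolean is retyped by the YAML parser. Quoting them the same way, e.g. `hostedZoneID: '${acme_dns01_hosted_zone_id}'` and `name: '${acme_dns01_aws_secret}'`, keeps them strings. The same lines recur in the `letsencrypt` issuer hunk (`@@ -46,6 +61,28 @@`). The `%{ if acme_dns01_enabled }` block is closed outside this hunk.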
@@ -23,6 +37,7 @@ spec:
key: SCW_SECRET_KEY
name: '${secret_name}'
%{ endif }
+ %{ endif }
%{ if acme_http01_enabled }
- http01:
ingress:
@@ -46,6 +61,28 @@ spec:
name: letsencrypt
solvers:
%{ if acme_dns01_enabled }
+ %{ if acme_dns01_provider == "route53" }
+ - dns01:
+ route53:
+ hostedZoneID: ${acme_dns01_hosted_zone_id}
+ %{ if acme_dns01_region != "" }
+ region: '${acme_dns01_region}'
+ %{ endif }
+ accessKeyIDSecretRef:
+ name: ${acme_dns01_aws_secret}
+ key: ${acme_dns01_aws_access_key_id}
+ secretAccessKeySecretRef:
+ name: ${acme_dns01_aws_secret}
+ key: ${acme_dns01_aws_access_key_secret}
+ %{ else }
+ %{if acme_dns01_provider == "google" }
+ - dns01:
+ clouddns:
+ project: '${acme_dns01_google_project}'
+ serviceAccountSecretRef:
+ name: '${acme_dns01_google_secret}'
+ key: '${acme_dns01_google_service_account_key}'
+ %{ else }
- dns01:
webhook:
groupName: acme.scaleway.com
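Review bot: The `google` / `clouddns` branch is added only to this `letsencrypt` issuer, while the `letsencrypt-staging` hunk earlier in the file gets just the route53 branch. With `acme_dns01_provider = "google"` the staging issuer therefore falls through to the Scaleway webhook solver and its `secret_name` credentials, so the two issuers would validate against different DNS providers. I would mirror the `%{ if acme_dns01_provider == "google" }` block and its matching `%{ endif }` into the staging issuer. Any other provider string, including a typo, also lands silently in the Scaleway `%{ else }` branch, which deserves a line in the variable documentation. As a style point, `%{if acme_dns01_provider == "google" }` lacks the space after `%{` that every other directive in the template uses.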
@@ -58,6 +95,8 @@ spec:
key: SCW_SECRET_KEY
name: '${secret_name}'
%{ endif }
+ %{ endif }
+ %{ endif }
%{ if acme_http01_enabled }
- http01:
ingress:
diff --git a/reloader.tf b/reloader.tf
new file mode 100644
index 000000000..6f59dc162
--- /dev/null
+++ b/reloader.tf
@@ -0,0 +1,106 @@
+locals {
+
+ reloader = merge(
+ local.helm_defaults,
+ {
+ name = local.helm_dependencies[index(local.helm_dependencies.*.name, "reloader")].name
+ chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "reloader")].name
+ repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "reloader")].repository
+ chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "reloader")].version
+ namespace = "reloader"
+ service_account_name = "reloader"
+ enabled = false
+ default_network_policy = true
+ },
+ var.reloader
+ )
+
+ values_reloader = <<-VALUES
+ VALUES
+}
+
+resource "kubernetes_namespace" "reloader" {
+ count = local.reloader["enabled"] ? 1 : 0
+
+ metadata {
+ labels = {
+ name = local.reloader["namespace"]
+ }
+
+ name = local.reloader["namespace"]
+ }
+}
+
+resource "helm_release" "reloader" {
+ count = local.reloader["enabled"] ? 1 : 0
+ repository = local.reloader["repository"]
+ name = local.reloader["name"]
+ chart = local.reloader["chart"]
+ version = local.reloader["chart_version"]
+ timeout = local.reloader["timeout"]
+ force_update = local.reloader["force_update"]
+ recreate_pods = local.reloader["recreate_pods"]
+ wait = local.reloader["wait"]
+ atomic = local.reloader["atomic"]
+ cleanup_on_fail = local.reloader["cleanup_on_fail"]
+ dependency_update = local.reloader["dependency_update"]
+ disable_crd_hooks = local.reloader["disable_crd_hooks"]
+ disable_webhooks = local.reloader["disable_webhooks"]
+ render_subchart_notes = local.reloader["render_subchart_notes"]
+ replace = local.reloader["replace"]
+ reset_values = local.reloader["reset_values"]
+ reuse_values = local.reloader["reuse_values"]
+ skip_crds = local.reloader["skip_crds"]
+ verify = local.reloader["verify"]
+ values = [
+ local.values_reloader,
+ local.reloader["extra_values"]
+ ]
+ namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]
+
+ depends_on = [
+ kubectl_manifest.prometheus-operator_crds
+ ]
+}
+
+
+resource "kubernetes_network_policy" "reloader_default_deny" {
+ count = local.reloader["enabled"] && local.reloader["default_network_policy"] ? 1 : 0
+
+ metadata {
+ name = "${kubernetes_namespace.reloader.*.metadata.0.name[count.index]}-default-deny"
+ namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]
+ }
+
+ spec {
+ pod_selector {
+ }
+ policy_types = ["Ingress"]
+ }
+}
+
+resource "kubernetes_network_policy" "reloader_allow_namespace" {
+ count = local.reloader["enabled"] && local.reloader["default_network_policy"] ? 1 : 0
+
+ metadata {
+ name = "${kubernetes_namespace.reloader.*.metadata.0.name[count.index]}-allow-namespace"
+ namespace = kubernetes_namespace.reloader.*.metadata.0.name[count.index]
+ }
+
+ spec {
+ pod_selector {
+ }
+
+ ingress {
+ from {
+ namespace_selector {
+ match_labels = {
+ name = kubernetes_namespace.reloader.*.metadata.0.name[count.index]
+ }
+ }
+ }
+ }
+
+ policy_types = ["Ingress"]
+ }
+}
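Review bot: `helm_release.reloader` declares `depends_on = [kubectl_manifest.prometheus-operator_crds]`, but `values_reloader` is an empty heredoc and nothing in this file requests a ServiceMonitor or other prometheus-operator resource, so the ordering looks carried over from another release. If it is needed only when monitoring is switched on through `extra_values`, say so with a comment such as `# CRDs must exist before the chart's ServiceMonitor, if enabled via extra_values`; otherwise drop the `depends_on`. Because the empty values mean the release runs entirely on chart defaults, a short comment stating which namespaces the controller is expected to watch would also help anyone reviewing its RBAC scope.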
diff --git a/variables.tf b/variables.tf
index 780d64c81..01679a804 100644
--- a/variables.tf
+++ b/variables.tf
@@ -225,3 +225,9 @@ variable "ip-masq-agent" {
type = any
default = {}
}
+
+variable "reloader" {
+ description = "Customize reloader chart, see `reloader.tf` for supported values"
+ type = any
+ default = {}
+}