Allow kustomization plugin to run in-cluster

Ensure that plugin can run in cluster

Author: willthames

.github/workflows/main.yml

@@ -162,6 +162,55 @@ jobs:
     - name: 'Terraform Apply'
       run: terraform apply --auto-approve
 
+  int_test_in_cluster:
+    runs-on: ubuntu-latest
+    needs: [compile_provider]
+
+    steps:
+    - name: 'Checkout'
+      uses: actions/checkout@v1
+
+    - name: 'Setup Kind'
+      uses: engineerd/[email protected]
+      with:
+        version: "v0.11.0"
+
+    - name: 'Download terraform-plugins'
+      uses: actions/download-artifact@v2
+      with:
+        name: terraform-plugins
+        path: terraform.d/plugins
+
+    - name: Create terraform pod
+      run: kubectl apply -f tests/in-cluster.yaml
+
+    - name: Wait for pod to be ready
+      run: kubectl wait pod/terraform --for condition=Ready --timeout 60s
+
+    - name: 'Ensure provider is executable'
+      run: chmod +x terraform.d/plugins/registry.terraform.io/kbst/kustomization/1.0.0/linux_amd64/terraform-provider-kustomization_v1.0.0
+
+    - name: Make provider directory
+      run: kubectl exec terraform -- mkdir terraform.d
+
+    - name: Copy provider
+      run: kubectl cp terraform.d/plugins terraform:terraform.d/plugins
+
+    - name: Copy test file
+      run: kubectl cp test.tf terraform:test.tf
+
+    - name: Copy kustomize directory
+      run: kubectl cp kustomize terraform:kustomize
+
+    - name: Create provider file
+      run: kubectl exec -it terraform -- sh -c 'echo "provider \"kustomization\" {\n  kubeconfig_incluster = true\n}" > provider.tf'
+
+    - name: 'Terraform Init'
+      run: kubectl exec -it terraform -- terraform init
+
+    - name: 'Terraform Apply'
+      run: kubectl exec -it terraform -- terraform apply --auto-approve
+
   int_test_state_import:
     runs-on: ubuntu-latest
     needs: [compile_provider]
@@ -285,7 +334,13 @@ jobs:
 
   goreleaser:
     runs-on: ubuntu-latest
-    needs: [tf_tests, int_test_kubeconfig_path, int_test_kubeconfig_raw, int_test_state_import, int_test_kubestack_kind]
+    needs:
+      - tf_tests
+      - int_test_kubeconfig_path
+      - int_test_kubeconfig_raw
+      - int_test_in_cluster
+      - int_test_state_import
+      - int_test_kubestack_kind
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Checkout

docs/index.md

@@ -27,21 +27,24 @@ terraform {
 }
 
 provider "kustomization" {
-  # one of kubeconfig_path or kubeconfig_raw is required
+  # one of kubeconfig_path, kubeconfig_raw or kubeconfig_incluster must be set
 
   # kubeconfig_path = "~/.kube/config"
   # can also be set using KUBECONFIG_PATH environment variable
 
   # kubeconfig_raw = data.template_file.kubeconfig.rendered
   # kubeconfig_raw = yamlencode(local.kubeconfig)
+
+  # kubeconfig_incluster = true
 }
 
 ```
 
 ## Argument Reference
 
-- `kubeconfig_path` - (One of `kubeconfig_path` or `kubeconfig_raw` required) Path to a kubeconfig file. Can be set using `KUBECONFIG_PATH` environment variable.
-- `kubeconfig_raw` - (One of `kubeconfig_path` or `kubeconfig_raw` required) Raw kubeconfig file. If `kubeconfig_raw` is set, `kubeconfig_path` is ignored.
+- `kubeconfig_path` - Path to a kubeconfig file. Can be set using `KUBECONFIG_PATH` environment variable.
+- `kubeconfig_raw` - Raw kubeconfig file. If `kubeconfig_raw` is set, `kubeconfig_path` is ignored.
+- `kubeconfig_incluster` - Set to `true` when running inside a kubernetes cluster.
 - `context` - (Optional) Context to use in kubeconfig with multiple contexts, if not specified the default context is used.
 
 ## Imports

kustomize/provider.go

@@ -47,14 +47,20 @@ func Provider() *schema.Provider {
 				Type:         schema.TypeString,
 				Optional:     true,
 				DefaultFunc:  schema.EnvDefaultFunc("KUBECONFIG_PATH", nil),
-				ExactlyOneOf: []string{"kubeconfig_path", "kubeconfig_raw"},
-				Description:  fmt.Sprintf("Path to a kubeconfig file. Can be set using KUBECONFIG_PATH env var. Either kubeconfig_path or kubeconfig_raw is required."),
+				ExactlyOneOf: []string{"kubeconfig_path", "kubeconfig_raw", "kubeconfig_incluster"},
+				Description:  "Path to a kubeconfig file. Can be set using KUBECONFIG_PATH env var",
 			},
 			"kubeconfig_raw": {
 				Type:         schema.TypeString,
 				Optional:     true,
-				ExactlyOneOf: []string{"kubeconfig_path", "kubeconfig_raw"},
-				Description:  "Raw kube config. If kubeconfig_raw is set, kubeconfig_path is ignored.",
+				ExactlyOneOf: []string{"kubeconfig_path", "kubeconfig_raw", "kubeconfig_incluster"},
+				Description:  "Raw kube config. If kubeconfig_raw is set, KUBECONFIG_PATH is ignored.",
+			},
+			"kubeconfig_incluster": {
+				Type:         schema.TypeBool,
+				Optional:     true,
+				ExactlyOneOf: []string{"kubeconfig_path", "kubeconfig_raw", "kubeconfig_incluster"},
+				Description:  "Set to true when running inside a kubernetes cluster. If kubeconfig_incluster is set, KUBECONFIG_PATH is ignored.",
 			},
 			"context": {
 				Type:        schema.TypeString,
@@ -71,6 +77,7 @@ func Provider() *schema.Provider {
 
 		raw := d.Get("kubeconfig_raw").(string)
 		path := d.Get("kubeconfig_path").(string)
+		incluster := d.Get("kubeconfig_incluster").(bool)
 		context := d.Get("context").(string)
 
 		if raw != "" {
@@ -92,6 +99,13 @@ func Provider() *schema.Provider {
 			}
 		}
 
+		if incluster {
+			config, err = rest.InClusterConfig()
+			if err != nil {
+				return nil, fmt.Errorf("provider kustomization: couldn't load in cluster config: %s", err)
+			}
+		}
+
 		// empty default config required to support
 		// using a cluster resource or data source
 		// that may not exist yet, to configure the provider

tests/in-cluster.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: terraform
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: terraform-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: terraform
+  namespace: default
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: terraform
+  name: terraform
+  namespace: default
+spec:
+  containers:
+  - command:
+    - sleep
+    - "100000"
+    image: hashicorp/terraform:1.0.5
+    imagePullPolicy: IfNotPresent
+    name: terraform
+    workingDir: /terraform
+  serviceAccount: terraform