In order to issue commands against a Kubernetes cluster, you need the kubernetes provider and establish a connection. In many cases, you can specify a kubeconfig file from Terraform. But what if your cluster is ephemeral? What if you want to create and do some basic set-up against the cluster through one declarative script?

The Kubernetes Provider

Another option from the Kubernetes provider, is to avoid using the config file by specifying load_config_file to false.

provider "kubernetes" {
  host                   = "some host"
  username               = "some username"
  password               = "some password"
  client_certificate     = "some client certificate"
  client_key             = "some client key"
  cluster_ca_certificate = "some ca certificate'

  load_config_file = "false"
}

When you turn off the config file authentication, you need to specify other parameters to grant the provider enough information to connect to the cluster. Luckily, you can get these values from output variables when you provision the cluster.

provider "azurerm" {
  version = "=1.43.0"
}

resource "azurerm_resource_group" "resource_group" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_kubernetes_cluster" "aks_cluster" {
  name                = var.cluster_name
  location            = var.location
  resource_group_name = azurerm_resource_group.resource_group.name
  dns_prefix          = var.dns_prefix

  default_node_pool {
    name       = "default"
    node_count = var.node_count
    vm_size    = var.node_size
  }

  service_principal {
    client_id     = var.service_principal.client_id
    client_secret = var.service_principal.client_secret
  }

  tags = {
    Environment = var.environment
  }
}

Then your Kubernetes provider would look like this

provider "kubernetes" {
  host                   = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.host
  username               = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.username
  password               = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.password
  client_certificate     = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.client_certificate)
  client_key             = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.client_key)
  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.cluster_ca_certificate)

  load_config_file = "false"
}

Installing apps

Edit: If you try the approaches below, you will have to do them from a separate Terraform plan. If you try to deploy using the Kubernetes or Helm provider without an existing cluster, then validation will fail because it will try to establish a connection with a cluster that doesn't exist to build a plan. Lastly, there's this limitation and this limitation that prevent you staggering the providers cleanly.

Once the connection is establish, the hard part if over. You can use the kubernetes provider to create namespaces.

resource "kubernetes_namespace" "app_namespace" {
  metadata {
    name = "my-namespace"
  }
}

Or you could choose to install something like Redis through the Helm provider which takes in the same arguments as the kubernetes provider.

provider "helm" {
  kubernetes {
    host                   = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.host
    username               = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.username
    password               = azurerm_kubernetes_cluster.aks_cluster.kube_config.0.password
    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks_cluster.kube_config.0.cluster_ca_certificate)

    load_config_file = "false"
  }
}

resource "helm_release" "my_redis" {
  name  = "my-release"
  chart = "stable/redis"
}