From b2940e7d647ee393d75c62ca84d42d02106e8210 Mon Sep 17 00:00:00 2001
From: Shahe Islam
Date: Sun, 12 Jan 2025 19:05:46 +0000
Subject: [PATCH 1/3] feat: Adding Helm chart for reloader to test against new workload services and deployments
---
 cluster/terraform_kubernetes/reloader.tf | 32 +++++++++++++++++++++++
 cluster/terraform_kubernetes/variables.tf | 18 +++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 cluster/terraform_kubernetes/reloader.tf
diff --git a/cluster/terraform_kubernetes/reloader.tf b/cluster/terraform_kubernetes/reloader.tf
new file mode 100644
index 00000000..7721f4f2
--- /dev/null
+++ b/cluster/terraform_kubernetes/reloader.tf
@@ -0,0 +1,32 @@
+resource "helm_release" "reloader" {
+ name = "reloader"
+ namespace = "monitoring"
+ repository = "https://stakater.github.io/stakater-charts"
+ chart = "reloader"
+ version = var.reloader_version
+
+ set {
+ name = "reloader.watchGlobally"
+ value = "true"
+ }
+
+ set {
+ name = "reloader.deployment.resources.limits.memory"
+ value = var.reloader_app_mem
+ }
+
+ set {
+ name = "reloader.deployment.resources.limits.cpu"
+ value = var.reloader_app_cpu
+ }
+
+ set {
+ name = "reloader.deployment.resources.requests.memory"
+ value = var.reloader_app_mem
+ }
+
+ set {
+ name = "reloader.deployment.resources.requests.cpu"
+ value = var.reloader_app_cpu
+ }
+}
diff --git a/cluster/terraform_kubernetes/variables.tf b/cluster/terraform_kubernetes/variables.tf
index 0ca3275c..d17dd6c4 100644
--- a/cluster/terraform_kubernetes/variables.tf
+++ b/cluster/terraform_kubernetes/variables.tf
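Review bot: `reloader.watchGlobally = "true"` in the new `helm_release` in reloader.tf lets the controller read Secrets and ConfigMaps in every namespace, and the hand-written `reloader-role` ClusterRole in PATCH 3/3 keeps that scope together with `update`/`patch` on all Deployments, DaemonSets and StatefulSets. Within this series only the alertmanager deployment opts in, so if every consumer lives in `monitoring`, a namespaced Role and RoleBinding (chart value `reloader.watchGlobally = "false"`) would bound what a compromised Reloader pod can read or restart. If cluster-wide watching is intended, record it with a comment above the first `set` block, for example `# watches all namespaces: workloads outside monitoring opt in via annotation`.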
@@ -207,6 +207,24 @@ variable "filebeat_version" {
 default = "8.12.2"
 }

+variable "reloader_version" {
+ type = string
+ description = "Version of the Reloader helm chart to use"
+ default = "1.0.69"
+}
+
+variable "reloader_app_cpu" {
+ type = string
+ description = "Reloader app cpu request/limit"
+ default = "100m"
+}
+
+variable "reloader_app_mem" {
+ type = string
+ description = "Reloader app memory request/limit"
+ default = "512Mi"
+}
+
 variable "alertmanager_slack_receiver_list" {
 type = list(any)
 description = "List of alertmanager Slack receivers. Each entry must have a corresponding webhook in the keyvault."
From f5afce9c9b69a1ca75e4a91c7bd1bc6c5945cdf4 Mon Sep 17 00:00:00 2001
From: Shahe Islam
Date: Mon, 13 Jan 2025 14:06:54 +0000
Subject: [PATCH 2/3] feat: Adding annotation to alertmanager
---
 cluster/terraform_kubernetes/alertmanager.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cluster/terraform_kubernetes/alertmanager.tf b/cluster/terraform_kubernetes/alertmanager.tf
index 90a6e094..a9216b57 100644
--- a/cluster/terraform_kubernetes/alertmanager.tf
+++ b/cluster/terraform_kubernetes/alertmanager.tf
@@ -41,6 +41,9 @@ resource "kubernetes_deployment" "alertmanager" {
 labels = {
 app = "alertmanager"
 }
+ annotations = {
+ "reloader.stakater.com/auto" = "true"
+ }
 }

 spec {
From 7738929d5b630e53c5c2916d44043d2c93718b7d Mon Sep 17 00:00:00 2001
From: Shahe Islam
Date: Wed, 15 Jan 2025 14:11:51 +0000
Subject: [PATCH 3/3] feat: Changing to reference container image feat: Changing to reference container image
---
 cluster/terraform_kubernetes/reloader.tf | 126 ++++++++++++++++++----
 cluster/terraform_kubernetes/variables.tf | 2 +-
 2 files changed, 106 insertions(+), 22 deletions(-)
diff --git a/cluster/terraform_kubernetes/reloader.tf b/cluster/terraform_kubernetes/reloader.tf
index 7721f4f2..c37645ad 100644
--- a/cluster/terraform_kubernetes/reloader.tf
+++ b/cluster/terraform_kubernetes/reloader.tf
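Review bot: The `reloader.stakater.com/auto` annotation added in the alertmanager.tf hunk (PATCH 2/3) has no comment saying which controller consumes it or what it triggers, so a later reader cannot tell that it causes rollouts of alertmanager. A line such as `# Stakater Reloader: roll this deployment when a ConfigMap or Secret it references changes` above `annotations = {` would cover it. The enclosing `metadata` block opens outside the hunk, so it is not visible whether this is the Deployment's own metadata or the pod template's; that is worth confirming against where the deployed Reloader version looks. Because `auto` follows every Secret and ConfigMap the pod references, naming the specific objects with `secret.reloader.stakater.com/reload` or `configmap.reloader.stakater.com/reload` would make the restart triggers explicit.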
@@ -1,32 +1,116 @@
-resource "helm_release" "reloader" {
- name = "reloader"
- namespace = "monitoring"
- repository = "https://stakater.github.io/stakater-charts"
- chart = "reloader"
- version = var.reloader_version
+# ClusterRole for Reloader
+resource "kubernetes_cluster_role" "reloader" {
+ metadata {
+ name = "reloader-role"
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["configmaps", "secrets"]
+ verbs = ["list", "get", "watch"]
+ }
+
+ rule {
+ api_groups = ["apps"]
+ resources = ["deployments", "daemonsets", "statefulsets"]
+ verbs = ["list", "get", "update", "patch"]
+ }

- set {
- name = "reloader.watchGlobally"
- value = "true"
+ rule {
+ api_groups = ["extensions"]
+ resources = ["deployments", "daemonsets"]
+ verbs = ["list", "get", "update", "patch"]
 }
+}

- set {
- name = "reloader.deployment.resources.limits.memory"
- value = var.reloader_app_mem
+# ServiceAccount for Reloader
+resource "kubernetes_service_account" "reloader" {
+ metadata {
+ name = "reloader"
+ namespace = "monitoring"
 }
+}

- set {
- name = "reloader.deployment.resources.limits.cpu"
- value = var.reloader_app_cpu
+# ClusterRoleBinding for Reloader
+resource "kubernetes_cluster_role_binding" "reloader" {
+ metadata {
+ name = "reloader-role-binding"
 }

- set {
- name = "reloader.deployment.resources.requests.memory"
- value = var.reloader_app_mem
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.reloader.metadata[0].name
 }

- set {
- name = "reloader.deployment.resources.requests.cpu"
- value = var.reloader_app_cpu
+ subject {
+ kind = "ServiceAccount"
+ name = kubernetes_service_account.reloader.metadata[0].name
+ namespace = kubernetes_service_account.reloader.metadata[0].namespace
+ }
+}
+
+# Deployment for Reloader
+resource "kubernetes_deployment" "reloader" {
+ metadata {
+ name = "reloader"
+ namespace = "monitoring"
+ labels = {
+ app = "reloader"
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "reloader"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "reloader"
+ }
+ }
+
+ spec {
+ service_account_name = kubernetes_service_account.reloader.metadata[0].name
+
+ container {
+ name = "reloader"
+ image = "stakater/reloader:v${var.reloader_version}"
+
+ args = ["--reload-strategy=annotations"]
+
+ resources {
+ limits = {
+ cpu = var.reloader_app_cpu
+ memory = var.reloader_app_mem
+ }
+ requests = {
+ cpu = var.reloader_app_cpu
+ memory = var.reloader_app_mem
+ }
+ }
+
+ security_context {
+ run_as_user = 65534 # nobody user
+ run_as_group = 65534 # nobody group
+ capabilities {
+ drop = ["ALL"]
+ }
+ allow_privilege_escalation = false
+ privileged = false
+ read_only_root_filesystem = true
+ seccomp_profile {
+ type = "RuntimeDefault"
+ }
+ }
+ }
+ }
+ }
 }
 }
diff --git a/cluster/terraform_kubernetes/variables.tf b/cluster/terraform_kubernetes/variables.tf
index d17dd6c4..3b2aa315 100644
--- a/cluster/terraform_kubernetes/variables.tf
+++ b/cluster/terraform_kubernetes/variables.tf
@@ -209,7 +209,7 @@ variable "filebeat_version" {

 variable "reloader_version" {
 type = string
- description = "Version of the Reloader helm chart to use"
+ description = "Version of the Reloader container image to use"
 default = "1.0.69"
 }
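Review bot: In the new `kubernetes_deployment` in reloader.tf (PATCH 3/3), `image = "stakater/reloader:v${var.reloader_version}"` is a mutable tag on an implicit registry, so whatever that tag resolves to at pull time runs under a service account that can read every Secret and patch every workload in the cluster. Pinning the digest next to the tag, e.g. `image = "docker.io/stakater/reloader:v${var.reloader_version}@sha256:<DIGEST_PLACEHOLDER>"`, makes the rollout reproducible and gives admission policy something to verify. The `security_context` sets `run_as_user = 65534` without `run_as_non_root = true`; adding that line makes the kubelet refuse to start the container should the UID ever be changed to 0. The `extensions` rule in `reloader-role` targets an API group that, as far as I know, no longer serves Deployments or DaemonSets on current Kubernetes, so it can probably be dropped.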