feat: external-secrets, version: 0.9.2

clouddrove · Aug 4, 2023 · 8e1cee9 · 8e1cee9
1 parent f4f326a
commit 8e1cee9
Show file tree

Hide file tree

Showing 18 changed files with 391 additions and 11 deletions.
diff --git a/_examples/basic/main.tf b/_examples/basic/main.tf
@@ -199,8 +199,9 @@ module "addons" {
   aws_node_termination_handler = true
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
-  karpenter                    = false
-  calico_tigera                = false
+  karpenter                    = true
+  calico_tigera                = true
+  external_secrets             = true
 
   kiali_server    = true
   kiali_manifests = var.kiali_manifests

diff --git a/_examples/complete/config/external-secret/external-secret.yaml b/_examples/complete/config/external-secret/external-secret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-secret               # -- Provide external secret name
+  namespace: kube-system              # -- Do not change this namespace field
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: external-secrets-store      # -- Provide previously created secret store name
+    kind: SecretStore
+  target:
+    name: externalsecret-data         # -- Name of secret which will contain data specified below
+    creationPolicy: Owner
+  data:
+  - secretKey: sm_secret_key_1        # -- AWS Secret-Manager secret key
+    remoteRef:
+      key: addon/external_secrets     # -- AWS Secrets Manager secret name
+      property: sm_secret_key_1                 # -- AWS Secret-Manager secret key
+  - secretKey: sm_secret_key_2        # -- AWS Secret-Manager secret key          
+    remoteRef:
+      key: addon/external_secrets     # --  AWS Secrets Manager secret name
+      property: sm_secret_key_2       # -- AWS Secret-Manager secret key
diff --git a/_examples/complete/config/external-secret/secret-store.yaml b/_examples/complete/config/external-secret/secret-store.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: external-secrets-store # -- Provide secret store name
+  namespace: kube-system # -- Do not change this namespace name
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: us-east-1 # -- Provoide your cluster region
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: external-secrets-sa # -- Do not change this name field
diff --git a/_examples/complete/config/external-secret/usage.yaml b/_examples/complete/config/external-secret/usage.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ubuntu-pod
+  namespace: kube-system             # -- keep this namespace same as ExternalSecret namespace
+  labels:
+    app: ubuntu-pod
+spec:
+  containers:
+  - image: ubuntu
+    command:
+      - "sleep"
+      - "604800"
+    imagePullPolicy: IfNotPresent
+    name: ubuntu-pod
+    env:
+      - name: USER_1                           # -- Environment variable of pod
+        valueFrom:
+          secretKeyRef:
+            name: externalsecret-data
+            key: sm_secret_key_1               # -- Same as spec.data.secretKey[1] field of ExternalStore          
+            optional: false
+      - name: USER_2                           # -- Environment variable of pod           
+        valueFrom:
+          secretKeyRef:
+            name: externalsecret-data
+            key: sm_secret_key_2               # -- Same as spec.data.secretKey[2] field of ExternalStore      
+            optional: false    
+  restartPolicy: Always
diff --git a/_examples/complete/config/override-external_secrets.yaml b/_examples/complete/config/override-external_secrets.yaml
@@ -0,0 +1,24 @@
+## Node affinity for particular node in which labels key is "Infra-Services" and value is "true"
+
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: "eks.amazonaws.com/nodegroup"
+          operator: In
+          values:
+          - "critical"
+
+## Using limits and requests
+
+resources:
+  limits:
+    cpu: 200m
+    memory: 250Mi
+  requests:
+    cpu: 50m
+    memory: 150Mi
+
+podAnnotations:
+  co.elastic.logs/enabled: "true"
diff --git a/_examples/complete/locals.tf b/_examples/complete/locals.tf
@@ -1,7 +1,7 @@
 
 locals {
 
-  name   = "tf-helm-2"
+  name   = "tf-helm-eks-addons"
   region = "us-east-1"
 
   vpc_cidr = "10.0.0.0/16"

diff --git a/_examples/complete/main.tf b/_examples/complete/main.tf
@@ -196,19 +196,21 @@ module "addons" {
 
   # -- Enable Addons
   metrics_server               = true
-  cluster_autoscaler           = false
-  karpenter                    = false
+  cluster_autoscaler           = true
+  karpenter                    = true
   aws_load_balancer_controller = true
   aws_node_termination_handler = true
   aws_efs_csi_driver           = true
   aws_ebs_csi_driver           = true
-  calico_tigera                = false
+  calico_tigera                = true
 
   # -- Addons with mandatory variable
-  istio_ingress   = false
-  istio_manifests = var.istio_manifests
-  kiali_server    = false
-  kiali_manifests = var.kiali_manifests
+  istio_ingress            = true
+  istio_manifests          = var.istio_manifests
+  kiali_server             = true
+  kiali_manifests          = var.kiali_manifests
+  external_secrets         = true
+  externalsecrets_manifest = var.externalsecrets_manifest
 
   # -- Path of override-values.yaml file
   metrics_server_helm_config               = { values = ["${file("./config/override-metrics-server.yaml")}"] }
@@ -221,5 +223,6 @@ module "addons" {
   calico_tigera_helm_config                = { values = ["${file("./config/calico-tigera-values.yaml")}"] }
   istio_ingress_helm_config                = { values = ["${file("./config/istio/override-values.yaml")}"] }
   kiali_server_helm_config                 = { values = ["${file("./config/kiali/override-values.yaml")}"] }
+  external_secrets_helm_config             = { values = ["${file("./config/override-external_secrets.yaml")}"] }
 }
 
diff --git a/_examples/complete/variables.tf b/_examples/complete/variables.tf
@@ -56,4 +56,16 @@ variable "kiali_manifests" {
     kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
     enable_monitoring              = true
   }
-}
+}
+
+# ------------------ EXTERNAL SECRETS -----------------------
+variable "externalsecrets_manifest" {
+  type = object({
+    secret_store_manifest_file_path     = string
+    external_secrets_manifest_file_path = string
+  })
+  default = {
+    secret_store_manifest_file_path     = "./config/external-secret/secret-store.yaml"
+    external_secrets_manifest_file_path = "./config/external-secret/external-secret.yaml"
+  }
+}
diff --git a/addons/external-secrets/README.md b/addons/external-secrets/README.md
@@ -0,0 +1,33 @@
+# External Secrets Helm Chart
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+External Secrets Operator is a Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager, Akeyless, CyberArk Conjur and many more. The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret.
+
+## Installation
+Below terraform script shows how to use External Secrets Terraform Addon, A complete example is also given [here](https://github.com/clouddrove/terraform-helm-eks-addons/blob/master/_examples/complete/main.tf).
+
+Note : User need to change the properties of SecretStore according to their usage by editing  "/complete/config/external-secret/secret-store.yaml"
+and they also need to change properties of ExternalSecrets according to their usage by editing  "/complete/config/external-secret/external-secret.yaml"
+
+```bash
+module "addons" {
+  source = "../../"
+  depends_on       = [null_resource.kubectl]
+  eks_cluster_name = module.eks.cluster_name
+
+  external_secrets         = true
+  externalsecrets_manifest = var.externalsecrets_manifest
+
+}
+```
+
+
+## Inputs
+
+| Name | Description | Default | Required |
+|------|-------------|---------|:--------:|
+| eks_cluster_name | Name of Kubernetes Cluster in which you want to install External Secrets |  | Yes |
+| external_secrets | To install External Secrets helmchart set this to true | false | Yes |
+| external_secrets_helm_config | Override [attributes](https://github.com/clouddrove/terraform-helm-eks-addons/blob/master/addons/helm/main.tf#L1-L33) of helm_release terraform resource. | `name`, `chart`, `repository`, `version`, `namespace`,`description` are can not be override | No |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/addons/external-secrets/config/external_secrets.yaml b/addons/external-secrets/config/external_secrets.yaml
@@ -0,0 +1,24 @@
+## Node affinity for particular node in which labels key is "Infra-Services" and value is "true"
+
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: "eks.amazonaws.com/nodegroup"
+          operator: In
+          values:
+          - "critical"
+
+## Using limits and requests
+
+resources:
+  limits:
+    cpu: 200m
+    memory: 250Mi
+  requests:
+    cpu: 50m
+    memory: 150Mi
+
+podAnnotations:
+  co.elastic.logs/enabled: "true"
diff --git a/addons/external-secrets/data.tf b/addons/external-secrets/data.tf
@@ -0,0 +1,6 @@
+data "aws_eks_cluster" "eks_cluster" {
+  # this makes downstream resources wait for data plane to be ready
+  name = var.eks_cluster_name
+}
+
+data "aws_region" "current" {}
diff --git a/addons/external-secrets/locals.tf b/addons/external-secrets/locals.tf
@@ -0,0 +1,21 @@
+locals {
+  name = "external-secrets"
+
+  default_helm_config = {
+    name        = local.name
+    chart       = local.name
+    repository  = "https://charts.external-secrets.io/"
+    version     = "0.9.2"
+    namespace   = "kube-system"
+    description = "external-secrets helm Chart deployment configuration"
+  }
+
+  helm_config = merge(
+    local.default_helm_config,
+    var.helm_config
+  )
+
+  argocd_gitops_config = {
+    enable = true
+  }
+}
diff --git a/addons/external-secrets/main.tf b/addons/external-secrets/main.tf
@@ -0,0 +1,99 @@
+module "helm_addon" {
+  source = "../helm"
+
+  manage_via_gitops = var.manage_via_gitops
+  helm_config       = local.helm_config
+  addon_context     = var.addon_context
+
+  depends_on = [kubernetes_namespace_v1.this]
+  set_values = [
+    {
+      name  = "serviceAccount.create"
+      value = "false"
+    },
+    {
+      name  = "serviceAccount.name"
+      value = "${local.name}-sa"
+    },
+    {
+      name  = "webhook.rbac.serviceAccount.create"
+      value = "false"
+    },
+    {
+      name  = "webhook.rbac.serviceAccount.name"
+      value = "${local.name}-sa"
+    },
+    {
+      name  = "certController.serviceAccount.create"
+      value = "false"
+    },
+    {
+      name  = "certController.serviceAccount.name"
+      value = "${local.name}-sa"
+    }
+
+  ]
+
+  # -- IRSA Configurations
+  irsa_config = {
+    irsa_iam_policies                 = ["${aws_iam_policy.policy.arn}"]
+    irsa_iam_role_name                = "${local.name}-${var.eks_cluster_name}-IAM-Role"
+    create_kubernetes_service_account = true
+    kubernetes_service_account        = "${local.name}-sa"
+    kubernetes_namespace              = local.default_helm_config.namespace
+    eks_oidc_provider_arn             = replace("${data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer}", "https://", "")
+    account_id                        = var.account_id
+  }
+
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "${local.name}-${var.eks_cluster_name}-IAM-Policy"
+  path        = "/"
+  description = "IAM Policy used by ${local.name}-${var.eks_cluster_name} IAM Role"
+  policy      = data.aws_iam_policy_document.iam-policy.json
+}
+
+resource "kubernetes_namespace_v1" "this" {
+  count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0
+
+  metadata {
+    name = local.helm_config["namespace"]
+  }
+}
+
+
+data "aws_iam_policy_document" "iam-policy" {
+  version = "2012-10-17"
+
+  statement {
+    sid    = "VisualEditor0"
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+    ]
+    resources = [
+      "arn:aws:secretsmanager:${data.aws_region.current.name}:${var.account_id}:secret:addon/external_secrets*",
+    ]
+  }
+}
+
+resource "kubectl_manifest" "secret_store" {
+  depends_on = [module.helm_addon]
+  yaml_body  = file("${var.externalsecrets_manifest.secret_store_manifest_file_path}")
+}
+
+resource "kubectl_manifest" "external_secrets" {
+  depends_on = [kubectl_manifest.secret_store]
+  yaml_body  = file("${var.externalsecrets_manifest.external_secrets_manifest_file_path}")
+}
+
+# module "external_secret_secret_manager" {
+#   source  = "clouddrove/secrets-manager/aws"
+#   version = "1.3.0"
+
+#   name        = "addon/exteranl_secretes"
+
+#   secrets = []
+# }
diff --git a/addons/external-secrets/outputs.tf b/addons/external-secrets/outputs.tf