Kubernetes-external-secrets (#204)

ManagedKube · Oct 8, 2021 · 10995f6 · 10995f6
1 parent 4b792da
commit 10995f6
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 0 deletions.
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md
@@ -0,0 +1,40 @@
+# Kubernetes-external-secrets
+
+
+## Creating a secret
+
+String:
+```
+aws secretsmanager create-secret --name myapp/password --secret-string "1234"
+aws secretsmanager create-secret --name myapp/some-key --secret-string "5678"
+```
+
+Binary file:
+```
+aws secretsmanager create-secret --name myapp-dev/file1 --secret-binary fileb://~/Downloads/Testing_MATCH_API-sandbox.p12
+```
+
+
+## Using the secret
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+spec:
+  containers:
+  - name: mypod
+    image: redis
+    volumeMounts:
+    - name: foo
+      mountPath: "/etc/foo"
+      readOnly: true
+  volumes:
+  - name: foo
+    secret:
+      secretName: mysecret
+```
+
+The secret will be mounted into `/etc/foo`
+
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf
@@ -0,0 +1,77 @@
+locals {
+  aws_region       = "us-east-1"
+  environment_name = "dev"
+  secrets_prefix   = "managedkube/"
+  tags = {
+    ops_env              = "${local.environment_name}"
+    ops_managed_by       = "terraform",
+    ops_source_repo      = "kubernetes-ops",
+    ops_source_repo_path = "terraform-environments/aws/${local.environment_name}/helm/kubernetes-external-secrets",
+    ops_owners           = "devops",
+  }
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.37.0"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+
+  backend "remote" {
+    organization = "managedkube"
+
+    workspaces {
+      name = "kubernetes-ops-dev-helm-kubernetes-external-secrets"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.aws_region
+}
+
+data "terraform_remote_state" "eks" {
+  backend = "remote"
+  config = {
+    organization = "managedkube"
+    workspaces = {
+      name = "kubernetes-ops-${local.environment_name}-20-eks"
+    }
+  }
+}
+
+#
+# EKS authentication
+# # https://registry.terraform.io/providers/hashicorp/helm/latest/docs#exec-plugins
+provider "helm" {
+  kubernetes {
+    host                   = data.terraform_remote_state.eks.outputs.cluster_endpoint
+    cluster_ca_certificate = base64decode(data.terraform_remote_state.eks.outputs.cluster_certificate_authority_data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1alpha1"
+      args        = ["eks", "get-token", "--cluster-name", local.environment_name]
+      command     = "aws"
+    }
+  }
+}
+
+#
+# Helm - kube-prometheus-stack
+#
+module "kubernetes-external-secrets" {
+  source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/kubernetes-external-secrets?ref=v1.0.20"
+
+  eks_cluster_oidc_issuer_url = data.terraform_remote_state.eks.outputs.cluster_oidc_issuer_url
+  helm_values                 = file("${path.module}/values.yaml")
+  environment_name            = local.environment_name
+  secrets_prefix              = local.secrets_prefix
+
+  depends_on = [
+    data.terraform_remote_state.eks
+  ]
+}
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml
@@ -0,0 +1,4 @@
+---
+env:
+  AWS_REGION: us-east-1
+  AWS_DEFAULT_REGION: us-east-1