From 10995f604864988f3826528a2c57393354168500 Mon Sep 17 00:00:00 2001
From: Garland Kan
Date: Fri, 8 Oct 2021 12:15:28 -0700
Subject: [PATCH] Kubernetes-external-secrets (#204)
---
 .../kubernetes-external-secrets/README.md | 40 ++++++++++
 .../helm/kubernetes-external-secrets/main.tf | 77 +++++++++++++++++++
 .../kubernetes-external-secrets/values.yaml | 4 +
 3 files changed, 121 insertions(+)
 create mode 100644 terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md
 create mode 100644 terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf
 create mode 100644 terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md
new file mode 100644
index 000000000..0504f75d9
--- /dev/null
+++ b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/README.md
@@ -0,0 +1,40 @@
+# Kubernetes-external-secrets
+
+
+## Creating a secret
+
+String:
+```
+aws secretsmanager create-secret --name myapp/password --secret-string "1234"
+aws secretsmanager create-secret --name myapp/some-key --secret-string "5678"
+```
+
+Binary file:
+```
+aws secretsmanager create-secret --name myapp-dev/file1 --secret-binary fileb://~/Downloads/Testing_MATCH_API-sandbox.p12
+```
+
+
+## Using the secret
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+spec:
+ containers:
+ - name: mypod
+ image: redis
+ volumeMounts:
+ - name: foo
+ mountPath: "/etc/foo"
+ readOnly: true
+ volumes:
+ - name: foo
+ secret:
+ secretName: mysecret
+```
+
+The secret will be mounted into `/etc/foo`
+
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf
new file mode 100644
index 000000000..236671b1b
--- /dev/null
+++ b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/main.tf
@@ -0,0 +1,77 @@
+locals {
+ aws_region = "us-east-1"
+ environment_name = "dev"
+ secrets_prefix = "managedkube/"
+ tags = {
+ ops_env = "${local.environment_name}"
+ ops_managed_by = "terraform",
+ ops_source_repo = "kubernetes-ops",
+ ops_source_repo_path = "terraform-environments/aws/${local.environment_name}/helm/kubernetes-external-secrets",
+ ops_owners = "devops",
+ }
+}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.37.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ }
+ }
+
+ backend "remote" {
+ organization = "managedkube"
+
+ workspaces {
+ name = "kubernetes-ops-dev-helm-kubernetes-external-secrets"
+ }
+ }
+}
+
+provider "aws" {
+ region = local.aws_region
+}
+
+data "terraform_remote_state" "eks" {
+ backend = "remote"
+ config = {
+ organization = "managedkube"
+ workspaces = {
+ name = "kubernetes-ops-${local.environment_name}-20-eks"
+ }
+ }
+}
+
+#
+# EKS authentication
+# # https://registry.terraform.io/providers/hashicorp/helm/latest/docs#exec-plugins
+provider "helm" {
+ kubernetes {
+ host = data.terraform_remote_state.eks.outputs.cluster_endpoint
+ cluster_ca_certificate = base64decode(data.terraform_remote_state.eks.outputs.cluster_certificate_authority_data)
+ exec {
+ api_version = "client.authentication.k8s.io/v1alpha1"
+ args = ["eks", "get-token", "--cluster-name", local.environment_name]
+ command = "aws"
+ }
+ }
+}
+
+#
+# Helm - kube-prometheus-stack
+#
+module "kubernetes-external-secrets" {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/kubernetes-external-secrets?ref=v1.0.20"
+
+ eks_cluster_oidc_issuer_url = data.terraform_remote_state.eks.outputs.cluster_oidc_issuer_url
+ helm_values = file("${path.module}/values.yaml")
+ environment_name = local.environment_name
+ secrets_prefix = local.secrets_prefix
+
+ depends_on = [
+ data.terraform_remote_state.eks
+ ]
+}
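Review bot: The header comment above the module block in main.tf reads `# Helm - kube-prometheus-stack` while the block it introduces is `module "kubernetes-external-secrets"`, so it should read `# Helm - kubernetes-external-secrets`. The local `secrets_prefix = "managedkube/"` is passed to the module and presumably scopes which Secrets Manager paths the controller's IAM role may read, yet the README added in the same commit creates secrets under `myapp/` and `myapp-dev/`; either the examples or the prefix should change, or the README should state that secret names must start with the configured prefix. The module source is pinned to the tag `?ref=v1.0.20`; tags are movable, so recording or pinning the commit it resolves to gives this environment a stable supply-chain reference. The `helm` provider has no `required_providers` entry and `random` has no `version` constraint, unlike `aws`. The `exec` block requests `client.authentication.k8s.io/v1alpha1`, which later Kubernetes and aws CLI releases dropped in favour of `v1beta1` — worth confirming against the cluster version before relying on it.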
diff --git a/terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml
new file mode 100644
index 000000000..24d08798d
--- /dev/null
+++ b/terraform-environments/aws/dev/helm/kubernetes-external-secrets/values.yaml
@@ -0,0 +1,4 @@
+---
+env:
+ AWS_REGION: us-east-1
+ AWS_DEFAULT_REGION: us-east-1
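Review bot: `AWS_REGION: us-east-1` and `AWS_DEFAULT_REGION: us-east-1` in values.yaml duplicate `aws_region = "us-east-1"` in main.tf, and because main.tf reads this file with `file("${path.module}/values.yaml")` rather than `templatefile`, nothing ties the two together. A short comment would at least make the coupling visible: `# keep in sync with local.aws_region in main.tf`.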