Skip to content

Commit

Permalink
Kubernetes external secrets (#166)
Browse files Browse the repository at this point in the history
  • Loading branch information
sekka1 authored Sep 23, 2021
1 parent eb34917 commit fcc6894
Show file tree
Hide file tree
Showing 5 changed files with 167 additions and 0 deletions.
17 changes: 17 additions & 0 deletions terraform-modules/aws/helm/kubernetes-external-secrets/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# kubernetes-external-secrets

Source project: https://github.com/external-secrets/kubernetes-external-secrets
Source chart: https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets

EKS Kubernetes v1.19+

## Useful guides
Getting the IAM policies and trust relationships to all align up is tricky. If something is not set correctly like
the name is off in one of the place, the entire sequence of chained identity fails and it is hard to figure out where
exactly. You can guess and see if it is something obvious but if it is not, then you should just follow each of the
resources through to make sure everything is setup correctly.

Here is the doc on how to setup IAM for ServiceAccounts: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

At the bottom of this doc it will link to how to create each of the items. Following each one through to make sure these
items exist and the names all match up is critical for this entire setup.
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
env:
AWS_REGION: us-east-1
AWS_DEFAULT_REGION: us-east-1

serviceAccount:
name: ${resource_name}
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/${resource_name}"
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::016733450475:role/kubernetes-external-secrets-${envName}",
"arn:aws:secretsmanager:${awsRegion}:${awsAccountID}:secret:${secretsPrefix}*"
]
}
]
}

68 changes: 68 additions & 0 deletions terraform-modules/aws/helm/kubernetes-external-secrets/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
locals {
base_name = "kubernetes-external-secrets"
iam_policy_file = "iam-policy.tpl.json"
k8s_service_account_name = "kubernetes-external-secrets"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

module "iam_assumable_role_admin" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "3.6.0"
create_role = true
role_name = "${local.base_name}-${var.environment_name}"
# role_path = "/token-file-web-identity/"
provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}-${var.environment_name}"]
}

data "template_file" "iam_policy" {
template = file("${path.module}/iam-policy.tpl.json")
vars = {
awsAccountID = data.aws_caller_identity.current.account_id
awsRegion = data.aws_region.current.name
secretsPrefix = var.secrets_prefix
envName = var.environment_name
}
}

# Policy doc: https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
resource "aws_iam_policy" "cluster_autoscaler" {
name_prefix = "${local.base_name}-${var.environment_name}"
description = "${local.base_name} for ${var.environment_name}"
policy = data.template_file.iam_policy.rendered
}

#
# Helm templating
#
data "template_file" "helm_values" {
template = file("${path.module}/helm_values.tpl.yaml")
vars = {
awsAccountID = data.aws_caller_identity.current.account_id
awsRegion = data.aws_region.current.name
serviceAccountName = local.k8s_service_account_name
resource_name = "${local.base_name}-${var.environment_name}"
}
}

resource "helm_release" "helm_chart" {
chart = "kubernetes-external-secrets"
namespace = var.namespace
create_namespace = var.create_namespace
name = var.chart_name
version = var.helm_version
verify = var.verify
repository = "https://external-secrets.github.io/kubernetes-external-secrets/"

values = [
data.template_file.helm_values.rendered,
var.helm_values,
]

depends_on = [
module.iam_assumable_role_admin
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
variable "helm_version" {
type = string
default = "8.3.0"
description = "Helm chart version"
}

variable "verify" {
type = bool
default = false
description = "Verify the helm download"
}

variable "create_namespace" {
type = bool
default = true
description = "Create namespace if it does not exist"
}

variable "namespace" {
type = string
default = "kubernetes-external-secrets"
description = "Namespace to install in"
}

variable "chart_name" {
type = string
default = "kubernetes-external-secrets"
description = "Name to set the helm deployment to"
}

variable "helm_values" {
type = string
default = ""
description = "Additional helm values to pass in. These values would override the default in this module."
}

variable "environment_name" {
type = string
default = "env"
description = "An environment name to attach to some resources. Optional only needed if you are going to create more than one of these items in an AWS account"
}

variable "eks_cluster_oidc_issuer_url" {
type = string
default = ""
description = "EKS cluster oidc issuer url"
}

variable "secrets_prefix" {
type = string
default = ""
description = "The prefix to your AWS Secrets. This allows this module to craft a more tightly controlled set of IAM policies to only allow it to get certain secrets"
}

0 comments on commit fcc6894

Please sign in to comment.