Merge pull request #111 from patoarvizu/terraform-add-secret-mounts

Add option to mount Kubernetes secrets on pods
patoarvizu · Oct 8, 2023 · d8a38fc · d8a38fc
2 parents 18dc418 + 48c9e4d
commit d8a38fc
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 2 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -5,13 +5,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.9 |
-| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.8.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.8.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | ~> 2.8.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.8.0 |
 
 ## Modules
 
@@ -54,6 +54,7 @@ No modules.
 | <a name="input_image_version"></a> [image\_version](#input\_image\_version) | The label of the image to run. | `string` | `"latest"` | no |
 | <a name="input_namespace_name"></a> [namespace\_name](#input\_namespace\_name) | The name of the namespace to create or look up. | `string` | `"kms-vault-operator"` | no |
 | <a name="input_pod_annotations"></a> [pod\_annotations](#input\_pod\_annotations) | Map of annotations to add to the operator pods. | `map` | `{}` | no |
+| <a name="input_secret_mounts"></a> [secret\_mounts](#input\_secret\_mounts) | References to Kubernetes secrets to be mounted on the workloads | <pre>list(object({<br>    secret_name = string<br>    mount_path = string<br>  }))</pre> | `[]` | no |
 | <a name="input_service_monitor_custom_labels"></a> [service\_monitor\_custom\_labels](#input\_service\_monitor\_custom\_labels) | Custom labels to add to the `ServiceMonitor` objects. | `map` | `{}` | no |
 | <a name="input_sync_period_seconds"></a> [sync\_period\_seconds](#input\_sync\_period\_seconds) | The secret sync frequency, in seconds. | `number` | `120` | no |
 | <a name="input_tls_cert_file_name"></a> [tls\_cert\_file\_name](#input\_tls\_cert\_file\_name) | The name of the TLS certificate file mounted on the operator. | `string` | `"tls.crt"` | no |

diff --git a/terraform/deployment.tf b/terraform/deployment.tf
@@ -100,6 +100,14 @@ resource kubernetes_deployment_v1 kms_vault_operator {
             }
           }
 
+          dynamic "volume_mount" {
+            for_each = var.secret_mounts
+            content {
+              name = volume_mount.value.secret_name
+              mount_path = volume_mount.value.mount_path
+            }
+          }
+
           image_pull_policy = "IfNotPresent"
         }
 
@@ -113,6 +121,16 @@ resource kubernetes_deployment_v1 kms_vault_operator {
           }
         }
 
+        dynamic "volume" {
+          for_each = var.secret_mounts
+          content {
+            name = volume.value.secret_name
+            secret {
+              secret_name = volume.value.secret_name
+            }
+          }
+        }
+
         service_account_name = kubernetes_service_account_v1.kms_vault_operator.metadata[0].name
       }
     }

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -227,4 +227,13 @@ variable webhook_private_file_name {
   type = string
   default = "tls.key"
   description = "The name of the TLS certificate private key file mounted on the webhook."
+}
+
+variable secret_mounts {
+  type = list(object({
+    secret_name = string
+    mount_path = string
+  }))
+  default = []
+  description = "References to Kubernetes secrets to be mounted on the workloads"
 }
diff --git a/terraform/webhook.tf b/terraform/webhook.tf
@@ -101,6 +101,14 @@ resource kubernetes_deployment_v1 kms_vault_validating_webhook {
             mount_path = "/tls"
           }
 
+          dynamic "volume_mount" {
+            for_each = var.secret_mounts
+            content {
+              name = volume_mount.value.secret_name
+              mount_path = volume_mount.value.mount_path
+            }
+          }
+
           image_pull_policy = "IfNotPresent"
         }
 
@@ -112,6 +120,16 @@ resource kubernetes_deployment_v1 kms_vault_validating_webhook {
           }
         }
 
+        dynamic "volume" {
+          for_each = var.secret_mounts
+          content {
+            name = volume.value.secret_name
+            secret {
+              secret_name = volume.value.secret_name
+            }
+          }
+        }
+
         service_account_name = kubernetes_service_account_v1.kms_vault_operator.metadata[0].name
       }
     }