Feat: External-Secrets custom irsa iam-policy (#38)
* Feat: custom irsa iam-policy

* fix- removed unused namespace resource and extra_configs attribute

* fix- typo in default_helm_config for repository_username attribute

* fix- updated basic example usage

* info- about istio-ingress installation in other namespaces
h1manshu98 committed Oct 5, 2023
1 parent e60ed6b commit b53e931
Showing 41 changed files with 122 additions and 223 deletions.
13 changes: 8 additions & 5 deletions _examples/basic/main.tf
Expand Up @@ -166,12 +166,13 @@ module "addons" {
aws_node_termination_handler = true
aws_efs_csi_driver = true
aws_ebs_csi_driver = true
karpenter = false
calico_tigera = false
kube_state_metrics = true
karpenter = false # -- Set to `false` or comment line to Uninstall Karpenter if installed using terraform.
calico_tigera = true
new_relic = true
kubeclarity = true
ingress_nginx = true
fluent_bit = true
velero = true
keda = true
certification_manager = true

Expand All @@ -181,7 +182,9 @@ module "addons" {
kiali_server = true
kiali_manifests = var.kiali_manifests
external_secrets = true
velero = true
velero_extra_configs = {
bucket_name = "velero-addons"
}

# -- Extra helm_release attributes
velero_extra_configs = var.velero_extra_configs
}
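Review bot: The `# -- Extra helm_release attributes` comment in the second hunk appears to survive while the `velero_extra_configs = var.velero_extra_configs` line it described is removed, which leaves a comment that heads nothing; either drop it or move it above the new inline `velero_extra_configs = { bucket_name = "velero-addons" }` block. Which of the two lines is context cannot be told from the rendered view, so this is worth a quick look. The `module "addons"` block starts outside the hunk.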
10 changes: 0 additions & 10 deletions _examples/basic/variables.tf
Expand Up @@ -22,14 +22,4 @@ variable "kiali_manifests" {
kiali_virtualservice_file_path = "./config/kiali/kiali_vs.yaml"
}
description = "Path to VirtualService manifest for kiali-dashboard"
}

#------------ EXTRA CONFIGS -----------
variable "velero_extra_configs" {
type = any
default = {
timeout = 300
atomic = true
bucket_name = "velero-addons"
}
}
Expand Up @@ -9,10 +9,10 @@ spec:
name: external-secrets-store # -- Provide previously created secret store name
kind: SecretStore
target:
name: externalsecret-data # -- Name of secret which will contain data specified below
name: externalsecret-data # -- Name of Kubernetes secret which will contain data specified below
creationPolicy: Owner
data:
- secretKey: do_not_delete_this_key # -- AWS Secret-Manager secret key
- secretKey: external_secret_key # -- Kubernetes Secret `externalsecret-data` KEY name
remoteRef:
key: external_secrets # -- Same as 'externalsecrets_manifest["secret_manager_name"]
property: do_not_delete_this_key # -- AWS Secret-Manager secret key
key: external_secrets_addon # -- AWS Secret Name, same as `var.external_secrets_extra_configs.secret_manager_name`
property: external_secret # -- AWS Secret-Manager secret key
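--- a/_examples/complete/custom-iam-policies/external-secrets.json
+++ b/_examples/complete/custom-iam-policies/external-secrets.json
@@ -0,0 +1,14 @@
+{
+"Statement": [
+{
+"Action": [
+"secretsmanager:GetSecretValue",
+"secretsmanager:DescribeSecret"
+],
+"Effect": "Allow",
+"Resource": "*",
+"Sid": "ExternalSecretsDefault"
+}
+],
+"Version": "2012-10-17"
+}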
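Review bot: `"Resource": "*"` on the ExternalSecretsDefault statement grants GetSecretValue and DescribeSecret on every secret in the account, although the example only reads the secret named by `secret_manager_name` (`external_secrets_addon` in the new variables.tf default). Because this file is wired in as the addon's IRSA policy through `external_secrets_iampolicy_json_content`, scoping it to that secret keeps the example least-privilege, e.g. `"Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:external_secrets_addon-*"` (placeholders to be filled in by the user). If the secret is encrypted with a customer-managed KMS key the role will additionally need kms:Decrypt on that key, which the example does not show and is worth a comment in the example README.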
23 changes: 2 additions & 21 deletions _examples/complete/main.tf
Expand Up @@ -217,30 +217,11 @@ module "addons" {
kube_state_metrics_extra_configs = var.kube_state_metrics_extra_configs
keda_extra_configs = var.keda_extra_configs
certification_manager_extra_configs = var.certification_manager_extra_configs

external_secrets_extra_configs = {
irsa_assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Federated" : module.eks.oidc_provider_arn
},
"Action" : "sts:AssumeRoleWithWebIdentity",
"Condition" : {
"StringLike" : {
"${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud" : "sts.amazonaws.com"
}
}
}
]
})
secret_manager_name = "external_secrets_addon"
}
external_secrets_extra_configs = var.external_secrets_extra_configs

# -- Custom IAM Policy Json for Addon's ServiceAccount
cluster_autoscaler_iampolicy_json_content = file("./custom-iam-policies/cluster-autoscaler.json")
external_secrets_iampolicy_json_content = file("./custom-iam-policies/external-secrets.json")
}

module "addons-internal" {
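Review bot: Replacing the inline `irsa_assume_role_policy` with `var.external_secrets_extra_configs` drops the example's explicit trust policy, and the variable's new default in variables.tf carries only `secret_manager_name`, so the trust policy now comes from whatever the module generates, which is outside this diff. The removed policy restricted `sts:AssumeRoleWithWebIdentity` to the cluster OIDC provider with an `aud` condition but had no `sub` condition, so it is worth confirming that the module's default adds the service-account `sub` condition so only the external-secrets service account can assume the role. The `module "addons"` block starts outside the hunk.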
4 changes: 4 additions & 0 deletions _examples/complete/outputs.tf
Expand Up @@ -15,4 +15,8 @@ output "update_kubeconfig" {

output "velero_post_installation" {
value = indent(2, "Once velero server is up and running you need the client before you can use it - \n 1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.11.1/velero-v1.11.1-darwin-amd64.tar.gz \n 2. tar -xvf velero-v1.11.1-darwin-amd64.tar.gz -C velero-client")
}

output "istio-ingress" {
value = indent(2, "Istio does not support the installation of istio-helmchart in a namespace other than istio-system. We have provided a namespace feature in case Istio-helmchart maintainers fix this issue.")
}
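Review bot: The new output is named `istio-ingress` while the other outputs in this file use snake_case (`update_kubeconfig`, `velero_post_installation`); `output "istio_ingress" {` keeps the naming consistent. The `indent(2, …)` wrapper matches the existing `velero_post_installation` output, so the rest reads fine.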
20 changes: 13 additions & 7 deletions _examples/complete/variables.tf
Expand Up @@ -145,13 +145,11 @@ variable "istio_manifests_internal" {
variable "istio_ingress_extra_configs_internal" {
type = any
default = {
name = "istio-ingress-internal"
namespace = "istio-system"
istiobase_release_name = "base-internal"
istiod_release_name = "istiod-internal"
create_namespace = true
install_istiobase = false
install_istiod = false
name = "istio-ingress-internal"
namespace = "istio-system"
create_namespace = false
install_istiobase = false
install_istiod = false
}
}

Expand All @@ -168,4 +166,12 @@ variable "kiali_manifests" {
variable "kiali_server_extra_configs" {
type = any
default = {}
}

# ------------------ EXTERNAL SECRETS ------------------------------------------
variable "external_secrets_extra_configs" {
type = any
default = {
secret_manager_name = "external_secrets_addon"
}
}
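Review bot: The new `external_secrets_extra_configs` variable has no `description`, although `kiali_manifests` earlier in this file documents its purpose, and the ExternalSecret example's comment says `secret_manager_name` must equal the AWS Secrets Manager secret name used in `remoteRef.key`; that coupling belongs on the variable, e.g. `description = "Extra configuration for the external-secrets addon; secret_manager_name must match the AWS Secrets Manager secret name referenced by the ExternalSecret remoteRef"`. `type = any` follows the file's existing convention, which makes the description the only place the expected keys are documented.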
5 changes: 1 addition & 4 deletions addons/aws-ebs-csi-driver/locals.tf
Expand Up @@ -12,7 +12,7 @@ locals {
lint = try(var.aws_ebs_csi_driver_extra_configs.lint, "false")
repository_key_file = try(var.aws_ebs_csi_driver_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_ebs_csi_driver_extra_configs.repository_cert_file, "")
repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
repository_username = try(var.aws_ebs_csi_driver_extra_configs.repository_username, "")
repository_password = try(var.aws_ebs_csi_driver_extra_configs.repository_password, "")
verify = try(var.aws_ebs_csi_driver_extra_configs.verify, "false")
keyring = try(var.aws_ebs_csi_driver_extra_configs.keyring, "")
Expand All @@ -33,11 +33,8 @@ locals {
replace = try(var.aws_ebs_csi_driver_extra_configs.replace, "false")
}

aws_ebs_csi_driver_extra_configs = var.aws_ebs_csi_driver_extra_configs

helm_config = merge(
local.default_helm_config,
var.helm_config,
local.aws_ebs_csi_driver_extra_configs
)
}
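Review bot: Dropping `local.aws_ebs_csi_driver_extra_configs` from the `merge(...)` means `helm_config` now receives only the keys that `default_helm_config` picks out with `try(var.aws_ebs_csi_driver_extra_configs.<key>, ...)`; any key a caller sets in the extra_configs map that is not in that list was previously passed through to the Helm release and is now silently ignored. The commit message calls the attribute unused, but it was the third argument of the merge, so this is a behaviour change unless the try() list (partly outside the hunk) covers every supported key — worth confirming and noting in the module docs. The same change appears in aws-load-balancer-controller/locals.tf, aws-node-termination-handler/locals.tf, calico-tigera/locals.tf and cluster-autoscaler/locals.tf. The `locals` block starts outside the hunk.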
11 changes: 1 addition & 10 deletions addons/aws-ebs-csi-driver/main.tf
Expand Up @@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context

depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "controller.serviceAccount.create"
Expand Down Expand Up @@ -59,12 +58,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
}

resource "kubernetes_namespace_v1" "this" {
count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0

metadata {
name = local.helm_config["namespace"]
}
}
}
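Review bot: With `resource "kubernetes_namespace_v1" "this"` and the `depends_on` gone, creating the target namespace now rests on `module "helm_addon"` honouring `create_namespace` from `local.helm_config`, which is not visible in this diff; if the module does not forward it to the Helm release, an install into a namespace that does not already exist would fail on first apply. A namespace that Helm creates is also no longer a Terraform-managed resource, so it will not appear in state or be removed on destroy. The same removal appears in aws-efs-csi-driver/main.tf, aws-load-balancer-controller/main.tf, aws-node-termination-handler/main.tf and calico-tigera/main.tf. The `resource "aws_iam_policy" "policy"` block starts outside the hunk.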
2 changes: 1 addition & 1 deletion addons/aws-efs-csi-driver/locals.tf
Expand Up @@ -12,7 +12,7 @@ locals {
lint = try(var.aws_efs_csi_driver_extra_configs.lint, "false")
repository_key_file = try(var.aws_efs_csi_driver_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_efs_csi_driver_extra_configs.repository_cert_file, "")
repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
repository_username = try(var.aws_efs_csi_driver_extra_configs.repository_username, "")
repository_password = try(var.aws_efs_csi_driver_extra_configs.repository_password, "")
verify = try(var.aws_efs_csi_driver_extra_configs.verify, "false")
keyring = try(var.aws_efs_csi_driver_extra_configs.keyring, "")
11 changes: 1 addition & 10 deletions addons/aws-efs-csi-driver/main.tf
Expand Up @@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context

depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "image.repository"
Expand Down Expand Up @@ -93,12 +92,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
}

resource "kubernetes_namespace_v1" "this" {
count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0

metadata {
name = local.helm_config["namespace"]
}
}
}
5 changes: 1 addition & 4 deletions addons/aws-load-balancer-controller/locals.tf
Expand Up @@ -12,7 +12,7 @@ locals {
lint = try(var.aws_load_balancer_controller_extra_configs.lint, "false")
repository_key_file = try(var.aws_load_balancer_controller_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_load_balancer_controller_extra_configs.repository_cert_file, "")
repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
repository_username = try(var.aws_load_balancer_controller_extra_configs.repository_username, "")
repository_password = try(var.aws_load_balancer_controller_extra_configs.repository_password, "")
verify = try(var.aws_load_balancer_controller_extra_configs.verify, "false")
keyring = try(var.aws_load_balancer_controller_extra_configs.keyring, "")
Expand All @@ -33,11 +33,8 @@ locals {
replace = try(var.aws_load_balancer_controller_extra_configs.replace, "false")
}

aws_load_balancer_controller_extra_configs = var.aws_load_balancer_controller_extra_configs

helm_config = merge(
local.default_helm_config,
var.helm_config,
local.aws_load_balancer_controller_extra_configs
)
}
11 changes: 1 addition & 10 deletions addons/aws-load-balancer-controller/main.tf
Expand Up @@ -5,7 +5,6 @@ module "helm_addon" {
helm_config = local.helm_config
addon_context = var.addon_context

depends_on = [kubernetes_namespace_v1.this]
set_values = [
{
name = "clusterName"
Expand Down Expand Up @@ -289,12 +288,4 @@ resource "aws_iam_policy" "policy" {
]
}
EOT
}

resource "kubernetes_namespace_v1" "this" {
count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0

metadata {
name = local.helm_config["namespace"]
}
}
}
5 changes: 1 addition & 4 deletions addons/aws-node-termination-handler/locals.tf
Expand Up @@ -12,7 +12,7 @@ locals {
lint = try(var.aws_node_termination_handler_extra_configs.lint, "false")
repository_key_file = try(var.aws_node_termination_handler_extra_configs.repository_key_file, "")
repository_cert_file = try(var.aws_node_termination_handler_extra_configs.repository_cert_file, "")
repository_username = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
repository_username = try(var.aws_node_termination_handler_extra_configs.repository_username, "")
repository_password = try(var.aws_node_termination_handler_extra_configs.repository_password, "")
verify = try(var.aws_node_termination_handler_extra_configs.verify, "false")
keyring = try(var.aws_node_termination_handler_extra_configs.keyring, "")
Expand All @@ -33,11 +33,8 @@ locals {
replace = try(var.aws_node_termination_handler_extra_configs.replace, "false")
}

aws_node_termination_handler_extra_configs = var.aws_node_termination_handler_extra_configs

helm_config = merge(
local.default_helm_config,
var.helm_config,
local.aws_node_termination_handler_extra_configs
)
}
10 changes: 0 additions & 10 deletions addons/aws-node-termination-handler/main.tf
Expand Up @@ -4,14 +4,4 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context

depends_on = [kubernetes_namespace_v1.this]
}

resource "kubernetes_namespace_v1" "this" {
count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0

metadata {
name = local.helm_config["namespace"]
}
}
5 changes: 1 addition & 4 deletions addons/calico-tigera/locals.tf
Expand Up @@ -13,7 +13,7 @@ locals {
lint = try(var.calico_tigera_extra_configs.lint, "false")
repository_key_file = try(var.calico_tigera_extra_configs.repository_key_file, "")
repository_cert_file = try(var.calico_tigera_extra_configs.repository_cert_file, "")
repository_username = try(var.calico_tigera_extra_configs.repository_password, "")
repository_username = try(var.calico_tigera_extra_configs.repository_username, "")
repository_password = try(var.calico_tigera_extra_configs.repository_password, "")
verify = try(var.calico_tigera_extra_configs.verify, "false")
keyring = try(var.calico_tigera_extra_configs.keyring, "")
Expand All @@ -34,11 +34,8 @@ locals {
replace = try(var.calico_tigera_extra_configs.replace, "false")
}

calico_tigera_extra_configs = var.calico_tigera_extra_configs

helm_config = merge(
local.default_helm_config,
var.helm_config,
local.calico_tigera_extra_configs
)
}
11 changes: 0 additions & 11 deletions addons/calico-tigera/main.tf
Expand Up @@ -4,17 +4,6 @@ module "helm_addon" {
manage_via_gitops = var.manage_via_gitops
helm_config = local.helm_config
addon_context = var.addon_context

depends_on = [kubernetes_namespace.this]

}

resource "kubernetes_namespace" "this" {
count = try(local.helm_config["create_namespace"], true) && local.helm_config["namespace"] != "kube-system" ? 1 : 0

metadata {
name = local.helm_config["namespace"]
}
}

resource "kubectl_manifest" "calico_node" {
2 changes: 1 addition & 1 deletion addons/cert-manager/locals.tf
Expand Up @@ -13,7 +13,7 @@ locals {
lint = try(var.certification_manager_extra_configs.lint, "false")
repository_key_file = try(var.certification_manager_extra_configs.repository_key_file, "")
repository_cert_file = try(var.certification_manager_extra_configs.repository_cert_file, "")
repository_username = try(var.certification_manager_extra_configs.repository_password, "")
repository_username = try(var.certification_manager_extra_configs.repository_username, "")
repository_password = try(var.certification_manager_extra_configs.repository_password, "")
verify = try(var.certification_manager_extra_configs.verify, "false")
keyring = try(var.certification_manager_extra_configs.keyring, "")
5 changes: 1 addition & 4 deletions addons/cluster-autoscaler/locals.tf
Expand Up @@ -12,7 +12,7 @@ locals {
lint = try(var.cluster_autoscaler_extra_configs.lint, "false")
repository_key_file = try(var.cluster_autoscaler_extra_configs.repository_key_file, "")
repository_cert_file = try(var.cluster_autoscaler_extra_configs.repository_cert_file, "")
repository_username = try(var.cluster_autoscaler_extra_configs.repository_password, "")
repository_username = try(var.cluster_autoscaler_extra_configs.repository_username, "")
repository_password = try(var.cluster_autoscaler_extra_configs.repository_password, "")
verify = try(var.cluster_autoscaler_extra_configs.verify, "false")
keyring = try(var.cluster_autoscaler_extra_configs.keyring, "")
Expand All @@ -33,11 +33,8 @@ locals {
replace = try(var.cluster_autoscaler_extra_configs.replace, "false")
}

cluster_autoscaler_extra_configs = var.cluster_autoscaler_extra_configs

helm_config = merge(
local.default_helm_config,
var.helm_config,
local.cluster_autoscaler_extra_configs
)
}
