
ClusterSecretStore configuration

This commit is contained in:
Massaki Archambault 2023-02-17 12:22:50 -05:00
parent 251f012e9a
commit f1d559e113
9 changed files with 190 additions and 18 deletions

72
.gitignore vendored

@ -1,17 +1,46 @@
# Created by https://www.toptal.com/developers/gitignore/api/vim,visualstudiocode,terraform
# Edit at https://www.toptal.com/developers/gitignore?templates=vim,visualstudiocode,terraform
# Created by https://www.gitignore.io/api/vim,code
# Edit at https://www.gitignore.io/?templates=vim,code
### Terraform ###
# Local .terraform directories
**/.terraform/*
### Code ###
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
### Vim ###
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
@ -24,19 +53,30 @@ Sessionx.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
# Coc configuration directory
.vim
### VisualStudioCode ###
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
!.vscode/*.code-snippets
# End of https://www.gitignore.io/api/vim,code
.env
kubectl/
# Local History for Visual Studio Code
.history/
# Built Visual Studio Code Extensions
*.vsix
### VisualStudioCode Patch ###
# Ignore all local history of files
.history
.ionide
# End of https://www.toptal.com/developers/gitignore/api/vim,visualstudiocode,terraform
build/
.nfs/
!.gitkeep


@ -5,7 +5,7 @@ metadata:
spec:
serviceAccountName: prometheus
retention: 28d
retentionSize: 9GB
retentionSize: 8GB
ruleSelector:
matchLabels:
monitor: prometheus


@ -0,0 +1,19 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: aws-parameters-store
spec:
provider:
aws:
service: ParameterStore
region: ca-central-1
auth:
secretRef:
accessKeyIDSecretRef:
name: aws-parameters-external-secrets-access-key
key: access-key
namespace: kube-system
secretAccessKeySecretRef:
name: aws-parameters-external-secrets-access-key
key: secret-access-key
namespace: kube-system
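Review bot: The store is cluster-scoped but `spec` carries no `conditions`, so an ExternalSecret in any namespace can read every Parameter Store value this access key can read. Restrict it with a `conditions` entry (`namespaceSelector` or `namespaces`) listing the namespaces that actually need AWS parameters, or use namespaced SecretStores. The credentials are a static IAM access key held in a kube-system Secret; if this cluster runs on EKS, `auth.jwt.serviceAccountRef` with IRSA would avoid a long-lived key, and otherwise a rotation plan for the key created by the Terraform module in this commit is worth noting in a comment above `auth:`.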


@ -1,4 +1,5 @@
resources:
- ../../bases/traefik
- ../../bases/prometheus-operator
- ../../bases/external-secrets
- ../../bases/external-secrets
- clustersecretstore.yaml


@ -0,0 +1,43 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
"zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b",
"zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770",
"zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53",
"zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9",
"zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946",
"zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6",
"zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74",
"zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4",
"zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c",
"zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971",
"zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f",
"zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2",
"zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9",
]
}
provider "registry.terraform.io/hashicorp/kubernetes" {
version = "2.18.0"
hashes = [
"h1:42iWPnVHQYjopA83W35BxsWmhBnfycUZV3ThuAVmP4s=",
"zh:38f24011d5ee8479ed4758c66cad336509ec02b55c1188ce0ec4b826943aaf0a",
"zh:7d34901f2aff2f46748e81e3d4bbc1aeacc1cc78c2c7da34a84311633ccc8458",
"zh:854339357839a8944df9571eb10f2feaa28cdbe1b7198aba2e94574474f8b304",
"zh:872ea16f2634d29da9772bb5bdc2202f56e35371acccc31fab060bb9cfc13a8b",
"zh:8da9e4c95c160aa58de81a3da5a5a43ea09869e79aa7a27303a1d5a107a8b486",
"zh:9200d32e7c9a75365bcd5a48b29ec8c9bbd3329549bc8d04b14e739abcf843e0",
"zh:980f576019d1acb404647c9d7a71ee826e6e046f84c3796c6dc098899fc89033",
"zh:dcd84e89fdbb815dade604543c6ce2b5aa518debc413d627de08c7e6f3d3c075",
"zh:ddbbb7d16d3eff671c2251d6777fcb6fb92843e2b74441c2d4ad43a82a4291c6",
"zh:e50185efe88499bfbb22fc421315f658c9a7ccfee68e6b66cf0f8eb19b879028",
"zh:ed8e76ccb2b0266ee94ab90d76d311509b2cc90e5d9f5aa294dd92e1f676adf0",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}

17
terraform/main.tf Normal file

@ -0,0 +1,17 @@
terraform {
backend "kubernetes" {
secret_suffix = "state"
config_path = "~/.kube/config"
labels = {
"app.kubernetes.io/managed-by": "terraform"
}
}
}
provider "kubernetes" {
config_path = "~/.kube/config"
}
module "aws-parameters-external-secrets" {
source = "./modules/aws-parameters-external-secrets"
}
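Review bot: The `kubernetes` backend block sets no `namespace`, so the state Secret named from `secret_suffix = "state"` is created in the `default` namespace, and that state carries the plaintext IAM key that the module in this commit reads from `aws_iam_access_key.default.secret`. Pin the backend to a namespace whose Secret access is restricted, e.g. `namespace = "kube-system"` next to `secret_suffix`, and record why: `# state holds the AWS access key; keep it out of the default namespace`. The hard-coded `config_path = "~/.kube/config"` appears in both the backend and the provider; sourcing it from `KUBE_CONFIG_PATH` instead would keep CI runs from depending on a home directory.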


@ -0,0 +1,14 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameterWithContext",
"ssm:ListTagsForResourceWithContext",
"ssm:DescribeParametersWithContext"
],
"Resource": "*"
}
]
}
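Review bot: The three actions look like AWS SDK method names rather than IAM actions — the SSM action reference lists `ssm:GetParameter`, `ssm:DescribeParameters` and `ssm:ListTagsForResource` with no `WithContext` variants, and IAM accepts unknown action strings without error, so this policy may grant nothing and the store would fail only at read time. Verify the names against the IAM action list or the policy simulator before relying on them. `"Resource": "*"` also exposes every parameter in the account; once the names are fixed, scope the statement to the parameter ARN prefix the cluster needs, and add `kms:Decrypt` on the key if SecureString parameters are encrypted with a customer-managed CMK.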


@ -0,0 +1,33 @@
resource "aws_iam_user" "default" {
name = "${var.name}-user"
}
resource "aws_iam_policy" "parameters_external_secrets_policy" {
name = "${var.name}-parameters-external-secrets-policy"
policy = file("${path.module}/iam-policies/parameters-external-secrets-policy.json")
}
resource "aws_iam_policy_attachment" "parameters_external_secrets_attachment" {
name = "${var.name}-parameters-external-secrets-attachment"
users = [aws_iam_user.default.name]
policy_arn = aws_iam_policy.parameters_external_secrets_policy.arn
}
resource "aws_iam_access_key" "default" {
user = aws_iam_user.default.name
}
resource "kubernetes_secret" "default" {
metadata {
name = "${var.name}-access-key"
namespace = "kube-system"
labels = {
"app.kubernetes.io/managed-by": "terraform"
}
}
data = {
access-key = aws_iam_access_key.default.id
secret-access-key = aws_iam_access_key.default.secret
}
}
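Review bot: `aws_iam_policy_attachment` is exclusive — on every apply it detaches `parameters_external_secrets_policy` from any user, group or role not listed in `users` — so attaching this policy anywhere else would be silently undone. Use the per-entity resource instead: `resource "aws_iam_user_policy_attachment" "parameters_external_secrets_attachment"` with `user = aws_iam_user.default.name` and `policy_arn = aws_iam_policy.parameters_external_secrets_policy.arn` (no `name` or `users` arguments). `aws_iam_access_key.default.secret` ends up both in the kube-system Secret and in Terraform state, so state access should be treated as equivalent to holding the key; a comment on the `kubernetes_secret` block such as `# plaintext IAM key; also present in TF state` would make that visible to the next maintainer.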


@ -0,0 +1,5 @@
variable "name" {
type = string
description = "The name of the terraform deployment"
default = "aws-parameters-external-secrets"
}