From 693655d52e380a1abcda44357c2b8e7f785ea3e4 Mon Sep 17 00:00:00 2001 From: Frank Carta Date: Wed, 26 Apr 2023 19:41:40 -0700 Subject: [PATCH] Refactor csi secrets store provider addon for v5 --- README.md | 6 +- main.tf | 74 +++++++++++++++++-- .../csi-secrets-store-provider-aws/README.md | 50 ------------- .../csi-secrets-store-provider-aws/main.tf | 36 --------- .../csi-secrets-store-provider-aws/outputs.tf | 24 ------ .../variables.tf | 28 ------- .../versions.tf | 10 --- tests/complete/main.tf | 38 +++++----- variables.tf | 29 ++++---- 9 files changed, 105 insertions(+), 190 deletions(-) delete mode 100644 modules/csi-secrets-store-provider-aws/README.md delete mode 100644 modules/csi-secrets-store-provider-aws/main.tf delete mode 100644 modules/csi-secrets-store-provider-aws/outputs.tf delete mode 100644 modules/csi-secrets-store-provider-aws/variables.tf delete mode 100644 modules/csi-secrets-store-provider-aws/versions.tf
diff --git a/README.md b/README.md
index f036af56..e42e06ed 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [cloudwatch\_metrics](#module\_cloudwatch\_metrics) | ./modules/eks-blueprints-addon | n/a |
 | [cluster\_autoscaler](#module\_cluster\_autoscaler) | ./modules/eks-blueprints-addon | n/a |
 | [cluster\_proportional\_autoscaler](#module\_cluster\_proportional\_autoscaler) | ./modules/eks-blueprints-addon | n/a |
-| [csi\_secrets\_store\_provider\_aws](#module\_csi\_secrets\_store\_provider\_aws) | ./modules/csi-secrets-store-provider-aws | n/a |
+| [csi\_secrets\_store\_provider\_aws](#module\_csi\_secrets\_store\_provider\_aws) | ./modules/eks-blueprints-addon | n/a |
 | [efs\_csi\_driver](#module\_efs\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
 | [external\_dns](#module\_external\_dns) | ./modules/eks-blueprints-addon | n/a |
 | [external\_secrets](#module\_external\_secrets) | ./modules/eks-blueprints-addon | n/a |
@@ -108,7 +108,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | [cluster\_proportional\_autoscaler](#input\_cluster\_proportional\_autoscaler) | Cluster Proportional Autoscaler add-on configurations | `any` | `{}` | no |
 | [cluster\_version](#input\_cluster\_version) | Kubernetes `.` version to use for the EKS cluster (i.e.: `1.24`) | `string` | n/a | yes |
-| [csi\_secrets\_store\_provider\_aws\_helm\_config](#input\_csi\_secrets\_store\_provider\_aws\_helm\_config) | CSI Secrets Store Provider AWS Helm Configurations | `any` | `null` | no |
+| [csi\_secrets\_store\_provider\_aws](#input\_csi\_secrets\_store\_provider\_aws) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no |
 | [efs\_csi\_driver](#input\_efs\_csi\_driver) | EFS CSI Driver addon configuration values | `any` | `{}` | no |
 | [eks\_addons](#input\_eks\_addons) | Map of EKS addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | `any` | `{}` | no |
 | [eks\_addons\_timeouts](#input\_eks\_addons\_timeouts) | Create, update, and delete timeout configurations for the EKS addons | `map(string)` | `{}` | no |
@@ -123,6 +123,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [enable\_cloudwatch\_metrics](#input\_enable\_cloudwatch\_metrics) | Enable AWS Cloudwatch Metrics add-on for Container Insights | `bool` | `false` | no |
 | [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
 | [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no |
+| [enable\_csi\_secrets\_store\_provider\_aws](#input\_enable\_csi\_secrets\_store\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no |
 | [enable\_efs\_csi\_driver](#input\_enable\_efs\_csi\_driver) | Enable AWS EFS CSI Driver add-on | `bool` | `false` | no |
 | [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no |
 | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
@@ -134,7 +135,6 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [enable\_kube\_prometheus\_stack](#input\_enable\_kube\_prometheus\_stack) | Enable Kube Prometheus Stack | `bool` | `false` | no |
 | [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no |
 | [enable\_secrets\_store\_csi\_driver](#input\_enable\_secrets\_store\_csi\_driver) | Enable CSI Secrets Store Provider | `bool` | `false` | no |
-| [enable\_secrets\_store\_csi\_driver\_provider\_aws](#input\_enable\_secrets\_store\_csi\_driver\_provider\_aws) | Enable AWS CSI Secrets Store Provider | `bool` | `false` | no |
 | [enable\_velero](#input\_enable\_velero) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no |
 | [enable\_vpa](#input\_enable\_vpa) | Enable Vertical Pod Autoscaler add-on | `bool` | `false` | no |
 | [external\_dns](#input\_external\_dns) | external-dns addon configuration values | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 2a2e830d..fd68bc45 100644
--- a/main.tf
+++ b/main.tf
@@ -2108,6 +2108,73 @@ module "secrets_store_csi_driver" {
 tags = var.tags
 }
+
+################################################################################
+# CSI Secrets Store Provider AWS
+################################################################################
+
+locals {
+ csi_secrets_store_provider_aws_name = "secrets-store-csi-driver-provider-aws"
+ csi_secrets_store_provider_aws_service_account = try(var.csi_secrets_store_provider_aws.service_account_name, "${local.csi_secrets_store_provider_aws_name}-sa")
+}
+
+module "csi_secrets_store_provider_aws" {
+
+ # source = "aws-ia/eks-blueprints-addon/aws"
+ source = "./modules/eks-blueprints-addon"
+
+ create = var.enable_csi_secrets_store_provider_aws
+
+ # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml
+ name = try(var.csi_secrets_store_provider_aws.name, local.csi_secrets_store_provider_aws_name)
+ description = try(var.csi_secrets_store_provider_aws.description, "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster.")
+ namespace = try(var.csi_secrets_store_provider_aws.namespace, "kube-system")
+ create_namespace = try(var.csi_secrets_store_provider_aws.create_namespace, false)
+ chart = "secrets-store-csi-driver-provider-aws"
+ chart_version = try(var.csi_secrets_store_provider_aws.chart_version, "0.3.2")
+ repository = try(var.csi_secrets_store_provider_aws.repository, "https://aws.github.io/secrets-store-csi-driver-provider-aws")
+ values = try(var.csi_secrets_store_provider_aws.values, [])
+
+ timeout = try(var.csi_secrets_store_provider_aws.timeout, null)
+ repository_key_file = try(var.csi_secrets_store_provider_aws.repository_key_file, null)
+ repository_cert_file = try(var.csi_secrets_store_provider_aws.repository_cert_file, null)
+ repository_ca_file = try(var.csi_secrets_store_provider_aws.repository_ca_file, null)
+ repository_username = 
try(var.csi_secrets_store_provider_aws.repository_username, null)
+ repository_password = try(var.csi_secrets_store_provider_aws.repository_password, null)
+ devel = try(var.csi_secrets_store_provider_aws.devel, null)
+ verify = try(var.csi_secrets_store_provider_aws.verify, null)
+ keyring = try(var.csi_secrets_store_provider_aws.keyring, null)
+ disable_webhooks = try(var.csi_secrets_store_provider_aws.disable_webhooks, null)
+ reuse_values = try(var.csi_secrets_store_provider_aws.reuse_values, null)
+ reset_values = try(var.csi_secrets_store_provider_aws.reset_values, null)
+ force_update = try(var.csi_secrets_store_provider_aws.force_update, null)
+ recreate_pods = try(var.csi_secrets_store_provider_aws.recreate_pods, null)
+ cleanup_on_fail = try(var.csi_secrets_store_provider_aws.cleanup_on_fail, null)
+ max_history = try(var.csi_secrets_store_provider_aws.max_history, null)
+ atomic = try(var.csi_secrets_store_provider_aws.atomic, null)
+ skip_crds = try(var.csi_secrets_store_provider_aws.skip_crds, null)
+ render_subchart_notes = try(var.csi_secrets_store_provider_aws.render_subchart_notes, null)
+ disable_openapi_validation = try(var.csi_secrets_store_provider_aws.disable_openapi_validation, null)
+ wait = try(var.csi_secrets_store_provider_aws.wait, null)
+ wait_for_jobs = try(var.csi_secrets_store_provider_aws.wait_for_jobs, null)
+ dependency_update = try(var.csi_secrets_store_provider_aws.dependency_update, null)
+ replace = try(var.csi_secrets_store_provider_aws.replace, null)
+ lint = try(var.csi_secrets_store_provider_aws.lint, null)
+
+ postrender = try(var.csi_secrets_store_provider_aws.postrender, [])
+ set = concat([
+ {
+ name = "serviceAccount.name"
+ value = local.csi_secrets_store_provider_aws_service_account
+ }],
+ try(var.csi_secrets_store_provider_aws.set, [])
+ )
+ set_sensitive = try(var.csi_secrets_store_provider_aws.set_sensitive, [])
+
+ tags = var.tags
+}
+
+
################################################################################
 # AWS for Fluent-bit
 ################################################################################
@@ -2783,13 +2850,6 @@ resource "kubernetes_config_map_v1" "aws_logging" {
 #-----------------Kubernetes Add-ons----------------------
-module "csi_secrets_store_provider_aws" {
- count = var.enable_secrets_store_csi_driver_provider_aws ? 1 : 0
- source = "./modules/csi-secrets-store-provider-aws"
- helm_config = var.csi_secrets_store_provider_aws_helm_config
- addon_context = local.addon_context
-}
-
 module "velero" {
 count = var.enable_velero ? 1 : 0
 source = "./modules/velero"
diff --git a/modules/csi-secrets-store-provider-aws/README.md b/modules/csi-secrets-store-provider-aws/README.md
deleted file mode 100644
index 34f0950c..00000000
--- a/modules/csi-secrets-store-provider-aws/README.md
+++ /dev/null
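Review bot: The chart comment above `name` in the new `module "csi_secrets_store_provider_aws"` block still links the eks-charts `csi-secrets-store-provider-aws` Chart.yaml, while `chart` and `repository` now pull `secrets-store-csi-driver-provider-aws` from `https://aws.github.io/secrets-store-csi-driver-provider-aws`, so the link no longer describes the chart that `chart_version = "0.3.2"` pins; point it at the GitHub repository behind that Helm repo URL instead, e.g. `# https://github.com/aws/secrets-store-csi-driver-provider-aws`. The deleted module README's "Requirements" note that the Secrets Store CSI Driver must be provisioned is not carried over anywhere, and `create = var.enable_csi_secrets_store_provider_aws` does not consult `var.enable_secrets_store_csi_driver`; add `# Requires the Secrets Store CSI Driver (enable_secrets_store_csi_driver) to be installed; this chart only adds the AWS provider.` above `create`, and state the same in the description of `enable_csi_secrets_store_provider_aws` in the variables.tf hunk. The default also moves from the old module's `version = "0.3.1"` to `"0.3.2"` without mention in the commit message; a line there would help users who pin nothing and will see the release change on upgrade.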
@@ -1,50 +0,0 @@
-# CSI Secrets Store Provider Helm Chart
-
-# Introduction
-
-AWS Secrets Manager and Config Provider for Secret Store CSI Driver allows you to get secret contents stored in AWS Key Management Service instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
-
-# Helm Chart
-
-### Instructions to use the Helm Chart
-
-See the [csi-secrets-store-provider-aws](https://github.com/aws/eks-charts/tree/master/stable/csi-secrets-store-provider-aws).
-
-
-## Requirements
-
-[Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html) to be provisioned.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [kubernetes_namespace.csi_secrets_store_provider_aws](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
})
| n/a | yes |
-| [helm\_config](#input\_helm\_config) | Cluster Autoscaler Helm Config | `any` | `{}` | no |
-| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
-
-
diff --git a/modules/csi-secrets-store-provider-aws/main.tf b/modules/csi-secrets-store-provider-aws/main.tf
deleted file mode 100644
index 3cc21a55..00000000
--- a/modules/csi-secrets-store-provider-aws/main.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-locals {
- name = try(var.helm_config.name, "secrets-store-csi-driver-provider-aws")
- namespace = try(var.helm_config.namespace, "kube-system")
-}
-
-resource "kubernetes_namespace_v1" "csi_secrets_store_provider_aws" {
- count = local.namespace == "kube-system" ? 0 : 1
-
- metadata {
- name = local.namespace
- }
-}
-
-module "helm_addon" {
- source = "../helm-addon"
-
- # https://github.com/aws/eks-charts/blob/master/stable/csi-secrets-store-provider-aws/Chart.yaml
- helm_config = merge(
- {
- name = local.name
- chart = local.name
- repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
- version = "0.3.1"
- namespace = local.namespace
- description = "A Helm chart to install the Secrets Store CSI Driver and the AWS Key Management Service Provider inside a Kubernetes cluster."
- },
- var.helm_config
- )
-
- manage_via_gitops = var.manage_via_gitops
- addon_context = var.addon_context
-
- depends_on = [
- kubernetes_namespace_v1.csi_secrets_store_provider_aws,
- ]
-}
diff --git a/modules/csi-secrets-store-provider-aws/outputs.tf b/modules/csi-secrets-store-provider-aws/outputs.tf
deleted file mode 100644
index 4d3d2c65..00000000
--- a/modules/csi-secrets-store-provider-aws/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "argocd_gitops_config" {
- description = "Configuration used for managing the add-on with ArgoCD"
- value = var.manage_via_gitops ? { enable = true } : null
-}
-
-output "release_metadata" {
- description = "Map of attributes of the Helm release metadata"
- value = module.helm_addon.release_metadata
-}
-
-output "irsa_arn" {
- description = "IAM role ARN for the service account"
- value = module.helm_addon.irsa_arn
-}
-
-output "irsa_name" {
- description = "IAM role name for the service account"
- value = module.helm_addon.irsa_name
-}
-
-output "service_account" {
- description = "Name of Kubernetes service account"
- value = module.helm_addon.service_account
-}
diff --git a/modules/csi-secrets-store-provider-aws/variables.tf b/modules/csi-secrets-store-provider-aws/variables.tf
deleted file mode 100644
index 619698f9..00000000
--- a/modules/csi-secrets-store-provider-aws/variables.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-variable "helm_config" {
- description = "CSI Secrets Store Provider AWS Helm Configurations"
- type = any
- default = {}
-}
-
-variable "manage_via_gitops" {
- description = "Determines if the add-on should be managed via GitOps"
- type = bool
- default = false
-}
-
-variable "addon_context" {
- description = "Input configuration for the addon"
- type = object({
- aws_caller_identity_account_id = string
- aws_caller_identity_arn = string
- aws_eks_cluster_endpoint = string
- aws_partition_id = string
- aws_region_name = string
- eks_cluster_id = string
- eks_oidc_issuer_url = string
- eks_oidc_provider_arn = string
- tags = map(string)
- irsa_iam_role_path = string
- irsa_iam_permissions_boundary = string
- })
-}
diff --git a/modules/csi-secrets-store-provider-aws/versions.tf b/modules/csi-secrets-store-provider-aws/versions.tf
deleted file mode 100644
index 55fba733..00000000
--- a/modules/csi-secrets-store-provider-aws/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.10"
- }
- }
-}
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 61929a77..82973446 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -132,25 +132,25 @@ module "eks_blueprints_addons" {
 }
 }
- enable_efs_csi_driver = true
- enable_fsx_csi_driver = true
- enable_argocd = true
- enable_cloudwatch_metrics = true
- enable_aws_privateca_issuer = true
- enable_cert_manager = true
- enable_cluster_autoscaler = true
- enable_secrets_store_csi_driver = true
- enable_secrets_store_csi_driver_provider_aws = true
- enable_kube_prometheus_stack = true
- enable_external_dns = true
- enable_external_secrets = true
- enable_gatekeeper = true
- enable_ingress_nginx = true
- enable_aws_load_balancer_controller = true
- enable_metrics_server = true
- enable_vpa = true
- enable_aws_for_fluentbit = true
- enable_fargate_fluentbit = true
+ enable_efs_csi_driver = true
+ enable_fsx_csi_driver = true
+ enable_argocd = true
+ enable_cloudwatch_metrics = true
+ enable_aws_privateca_issuer = true
+ enable_cert_manager = true
+ enable_cluster_autoscaler = true
+ enable_secrets_store_csi_driver = true
+ enable_csi_secrets_store_provider_aws = true
+ enable_kube_prometheus_stack = true
+ enable_external_dns = true
+ enable_external_secrets = true
+ enable_gatekeeper = true
+ enable_ingress_nginx = true
+ enable_aws_load_balancer_controller = true
+ enable_metrics_server = true
+ enable_vpa = true
+ enable_aws_for_fluentbit = true
+ enable_fargate_fluentbit = true
 enable_aws_node_termination_handler = true
 aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]
diff --git a/variables.tf b/variables.tf
index 258d5caf..c6d992ad 100644
--- a/variables.tf
+++ b/variables.tf
@@ -281,6 +281,22 @@ variable "secrets_store_csi_driver" {
 default = {}
 }
+################################################################################
+# CSI Secrets Store Provider AWS
+################################################################################
+
+variable "enable_csi_secrets_store_provider_aws" {
+ description = "Enable AWS CSI Secrets Store Provider"
+ type = bool
+ default = false
+}
+
+variable "csi_secrets_store_provider_aws" {
+ description = "CSI Secrets Store Provider add-on configurations"
+ type = any
+ default = {}
+}
+
 ################################################################################
 # AWS for Fluentbit
 ################################################################################
@@ -519,16 +535,3 @@ variable "velero_backup_s3_bucket" {
 type = string
 default = ""
 }
-
-#-----------AWS CSI Secrets Store Provider-------------
-variable "enable_secrets_store_csi_driver_provider_aws" {
- type = bool
- default = false
- description = "Enable AWS CSI Secrets Store Provider"
-}
-
-variable "csi_secrets_store_provider_aws_helm_config" {
- type = any
- default = null
- description = "CSI Secrets Store Provider AWS Helm Configurations"
-}