Serviceaccount imagepullsecret support (#977)
* imagePullSecrets added as option

* adding note of functionality
Pacobart authored Sep 21, 2022
1 parent 441d553 commit adfbef6
Showing 13 changed files with 48 additions and 10 deletions.
6 changes: 6 additions & 0 deletions docs/add-ons/cert-manager.md
@@ -32,6 +32,12 @@ You can set an email address for expiration emails with:
cert_manager_letsencrypt_email = "user@example.com"
```

You can pass previously created secrets for use as `imagePullSecrets` on the Service Account

```
cert_manager_kubernetes_svc_image_pull_secrets = ["regcred"]
```

### GitOps Configuration

The following properties are made available for use when managing the add-on via GitOps.
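Review bot: the added sentence should state that the Secrets named in `cert_manager_kubernetes_svc_image_pull_secrets` must already exist in the namespace the cert-manager service account is created in, because `imagePullSecrets` can only reference Secrets in the pod's own namespace and the Kubernetes API accepts any name without checking it, so a typo or a Secret created elsewhere surfaces only later as a denied image pull. Also end the sentence with a period and tag the fence with `hcl`.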
1 change: 1 addition & 0 deletions modules/irsa/README.md
@@ -59,6 +59,7 @@ No modules.
| <a name="input_irsa_iam_role_path"></a> [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
| <a name="input_kubernetes_namespace"></a> [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes |
| <a name="input_kubernetes_service_account"></a> [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes |
| <a name="input_kubernetes_svc_image_pull_secrets"></a> [kubernetes\_svc\_image\_pull\_secrets](#input\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |

## Outputs
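Review bot: the description column of the new row ("list(string) of kubernetes imagePullSecrets") repeats the type column. This table looks terraform-docs-generated, so the fix belongs in the `description` of the variable in `modules/irsa/variables.tf` (say what the values are: names of existing registry-credential Secrets in the service account's namespace) followed by regenerating the tables, rather than hand-editing the row.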
7 changes: 7 additions & 0 deletions modules/irsa/main.tf
@@ -17,6 +17,13 @@ resource "kubernetes_service_account_v1" "irsa" {
annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null
}

dynamic "image_pull_secret" {
for_each = var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : []
content {
name = image_pull_secret.value
}
}

automount_service_account_token = true
}
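Review bot: `for_each` over the raw list makes the order of names in `kubernetes_svc_image_pull_secrets` significant, so a caller reordering them in tfvars gets an in-place update of the service account, and a duplicated name yields two identical `image_pull_secret` blocks; `for_each = toset(var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : [])` avoids both while `image_pull_secret.value` keeps working. The `!= null` guard itself is warranted: helm-addon forwards an `optional(list(string))` object attribute, which is null whenever the caller omits it.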

6 changes: 6 additions & 0 deletions modules/irsa/variables.tf
@@ -20,6 +20,12 @@ variable "kubernetes_service_account" {
type = string
}

variable "kubernetes_svc_image_pull_secrets" {
description = "list(string) of kubernetes imagePullSecrets"
type = list(string)
default = []
}

variable "irsa_iam_policies" {
type = list(string)
description = "IAM Policies for IRSA IAM role"
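Review bot: the description `"list(string) of kubernetes imagePullSecrets"` restates the `type` line below it; describe the values instead, e.g. `"Names of existing registry-credential Secrets in the service account's namespace to attach as imagePullSecrets"`, and use the same wording for the three copies of this variable (irsa, cert-manager, kubernetes-addons) so the generated READMEs agree with each other.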
1 change: 1 addition & 0 deletions modules/kubernetes-addons/README.md
@@ -131,6 +131,7 @@
| <a name="input_cert_manager_helm_config"></a> [cert\_manager\_helm\_config](#input\_cert\_manager\_helm\_config) | Cert Manager Helm Chart config | `any` | `{}` | no |
| <a name="input_cert_manager_install_letsencrypt_issuers"></a> [cert\_manager\_install\_letsencrypt\_issuers](#input\_cert\_manager\_install\_letsencrypt\_issuers) | Install Let's Encrypt Cluster Issuers | `bool` | `true` | no |
| <a name="input_cert_manager_irsa_policies"></a> [cert\_manager\_irsa\_policies](#input\_cert\_manager\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
| <a name="input_cert_manager_kubernetes_svc_image_pull_secrets"></a> [cert\_manager\_kubernetes\_svc\_image\_pull\_secrets](#input\_cert\_manager\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no |
| <a name="input_cert_manager_letsencrypt_email"></a> [cert\_manager\_letsencrypt\_email](#input\_cert\_manager\_letsencrypt\_email) | Email address for expiration emails from Let's Encrypt | `string` | `""` | no |
| <a name="input_chaos_mesh_helm_config"></a> [chaos\_mesh\_helm\_config](#input\_chaos\_mesh\_helm\_config) | Chaos Mesh Helm Chart config | `any` | `{}` | no |
| <a name="input_cilium_helm_config"></a> [cilium\_helm\_config](#input\_cilium\_helm\_config) | Cilium Helm Chart config | `any` | `{}` | no |
1 change: 1 addition & 0 deletions modules/kubernetes-addons/cert-manager/README.md
@@ -57,6 +57,7 @@ cert-manager docker image is available at this repo:
| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | cert-manager Helm chart configuration | `any` | `{}` | no |
| <a name="input_install_letsencrypt_issuers"></a> [install\_letsencrypt\_issuers](#input\_install\_letsencrypt\_issuers) | Install Let's Encrypt Cluster Issuers. | `bool` | `true` | no |
| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies used for the add-on service account. | `list(string)` | `[]` | no |
| <a name="input_kubernetes_svc_image_pull_secrets"></a> [kubernetes\_svc\_image\_pull\_secrets](#input\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no |
| <a name="input_letsencrypt_email"></a> [letsencrypt\_email](#input\_letsencrypt\_email) | Email address for expiration emails from Let's Encrypt. | `string` | `""` | no |
| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |

1 change: 1 addition & 0 deletions modules/kubernetes-addons/cert-manager/locals.tf
@@ -38,6 +38,7 @@ locals {
kubernetes_service_account = local.service_account_name
create_kubernetes_namespace = try(local.helm_config["create_namespace"], true)
create_kubernetes_service_account = true
kubernetes_svc_image_pull_secrets = var.kubernetes_svc_image_pull_secrets
irsa_iam_policies = concat([aws_iam_policy.cert_manager.arn], var.irsa_policies)
}

6 changes: 6 additions & 0 deletions modules/kubernetes-addons/cert-manager/variables.tf
@@ -50,3 +50,9 @@ variable "addon_context" {
irsa_iam_permissions_boundary = string
})
}

variable "kubernetes_svc_image_pull_secrets" {
description = "list(string) of kubernetes imagePullSecrets"
type = list(string)
default = []
}
2 changes: 1 addition & 1 deletion modules/kubernetes-addons/helm-addon/README.md
@@ -39,7 +39,7 @@ Helm Addon module can be used to provision a generic Helm Chart as an Add-On for
|------|-------------|------|---------|:--------:|
| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br> aws_caller_identity_account_id = string<br> aws_caller_identity_arn = string<br> aws_eks_cluster_endpoint = string<br> aws_partition_id = string<br> aws_region_name = string<br> eks_cluster_id = string<br> eks_oidc_issuer_url = string<br> eks_oidc_provider_arn = string<br> tags = map(string)<br> irsa_iam_role_path = optional(string)<br> irsa_iam_permissions_boundary = optional(string)<br> })</pre> | n/a | yes |
| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs | `any` | n/a | yes |
| <a name="input_irsa_config"></a> [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | <pre>object({<br> kubernetes_namespace = string<br> create_kubernetes_namespace = optional(bool)<br> kubernetes_service_account = string<br> create_kubernetes_service_account = optional(bool)<br> irsa_iam_policies = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_irsa_config"></a> [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | <pre>object({<br> kubernetes_namespace = string<br> create_kubernetes_namespace = optional(bool)<br> kubernetes_service_account = string<br> create_kubernetes_service_account = optional(bool)<br> kubernetes_svc_image_pull_secrets = optional(list(string))<br> irsa_iam_policies = optional(list(string))<br> })</pre> | `null` | no |
| <a name="input_irsa_iam_role_name"></a> [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no |
| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
| <a name="input_set_sensitive_values"></a> [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no |
1 change: 1 addition & 0 deletions modules/kubernetes-addons/helm-addon/main.tf
@@ -67,6 +67,7 @@ module "irsa" {
create_kubernetes_service_account = try(var.irsa_config.create_kubernetes_service_account, true)
kubernetes_namespace = var.irsa_config.kubernetes_namespace
kubernetes_service_account = var.irsa_config.kubernetes_service_account
kubernetes_svc_image_pull_secrets = var.irsa_config.kubernetes_svc_image_pull_secrets
irsa_iam_policies = var.irsa_config.irsa_iam_policies
irsa_iam_role_name = var.irsa_iam_role_name
irsa_iam_role_path = var.addon_context.irsa_iam_role_path
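Review bot: no `try()` is needed on the new `kubernetes_svc_image_pull_secrets` line even though `create_kubernetes_service_account` above wraps its lookup in one: the attribute is declared with `optional()` in the `irsa_config` type, so omitting it reads as null rather than erroring, and the irsa module guards for null. Pick one style for the block; the `try(..., true)` above could likewise be dropped once the bool attribute carries its own default.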
1 change: 1 addition & 0 deletions modules/kubernetes-addons/helm-addon/variables.tf
@@ -34,6 +34,7 @@ variable "irsa_config" {
create_kubernetes_namespace = optional(bool)
kubernetes_service_account = string
create_kubernetes_service_account = optional(bool)
kubernetes_svc_image_pull_secrets = optional(list(string))
irsa_iam_policies = optional(list(string))
})
default = null
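Review bot: on Terraform 1.3 or later, `optional(list(string), [])` would give this attribute a default of `[]` at the type-constraint level and let the irsa module drop its null check; if the module still has to support older Terraform, the plain `optional(list(string))` used here is the right form and handling null downstream, as this change does, is correct.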
19 changes: 10 additions & 9 deletions modules/kubernetes-addons/main.tf
@@ -153,15 +153,16 @@ module "aws_node_termination_handler" {
}

module "cert_manager" {
count = var.enable_cert_manager ? 1 : 0
source = "./cert-manager"
helm_config = var.cert_manager_helm_config
manage_via_gitops = var.argocd_manage_add_ons
irsa_policies = var.cert_manager_irsa_policies
addon_context = local.addon_context
domain_names = var.cert_manager_domain_names
install_letsencrypt_issuers = var.cert_manager_install_letsencrypt_issuers
letsencrypt_email = var.cert_manager_letsencrypt_email
count = var.enable_cert_manager ? 1 : 0
source = "./cert-manager"
helm_config = var.cert_manager_helm_config
manage_via_gitops = var.argocd_manage_add_ons
irsa_policies = var.cert_manager_irsa_policies
addon_context = local.addon_context
domain_names = var.cert_manager_domain_names
install_letsencrypt_issuers = var.cert_manager_install_letsencrypt_issuers
letsencrypt_email = var.cert_manager_letsencrypt_email
kubernetes_svc_image_pull_secrets = var.cert_manager_kubernetes_svc_image_pull_secrets
}

module "cert_manager_csi_driver" {
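Review bot: apart from the single functional line `kubernetes_svc_image_pull_secrets = var.cert_manager_kubernetes_svc_image_pull_secrets`, this hunk is `terraform fmt` realigning the nine existing arguments to the longer key, which is expected but leaves every line of the block attributed to this commit in `git blame`; review it with whitespace ignored, and prefer landing formatting-only churn separately when the key length changes like this.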
6 changes: 6 additions & 0 deletions modules/kubernetes-addons/variables.tf
@@ -679,6 +679,12 @@ variable "cert_manager_csi_driver_helm_config" {
default = {}
}

variable "cert_manager_kubernetes_svc_image_pull_secrets" {
description = "list(string) of kubernetes imagePullSecrets"
type = list(string)
default = []
}

#-----------Argo Rollouts ADDON-------------
variable "enable_argo_rollouts" {
description = "Enable Argo Rollouts add-on"
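Review bot: the new variable lands after `cert_manager_csi_driver_helm_config`, which belongs to the cert-manager CSI driver add-on rather than to cert-manager itself; if the other `cert_manager_*` inputs sit in an earlier block, placing it with them keeps the per-add-on grouping that the `#-----------Argo Rollouts ADDON-------------` banner below indicates this file uses.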
