feat: secrets manager integration for ingress #672
/run pipeline
/run pipeline
/run pipeline
@ocofaigh @daniel-butler-irl The code here looks correct so I've approved, but please have a look at the variable names in the solution/catalog to make sure they look ok as well.
ocofaigh
left a comment
Left a few comments. We also now need to update the ibm_catalog.json and add mappings for the new inputs since secrets manager DA is marked as a dependent DA
ocofaigh
left a comment
As discussed on slack, I think OCP DA should create the secret group that the secrets manager integration will use. I would use the cluster ID in the name of the secret group. And use https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-secret-group to create it, as this also supports creating an associated access group for the secret group.
We should also support using existing group, but default to create new one.
ocofaigh
left a comment
@Vipin654 Left one more comment. Are you planning to add secret group support in this PR?
Yes @ocofaigh. I will add secrets group creation in this PR only.
I added comments in this PR where possible for the Readme file. Other content suggestions are included in this comment for the Readme file:
terraform-ibm-base-ocp-vpc/README.md Line 294 in 029eee2
Specify which type of endpoint to use for cluster config access: 'default', 'private', 'vpe', 'link'. A 'default' value uses the default endpoint of the cluster.
terraform-ibm-base-ocp-vpc/README.md Line 295 in 029eee2
The name that is assigned to the provisioned cluster.
terraform-ibm-base-ocp-vpc/README.md Line 296 in 029eee2
The cluster is ready based on one of the following:
terraform-ibm-base-ocp-vpc/README.md Line 322 in 029eee2
ID of the VPC instance where this cluster is provisioned.
terraform-ibm-base-ocp-vpc/README.md Line 323 in 029eee2
Metadata that describes the VPC's subnets. Obtain this information from the VPC where this cluster is created
terraform-ibm-base-ocp-vpc/README.md Line 332 in 029eee2
CRN for the cluster
terraform-ibm-base-ocp-vpc/README.md Line 333 in 029eee2
ID of the cluster
terraform-ibm-base-ocp-vpc/README.md Line 334 in 029eee2
Name of the cluster
/run pipeline
/run pipeline
/run pipeline
/run pipeline
/run pipeline
…raform-ibm-base-ocp-vpc into sm-integration
/run pipeline
ocofaigh
left a comment
see latest comments
| # decide the iam endpoint depending upon the IBMCLOUD_IAM_API_ENDPOINT env variable set by the user and | ||
| # whether provider visibility is public or private | ||
| iam_cloud_endpoint="${IBMCLOUD_IAM_API_ENDPOINT:-"iam.cloud.ibm.com"}" | ||
| IBMCLOUD_IAM_API_ENDPOINT=${iam_cloud_endpoint#https://} |
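Review bot: the last line of this hunk strips only a leading `https://`, so an `IBMCLOUD_IAM_API_ENDPOINT` set with `http://`, a trailing slash or a path passes through unchanged into whatever URL is assembled from it later. Because requests to the IAM endpoint carry credentials, validate the result as a bare hostname and exit with a clear error otherwise, rather than letting a malformed endpoint through. The header comment also mentions provider visibility, but nothing in these lines reads it, so either handle the private case here or move that sentence to where the private endpoint is chosen. The inner double quotes around the default in `${IBMCLOUD_IAM_API_ENDPOINT:-"iam.cloud.ibm.com"}` are redundant and can be dropped.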
Why are you stripping https:// from IBMCLOUD_IAM_API_ENDPOINT? You are adding it back again later, so I see no point in this logic. The default value of IBMCLOUD_IAM_API_ENDPOINT should be https://iam.cloud.ibm.com
I guess if we need to use private endpoint for IAM, then removing https:// is needed so that we can later add private. I took the same logic from reset_api_key script.
/run pipeline
/run pipeline
🎉 This PR is included in version 3.48.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Description
Add support for setting up Secrets Manager in a Kubernetes Service cluster. AKA the steps documented here: https://cloud.ibm.com/docs/containers?topic=containers-secrets-mgr
Release required?
x.x.X) x.X.x) X.x.x)
Release notes content
Run the pipeline
If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.
Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:
Checklist for reviewers
For mergers