From 2de5f6a65be26568e599824d9947d848e59fa5cf Mon Sep 17 00:00:00 2001 From: Terraform IBM Modules Operations Date: Mon, 26 May 2025 15:39:54 +0000 Subject: [PATCH 1/7] chore(deps): update terraform dependencies --- examples/all-combined/main.tf | 2 +- examples/all-combined/privatecertificate.tf | 2 +- examples/all-combined/secretsmanager.tf | 4 ++-- examples/all-combined/tpauth_cluster_sstore.tf | 2 +- examples/all-combined/tpauth_namespaced_sstore.tf | 8 ++++---- examples/basic/main.tf | 4 ++-- examples/trusted-profiles-authentication/main.tf | 2 +- 7 files changed, 12 insertions(+), 12 deletions(-) diff --git a/examples/all-combined/main.tf b/examples/all-combined/main.tf index 2ae47d6c..b4107a6f 100644 --- a/examples/all-combined/main.tf +++ b/examples/all-combined/main.tf @@ -186,7 +186,7 @@ module "network_acl" { # OCP CLUSTER creation module "ocp_base" { source = "terraform-ibm-modules/base-ocp-vpc/ibm" - version = "3.46.17" + version = "3.48.3" cluster_name = "${var.prefix}-vpc" resource_group_id = module.resource_group.resource_group_id region = var.region diff --git a/examples/all-combined/privatecertificate.tf b/examples/all-combined/privatecertificate.tf index 13c4d3e8..ddc0370f 100644 --- a/examples/all-combined/privatecertificate.tf +++ b/examples/all-combined/privatecertificate.tf @@ -13,7 +13,7 @@ locals { # private certificate engine module "secrets_manager_private_secret_engine" { source = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm" - version = "1.4.0" + version = "1.5.2" secrets_manager_guid = local.sm_guid region = local.sm_region root_ca_name = var.pvt_ca_name != null ? var.pvt_ca_name : "pvt-${var.prefix}-project-root-ca" diff --git a/examples/all-combined/secretsmanager.tf b/examples/all-combined/secretsmanager.tf index 23bc2feb..5c83ac60 100644 --- a/examples/all-combined/secretsmanager.tf +++ b/examples/all-combined/secretsmanager.tf 
@@ -36,7 +36,7 @@ resource "ibm_resource_instance" "secrets_manager" { # create secrets group for secrets module "secrets_manager_group" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid secret_group_name = "${var.prefix}-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value @@ -49,7 +49,7 @@ module "secrets_manager_group" { # additional secrets manager secret group for service level secrets module "secrets_manager_group_acct" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid #tfsec:ignore:general-secrets-no-plaintext-exposure diff --git a/examples/all-combined/tpauth_cluster_sstore.tf b/examples/all-combined/tpauth_cluster_sstore.tf index 81f94da6..4c5d4f34 100644 --- a/examples/all-combined/tpauth_cluster_sstore.tf +++ b/examples/all-combined/tpauth_cluster_sstore.tf @@ -7,7 +7,7 @@ # creating a secrets group for clustersecretstore with trustedprofile auth module "tp_clusterstore_secrets_manager_group" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid secret_group_name = "${var.prefix}-cpstore-tp-secret-group" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value diff --git a/examples/all-combined/tpauth_namespaced_sstore.tf b/examples/all-combined/tpauth_namespaced_sstore.tf index b814b308..b7e3d912 100644 --- a/examples/all-combined/tpauth_namespaced_sstore.tf +++ b/examples/all-combined/tpauth_namespaced_sstore.tf 
@@ -40,7 +40,7 @@ module "eso_tp_namespace_secretstores" { # creating a secrets group for each namespace to be used for namespaced secretstores with trustedprofile auth module "tp_secrets_manager_groups" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" count = length(var.es_namespaces_tp) region = local.sm_region secrets_manager_guid = local.sm_guid @@ -140,7 +140,7 @@ module "eso_tp_namespace_secretstore_multisg" { # creating two secrets groups for a single namespace to test trusted profile policy on multiple secrets groups module "tp_secrets_manager_group_multi_1" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid secret_group_name = "${var.prefix}-tp-secret-group-multisg-1" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value @@ -152,7 +152,7 @@ module "tp_secrets_manager_group_multi_1" { module "tp_secrets_manager_group_multi_2" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid secret_group_name = "${var.prefix}-tp-secret-group-multisg-21" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value @@ -285,7 +285,7 @@ module "eso_tp_namespace_secretstore_nosecgroup" { # creating secrets group for a single namespace to test trusted profile policy without any secret group in the TP policy module "tp_secrets_manager_group_not_for_policy" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid secret_group_name = "${var.prefix}-tp-secret-group-not-for-policy" #checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value 
diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 9855be9b..bbec78d4 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -198,7 +198,7 @@ module "network_acl" { # OCP CLUSTER creation module "ocp_base" { source = "terraform-ibm-modules/base-ocp-vpc/ibm" - version = "3.46.17" + version = "3.48.3" cluster_name = "${var.prefix}-vpc" resource_group_id = module.resource_group.resource_group_id region = var.region @@ -267,7 +267,7 @@ resource "ibm_resource_instance" "secrets_manager" { # Additional Secrets-Manager Secret-Group for SERVICE level secrets module "secrets_manager_group_acct" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" region = local.sm_region secrets_manager_guid = local.sm_guid #tfsec:ignore:general-secrets-no-plaintext-exposure diff --git a/examples/trusted-profiles-authentication/main.tf b/examples/trusted-profiles-authentication/main.tf index 830d1726..1b4caa28 100644 --- a/examples/trusted-profiles-authentication/main.tf +++ b/examples/trusted-profiles-authentication/main.tf @@ -41,7 +41,7 @@ resource "ibm_resource_instance" "secrets_manager" { module "secrets_manager_groups" { source = "terraform-ibm-modules/secrets-manager-secret-group/ibm" - version = "1.3.5" + version = "1.3.7" count = length(kubernetes_namespace.examples) region = local.sm_region secrets_manager_guid = local.sm_guid From b085a06f984752fa43a8f0561b8cfe4eb88a42b7 Mon Sep 17 00:00:00 2001 From: Terraform IBM Modules Operations Date: Mon, 26 May 2025 15:42:36 +0000 Subject: [PATCH 2/7] fix(deps): update helm release external-secrets to latest --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f67018ec..8a40daa0 100644 --- a/README.md +++ b/README.md 
@@ -517,7 +517,7 @@ module "es_kubernetes_secret" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [eso\_chart\_location](#input\_eso\_chart\_location) | The location of the External Secrets Operator Helm chart. | `string` | `"https://charts.external-secrets.io"` | no | -| [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.16.2"` | no | +| [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.17.0"` | no | | [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no | | [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no | | [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no | diff --git a/variables.tf b/variables.tf index 222441aa..7ce512bc 100644 --- a/variables.tf +++ b/variables.tf @@ -95,7 +95,7 @@ variable "eso_chart_location" { variable "eso_chart_version" { type = string description = "The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso_image_version." - default = "0.16.2" # registryUrl: charts.external-secrets.io + default = "0.17.0" # registryUrl: charts.external-secrets.io nullable = false } From bb41faffc1c8f0be6f3fb9703977cfe678e57d17 Mon Sep 17 00:00:00 2001 From: valerio-bontempi Date: Wed, 28 May 2025 18:03:24 +0200 Subject: [PATCH 3/7] fix: updated version for test --- examples/basic/version.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/basic/version.tf b/examples/basic/version.tf index b55f4153..310c4b01 100644 --- a/examples/basic/version.tf +++ b/examples/basic/version.tf @@ -15,7 +15,7 @@ terraform { } ibm = { source = "IBM-Cloud/ibm" - version = "= 1.76.0" + version = "= 1.78.2" } null = { source = "hashicorp/null" From f41e7449563674ad16a0ef8a0ead6e0f00e16157 Mon Sep 17 00:00:00 2001 From: valerio-bontempi Date: Wed, 28 May 2025 18:24:02 +0200 Subject: [PATCH 4/7] fix: changed manifest to v1 from v1beta for eso --- README.md | 2 +- modules/eso-clusterstore/main.tf | 4 ++-- modules/eso-external-secret/main.tf | 12 ++++++------ modules/eso-secretstore/main.tf | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 8a40daa0..a72b5688 100644 --- a/README.md +++ b/README.md 
@@ -343,7 +343,7 @@ Labels: app=raw release=apikeynspace1-es-docker-uc Annotations: meta.helm.sh/release-name: apikeynspace1-es-docker-uc meta.helm.sh/release-namespace: apikeynspace1 -API Version: external-secrets.io/v1beta1 +API Version: external-secrets.io/v1 Kind: ExternalSecret Metadata: (...) diff --git a/modules/eso-clusterstore/main.tf b/modules/eso-clusterstore/main.tf index ab6d0f4a..916475cf 100644 --- a/modules/eso-clusterstore/main.tf +++ b/modules/eso-clusterstore/main.tf @@ -36,7 +36,7 @@ resource "helm_release" "cluster_secret_store_apikey" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: name: "${var.clusterstore_name}" @@ -70,7 +70,7 @@ resource "helm_release" "cluster_secret_store_tp" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: name: "${var.clusterstore_name}" diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index a64596ee..19fc3cd2 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf @@ -112,7 +112,7 @@ resource "helm_release" "kubernetes_secret" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" @@ -151,7 +151,7 @@ resource "helm_release" "kubernetes_secret_chain_list" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" @@ -193,7 +193,7 @@ resource "helm_release" "kubernetes_secret_user_pw" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" 
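Review bot: The manifest rendered by `cluster_secret_store_apikey` now hard-codes `apiVersion: external-secrets.io/v1`, and the same line is changed in `cluster_secret_store_tp` and in every helm_release of eso-external-secret and eso-secretstore, while the operator that has to serve that API is selected by the user through `eso_chart_version` with nothing tying the two together. A deployment that pins an older chart (the default is moved back to `0.16.2` later in this series) would, as far as I can tell, fail at apply time because the v1 kinds are not served by the older CRDs; the exact first chart version that serves v1 should be confirmed from the ESO release notes. I would add a `validation` block on `eso_chart_version` that rejects versions below that minimum, or at least extend the variable description with `The manifests rendered by this module use the external-secrets.io/v1 API; the chart version must be one whose operator serves it.` Each helm_release block starts before its hunk and ends after it.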
@@ -237,7 +237,7 @@ resource "helm_release" "kubernetes_secret_certificate" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" @@ -274,7 +274,7 @@ resource "helm_release" "kubernetes_secret_kv_key" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" @@ -314,7 +314,7 @@ resource "helm_release" "kubernetes_secret_kv_all" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: "${var.es_kubernetes_secret_name}" diff --git a/modules/eso-secretstore/main.tf b/modules/eso-secretstore/main.tf index 77c3d755..a5772431 100644 --- a/modules/eso-secretstore/main.tf +++ b/modules/eso-secretstore/main.tf @@ -31,7 +31,7 @@ resource "helm_release" "external_secret_store_apikey" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: SecretStore metadata: name: "${var.sstore_store_name}" @@ -60,7 +60,7 @@ resource "helm_release" "external_secret_store_tp" { values = [ <<-EOF resources: - - apiVersion: external-secrets.io/v1beta1 + - apiVersion: external-secrets.io/v1 kind: SecretStore metadata: name: "${var.sstore_store_name}" From 72b9c9415dc2a0a9c7cbbb2c07f8e096e24375f8 Mon Sep 17 00:00:00 2001 From: valerio-bontempi Date: Thu, 29 May 2025 18:24:08 +0200 Subject: [PATCH 5/7] fix: added force_reload to helm release --- modules/eso-clusterstore/main.tf | 26 +++++----- modules/eso-external-secret/main.tf | 78 ++++++++++++++++------------- modules/eso-secretstore/main.tf | 26 +++++----- 3 files changed, 70 insertions(+), 60 deletions(-) diff --git a/modules/eso-clusterstore/main.tf b/modules/eso-clusterstore/main.tf index 916475cf..a7385f41 100644 
--- a/modules/eso-clusterstore/main.tf +++ b/modules/eso-clusterstore/main.tf @@ -27,12 +27,13 @@ resource "kubernetes_secret" "eso_clusterstore_secret" { # define cluster secret store for cluster scope and apikey auth resource "helm_release" "cluster_secret_store_apikey" { - count = var.eso_authentication == "api_key" ? 1 : 0 - name = "${var.clusterstore_helm_rls_name}-apikey" - namespace = var.eso_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = var.eso_authentication == "api_key" ? 1 : 0 + name = "${var.clusterstore_helm_rls_name}-apikey" + namespace = var.eso_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: @@ -61,12 +62,13 @@ resource "helm_release" "cluster_secret_store_apikey" { # define cluster secret store for cluster scope and trusted store auth # ContainerAuth with CRI based authentication resource "helm_release" "cluster_secret_store_tp" { - count = var.eso_authentication == "trusted_profile" ? 1 : 0 - name = "${var.clusterstore_helm_rls_name}-tp" - namespace = var.eso_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = var.eso_authentication == "trusted_profile" ? 1 : 0 + name = "${var.clusterstore_helm_rls_name}-tp" + namespace = var.eso_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 19fc3cd2..70eaa251 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf 
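Review bot: `force_update = true` is added unconditionally to `cluster_secret_store_apikey` here and to `cluster_secret_store_tp`, and the same line is added to every helm_release in eso-external-secret and eso-secretstore in this patch; the helm provider documents this flag as forcing a resource update through delete and recreate when an in-place patch is not possible. For ExternalSecret objects that is a risky default: if ESO owns the synced Kubernetes Secret, deleting the ExternalSecret can take the Secret with it until the next reconcile, so workloads consuming it may see it vanish during an upgrade — worth confirming against the creationPolicy the module renders before keeping this permanent. If the flag is only needed for the v1beta1 to v1 migration, I would expose it as an input defaulting to false, e.g. `force_update = var.helm_force_update`, with a description that spells out the delete-and-recreate behaviour, and drop it once the migration is done (the next patch in this series removes it again). The commit subject says `force_reload` but the attribute added is `force_update`. Each helm_release block begins before the hunk and ends after it.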
@@ -103,12 +103,13 @@ locals { ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials or arbitrary resource "helm_release" "kubernetes_secret" { - count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary" || var.sm_secret_type == "trusted_profile") && local.is_dockerjsonconfig_chain == false ? 1 : 0 - name = local.helm_secret_name - namespace = local.es_helm_rls_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary" || var.sm_secret_type == "trusted_profile") && local.is_dockerjsonconfig_chain == false ? 1 : 0 + name = local.helm_secret_name + namespace = local.es_helm_rls_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: @@ -142,12 +143,13 @@ resource "helm_release" "kubernetes_secret" { ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials and kubernetes secret type dockerjsonconfig and configured with a chain of secrets resource "helm_release" "kubernetes_secret_chain_list" { - count = local.is_dockerjsonconfig_chain == true ? 1 : 0 - name = local.helm_secret_name - namespace = local.es_helm_rls_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = local.is_dockerjsonconfig_chain == true ? 1 : 0 + name = local.helm_secret_name + namespace = local.es_helm_rls_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: 
@@ -184,12 +186,13 @@ resource "helm_release" "kubernetes_secret_chain_list" { ### Define kubernetes secret to be installed in cluster for opaque secret type based on SM user credential secret type resource "helm_release" "kubernetes_secret_user_pw" { - count = var.sm_secret_type == "username_password" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = var.sm_secret_type == "username_password" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: @@ -228,12 +231,13 @@ resource "helm_release" "kubernetes_secret_user_pw" { ### Define kubernetes secret to be installed in cluster for certificate secret based on SM certificate secret type resource "helm_release" "kubernetes_secret_certificate" { - count = local.is_certificate ? 1 : 0 #checkov:skip=CKV_SECRET_6 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = local.is_certificate ? 1 : 0 #checkov:skip=CKV_SECRET_6 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: 
@@ -265,12 +269,13 @@ resource "helm_release" "kubernetes_secret_certificate" { ### Define kubernetes secret to be installed in cluster for key-value secret based on SM kv secret type based on keyid or key path resource "helm_release" "kubernetes_secret_kv_key" { - count = local.is_kv && local.kv_remoteref_property != "" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = local.is_kv && local.kv_remoteref_property != "" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: @@ -305,12 +310,13 @@ resource "helm_release" "kubernetes_secret_kv_key" { ### Define kubernetes secret to be installed in cluster for key-value secret based on SM kv secret type pulling all the keys structure resource "helm_release" "kubernetes_secret_kv_all" { - count = local.is_kv && local.kv_remoteref_property == "" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = local.is_kv && local.kv_remoteref_property == "" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: diff --git a/modules/eso-secretstore/main.tf b/modules/eso-secretstore/main.tf index a5772431..29c6187f 100644 --- a/modules/eso-secretstore/main.tf +++ b/modules/eso-secretstore/main.tf 
@@ -22,12 +22,13 @@ resource "kubernetes_secret" "eso_secretsstore_secret" { ### Define secret store used to connect with SM instance for apikey auth resource "helm_release" "external_secret_store_apikey" { - count = var.eso_authentication == "api_key" ? 1 : 0 - name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52) - namespace = var.sstore_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = var.eso_authentication == "api_key" ? 1 : 0 + name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52) + namespace = var.sstore_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: @@ -51,12 +52,13 @@ resource "helm_release" "external_secret_store_apikey" { # Trusted profile authentication Use ContainerAuth with CRI based authentication (trusted profile support) resource "helm_release" "external_secret_store_tp" { - count = var.eso_authentication == "trusted_profile" ? 1 : 0 - name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52) - namespace = var.sstore_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 + count = var.eso_authentication == "trusted_profile" ? 1 : 0 + name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52) + namespace = var.sstore_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 + force_update = true values = [ <<-EOF resources: From de2b59901381e593f2c7decf9145ee774f20fd44 Mon Sep 17 00:00:00 2001 
From: valerio-bontempi Date: Fri, 30 May 2025 16:05:20 +0200 Subject: [PATCH 6/7] feat: restored chart version to 0.16.2 to allow two steps upgrade avoiding breaking change --- README.md | 2 +- modules/eso-clusterstore/main.tf | 26 +++++----- modules/eso-external-secret/main.tf | 78 +++++++++++++---------------- modules/eso-secretstore/main.tf | 26 +++++----- variables.tf | 2 +- 5 files changed, 62 insertions(+), 72 deletions(-) diff --git a/README.md b/README.md index a72b5688..cd375ff6 100644 --- a/README.md +++ b/README.md @@ -517,7 +517,7 @@ module "es_kubernetes_secret" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [eso\_chart\_location](#input\_eso\_chart\_location) | The location of the External Secrets Operator Helm chart. | `string` | `"https://charts.external-secrets.io"` | no | -| [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.17.0"` | no | +| [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.16.2"` | no | | [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no | | [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no | | [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no | diff --git a/modules/eso-clusterstore/main.tf b/modules/eso-clusterstore/main.tf index a7385f41..916475cf 100644 --- a/modules/eso-clusterstore/main.tf +++ b/modules/eso-clusterstore/main.tf @@ -27,13 +27,12 @@ resource "kubernetes_secret" "eso_clusterstore_secret" { # define cluster secret store for cluster scope and apikey auth resource "helm_release" "cluster_secret_store_apikey" { - count = var.eso_authentication == "api_key" ? 1 : 0 - name = "${var.clusterstore_helm_rls_name}-apikey" - namespace = var.eso_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = var.eso_authentication == "api_key" ? 1 : 0 + name = "${var.clusterstore_helm_rls_name}-apikey" + namespace = var.eso_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: 
@@ -62,13 +61,12 @@ resource "helm_release" "cluster_secret_store_apikey" { # define cluster secret store for cluster scope and trusted store auth # ContainerAuth with CRI based authentication resource "helm_release" "cluster_secret_store_tp" { - count = var.eso_authentication == "trusted_profile" ? 1 : 0 - name = "${var.clusterstore_helm_rls_name}-tp" - namespace = var.eso_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = var.eso_authentication == "trusted_profile" ? 1 : 0 + name = "${var.clusterstore_helm_rls_name}-tp" + namespace = var.eso_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 70eaa251..19fc3cd2 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf 
@@ -103,13 +103,12 @@ locals { ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials or arbitrary resource "helm_release" "kubernetes_secret" { - count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary" || var.sm_secret_type == "trusted_profile") && local.is_dockerjsonconfig_chain == false ? 1 : 0 - name = local.helm_secret_name - namespace = local.es_helm_rls_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary" || var.sm_secret_type == "trusted_profile") && local.is_dockerjsonconfig_chain == false ? 1 : 0 + name = local.helm_secret_name + namespace = local.es_helm_rls_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: @@ -143,13 +142,12 @@ resource "helm_release" "kubernetes_secret" { ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials and kubernetes secret type dockerjsonconfig and configured with a chain of secrets resource "helm_release" "kubernetes_secret_chain_list" { - count = local.is_dockerjsonconfig_chain == true ? 1 : 0 - name = local.helm_secret_name - namespace = local.es_helm_rls_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = local.is_dockerjsonconfig_chain == true ? 1 : 0 + name = local.helm_secret_name + namespace = local.es_helm_rls_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: 
@@ -186,13 +184,12 @@ resource "helm_release" "kubernetes_secret_chain_list" { ### Define kubernetes secret to be installed in cluster for opaque secret type based on SM user credential secret type resource "helm_release" "kubernetes_secret_user_pw" { - count = var.sm_secret_type == "username_password" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = var.sm_secret_type == "username_password" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: @@ -231,13 +228,12 @@ resource "helm_release" "kubernetes_secret_user_pw" { ### Define kubernetes secret to be installed in cluster for certificate secret based on SM certificate secret type resource "helm_release" "kubernetes_secret_certificate" { - count = local.is_certificate ? 1 : 0 #checkov:skip=CKV_SECRET_6 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = local.is_certificate ? 1 : 0 #checkov:skip=CKV_SECRET_6 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: 
@@ -269,13 +265,12 @@ resource "helm_release" "kubernetes_secret_certificate" { ### Define kubernetes secret to be installed in cluster for key-value secret based on SM kv secret type based on keyid or key path resource "helm_release" "kubernetes_secret_kv_key" { - count = local.is_kv && local.kv_remoteref_property != "" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = local.is_kv && local.kv_remoteref_property != "" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: @@ -310,13 +305,12 @@ resource "helm_release" "kubernetes_secret_kv_key" { ### Define kubernetes secret to be installed in cluster for key-value secret based on SM kv secret type pulling all the keys structure resource "helm_release" "kubernetes_secret_kv_all" { - count = local.is_kv && local.kv_remoteref_property == "" ? 1 : 0 - name = local.helm_secret_name - namespace = var.es_kubernetes_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - force_update = true + count = local.is_kv && local.kv_remoteref_property == "" ? 1 : 0 + name = local.helm_secret_name + namespace = var.es_kubernetes_namespace + chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" + version = local.helm_raw_chart_version + timeout = 600 values = [ <<-EOF resources: diff --git a/modules/eso-secretstore/main.tf b/modules/eso-secretstore/main.tf index 29c6187f..a5772431 100644 --- a/modules/eso-secretstore/main.tf +++ b/modules/eso-secretstore/main.tf 
@@ -22,13 +22,12 @@ resource "kubernetes_secret" "eso_secretsstore_secret" {
 ### Define secret store used to connect with SM instance for apikey auth
 resource "helm_release" "external_secret_store_apikey" {
- count = var.eso_authentication == "api_key" ? 1 : 0
- name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52)
- namespace = var.sstore_namespace
- chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
- version = local.helm_raw_chart_version
- timeout = 600
- force_update = true
+ count = var.eso_authentication == "api_key" ? 1 : 0
+ name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52)
+ namespace = var.sstore_namespace
+ chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
+ version = local.helm_raw_chart_version
+ timeout = 600
 values = [
 <<-EOF
 resources:
@@ -52,13 +51,12 @@ resource "helm_release" "external_secret_store_apikey" {
 # Trusted profile authentication Use ContainerAuth with CRI based authentication (trusted profile support)
 resource "helm_release" "external_secret_store_tp" {
- count = var.eso_authentication == "trusted_profile" ? 1 : 0
- name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52)
- namespace = var.sstore_namespace
- chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
- version = local.helm_raw_chart_version
- timeout = 600
- force_update = true
+ count = var.eso_authentication == "trusted_profile" ? 1 : 0
+ name = substr(join("-", [var.sstore_namespace, var.sstore_helm_rls_name]), 0, 52)
+ namespace = var.sstore_namespace
+ chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
+ version = local.helm_raw_chart_version
+ timeout = 600
 values = [
 <<-EOF
 resources:
diff --git a/variables.tf b/variables.tf
index 7ce512bc..222441aa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -95,7 +95,7 @@ variable "eso_chart_location" {
 variable "eso_chart_version" {
 type = string
 description = "The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso_image_version."
- default = "0.17.0" # registryUrl: charts.external-secrets.io
+ default = "0.16.2" # registryUrl: charts.external-secrets.io
 nullable = false
 }
From 3270b69a5002b9b32d5541bd7423e8d830bf10fd Mon Sep 17 00:00:00 2001
From: valerio-bontempi
Date: Fri, 30 May 2025 20:01:37 +0200
Subject: [PATCH 7/7] docs: fixed README usage SKIP UPGRADE TEST
---
 README.md | 21 ++++----------------
 1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index cd375ff6..eedc557b 100644
--- a/README.md
+++ b/README.md
@@ -469,23 +469,10 @@ data:
 ## Usage
 ```hcl
-module "es_kubernetes_secret" {
- source = "../modules/eso-external-secret"
- es_kubernetes_secret_type = "dockerconfigjson"
- sm_secret_type = "iam_credentials"
- sm_secret_id = module.docker_config.serviceid_apikey_secret_id
- eso_setup = true
- es_kubernetes_namespaces = var.es_kubernetes_namespaces
- es_docker_email = "terraform@ibm.com"
- eso_generic_secret_apikey = data.ibm_secrets_manager_secret.secret_puller_secret.api_key # pragma: allowlist secret
- secrets_manager_guid = module.secrets_manager_iam_configuration.secrets_manager_guid
- region = "us-south"
- es_kubernetes_secret_name = "dockerconfigjson-iam"
- depends_on = [
- kubernetes_namespace.cluster_namespaces
- ]
- es_kubernetes_secret_data_key = "apiKey"
- es_helm_rls_name = "es-docker-iam"
+# Replace "master" with a GIT release version to lock into a specific release
+module "external_secrets_operator" {
+ source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator.git?ref=master"
+ eso_namespace = var.eso_namespace
 }
 ```
