From 795ad1c13c829bced733d93680d704bd9ed66ef5 Mon Sep 17 00:00:00 2001 From: = Date: Sun, 13 Apr 2025 22:45:48 +0530 Subject: [PATCH 01/10] Breaking: Added support for trusted profile as an input --- modules/eso-external-secret/main.tf | 55 +++++++++++++++++++++--- modules/eso-external-secret/variables.tf | 10 ++++- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 46c8cabc..52f0f12d 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf 
@@ -17,9 +17,9 @@ locals {
 # dockerjsonconfig secrets chain flag
 is_dockerjsonconfig_chain = length(var.es_container_registry_secrets_chain) > 0 ? true : false
- # validation for dockerjsonconfig secrets chain -> if it is a chain the kube secret type must be dockerconfigjson and sm secret type iam_credentials
- validate_condition_chain = local.is_dockerjsonconfig_chain == true && (var.es_kubernetes_secret_type != "dockerconfigjson" || var.sm_secret_type != "iam_credentials") # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
- validate_msg_chain = "If the externalsecret is expected to generate a dockerjsonconfig secrets chain the only supported value for es_kubernetes_secret_type is dockerconfigjson and for sm_secret_type is iam_credentials"
+ # validation for dockerjsonconfig secrets chain -> if it is a chain the kube secret type must be dockerconfigjson and sm secret types iam_credentials, trusted_profile
+ validate_condition_chain = local.is_dockerjsonconfig_chain == true && (var.es_kubernetes_secret_type != "dockerconfigjson" || (var.sm_secret_type != "iam_credentials" && var.sm_secret_type != "trusted_profile")) # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
+ validate_msg_chain = "If the externalsecret is expected to generate a dockerjsonconfig secrets chain the only supported value for es_kubernetes_secret_type is dockerconfigjson and for sm_secret_type is iam_credentials and trusted_profile"
 # tflint-ignore: terraform_unused_declarations
 validate_check_chain = regex("^${local.validate_msg_chain}$", (!local.validate_condition_chain ? local.validate_msg_chain : ""))
@@ -46,7 +46,7 @@ locals { certificate_spec_data = local.is_certificate ? (var.sm_secret_type == "public_cert" ? local.public_certificate_spec_data : (var.sm_secret_type == "imported_cert" ? local.imported_certificate_spec_data : (var.sm_secret_type == "private_cert" ? local.private_certificate_spec_data : ""))) : "" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value # dockerjson format - docker_user = var.sm_secret_type == "username_password" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value + docker_user = var.sm_secret_type == "username_password" || var.sm_secret_type=="trusted_profile" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value docker_password = var.sm_secret_type == "username_password" ? "{{ .password }}" : "{{ .secretid }}" # setting data_type according to the kube secret and the SM secret types @@ -85,6 +85,10 @@ locals { "username" : "iamapikey", "password" : "{{ .secretid_${index} }}", "email" : (element.es_container_registry_email) } : + (element.trusted_profile != null && element.trusted_profile != "") ? + { + "username" : element.trusted_profile, "password" : "{{ .secretid_${index} }}" + }: { "username" : "iamapikey", "password" : "{{ .secretid_${index} }}" } @@ -168,7 +172,7 @@ resource "helm_release" "kubernetes_secret" { ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials and kubernetes secret type dockerjsonconfig and configured with a chain of secrets resource "helm_release" "kubernetes_secret_chain_list" { - count = local.is_dockerjsonconfig_chain == true ? 1 : 0 + count = local.is_dockerjsonconfig_chain == true && var.sm_secret_type!="trusted_profile" ? 1 : 0 name = local.helm_secret_name namespace = local.es_helm_rls_namespace chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" 
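Review bot: In the `local.data_chain` branch added in the second hunk, an element that sets both `es_container_registry_email` and `trusted_profile` never reaches the new branch, because the preceding branch (its condition sits above the hunk and, judging by the `email` field it emits, presumably tests `es_container_registry_email`) is evaluated first and yields `iamapikey`; the new branch also drops the `email` field entirely, so a trusted-profile entry can never carry one. If the trusted profile is meant to take precedence, test it before the email branch and carry the email through, e.g. `(element.trusted_profile != null && element.trusted_profile != "") ? merge({ "username" : element.trusted_profile, "password" : "{{ .secretid_${index} }}" }, element.es_container_registry_email != null ? { "email" : element.es_container_registry_email } : {}) :`. Either way the precedence rule deserves a comment next to the conditional, since the input object allows all three fields at once.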
@@ -207,6 +211,47 @@ resource "helm_release" "kubernetes_secret_chain_list" {
 ]
 }
+resource "helm_release" "kubernetes_secret_chain_list_tp" {
+ count = local.is_dockerjsonconfig_chain == true && var.sm_secret_type=="trusted_profile" ? 1 : 0
+ name = local.helm_secret_name
+ namespace = local.es_helm_rls_namespace
+ chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
+ version = local.helm_raw_chart_version
+ timeout = 600
+ values = [
+ <<-EOF
+ resources:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ExternalSecret
+ metadata:
+ name: "${var.es_kubernetes_secret_name}"
+ namespace: "${var.es_kubernetes_namespace}"
+ spec:
+ refreshInterval: ${var.es_refresh_interval}
+ secretStoreRef:
+ name: "${var.eso_store_name}"
+ kind: "${local.secret_store_ref_kind}"
+ target:
+ name: "${var.es_kubernetes_secret_name}"
+ template:
+ engineVersion: v2
+ type: "${local.es_kubernetes_secret_type}"
+ metadata:
+ annotations:
+ ${local.reloader_annotation}
+ data:
+ ${local.data_chain}
+ data:
+%{for index, element in var.es_container_registry_secrets_chain~}
+ - secretKey: secretid_${index}
+ remoteRef:
+ key: "${element.sm_secret_id}"
+%{endfor~}
+ EOF
+ ]
+}
+
+
 ### Define kubernetes secret to be installed in cluster for opaque secret type based on SM user credential secret type
 resource "helm_release" "kubernetes_secret_user_pw" {
 count = var.sm_secret_type == "username_password" ? 1 : 0
diff --git a/modules/eso-external-secret/variables.tf b/modules/eso-external-secret/variables.tf
index 3dbb168f..4ba083d4 100644
--- a/modules/eso-external-secret/variables.tf
+++ b/modules/eso-external-secret/variables.tf
@@ -53,9 +53,9 @@ variable "sm_secret_type" {
 description = "Secrets-manager secret type to be used as source data by ESO. Valid input types are 'arbitrary', 'username_password' and 'iam_credentials'"
 type = string
 validation {
- condition = can(regex("^iam_credentials$|^username_password$|^arbitrary$|^imported_cert$|^public_cert$|^private_cert|^kv$|$^$", var.sm_secret_type))
+ condition = can(regex("^iam_credentials$|^username_password$|^trusted_profile$|^arbitrary$|^imported_cert$|^public_cert$|^private_cert|^kv$|$^$", var.sm_secret_type))
 # If it is empty, no secret will be created
- error_message = "The sm_secret_type value must be one of the following: iam_credentials, username_password, arbitrary, imported_cert, public_cert, private_cert, kv or leave it empty."
+ error_message = "The sm_secret_type value must be one of the following: iam_credentials, trusted_profile, username_password, arbitrary, imported_cert, public_cert, private_cert, kv or leave it empty."
 }
 }
@@ -82,10 +82,16 @@ variable "es_container_registry_secrets_chain" {
 es_container_registry = string
 sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
 es_container_registry_email = optional(string, null)
+ trusted_profile = optional(string,null)
 }))
 default = []
 nullable = false
 }
+variable "deploy_username_apikey" {
+ description = "The secret manager certificate is provided with intermediate certificate. By enabling this flag the certificate body on kube will contain certificate and intermediate content, otherwise only certificate will be added. Valid only for public and imported certificate"
+ type = bool
+ default = true
+}
 variable "es_helm_rls_name" {
 description = "Name to use for the helm release for externalsecrets resource. Must be unique in the namespace"
From cda23e984941e1ab498905124e6431bc3b081643 Mon Sep 17 00:00:00 2001
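Review bot: The rewritten validation regex in the first hunk still leaves `^private_cert` without a closing `$`, so any value that merely starts with `private_cert` (a typo such as `private_certs`, constructed example) passes validation and is then a type that none of the resource `count` conditions visible on this page handle; the same condition line is carried unchanged into the sm_secret_type hunk of patch 05. A list check is easier to keep in sync with the error message: `condition = var.sm_secret_type == "" || contains(["iam_credentials", "username_password", "trusted_profile", "arbitrary", "imported_cert", "public_cert", "private_cert", "kv"], var.sm_secret_type)`. In the second hunk the new `trusted_profile` attribute has no comment although its sibling `sm_secret_id` does; suggest `trusted_profile = optional(string, null) # trusted profile used as the dockerconfigjson username for this registry entry; the secret in sm_secret_id still supplies the password`.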
From: = Date: Sun, 13 Apr 2025 22:58:28 +0530 Subject: [PATCH 02/10] Chore: Removed unused variables --- modules/eso-external-secret/variables.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/eso-external-secret/variables.tf b/modules/eso-external-secret/variables.tf index 4ba083d4..903dab3d 100644 --- a/modules/eso-external-secret/variables.tf +++ b/modules/eso-external-secret/variables.tf @@ -87,11 +87,6 @@ variable "es_container_registry_secrets_chain" { default = [] nullable = false } -variable "deploy_username_apikey" { - description = "The secret manager certificate is provided with intermediate certificate. By enabling this flag the certificate body on kube will contain certificate and intermediate content, otherwise only certificate will be added. Valid only for public and imported certificate" - type = bool - default = true -} variable "es_helm_rls_name" { description = "Name to use for the helm release for externalsecrets resource. Must be unique in the namespace" From ec54d5631ae65074bb7214eeb93ea1e6fa4ada75 Mon Sep 17 00:00:00 2001 From: = Date: Tue, 15 Apr 2025 14:35:05 +0530 Subject: [PATCH 03/10] Chore: removed trusted_profile from docker_user --- modules/eso-external-secret/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 52f0f12d..a7f502d4 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf 
@@ -46,7 +46,7 @@ locals {
 certificate_spec_data = local.is_certificate ? (var.sm_secret_type == "public_cert" ? local.public_certificate_spec_data : (var.sm_secret_type == "imported_cert" ? local.imported_certificate_spec_data : (var.sm_secret_type == "private_cert" ? local.private_certificate_spec_data : ""))) : "" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 # dockerjson format
- docker_user = var.sm_secret_type == "username_password" || var.sm_secret_type=="trusted_profile" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
+ docker_user = var.sm_secret_type == "username_password" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 docker_password = var.sm_secret_type == "username_password" ? "{{ .password }}" : "{{ .secretid }}"
 # setting data_type according to the kube secret and the SM secret types
From c0e5d5fa6e60554e6cc1869133d0de245e0287f6 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 15 Apr 2025 14:38:04 +0530
Subject: [PATCH 04/10] Chore: Updated the comments
---
 modules/eso-external-secret/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf
index a7f502d4..5390a027 100644
--- a/modules/eso-external-secret/main.tf
+++ b/modules/eso-external-secret/main.tf
@@ -17,9 +17,9 @@ locals {
 # dockerjsonconfig secrets chain flag
 is_dockerjsonconfig_chain = length(var.es_container_registry_secrets_chain) > 0 ? true : false
- # validation for dockerjsonconfig secrets chain -> if it is a chain the kube secret type must be dockerconfigjson and sm secret types iam_credentials, trusted_profile
+ # validation for dockerjsonconfig secrets chain -> if it is a chain the kube secret type must be dockerconfigjson and sm secret types iam_credentials or trusted_profile
 validate_condition_chain = local.is_dockerjsonconfig_chain == true && (var.es_kubernetes_secret_type != "dockerconfigjson" || (var.sm_secret_type != "iam_credentials" && var.sm_secret_type != "trusted_profile")) # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
- validate_msg_chain = "If the externalsecret is expected to generate a dockerjsonconfig secrets chain the only supported value for es_kubernetes_secret_type is dockerconfigjson and for sm_secret_type is iam_credentials and trusted_profile"
+ validate_msg_chain = "If the externalsecret is expected to generate a dockerjsonconfig secrets chain the only supported value for es_kubernetes_secret_type is dockerconfigjson and for sm_secret_type is iam_credentials or trusted_profile"
 # tflint-ignore: terraform_unused_declarations
 validate_check_chain = regex("^${local.validate_msg_chain}$", (!local.validate_condition_chain ? local.validate_msg_chain : ""))
From 5e71c549df6e7b5bd3b747b63757d2cebd4fb305 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 15 Apr 2025 14:41:06 +0530
Subject: [PATCH 05/10] Chore: Updated the description and error message for the variable sm_secret_type
---
 modules/eso-external-secret/variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/eso-external-secret/variables.tf b/modules/eso-external-secret/variables.tf
index 903dab3d..bb08ebcb 100644
--- a/modules/eso-external-secret/variables.tf
+++ b/modules/eso-external-secret/variables.tf
@@ -50,12 +50,12 @@ variable "es_kubernetes_secret_data_key" { } variable "sm_secret_type" { - description = "Secrets-manager secret type to be used as source data by ESO. Valid input types are 'arbitrary', 'username_password' and 'iam_credentials'" + description = "Secrets-manager secret type to be used as source data by ESO. Valid input types are 'iam_credentials', 'username_password', 'trusted_profile', 'arbitrary', 'imported_cert', 'public_cert', 'private_cert', 'kv'" type = string validation { condition = can(regex("^iam_credentials$|^username_password$|^trusted_profile$|^arbitrary$|^imported_cert$|^public_cert$|^private_cert|^kv$|$^$", var.sm_secret_type)) # If it is empty, no secret will be created - error_message = "The sm_secret_type value must be one of the following: iam_credentials, trusted_profile, username_password, arbitrary, imported_cert, public_cert, private_cert, kv or leave it empty." + error_message = "The sm_secret_type value must be one of the following: iam_credentials, username_password, trusted_profile, arbitrary, imported_cert, public_cert, private_cert, kv or leave it empty." } } From a12369bb382d442a15fa558b08195420e899e7c7 Mon Sep 17 00:00:00 2001 From: = Date: Tue, 15 Apr 2025 14:48:19 +0530 Subject: [PATCH 06/10] Chore: Updated the docker_user --- modules/eso-external-secret/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 5390a027..b6bf3b23 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf 
@@ -46,7 +46,7 @@ locals {
 certificate_spec_data = local.is_certificate ? (var.sm_secret_type == "public_cert" ? local.public_certificate_spec_data : (var.sm_secret_type == "imported_cert" ? local.imported_certificate_spec_data : (var.sm_secret_type == "private_cert" ? local.private_certificate_spec_data : ""))) : "" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 # dockerjson format
- docker_user = var.sm_secret_type == "username_password" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
+ docker_user = var.sm_secret_type == "username_password" || var.sm_secret_type=="trusted_profile" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 docker_password = var.sm_secret_type == "username_password" ? "{{ .password }}" : "{{ .secretid }}"
 # setting data_type according to the kube secret and the SM secret types
From be521bd2a04e97c700652c46a843dd881322d7ab Mon Sep 17 00:00:00 2001
From: =
Date: Wed, 23 Apr 2025 10:47:23 +0530
Subject: [PATCH 07/10] Update: Merged the secret chain list blocks
---
 modules/eso-external-secret/main.tf | 48 +++-------------------------
 1 file changed, 4 insertions(+), 44 deletions(-)
diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf
index b6bf3b23..206ec70c 100644
--- a/modules/eso-external-secret/main.tf
+++ b/modules/eso-external-secret/main.tf
@@ -133,7 +133,7 @@ locals {
 ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials or arbitrary
 resource "helm_release" "kubernetes_secret" {
- count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary") && local.is_dockerjsonconfig_chain == false ? 1 : 0
+ count = (var.sm_secret_type == "iam_credentials" || var.sm_secret_type == "arbitrary" || var.sm_secret_type == "trusted_profile") && local.is_dockerjsonconfig_chain == false ? 1 : 0
 name = local.helm_secret_name
 namespace = local.es_helm_rls_namespace
 chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
@@ -172,7 +172,7 @@ resource "helm_release" "kubernetes_secret" {
 ### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials and kubernetes secret type dockerjsonconfig and configured with a chain of secrets
 resource "helm_release" "kubernetes_secret_chain_list" {
- count = local.is_dockerjsonconfig_chain == true && var.sm_secret_type!="trusted_profile" ? 1 : 0
+ count = local.is_dockerjsonconfig_chain == true ? 1 : 0
 name = local.helm_secret_name
 namespace = local.es_helm_rls_namespace
 chart = "${path.module}/../../chart/${local.helm_raw_chart_name}"
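Review bot: The header comment above `helm_release.kubernetes_secret` in the first hunk (`### Define kubernetes secret ... for sm_secret_type iam_credentials or arbitrary`) is now stale, because the new `count` condition also enables the resource for `trusted_profile`; the comment above `kubernetes_secret_chain_list` in the second hunk has the same gap once the `!= "trusted_profile"` exclusion is dropped. Suggest `### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials, trusted_profile or arbitrary` and `### Define kubernetes secret to be installed in cluster for sm_secret_type iam_credentials or trusted_profile and kubernetes secret type dockerjsonconfig and configured with a chain of secrets`. Both resources' bodies, including the remoteRef key of the single-secret resource, lie outside these hunks; if that key is derived from `var.sm_secret_type` the way the chain key was, a `trusted_profile` release would request `trusted_profile/<id>` rather than the `iam_credentials/<id>` mapping the following hunk introduces, which is worth confirming.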
@@ -205,47 +205,7 @@ resource "helm_release" "kubernetes_secret_chain_list" { %{for index, element in var.es_container_registry_secrets_chain~} - secretKey: secretid_${index} remoteRef: - key: "${var.sm_secret_type}/${element.sm_secret_id}" -%{endfor~} - EOF - ] -} - -resource "helm_release" "kubernetes_secret_chain_list_tp" { - count = local.is_dockerjsonconfig_chain == true && var.sm_secret_type=="trusted_profile" ? 1 : 0 - name = local.helm_secret_name - namespace = local.es_helm_rls_namespace - chart = "${path.module}/../../chart/${local.helm_raw_chart_name}" - version = local.helm_raw_chart_version - timeout = 600 - values = [ - <<-EOF - resources: - - apiVersion: external-secrets.io/v1beta1 - kind: ExternalSecret - metadata: - name: "${var.es_kubernetes_secret_name}" - namespace: "${var.es_kubernetes_namespace}" - spec: - refreshInterval: ${var.es_refresh_interval} - secretStoreRef: - name: "${var.eso_store_name}" - kind: "${local.secret_store_ref_kind}" - target: - name: "${var.es_kubernetes_secret_name}" - template: - engineVersion: v2 - type: "${local.es_kubernetes_secret_type}" - metadata: - annotations: - ${local.reloader_annotation} - data: - ${local.data_chain} - data: -%{for index, element in var.es_container_registry_secrets_chain~} - - secretKey: secretid_${index} - remoteRef: - key: "${element.sm_secret_id}" + key: "${var.sm_secret_type == "trusted_profile" ? "iam_credentials/${element.sm_secret_id}" : "${var.sm_secret_type}/${element.sm_secret_id}"}" %{endfor~} EOF ] @@ -410,4 +370,4 @@ resource "helm_release" "kubernetes_secret_kv_all" { key: "${local.es_remoteref_key}" EOF ] -} +} \ No newline at end of file From 2616e81c3608941b75b73aef7e40dd8517d01e4b Mon Sep 17 00:00:00 2001 From: = Date: Thu, 24 Apr 2025 20:17:23 +0530 Subject: [PATCH 08/10] Chore: Removed the trusted profile type from docker_user --- modules/eso-external-secret/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
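Review bot: The remoteRef key in the first hunk of this file section silently reads an `iam_credentials` secret whenever `sm_secret_type` is `trusted_profile`, and nothing near the expression records why; a reader of `kubernetes_secret_chain_list` (whose body starts above the hunk) only sees the declared type apparently being overridden. The inner `"${var.sm_secret_type}/${element.sm_secret_id}"` interpolation is also redundant, so the line can be shorter and the intent stated on a comment line in the heredoc just above it: `# trusted_profile chains authenticate with the IAM credentials secret in sm_secret_id; the profile itself is only the username` followed by `key: "${var.sm_secret_type == "trusted_profile" ? "iam_credentials" : var.sm_secret_type}/${element.sm_secret_id}"`.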
diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf
index 206ec70c..71b853d3 100644
--- a/modules/eso-external-secret/main.tf
+++ b/modules/eso-external-secret/main.tf
@@ -46,7 +46,7 @@ locals {
 certificate_spec_data = local.is_certificate ? (var.sm_secret_type == "public_cert" ? local.public_certificate_spec_data : (var.sm_secret_type == "imported_cert" ? local.imported_certificate_spec_data : (var.sm_secret_type == "private_cert" ? local.private_certificate_spec_data : ""))) : "" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 # dockerjson format
- docker_user = var.sm_secret_type == "username_password" || var.sm_secret_type=="trusted_profile" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
+ docker_user = var.sm_secret_type == "username_password" ? "{{ .username }}" : "iamapikey" # checkov:skip=CKV_SECRET_6: does not require high entropy string as is static value
 docker_password = var.sm_secret_type == "username_password" ? "{{ .password }}" : "{{ .secretid }}"
 # setting data_type according to the kube secret and the SM secret types
From beb805e005d22ec4626dd24235a7a3a8098cadd2 Mon Sep 17 00:00:00 2001
From: =
Date: Fri, 25 Apr 2025 15:20:41 +0530
Subject: [PATCH 09/10] Chore: Pre-commit correction
---
 README.md | 4 ++--
 modules/eso-external-secret/README.md | 4 ++--
 modules/eso-external-secret/main.tf | 4 ++--
 modules/eso-external-secret/variables.tf | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 43cbf92f..95c2d91f 100644
--- a/README.md
+++ b/README.md
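Review bot: After this change the single-secret dockerconfigjson path uses `iamapikey` as the username for `trusted_profile` (the restored `docker_user` line), while the chain path in `local.data_chain` introduced in patch 01 uses `element.trusted_profile` as the username for the same secret type; the series flips this line three times (patches 03, 06 and 08) without recording which form the registry actually accepts. Whichever is right, the two paths should agree, and the decision belongs in the comment above the line, e.g. `# dockerjson format - for trusted_profile the chain path uses the profile as username (see local.data_chain); the single-secret path keeps "iamapikey" because <reason from the author>`. `docker_password` on the next line also still yields `{{ .secretid }}` for `trusted_profile`, so the template depends on the fetched secret exposing that field; confirm this holds for the `iam_credentials` secret the chain mapping reads.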
@@ -518,12 +518,12 @@ module "es_kubernetes_secret" { |------|-------------|------|---------|:--------:| | [eso\_chart\_location](#input\_eso\_chart\_location) | The location of the External Secrets Operator Helm chart. | `string` | `"https://charts.external-secrets.io"` | no | | [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.15.1"` | no | -| [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no | +| [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no | | [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no | | [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no | | [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.15.1-ubi@sha256:f9daa7f7072cddc71a1e23ea57574c9e90af65aa21f829d5ed1b092e7704f29f"` | no | | [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no | -| [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. |
object({
annotations = optional(object({
# The annotations for external secret controller pods.
external_secrets = optional(map(string), {})
# The annotations for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The annotations for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})

labels = optional(object({
# The labels for external secret controller pods.
external_secrets = optional(map(string), {})
# The labels for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The labels for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})
})
| `{}` | no | +| [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. |
object({
annotations = optional(object({
# The annotations for external secret controller pods.
external_secrets = optional(map(string), {})
# The annotations for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The annotations for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})

labels = optional(object({
# The labels for external secret controller pods.
external_secrets = optional(map(string), {})
# The labels for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The labels for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})
})
| `{}` | no | | [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no | | [reloader\_chart\_location](#input\_reloader\_chart\_location) | The location of the Reloader Helm chart. | `string` | `"https://stakater.github.io/stakater-charts"` | no | | [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.0.0"` | no | diff --git a/modules/eso-external-secret/README.md b/modules/eso-external-secret/README.md index 19a9b5fa..5e465fce 100644 --- a/modules/eso-external-secret/README.md +++ b/modules/eso-external-secret/README.md @@ -38,7 +38,7 @@ No modules. |------|-------------|------|---------|:--------:| | [es\_container\_registry](#input\_es\_container\_registry) | The registry URL to be used in dockerconfigjson | `string` | `"us.icr.io"` | no | | [es\_container\_registry\_email](#input\_es\_container\_registry\_email) | Optional - Email to be used in dockerconfigjson | `string` | `null` | no | -| [es\_container\_registry\_secrets\_chain](#input\_es\_container\_registry\_secrets\_chain) | Structure to generate a chain of secrets into a single dockerjsonconfig secret for multiple registries authentication. |
list(object({
es_container_registry = string
sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
es_container_registry_email = optional(string, null)
}))
| `[]` | no | +| [es\_container\_registry\_secrets\_chain](#input\_es\_container\_registry\_secrets\_chain) | Structure to generate a chain of secrets into a single dockerjsonconfig secret for multiple registries authentication. |
list(object({
es_container_registry = string
sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
es_container_registry_email = optional(string, null)
trusted_profile = optional(string, null)
}))
| `[]` | no | | [es\_helm\_rls\_name](#input\_es\_helm\_rls\_name) | Name to use for the helm release for externalsecrets resource. Must be unique in the namespace | `string` | n/a | yes | | [es\_helm\_rls\_namespace](#input\_es\_helm\_rls\_namespace) | Namespace to deploy the helm release for the externalsecret. Default if null is the externalsecret namespace | `string` | `null` | no | | [es\_kubernetes\_namespace](#input\_es\_kubernetes\_namespace) | Namespace to use to generate the externalsecret | `string` | n/a | yes | @@ -54,7 +54,7 @@ No modules. | [sm\_kv\_keyid](#input\_sm\_kv\_keyid) | Secrets-Manager key value (kv) keyid | `string` | `null` | no | | [sm\_kv\_keypath](#input\_sm\_kv\_keypath) | Secrets-Manager key value (kv) keypath | `string` | `null` | no | | [sm\_secret\_id](#input\_sm\_secret\_id) | Secrets-Manager secret ID where source data will be synchronized with Kubernetes secret. It can be null only in the case of a dockerjsonconfig secrets chain | `string` | n/a | yes | -| [sm\_secret\_type](#input\_sm\_secret\_type) | Secrets-manager secret type to be used as source data by ESO. Valid input types are 'arbitrary', 'username\_password' and 'iam\_credentials' | `string` | n/a | yes | +| [sm\_secret\_type](#input\_sm\_secret\_type) | Secrets-manager secret type to be used as source data by ESO. Valid input types are 'iam\_credentials', 'username\_password', 'trusted\_profile', 'arbitrary', 'imported\_cert', 'public\_cert', 'private\_cert', 'kv' | `string` | n/a | yes | ### Outputs diff --git a/modules/eso-external-secret/main.tf b/modules/eso-external-secret/main.tf index 71b853d3..97db163d 100644 --- a/modules/eso-external-secret/main.tf +++ b/modules/eso-external-secret/main.tf @@ -88,7 +88,7 @@ locals { (element.trusted_profile != null && element.trusted_profile != "") ? { "username" : element.trusted_profile, "password" : "{{ .secretid_${index} }}" - }: + } : { "username" : "iamapikey", "password" : "{{ .secretid_${index} }}" } 
@@ -370,4 +370,4 @@ resource "helm_release" "kubernetes_secret_kv_all" {
 key: "${local.es_remoteref_key}"
 EOF
 ]
-}
\ No newline at end of file
+}
diff --git a/modules/eso-external-secret/variables.tf b/modules/eso-external-secret/variables.tf
index bb08ebcb..dae5da24 100644
--- a/modules/eso-external-secret/variables.tf
+++ b/modules/eso-external-secret/variables.tf
@@ -82,7 +82,7 @@ variable "es_container_registry_secrets_chain" {
 es_container_registry = string
 sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
 es_container_registry_email = optional(string, null)
- trusted_profile = optional(string,null)
+ trusted_profile = optional(string, null)
 }))
 default = []
 nullable = false
From d54ab6d2b65d0c0e7853054e9699c356872cac8c Mon Sep 17 00:00:00 2001
From: Daniel Butler
Date: Fri, 25 Apr 2025 13:47:01 +0100
Subject: [PATCH 10/10] docs: fix readmes
---
 README.md | 4 ++--
 modules/eso-external-secret/README.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 95c2d91f..43cbf92f 100644
--- a/README.md
+++ b/README.md
@@ -518,12 +518,12 @@ module "es_kubernetes_secret" {
 |------|-------------|------|---------|:--------:|
 | [eso\_chart\_location](#input\_eso\_chart\_location) | The location of the External Secrets Operator Helm chart. | `string` | `"https://charts.external-secrets.io"` | no |
 | [eso\_chart\_version](#input\_eso\_chart\_version) | The version of the External Secrets Operator Helm chart. Ensure that the chart version is compatible with the image version specified in eso\_image\_version. | `string` | `"0.15.1"` | no |
-| [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no |
+| [eso\_cluster\_nodes\_configuration](#input\_eso\_cluster\_nodes\_configuration) | Configuration to use to customise ESO deployment on specific cluster nodes. Setting appropriate values will result in customising ESO helm release. Default value is null to keep ESO standard deployment. |
object({
nodeSelector = object({
label = string
value = string
})
tolerations = object({
key = string
operator = string
value = string
effect = string
})
})
| `null` | no |
 | [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no |
 | [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no |
 | [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.15.1-ubi@sha256:f9daa7f7072cddc71a1e23ea57574c9e90af65aa21f829d5ed1b092e7704f29f"` | no |
 | [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no |
-| [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. |
object({
annotations = optional(object({
# The annotations for external secret controller pods.
external_secrets = optional(map(string), {})
# The annotations for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The annotations for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})

labels = optional(object({
# The labels for external secret controller pods.
external_secrets = optional(map(string), {})
# The labels for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The labels for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})
})
| `{}` | no |
+| [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. |
object({
annotations = optional(object({
# The annotations for external secret controller pods.
external_secrets = optional(map(string), {})
# The annotations for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The annotations for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})

labels = optional(object({
# The labels for external secret controller pods.
external_secrets = optional(map(string), {})
# The labels for external secret cert controller pods.
external_secrets_cert_controller = optional(map(string), {})
# The labels for external secret controller pods.
external_secrets_webhook = optional(map(string), {})
}), {})
})
| `{}` | no |
 | [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no |
 | [reloader\_chart\_location](#input\_reloader\_chart\_location) | The location of the Reloader Helm chart. | `string` | `"https://stakater.github.io/stakater-charts"` | no |
 | [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.0.0"` | no |
diff --git a/modules/eso-external-secret/README.md b/modules/eso-external-secret/README.md
index 5e465fce..82ddc532 100644
--- a/modules/eso-external-secret/README.md
+++ b/modules/eso-external-secret/README.md
@@ -38,7 +38,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [es\_container\_registry](#input\_es\_container\_registry) | The registry URL to be used in dockerconfigjson | `string` | `"us.icr.io"` | no |
 | [es\_container\_registry\_email](#input\_es\_container\_registry\_email) | Optional - Email to be used in dockerconfigjson | `string` | `null` | no |
-| [es\_container\_registry\_secrets\_chain](#input\_es\_container\_registry\_secrets\_chain) | Structure to generate a chain of secrets into a single dockerjsonconfig secret for multiple registries authentication. |
list(object({
es_container_registry = string
sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
es_container_registry_email = optional(string, null)
trusted_profile = optional(string, null)
}))
| `[]` | no | +| [es\_container\_registry\_secrets\_chain](#input\_es\_container\_registry\_secrets\_chain) | Structure to generate a chain of secrets into a single dockerjsonconfig secret for multiple registries authentication. |
list(object({
es_container_registry = string
sm_secret_id = string # id of the secret storing the apikey that will be used for the secrets chain
es_container_registry_email = optional(string, null)
trusted_profile = optional(string, null)
}))
| `[]` | no |
 | [es\_helm\_rls\_name](#input\_es\_helm\_rls\_name) | Name to use for the helm release for externalsecrets resource. Must be unique in the namespace | `string` | n/a | yes |
 | [es\_helm\_rls\_namespace](#input\_es\_helm\_rls\_namespace) | Namespace to deploy the helm release for the externalsecret. Default if null is the externalsecret namespace | `string` | `null` | no |
 | [es\_kubernetes\_namespace](#input\_es\_kubernetes\_namespace) | Namespace to use to generate the externalsecret | `string` | n/a | yes |