Improve readme around SecretStore/ClusterSecretStore #19

Open · 1 task done
domenicbove opened this issue Sep 11, 2023 · 0 comments
Labels: feature-request (New feature)

domenicbove commented Sep 11, 2023

Contact Details (optional)

I am attempting to add your terraform module, but found it was unclear what to put into the SecretStore object

Summary

Thanks a lot for open sourcing this Terraform code! I finally got it working on my end, but ran into a few gotchas. The first thing I found is that if you have your EKS cluster name, you don't need to provide the ARNs as input variables; you could do something like this:

# Look up the cluster by name so the OIDC issuer URL and the provider ARN
# can be derived instead of being passed in as input variables.
data "aws_eks_cluster" "this" {
  name = var.cluster_name
}

# The IAM OIDC provider registered for the cluster's issuer. It must already
# exist (eksctl or the terraform-aws-eks module creates it).
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

# Trust policy: only the named Kubernetes service account in the named
# namespace may assume the role via IRSA (sts:AssumeRoleWithWebIdentity).
data "aws_iam_policy_document" "external_secrets_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }

    # The condition key is "<issuer without https://>:sub". StringEquals
    # (not StringLike) pins the subject to exactly one service account.
    condition {
      test     = "StringEquals"
      variable = "${replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")}:sub"

      values = [
        "system:serviceaccount:${var.namespace}:${var.service_account_name}",
      ]
    }
  }
}

# Role that the external-secrets service account assumes (added so the policy
# document above is actually used; the role name is just an example). Attach
# the Secrets Manager / SSM read policy to this role separately.
resource "aws_iam_role" "external_secrets" {
  name               = "${var.cluster_name}-external-secrets"
  assume_role_policy = data.aws_iam_policy_document.external_secrets_assume.json
}

But that's fairly low priority. The next one that I had to figure out was what to put into the SecretStore/ExternalSecretStore. Your readme just provides links, which weren't too clear. Most of those links say to put AWS creds into a secret, which is not what you want to do. I settled on going with this:

terraform {
  required_providers {
    kubectl = {
      source = "gavinbunney/kubectl"
    }
  }
}

# ClusterSecretStore is cluster-scoped, so it carries no metadata.namespace
# (the API server drops one if set). The namespace that matters is the one in
# serviceAccountRef: the namespace of the IRSA-annotated service account.
resource "kubectl_manifest" "secret_store" {
  # The CRD has to exist before this manifest can be applied.
  depends_on = [helm_release.external_secrets]

  yaml_body = <<-EOF
    # v1alpha1 is deprecated in external-secrets; v1beta1 is the stable API.
    apiVersion: external-secrets.io/v1beta1
    kind: ClusterSecretStore
    metadata:
      name: aws-store
    spec:
      provider:
        aws:
          service: SecretsManager
          # Region where the secrets live; hardcoded here, could be a variable.
          region: us-west-2
          auth:
            # jwt auth: the controller exchanges the service account's projected
            # token for AWS credentials through IRSA. No static AWS keys are
            # stored in the cluster.
            jwt:
              serviceAccountRef:
                name: ${var.service_account_name}
                namespace: ${var.namespace}
    EOF
}

And that really closed the loop on making everything work, because now my developers only have to think about the ExternalSecret resources and point them at this functional ClusterSecretStore.

Motivation

Improve usability

Alternatives

No response

Additional Context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@domenicbove domenicbove added the feature-request New feature label Sep 11, 2023
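Added example, not part of the issue or of the module it discusses: a small Python lint for the two artifacts the issue works through, the IRSA trust policy and the ClusterSecretStore. It checks that the trust policy lets exactly one Kubernetes service account assume the role (Federated principal is the cluster OIDC provider, `:sub` pinned with StringEquals, no StringLike wildcards) and that the store authenticates through `auth.jwt.serviceAccountRef` rather than through static AWS keys in a Secret. It also flags a missing `<issuer>:aud == sts.amazonaws.com` condition, which the issue's snippet does not include; that check is this example's addition, following AWS's IRSA guidance. The issuer host, account ID, namespace, service-account name and manifests are constructed sample values.

```python
import json

# Constructed sample values (assumed; not from any real account or cluster).
ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE1234567890EXAMPLE"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + ISSUER
NAMESPACE = "external-secrets"
SERVICE_ACCOUNT = "external-secrets"


def irsa_trust_policy(issuer, provider_arn, namespace, sa,
                      with_aud=True, test="StringEquals", sub=None):
    """Render a trust policy shaped like the issue's aws_iam_policy_document.

    with_aud=False reproduces the issue's snippet (only a :sub condition);
    test/sub let the caller build weaker variants to run the lint against.
    """
    sub = sub or "system:serviceaccount:%s:%s" % (namespace, sa)
    cond = {test: {issuer + ":sub": sub}}
    if with_aud:  # added hardening, not in the issue's HCL
        cond.setdefault("StringEquals", {})[issuer + ":aud"] = "sts.amazonaws.com"
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": provider_arn},
        "Condition": cond,
    }]})


def _as_list(v):
    """IAM accepts a string or a list of strings in most positions."""
    return [] if v is None else ([v] if isinstance(v, str) else list(v))


def lint_trust_policy(policy_json, issuer, provider_arn, namespace, sa):
    """Return findings; an empty list means the role is scoped to one SA."""
    findings = []
    expected_sub = "system:serviceaccount:%s:%s" % (namespace, sa)
    sub_key, aud_key = issuer + ":sub", issuer + ":aud"
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or \
           "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        fed = _as_list(st.get("Principal", {}).get("Federated"))
        if fed != [provider_arn]:
            findings.append("stmt %d: Federated principal %r is not the cluster OIDC provider" % (i, fed))
        cond = st.get("Condition", {})
        if sub_key in cond.get("StringLike", {}):
            findings.append("stmt %d: %s uses StringLike (wildcards); use StringEquals" % (i, sub_key))
        sub_vals = _as_list(cond.get("StringEquals", {}).get(sub_key))
        if sub_vals != [expected_sub]:
            findings.append("stmt %d: %s is %r, expected [%r]" % (i, sub_key, sub_vals, expected_sub))
        if _as_list(cond.get("StringEquals", {}).get(aud_key)) != ["sts.amazonaws.com"]:
            findings.append("stmt %d: missing %s == sts.amazonaws.com; a token minted for "
                            "another audience could assume this role" % (i, aud_key))
    return findings


def lint_cluster_secret_store(store):
    """Return findings for an ESO ClusterSecretStore given as a parsed dict."""
    findings = []
    if store.get("kind") != "ClusterSecretStore":
        findings.append("kind is %r, expected ClusterSecretStore" % store.get("kind"))
    if "namespace" in store.get("metadata", {}):
        findings.append("metadata.namespace is set on a cluster-scoped resource; drop it")
    auth = store.get("spec", {}).get("provider", {}).get("aws", {}).get("auth", {})
    if "secretRef" in auth:
        findings.append("auth.secretRef points at static AWS keys in a Secret; "
                        "use auth.jwt.serviceAccountRef (IRSA) instead")
    else:
        ref = auth.get("jwt", {}).get("serviceAccountRef", {})
        if not ref.get("name") or not ref.get("namespace"):
            findings.append("auth.jwt.serviceAccountRef needs both name and namespace; "
                            "a ClusterSecretStore has no namespace of its own")
    return findings


# Constructed manifests: the issue's store (jwt auth) and the static-key pattern
# the issue warns against (field names follow the ESO AWS provider spec).
ISSUE_STORE = {
    "apiVersion": "external-secrets.io/v1beta1", "kind": "ClusterSecretStore",
    "metadata": {"name": "aws-store"},
    "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "us-west-2",
             "auth": {"jwt": {"serviceAccountRef": {"name": SERVICE_ACCOUNT,
                                                     "namespace": NAMESPACE}}}}}},
}
STATIC_CREDS_STORE = {
    "apiVersion": "external-secrets.io/v1beta1", "kind": "ClusterSecretStore",
    "metadata": {"name": "aws-store", "namespace": NAMESPACE},
    "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "us-west-2",
             "auth": {"secretRef": {
                 "accessKeyIDSecretRef": {"name": "awssm-secret", "key": "access-key"},
                 "secretAccessKeySecretRef": {"name": "awssm-secret", "key": "secret-access-key"}}}}}},
}

if __name__ == "__main__":
    issue_policy = irsa_trust_policy(ISSUER, PROVIDER_ARN, NAMESPACE, SERVICE_ACCOUNT, with_aud=False)
    for f in lint_trust_policy(issue_policy, ISSUER, PROVIDER_ARN, NAMESPACE, SERVICE_ACCOUNT):
        print("trust policy:", f)
    for f in lint_cluster_secret_store(STATIC_CREDS_STORE):
        print("store:", f)
```

To run this against a real role, feed `lint_trust_policy` the output of `aws iam get-role --query Role.AssumeRolePolicyDocument` (serialized with `json.dumps`) together with the issuer host from `aws eks describe-cluster`; the store lint takes the manifest after YAML parsing, so any YAML loader will do.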