
Commit 90a9b92

committed
feat(ferret): configure secrets and references to be pushed to openbao
1 parent f5b6975 commit 90a9b92

5 files changed

Lines changed: 210 additions & 74 deletions


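--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -132,7 +132,7 @@ module "cnpg" {
 
 # FerretDB Deployment for MongoDB Database Solution
 module "ferretdb" {
-source = "git::https://github.com/necro-cloud/modules//modules/ferretdb?ref=main"
+source = "git::https://github.com/necro-cloud/modules//modules/ferretdb?ref=task/118/ferret-secrets"
 
 // Cluster Secret Store Details
 cluster_secret_store_name = module.openbao.cluster_secret_store_name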
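--- a/modules/ferretdb/cluster.tf
+++ b/modules/ferretdb/cluster.tf
@@ -82,7 +82,7 @@ resource "kubernetes_manifest" "cluster" {
 "login" = true
 "name" = "ferret"
 "passwordSecret" = {
-"name" = kubernetes_secret.ferret_database_credentials.metadata[0].name
+"name" = kubernetes_manifest.ferret_database_credentials_sync.object.spec.target.name
 }
 "replication" = false
 "superuser" = false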
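Review bot: The new reference on line 85 resolves to the ExternalSecret's target name at plan time, so Terraform's dependency is on the ExternalSecret object, not on the `credentials-ferret` Secret that the External Secrets controller materializes asynchronously; the CNPG cluster can therefore be created before that Secret exists. If the cluster's first reconcile fails on the missing secret, a `wait { condition { type = "Ready" status = "True" } }` block on `kubernetes_manifest.ferret_database_credentials_sync` in secrets.tf would make apply block until the Secret is present. The same ordering consideration applies to the references added in locals.tf and mongo-express.tf. The enclosing `resource "kubernetes_manifest" "cluster"` starts before this hunk and continues after it.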
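--- a/modules/ferretdb/locals.tf
+++ b/modules/ferretdb/locals.tf
@@ -1,17 +1,17 @@
 locals {
 access_namespaces = [for config in var.clients : config.namespace]
-managed_roles = [for secret in kubernetes_secret.client_database_credentials : {
+managed_roles = [for index, client in var.clients : {
 "bypassrls" = false
-"comment" = "${secret.data.username} user for postgresql"
+"comment" = "${client.user} user for postgresql"
 "connectionLimit" = -1
 "createdb" = true
 "createrole" = true
 "ensure" = "present"
 "inherit" = true
 "login" = true
-"name" = secret.data.username
+"name" = client.user
 "passwordSecret" = {
-"name" = secret.metadata[0].name
+"name" = kubernetes_manifest.client_database_credentials_sync[index].object.spec.target.name
 }
 "replication" = false
 "superuser" = false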
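--- a/modules/ferretdb/mongo-express.tf
+++ b/modules/ferretdb/mongo-express.tf
@@ -63,7 +63,7 @@ resource "kubernetes_deployment" "mongo_express" {
 name = "DB_USERNAME"
 value_from {
 secret_key_ref {
-name = kubernetes_secret.ferret_database_credentials.metadata[0].name
+name = kubernetes_manifest.ferret_database_credentials_sync.object.spec.target.name
 key = "username"
 }
 }
@@ -73,7 +73,7 @@ resource "kubernetes_deployment" "mongo_express" {
 name = "DB_PASSWORD"
 value_from {
 secret_key_ref {
-name = kubernetes_secret.ferret_database_credentials.metadata[0].name
+name = kubernetes_manifest.ferret_database_credentials_sync.object.spec.target.name
 key = "password"
 }
 }
@@ -99,7 +99,7 @@ resource "kubernetes_deployment" "mongo_express" {
 name = "ME_CONFIG_BASICAUTH_USERNAME"
 value_from {
 secret_key_ref {
-name = kubernetes_secret.ui_credentials.metadata[0].name
+name = kubernetes_manifest.client_database_credentials_sync[count.index].object.spec.target.name
 key = "username"
 }
 }
@@ -109,7 +109,7 @@ resource "kubernetes_deployment" "mongo_express" {
 name = "ME_CONFIG_BASICAUTH_PASSWORD"
 value_from {
 secret_key_ref {
-name = kubernetes_secret.ui_credentials.metadata[0].name
+name = kubernetes_manifest.client_database_credentials_sync[count.index].object.spec.target.name
 key = "password"
 }
 }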
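Review bot: Lines 102 and 112 wire MongoExpress's HTTP basic-auth username and password to a client's database credentials (`client_database_credentials_sync[count.index]`) rather than to the new `mongo_express_credentials_sync` ExternalSecret that secrets.tf introduces for the UI and that nothing in this commit references, so the UI login would expose a client's database password. The `count.index` expression also only resolves if `kubernetes_deployment.mongo_express` carries a `count` argument, which is outside the hunks; the replaced `ui_credentials` secret was not counted, which suggests it does not. I would change both lines to `name = kubernetes_manifest.mongo_express_credentials_sync.object.spec.target.name`. The enclosing resource starts before the first hunk and continues after the last one.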
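--- a/modules/ferretdb/secrets.tf
+++ b/modules/ferretdb/secrets.tf
@@ -38,90 +38,226 @@ resource "kubernetes_manifest" "garage_configuration_sync" {
 }
 }
 
-// Database credentials configuration for Ferret
-resource "random_password" "ferret_password" {
-length = 20
-lower = true
-numeric = true
-special = false
+// Password Generator for generating random passwords
+resource "kubernetes_manifest" "password_generator" {
+manifest = {
+apiVersion = "generators.external-secrets.io/v1alpha1"
+kind = "Password"
+metadata = {
+name = "password-generator"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+length = 20
+digits = 5
+symbols = 0
+noUpper = true
+}
+}
 }
 
-resource "kubernetes_secret" "ferret_database_credentials" {
-metadata {
-name = "credentials-ferret"
-namespace = kubernetes_namespace.namespace.metadata[0].name
-
-labels = {
-app = var.app_name
-component = "secret"
+// Database credentials configuration for Ferret
+resource "kubernetes_manifest" "ferret_database_credentials_sync" {
+manifest = {
+apiVersion = "external-secrets.io/v1"
+kind = "ExternalSecret"
+metadata = {
+name = "credentials-ferret"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+refreshInterval = "0"
+target = {
+name = "credentials-ferret"
+template = {
+type = "kubernetes.io/basic-auth"
+data = {
+username = "ferret"
+password = "{{ .password }}"
+}
+}
+}
+dataFrom = [{
+sourceRef = {
+generatorRef = {
+apiVersion = "generators.external-secrets.io/v1alpha1"
+kind = "Password"
+name = kubernetes_manifest.password_generator.object.metadata.name
+}
+}
+}]
 }
 }
+}
 
-data = {
-"username" = "ferret"
-"password" = random_password.ferret_password.result
+resource "kubernetes_manifest" "push_ferret_database_credentials" {
+manifest = {
+apiVersion = "external-secrets.io/v1alpha1"
+kind = "PushSecret"
+metadata = {
+name = "push-${kubernetes_manifest.keycloak_database_credentials_sync.object.spec.target.name}"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+refreshInterval = "1h"
+deletionPolicy = "None"
+secretStoreRefs = [{
+name = var.cluster_secret_store_name
+kind = "ClusterSecretStore"
+}]
+selector = {
+secret = {
+name = kubernetes_manifest.keycloak_database_credentials_sync.object.spec.target.name
+}
+}
+data = [
+{
+match = {
+remoteRef = {
+remoteKey = "${kubernetes_namespace.namespace.metadata[0].name}/credentials/${kubernetes_manifest.ferret_database_credentials_sync.object.spec.target.name}"
+}
+}
+}
+]
+}
 }
-
-type = "kubernetes.io/basic-auth"
+depends_on = [kubernetes_manifest.ferret_database_credentials_sync]
 }
 
+
 // Database credentials configuration for all clients
-resource "random_password" "client_password" {
+resource "kubernetes_manifest" "client_database_credentials_sync" {
 count = length(var.clients)
-length = 20
-lower = true
-numeric = true
-special = false
-}
-
-resource "kubernetes_secret" "client_database_credentials" {
-count = length(var.clients)
-metadata {
-name = "credentials-${var.clients[count.index].user}"
-namespace = kubernetes_namespace.namespace.metadata[0].name
-
-labels = {
-app = var.app_name
-component = "secret"
+manifest = {
+apiVersion = "external-secrets.io/v1"
+kind = "ExternalSecret"
+metadata = {
+name = "credentials-${var.clients[count.index].user}"
+namespace = kubernetes_namespace.namespace.metadata[0].name
 }
-
-annotations = {
-"reflector.v1.k8s.emberstack.com/reflection-allowed" = "true"
-"reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces" = var.clients[count.index].namespace
+spec = {
+refreshInterval = "0"
+target = {
+name = "credentials-${var.clients[count.index].user}"
+template = {
+type = "kubernetes.io/basic-auth"
+data = {
+username = var.clients[count.index].user
+password = "{{ .password }}"
+}
+}
+}
+dataFrom = [{
+sourceRef = {
+generatorRef = {
+apiVersion = "generators.external-secrets.io/v1alpha1"
+kind = "Password"
+name = kubernetes_manifest.password_generator.object.metadata.name
+}
+}
+}]
 }
 }
+}
 
-data = {
-"username" = var.clients[count.index].user
-"password" = random_password.client_password[count.index].result
+resource "kubernetes_manifest" "push_client_database_credentials" {
+count = length(var.clients)
+manifest = {
+apiVersion = "external-secrets.io/v1alpha1"
+kind = "PushSecret"
+metadata = {
+name = "push-${kubernetes_manifest.client_database_credentials_sync[count.index].object.spec.target.name}"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+refreshInterval = "1h"
+deletionPolicy = "None"
+secretStoreRefs = [{
+name = var.cluster_secret_store_name
+kind = "ClusterSecretStore"
+}]
+selector = {
+secret = {
+name = kubernetes_manifest.client_database_credentials_sync[count.index].object.spec.target.name
+}
+}
+data = [
+{
+match = {
+remoteRef = {
+remoteKey = "${kubernetes_namespace.namespace.metadata[0].name}/credentials/${kubernetes_manifest.client_database_credentials_sync[count.index].object.spec.target.name}"
+}
+}
+}
+]
+}
 }
-
-type = "kubernetes.io/basic-auth"
+depends_on = [kubernetes_manifest.client_database_credentials_sync]
 }
 
 // UI credentials configuration for MongoExpress
-resource "random_password" "ui_password" {
-length = 20
-lower = true
-numeric = true
-special = false
-}
-
-resource "kubernetes_secret" "ui_credentials" {
-metadata {
-name = "ui-ferret"
-namespace = kubernetes_namespace.namespace.metadata[0].name
-
-labels = {
-app = var.app_name
-component = "secret"
+resource "kubernetes_manifest" "mongo_express_credentials_sync" {
+manifest = {
+apiVersion = "external-secrets.io/v1"
+kind = "ExternalSecret"
+metadata = {
+name = "mongo-express-credentials"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+refreshInterval = "0"
+target = {
+name = "mongo-express-credentials"
+template = {
+data = {
+username = "ferret"
+password = "{{ .password }}"
+}
+}
+}
+dataFrom = [{
+sourceRef = {
+generatorRef = {
+apiVersion = "generators.external-secrets.io/v1alpha1"
+kind = "Password"
+name = kubernetes_manifest.password_generator.object.metadata.name
+}
+}
+}]
 }
 }
+}
 
-data = {
-"username" = "ferret"
-"password" = random_password.ferret_password.result
+resource "kubernetes_manifest" "push_mongo_express_credentials" {
+manifest = {
+apiVersion = "external-secrets.io/v1alpha1"
+kind = "PushSecret"
+metadata = {
+name = "push-${kubernetes_manifest.mongo_express_credentials_sync.object.spec.target.name}"
+namespace = kubernetes_namespace.namespace.metadata[0].name
+}
+spec = {
+refreshInterval = "1h"
+deletionPolicy = "None"
+secretStoreRefs = [{
+name = var.cluster_secret_store_name
+kind = "ClusterSecretStore"
+}]
+selector = {
+secret = {
+name = kubernetes_manifest.mongo_express_credentials_sync.object.spec.target.name
+}
+}
+data = [
+{
+match = {
+remoteRef = {
+remoteKey = "${kubernetes_namespace.namespace.metadata[0].name}/credentials/ui/${kubernetes_manifest.mongo_express_credentials_sync.object.spec.target.name}"
+}
+}
+}
+]
+}
 }
-
-type = "kubernetes.io/basic-auth"
+depends_on = [kubernetes_manifest.mongo_express_credentials_sync]
 }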
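Review bot: `push_ferret_database_credentials` names and selects `kubernetes_manifest.keycloak_database_credentials_sync` on new lines 98 and 110, a resource that is defined nowhere on this page and reads like a copy from the Keycloak module; unless it exists elsewhere in modules/ferretdb, validation will reject the reference, and if it does exist the PushSecret would push the Keycloak secret under the Ferret remoteKey built on line 117. Both lines should use `kubernetes_manifest.ferret_database_credentials_sync.object.spec.target.name`, which is what `depends_on` on line 124 already points at. Separately, the `mongo_express_credentials_sync` template on lines 211–216 omits the `type = "kubernetes.io/basic-auth"` that the other two ExternalSecrets and the deleted `ui_credentials` secret set, so the generated Secret will presumably default to Opaque; add `type = "kubernetes.io/basic-auth"` under `template` if consumers rely on the type. It is also worth a comment above `client_database_credentials_sync` that the reflector annotations removed on old lines 88–90 mean client namespaces no longer receive a copy of their credentials and must fetch them from the cluster secret store under the pushed remoteKey.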