
External secrets operator #612

Merged: 10 commits into aws-ia:main from external-secrets-operator, Jun 30, 2022

Conversation

@bobdoah (Contributor) commented Jun 8, 2022

What does this PR do?

Adds the External Secrets operator as an addon

Motivation

The External Secrets operator integrates external secrets management services with a Kubernetes cluster. It's more flexible than the Secret Store CSI driver. It transparently handles secret rotation, as secrets are kept synchronised. By using Kubernetes secrets, it's easy to map secrets as environment variables.

More

Note: Examples and docs are not required for every PR, only when a new pattern or add-on is added.

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

@askulkarni2 (Contributor) left a comment

@bobdoah thanks for the PR. It's looking good. While deploying the helm-addon is a good first step, a couple of additional items need to be addressed.

  1. Need a non-trivial example, preferably showing use of both AWS SSM Parameter Store and Secrets Manager.
  2. For these two external stores, we need to provide a way for the platform team persona to define an authentication mechanism. This can be done by attaching an IRSA role to the pod. This method is described here. Configuring IRSA in the addon can be optional if customers are using AWS SSM or SM.

@bobdoah (Contributor, Author) commented Jun 9, 2022

> @bobdoah thanks for the PR. It's looking good. While deploying the helm-addon is a good first step, a couple of additional items need to be addressed.
>
>   1. Need a non-trivial example, preferably showing use of both AWS SSM Parameter Store and Secrets Manager.
>   2. For these two external stores, we need to provide a way for the platform team persona to define an authentication mechanism. This can be done by attaching an IRSA role to the pod. This method is described here. Configuring IRSA in the addon can be optional if customers are using AWS SSM or SM.

I do actually have an example, that I used to test this. I extended the examples/complete-kubernetes-addons. I would assume though, that you'd prefer a separate example in the examples directory, even if it's largely based on the complete add-ons example.

@bobdoah (Contributor, Author) commented Jun 10, 2022

Added an example @askulkarni2

@bobdoah (Contributor, Author) commented Jun 14, 2022

@askulkarni2 any chance you could review this again?

@bobdoah bobdoah temporarily deployed to EKS Blueprints Test June 24, 2022 08:48 Inactive
@askulkarni2 (Contributor) left a comment

@bobdoah apologies for the delay and thank you for your patience. A few minor changes based on the recent awscli update and merge conflict, otherwise this is looking good to go.

Review comments on examples/external-secrets-kubernetes-addon/main.tf (3 comments, outdated, resolved)
@bobdoah bobdoah temporarily deployed to EKS Blueprints Test June 29, 2022 11:24 Inactive
@bobdoah (Contributor, Author) commented Jun 29, 2022

> @bobdoah apologies for the delay and thank you for your patience. A few minor changes based on the recent awscli update and merge conflict, otherwise this is looking good to go.

Thanks @askulkarni2. I've applied the requested fixes. I also noticed another example had the same v1alpha1 reference so I've updated that too. Hopefully this is good to go now.

@askulkarni2 (Contributor) left a comment

@bobdoah there's a CI failure with tflint.

In the example, please add an aws_kms_key resource like this and provide it in the aws_secretmanager_secret resource like this.
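The two review requests above (a non-trivial example covering both SSM Parameter Store and Secrets Manager with IRSA authentication, and a customer-managed KMS key on the Secrets Manager secret) fit together in one Terraform snippet. The block below is an added example written for this thread, not the PR's own example or the blueprints addon module's code; the PR's example also uses IRSA (per its commit message), but this block spells the pieces out by hand so the trust boundary and the permission boundary are visible. It assumes an existing EKS cluster described by `var.region`, `var.oidc_provider_arn` and `var.oidc_provider_url` (the OIDC issuer URL without the `https://` scheme), an existing `app` namespace, the External Secrets CRDs already installed, and the `kubernetes` and `aws` providers configured; every resource name, the operator namespace and the service account name are constructed.

```hcl
# Added example, not the PR's own code. Assumes an existing EKS cluster described by
# var.region, var.oidc_provider_arn and var.oidc_provider_url (issuer URL without
# "https://"), an "app" namespace, and ESO CRDs already installed. All names are constructed.
locals {
  eso_namespace = "external-secrets"
  eso_sa        = "external-secrets-sa"
  stores        = { "aws-secretsmanager" = "SecretsManager", "aws-parameterstore" = "ParameterStore" }
}

# Customer-managed key: reading the secret material also requires kms:Decrypt on this key.
resource "aws_kms_key" "secrets" {
  description         = "CMK for example application secrets"
  enable_key_rotation = true
}

resource "aws_secretsmanager_secret" "db" {
  name       = "example/db-credentials"
  kms_key_id = aws_kms_key.secrets.arn # the value is written out of band so it never enters state
}

resource "aws_ssm_parameter" "api_endpoint" {
  name   = "/example/api-endpoint"
  type   = "SecureString"
  key_id = aws_kms_key.secrets.key_id
  value  = "https://api.example.internal" # constructed, non-sensitive sample value
}

# IRSA trust: only this service account (sub) presenting a token for STS (aud) may assume the role.
resource "aws_iam_role" "external_secrets" {
  name = "external-secrets-irsa"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = var.oidc_provider_arn }
      Condition = { StringEquals = {
        "${var.oidc_provider_url}:sub" = "system:serviceaccount:${local.eso_namespace}:${local.eso_sa}"
        "${var.oidc_provider_url}:aud" = "sts.amazonaws.com"
      } }
    }]
  })
}

# Least privilege: the operator may read exactly these two items and decrypt only with this key.
resource "aws_iam_role_policy" "external_secrets_read" {
  role = aws_iam_role.external_secrets.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], Resource = aws_secretsmanager_secret.db.arn },
      { Effect = "Allow", Action = ["ssm:GetParameter", "ssm:GetParameters"], Resource = aws_ssm_parameter.api_endpoint.arn },
      { Effect = "Allow", Action = "kms:Decrypt", Resource = aws_kms_key.secrets.arn },
    ]
  })
}

# The annotation binds the pod's projected service account token to the role above.
resource "kubernetes_service_account" "external_secrets" {
  metadata {
    name        = local.eso_sa
    namespace   = local.eso_namespace
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.external_secrets.arn }
  }
}

# One ClusterSecretStore per AWS service; both authenticate with the IRSA service account.
resource "kubernetes_manifest" "store" {
  for_each = local.stores
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ClusterSecretStore"
    metadata   = { name = each.key }
    spec = {
      provider = { aws = {
        service = each.value
        region  = var.region
        auth    = { jwt = { serviceAccountRef = { name = local.eso_sa, namespace = local.eso_namespace } } }
      } }
    }
  }
}

# Secrets Manager JSON secret mapped into a Kubernetes Secret; a rotated value is picked up on the next refresh.
resource "kubernetes_manifest" "db_credentials" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata   = { name = "db-credentials", namespace = "app" }
    spec = {
      refreshInterval = "1h"
      secretStoreRef  = { name = "aws-secretsmanager", kind = "ClusterSecretStore" }
      target          = { name = "db-credentials" }
      data = [
        { secretKey = "username", remoteRef = { key = aws_secretsmanager_secret.db.name, property = "username" } },
        { secretKey = "password", remoteRef = { key = aws_secretsmanager_secret.db.name, property = "password" } },
      ]
    }
  }
}
```

An ExternalSecret backed by the `aws-parameterstore` store looks the same, with `remoteRef.key` set to the parameter name (`aws_ssm_parameter.api_endpoint.name`). Two operational points: `kubernetes_manifest` needs the External Secrets CRDs to exist at plan time, so the operator chart has to be applied before this configuration (or in a separate apply); and because the IAM policy lists the secret and parameter ARNs explicitly, adding a new secret means extending the policy, which is the check that keeps the operator from becoming a read-everything principal.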

The External Secrets Operator integrates external secrets management
systems with Kubernetes. The operator reads secrets from these systems
and injects them as values into Kubernetes Secrets.
Allow the external-secrets operator to be enabled from the main addon
module.
Allow the external-secrets operator to be enabled from the main addon
module.
Add an example, using IRSA for authentication with AWS.
@bobdoah bobdoah temporarily deployed to EKS Blueprints Test June 30, 2022 11:13 Inactive
@bobdoah bobdoah temporarily deployed to EKS Blueprints Test June 30, 2022 15:02 Inactive
@askulkarni2 (Contributor) left a comment

LGTM! Thanks for this awesome PR!

@askulkarni2 askulkarni2 merged commit 8e93c90 into aws-ia:main Jun 30, 2022
@bobdoah (Contributor, Author) commented Jun 30, 2022

> LGTM! Thanks for this awesome PR!

Amazing, thanks for merging!

@bobdoah bobdoah deleted the external-secrets-operator branch July 13, 2022 09:37
allamand pushed a commit to allamand/terraform-aws-eks-blueprints that referenced this pull request Dec 15, 2022