Allow mounting secrets to prober server (#365)

Signed-off-by: Nghia Tran <tcnghia@gmail.com>
chainguard-dev · May 23, 2024 · 564b5e6 · 564b5e6
1 parent 6089f7d
commit 564b5e6
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/modules/prober/README.md b/modules/prober/README.md
@@ -114,6 +114,7 @@ No requirements.
 | <a name="input_period"></a> [period](#input\_period) | The period for the prober in seconds. | `string` | `"300s"` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The project that will host the prober. | `string` | n/a | yes |
 | <a name="input_regions"></a> [regions](#input\_regions) | A map from region names to a network and subnetwork.  A prober service will be created in each region. | <pre>map(object({<br>    network = string<br>    subnet  = string<br>  }))</pre> | n/a | yes |
+| <a name="input_secret_env"></a> [secret\_env](#input\_secret\_env) | A map of secrets to mount as environment variables from Google Secrets Manager (e.g. secret\_key=secret\_name) | `map` | `{}` | no |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The email address of the service account to run the service as. | `string` | n/a | yes |
 | <a name="input_slo_notification_channels"></a> [slo\_notification\_channels](#input\_slo\_notification\_channels) | A list of notification channels to send alerts to. | `list(string)` | `[]` | no |
 | <a name="input_slo_policy_link"></a> [slo\_policy\_link](#input\_slo\_policy\_link) | An optional link to the SLO policy to include in the alert documentation. | `string` | `""` | no |

diff --git a/modules/prober/main.tf b/modules/prober/main.tf
@@ -41,11 +41,23 @@ module "this" {
       }
       ports = [{ container_port = 8080 }]
       env = concat([{
-        // This is a shared secret with the uptime check, which must be
-        // passed in an Authorization header for the probe to do work.
-        name  = "AUTHORIZATION"
-        value = random_password.secret.result
-      }], [for k, v in var.env : { name = k, value = v }])
+          // This is a shared secret with the uptime check, which must be
+          // passed in an Authorization header for the probe to do work.
+          name  = "AUTHORIZATION"
+          value = random_password.secret.result
+        }],
+        [for k, v in var.env : { name = k, value = v }],
+        [
+          for k, v in var.secret_env : {
+            name = k,
+            value_source = {
+              secret_key_ref = {
+                secret  = v
+                version = "latest"
+              }
+            }
+          }
+        ])
       resources = {
         limits = {
           cpu    = var.cpu

diff --git a/modules/prober/variables.tf b/modules/prober/variables.tf
@@ -65,6 +65,11 @@ variable "env" {
   description = "A map of custom environment variables (e.g. key=value)"
 }
 
+variable "secret_env" {
+  default     = {}
+  description = "A map of secrets to mount as environment variables from Google Secrets Manager (e.g. secret_key=secret_name)"
+}
+
 variable "timeout" {
   type        = string
   default     = "60s"
@@ -140,3 +145,4 @@ variable "enable_profiler" {
   default     = false
   description = "Enable cloud profiler."
 }
+