feat(external): allow adding extra third party secrets

2024-12-22 20:34:32 +07:00 · 2024-03-14 20:07:27 +07:00 · 2024-03-14 20:07:27 +07:00 · 0b3fe1c82a
commit 0b3fe1c82a
parent 946203aac0
8 changed files with 62 additions and 0 deletions
--- a/docs/concepts/secrets-management.md
+++ b/docs/concepts/secrets-management.md
@ -39,6 +39,14 @@ This is useful when you want to generate random secrets like admin password and
 --8<--
 ```

+## Extra third-party secrets
+
+For third-party secrets that you don't control, add them to `external/terraform.tfvars` under the `extra_secrets` key,
+then run `make external`.
+
+They will be available as a Secret named `external` in the `global-secrets` namespace.
+You can use it with `ExternalSecret` just like any other global secret.
+
 ## How secrets are pulled from global secrets to other namespaces

 When you apply an `ExternalSecret` object, for example:
--- a/external/main.tf
+++ b/external/main.tf
@ -17,3 +17,8 @@ module "ntfy" {
  source = "./modules/ntfy"
  auth   = var.ntfy
 }
+
+module "extra_secrets" {
+  source = "./modules/extra-secrets"
+  data   = var.extra_secrets
+}
--- a/external/modules/extra-secrets/main.tf
+++ b/external/modules/extra-secrets/main.tf
@ -0,0 +1,12 @@
+resource "kubernetes_secret" "external" {
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+
+    annotations = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+
+  data = var.data
+}
--- a/external/modules/extra-secrets/variables.tf
+++ b/external/modules/extra-secrets/variables.tf
@ -0,0 +1,13 @@
+variable "name" {
+  type    = string
+  default = "external"
+}
+
+variable "namespace" {
+  type    = string
+  default = "global-secrets"
+}
+
+variable "data" {
+  type = map(string)
+}
--- a/external/modules/extra-secrets/versions.tf
+++ b/external/modules/extra-secrets/versions.tf
@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.26.0"
+    }
+  }
+}
--- a/external/namespaces.yml
+++ b/external/namespaces.yml
@ -10,6 +10,7 @@
        - cert-manager
        - cloudflared
        - external-dns
+        - global-secrets
        - k8up-operator
        - monitoring-system
        - zerotier
--- a/external/terraform.tfvars.example
+++ b/external/terraform.tfvars.example
@ -14,3 +14,11 @@ ntfy = {
  # Your topic name
  topic = "random_topic_name_here_a8sd7fkjxlkcjasdw33813"
 }
+
+extra_secrets = {
+  # Try to keep this to a minimum with third-party secrets
+  # Consider using the secret generator if possible
+  # ../platform/global-secrets/files/secret-generator/config.yaml
+  #
+  # key = "value"
+}
--- a/external/variables.tf
+++ b/external/variables.tf
@ -23,3 +23,10 @@ variable "ntfy" {

  sensitive = true
 }
+
+variable "extra_secrets" {
+  type        = map(string)
+  description = "Key-value pairs of extra secrets that cannot be randomly generated (e.g. third party API tokens)"
+  sensitive   = true
+  default     = {}
+}