feat: secret provider class
Telemaco019 committed Aug 6, 2024
1 parent 75fdc2d commit c8890d3
Showing 3 changed files with 95 additions and 16 deletions.
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -86,12 +86,12 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
- resource.azurerm_cognitive_deployment.gpt_4_turbo (/terraform-docs/main.tf#407)
- resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#422)
- resource.azurerm_key_vault.main (/terraform-docs/main.tf#127)
- resource.azurerm_key_vault_secret.api_key (/terraform-docs/main.tf#437)
- resource.azurerm_key_vault_secret.auth_jwt (/terraform-docs/main.tf#648)
- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#437)
- resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#208)
- resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#213)
- resource.azurerm_key_vault_secret.postgres_passwords (/terraform-docs/main.tf#371)
- resource.azurerm_key_vault_secret.postgres_users (/terraform-docs/main.tf#362)
- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#648)
- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#371)
- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#362)
- resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#609)
- resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#305)
- resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#313)
Expand All @@ -118,7 +118,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
- resource.azurerm_storage_container.models (/terraform-docs/main.tf#463)
- resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#222)
- resource.tls_private_key.aks (/terraform-docs/main.tf#536)
- resource.tls_private_key.auth_jwt (/terraform-docs/main.tf#644)
- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#644)
- data source.azurerm_client_config.current (/terraform-docs/main.tf#47)
- data source.azurerm_resource_group.main (/terraform-docs/main.tf#44)
- data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#53)
44 changes: 33 additions & 11 deletions main.tf
Expand Up @@ -359,7 +359,7 @@ resource "azurerm_monitor_metric_alert" "postgres_server_alerts" {

tags = var.tags
}
resource "azurerm_key_vault_secret" "postgres_users" {
resource "azurerm_key_vault_secret" "postgres_user" {
name = "${var.resource_prefix}-postgres-username"
value = var.postgres_server_admin_username
key_vault_id = azurerm_key_vault.main.id
Expand All @@ -368,7 +368,7 @@ resource "azurerm_key_vault_secret" "postgres_users" {
azurerm_role_assignment.key_vault_secret_officer__current
]
}
resource "azurerm_key_vault_secret" "postgres_passwords" {
resource "azurerm_key_vault_secret" "postgres_password" {
name = "${var.resource_prefix}-postgres-password"
value = random_password.postgres_server_admin_password.result
key_vault_id = azurerm_key_vault.main.id
Expand Down Expand Up @@ -434,7 +434,7 @@ resource "azurerm_cognitive_deployment" "gpt_4o_mini" {
capacity = var.azure_openai_rate_limits.gpt_4o_mini
}
}
resource "azurerm_key_vault_secret" "api_key" {
resource "azurerm_key_vault_secret" "azure_openai_api_key" {
name = "${var.resource_prefix}-openai-api-key"
value = azurerm_cognitive_account.main.primary_access_key
key_vault_id = azurerm_key_vault.main.id
Expand Down Expand Up @@ -641,14 +641,14 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_pools" {


# ------ Auth ------ #
resource "tls_private_key" "auth_jwt" {
resource "tls_private_key" "jwt_signing_key" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "azurerm_key_vault_secret" "auth_jwt" {
resource "azurerm_key_vault_secret" "jwt_signing_key" {
key_vault_id = azurerm_key_vault.main.id
name = format("%s-jwt-signing-key", var.resource_prefix)
value = tls_private_key.auth_jwt.private_key_pem
value = tls_private_key.jwt_signing_key.private_key_pem
}


Expand All @@ -658,10 +658,13 @@ locals {
secret_provider_class_name = "nebuly-platform"
secret_provider_class_secret_name = "nebuly-platform-credentials"

k8s_secret_key_db_username = "db-username"
k8s_secret_key_db_password = "db-password"
k8s_secret_key_jwt_signing_key = "jwt-signing-key"
k8s_secret_key_openai_api_key = "openai-api-key"
# k8s secrets keys
k8s_secret_key_db_username = "db-username"
k8s_secret_key_db_password = "db-password"
k8s_secret_key_jwt_signing_key = "jwt-signing-key"
k8s_secret_key_openai_api_key = "openai-api-key"
k8s_secret_key_azure_client_id = "azure-client-id"
k8s_secret_key_azure_client_secret = "azure-client-secret"

helm_values = templatefile(
"templates/helm-values.tpl.yaml",
Expand All @@ -687,7 +690,26 @@ locals {
secret_provider_class = templatefile(
"templates/secret-provider-class.tpl.yaml",
{
secret_provider_class_name = local.secret_provider_class_name
secret_provider_class_name = local.secret_provider_class_name
secret_provider_class_secret_name = local.secret_provider_class_secret_name

key_vault_name = azurerm_key_vault.main.name
tenant_id = data.azurerm_client_config.current.tenant_id
aks_managed_identity_id = module.aks.key_vault_secrets_provider.secret_identity[0]

secret_name_jwt_signing_key = azurerm_key_vault_secret.jwt_signing_key.name
secret_name_db_username = azurerm_key_vault_secret.postgres_user.name
secret_name_db_password = azurerm_key_vault_secret.postgres_password.name
secret_name_openai_api_key = azurerm_key_vault_secret.azure_openai_api_key.name
secret_name_azure_client_id = azurerm_key_vault_secret.azuread_application_client_id.name
secret_name_azure_client_secret = azurerm_key_vault_secret.azuread_application_client_secret.name

k8s_secret_key_db_username = local.k8s_secret_key_db_username
k8s_secret_key_db_password = local.k8s_secret_key_db_password
k8s_secret_key_jwt_signing_key = local.k8s_secret_key_jwt_signing_key
k8s_secret_key_openai_api_key = local.k8s_secret_key_openai_api_key
k8s_secret_key_azure_client_id = local.k8s_secret_key_azure_client_id
k8s_secret_key_azure_client_secret = local.k8s_secret_key_azure_client_secret
},
)
}
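Review bot: The resource renames in this file (`tls_private_key.auth_jwt` → `jwt_signing_key`, and the `azurerm_key_vault_secret` resources `auth_jwt`, `postgres_users`, `postgres_passwords`, `api_key`) carry no `moved` blocks, so on an existing deployment Terraform will plan a destroy and re-create of each address: the RSA key is regenerated, which silently rotates the JWT signing key and invalidates every token already issued, and the Key Vault secrets are deleted and re-created under the same names, which interacts with soft-delete (recovery or a name conflict, depending on the provider's `features` configuration). One block per rename, e.g. `moved { from = tls_private_key.auth_jwt  to = tls_private_key.jwt_signing_key }` (Terraform 1.1+), keeps state addresses in sync without touching the objects. Separately, in the last hunk `aks_managed_identity_id = module.aks.key_vault_secrets_provider.secret_identity[0]` is rendered into the template's `userAssignedIdentityID`, which the Azure Key Vault CSI provider expects to be the managed identity's client ID; if this is the `secret_identity` object exported by `azurerm_kubernetes_cluster`, it should be `secret_identity[0].client_id` rather than the whole object, which `templatefile` cannot interpolate into a string.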
57 changes: 57 additions & 0 deletions templates/secret-provider-class.tpl.yaml
@@ -0,0 +1,57 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: ${secret_provider_class_name}
namespace: nebuly
spec:
provider: azure
parameters:
usePodIdentity: "false"
useVMManagedIdentity: "true"
userAssignedIdentityID: ${aks_managed_identity_id}
keyvaultName: ${key_vault_name}
tenantId: ${tenant_id}

objects: |
array:
- |
objectName: ${secret_name_db_username}
objectType: secret
objectVersion: ""
- |
objectName: ${secret_name_db_password}
objectType: secret
objectVersion: ""
- |
objectName: ${secret_name_openai_api_key}
objectType: secret
objectVersion: ""
- |
objectName: ${secret_name_jwt_signing_key}
objectType: secret
objectVersion: ""
- |
objectName: ${secret_name_azure_client_id}
objectType: secret
objectVersion: ""
- |
objectName: ${secret_name_azure_client_secret}
objectType: secret
objectVersion: ""
secretObjects:
- data:
- key: ${k8s_secret_key_db_password}
objectName: ${secret_name_db_password}
- key: ${k8s_secret_key_db_username}
objectName: ${secret_name_db_username}
- key: ${k8s_secret_key_openai_api_key}
objectName: ${secret_name_openai_api_key}
- key: ${k8s_secret_key_azure_client_id}
objectName: ${secret_name_azure_client_id}
- key: ${k8s_secret_key_azure_client_secret}
objectName: ${secret_name_azure_client_secret}
- key: ${k8s_secret_key_jwt_signing_key}
objectName: ${secret_name_jwt_signing_key}
secretName: ${secret_provider_class_secret_name}
type: Opaque
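Review bot: `secretObjects` mirrors all six Key Vault objects, including the JWT RSA private key and the Entra ID client secret, into one Kubernetes Secret `${secret_provider_class_secret_name}` in the `nebuly` namespace, so every principal with `get`/`list` on secrets in that namespace, and every etcd backup, holds them rather than only the pods mounting the CSI volume. If the consumers can read these from the mounted volume, the corresponding entries can be dropped from `secretObjects`; otherwise the namespace's RBAC on secrets deserves a review. The template should also state what is not obvious from it: the driver creates this Secret only after a pod mounts the SecretProviderClass volume, and `objectVersion: ""` resolves to the latest version of each object at mount time, so a Key Vault rotation changes what the next mount receives. A header comment along those lines would suffice, and `namespace: nebuly` is the one value here left hard-coded while the name and secret name are templated.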
