From c8890d31ce62ce1902e6e0da19851ba6704db540 Mon Sep 17 00:00:00 2001
From: Michele Zanotti
Date: Tue, 6 Aug 2024 13:41:25 +0200
Subject: [PATCH] feat: secret provider class

---
 README.md                                | 10 ++---
 main.tf                                  | 44 +++++++++++++-----
 templates/secret-provider-class.tpl.yaml | 57 ++++++++++++++++++++++++
 3 files changed, 95 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 743f32b..fc10de0 100644
--- a/README.md
+++ b/README.md
@@ -86,12 +86,12 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 - resource.azurerm_cognitive_deployment.gpt_4_turbo (/terraform-docs/main.tf#407)
 - resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#422)
 - resource.azurerm_key_vault.main (/terraform-docs/main.tf#127)
-- resource.azurerm_key_vault_secret.api_key (/terraform-docs/main.tf#437)
-- resource.azurerm_key_vault_secret.auth_jwt (/terraform-docs/main.tf#648)
+- resource.azurerm_key_vault_secret.azure_openai_api_key (/terraform-docs/main.tf#437)
 - resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#208)
 - resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#213)
-- resource.azurerm_key_vault_secret.postgres_passwords (/terraform-docs/main.tf#371)
-- resource.azurerm_key_vault_secret.postgres_users (/terraform-docs/main.tf#362)
+- resource.azurerm_key_vault_secret.jwt_signing_key (/terraform-docs/main.tf#648)
+- resource.azurerm_key_vault_secret.postgres_password (/terraform-docs/main.tf#371)
+- resource.azurerm_key_vault_secret.postgres_user (/terraform-docs/main.tf#362)
 - resource.azurerm_kubernetes_cluster_node_pool.linux_pools (/terraform-docs/main.tf#609)
 - resource.azurerm_management_lock.postgres_server (/terraform-docs/main.tf#305)
 - resource.azurerm_monitor_metric_alert.postgres_server_alerts (/terraform-docs/main.tf#313)
@@ -118,7 +118,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 - resource.azurerm_storage_container.models (/terraform-docs/main.tf#463)
 - resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#222)
 - resource.tls_private_key.aks (/terraform-docs/main.tf#536)
-- resource.tls_private_key.auth_jwt (/terraform-docs/main.tf#644)
+- resource.tls_private_key.jwt_signing_key (/terraform-docs/main.tf#644)
 - data source.azurerm_client_config.current (/terraform-docs/main.tf#47)
 - data source.azurerm_resource_group.main (/terraform-docs/main.tf#44)
 - data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#53)
diff --git a/main.tf b/main.tf
index 95340f5..ea6ef66 100644
--- a/main.tf
+++ b/main.tf
@@ -359,7 +359,7 @@ resource "azurerm_monitor_metric_alert" "postgres_server_alerts" {
   tags = var.tags
 }
 
-resource "azurerm_key_vault_secret" "postgres_users" {
+resource "azurerm_key_vault_secret" "postgres_user" {
   name = "${var.resource_prefix}-postgres-username"
   value = var.postgres_server_admin_username
   key_vault_id = azurerm_key_vault.main.id
@@ -368,7 +368,7 @@ resource "azurerm_key_vault_secret" "postgres_users" {
     azurerm_role_assignment.key_vault_secret_officer__current
   ]
 }
-resource "azurerm_key_vault_secret" "postgres_passwords" {
+resource "azurerm_key_vault_secret" "postgres_password" {
   name = "${var.resource_prefix}-postgres-password"
   value = random_password.postgres_server_admin_password.result
   key_vault_id = azurerm_key_vault.main.id
@@ -434,7 +434,7 @@ resource "azurerm_cognitive_deployment" "gpt_4o_mini" {
     capacity = var.azure_openai_rate_limits.gpt_4o_mini
   }
 }
-resource "azurerm_key_vault_secret" "api_key" {
+resource "azurerm_key_vault_secret" "azure_openai_api_key" {
   name = "${var.resource_prefix}-openai-api-key"
   value = azurerm_cognitive_account.main.primary_access_key
   key_vault_id = azurerm_key_vault.main.id
@@ -641,14 +641,14 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_pools" {
 
 
 # ------ Auth ------ #
-resource "tls_private_key" "auth_jwt" {
+resource "tls_private_key" "jwt_signing_key" {
   algorithm = "RSA"
   rsa_bits = 4096
 }
-resource "azurerm_key_vault_secret" "auth_jwt" {
+resource "azurerm_key_vault_secret" "jwt_signing_key" {
   key_vault_id = azurerm_key_vault.main.id
   name = format("%s-jwt-signing-key", var.resource_prefix)
-  value = tls_private_key.auth_jwt.private_key_pem
+  value = tls_private_key.jwt_signing_key.private_key_pem
 }
 
 
@@ -658,10 +658,13 @@ locals {
   secret_provider_class_name = "nebuly-platform"
   secret_provider_class_secret_name = "nebuly-platform-credentials"
 
-  k8s_secret_key_db_username = "db-username"
-  k8s_secret_key_db_password = "db-password"
-  k8s_secret_key_jwt_signing_key = "jwt-signing-key"
-  k8s_secret_key_openai_api_key = "openai-api-key"
+  # k8s secrets keys
+  k8s_secret_key_db_username = "db-username"
+  k8s_secret_key_db_password = "db-password"
+  k8s_secret_key_jwt_signing_key = "jwt-signing-key"
+  k8s_secret_key_openai_api_key = "openai-api-key"
+  k8s_secret_key_azure_client_id = "azure-client-id"
+  k8s_secret_key_azure_client_secret = "azure-client-secret"
 
   helm_values = templatefile(
     "templates/helm-values.tpl.yaml",
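Review bot: Renaming the resource address `tls_private_key.auth_jwt` to `tls_private_key.jwt_signing_key` without a `moved` block makes Terraform plan a destroy-and-create of the RSA key on the next apply, which silently rotates the JWT signing key (and replaces the `-jwt-signing-key` Key Vault secret) and invalidates every token issued before the apply. The same applies to the three Key Vault secrets renamed earlier in this diff (`postgres_users`, `postgres_passwords`, `api_key`): each is deleted and re-created under the same name, which additionally depends on the provider's soft-delete recovery setting to succeed. State moves alongside the renames avoid both; `moved` needs Terraform 1.1+, so if the module pins an older version a documented `terraform state mv` step is the fallback.
```hcl
# Keep state across the rename so the signing key is not regenerated on apply.
moved {
  from = tls_private_key.auth_jwt
  to   = tls_private_key.jwt_signing_key
}

moved {
  from = azurerm_key_vault_secret.auth_jwt
  to   = azurerm_key_vault_secret.jwt_signing_key
}
```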
@@ -687,7 +690,26 @@ locals {
   secret_provider_class = templatefile(
     "templates/secret-provider-class.tpl.yaml",
     {
-      secret_provider_class_name = local.secret_provider_class_name
+      secret_provider_class_name = local.secret_provider_class_name
+      secret_provider_class_secret_name = local.secret_provider_class_secret_name
+
+      key_vault_name = azurerm_key_vault.main.name
+      tenant_id = data.azurerm_client_config.current.tenant_id
+      aks_managed_identity_id = module.aks.key_vault_secrets_provider.secret_identity[0]
+
+      secret_name_jwt_signing_key = azurerm_key_vault_secret.jwt_signing_key.name
+      secret_name_db_username = azurerm_key_vault_secret.postgres_user.name
+      secret_name_db_password = azurerm_key_vault_secret.postgres_password.name
+      secret_name_openai_api_key = azurerm_key_vault_secret.azure_openai_api_key.name
+      secret_name_azure_client_id = azurerm_key_vault_secret.azuread_application_client_id.name
+      secret_name_azure_client_secret = azurerm_key_vault_secret.azuread_application_client_secret.name
+
+      k8s_secret_key_db_username = local.k8s_secret_key_db_username
+      k8s_secret_key_db_password = local.k8s_secret_key_db_password
+      k8s_secret_key_jwt_signing_key = local.k8s_secret_key_jwt_signing_key
+      k8s_secret_key_openai_api_key = local.k8s_secret_key_openai_api_key
+      k8s_secret_key_azure_client_id = local.k8s_secret_key_azure_client_id
+      k8s_secret_key_azure_client_secret = local.k8s_secret_key_azure_client_secret
     },
   )
 }
diff --git a/templates/secret-provider-class.tpl.yaml b/templates/secret-provider-class.tpl.yaml
index e69de29..457e6a6 100644
--- a/templates/secret-provider-class.tpl.yaml
+++ b/templates/secret-provider-class.tpl.yaml
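Review bot: `aks_managed_identity_id = module.aks.key_vault_secrets_provider.secret_identity[0]` is interpolated into the template as `userAssignedIdentityID`, which the Azure Key Vault provider expects to be the client ID of the addon's user-assigned identity. If `module.aks` passes the `key_vault_secrets_provider` attribute of `azurerm_kubernetes_cluster` through unchanged, `secret_identity[0]` is an object with `client_id`, `object_id` and `user_assigned_identity_id` rather than a string, so `templatefile` would reject it, and a resource ID would be the wrong value even as a string; the line should presumably be `aks_managed_identity_id = module.aks.key_vault_secrets_provider.secret_identity[0].client_id` — confirm against the module's output. Nothing in this hunk grants that identity a secrets-read role on `azurerm_key_vault.main`; if the assignment is not made elsewhere, the failure surfaces as a 403 at pod start rather than at plan time, so it is worth verifying. The `locals` block opens before this hunk.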
@@ -0,0 +1,57 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: ${secret_provider_class_name}
+  namespace: nebuly
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    userAssignedIdentityID: ${aks_managed_identity_id}
+    keyvaultName: ${key_vault_name}
+    tenantId: ${tenant_id}
+
+    objects: |
+      array:
+        - |
+          objectName: ${secret_name_db_username}
+          objectType: secret
+          objectVersion: ""
+        - |
+          objectName: ${secret_name_db_password}
+          objectType: secret
+          objectVersion: ""
+        - |
+          objectName: ${secret_name_openai_api_key}
+          objectType: secret
+          objectVersion: ""
+        - |
+          objectName: ${secret_name_jwt_signing_key}
+          objectType: secret
+          objectVersion: ""
+        - |
+          objectName: ${secret_name_azure_client_id}
+          objectType: secret
+          objectVersion: ""
+        - |
+          objectName: ${secret_name_azure_client_secret}
+          objectType: secret
+          objectVersion: ""
+
+  secretObjects:
+  - data:
+    - key: ${k8s_secret_key_db_password}
+      objectName: ${secret_name_db_password}
+    - key: ${k8s_secret_key_db_username}
+      objectName: ${secret_name_db_username}
+    - key: ${k8s_secret_key_openai_api_key}
+      objectName: ${secret_name_openai_api_key}
+    - key: ${k8s_secret_key_azure_client_id}
+      objectName: ${secret_name_azure_client_id}
+    - key: ${k8s_secret_key_azure_client_secret}
+      objectName: ${secret_name_azure_client_secret}
+    - key: ${k8s_secret_key_jwt_signing_key}
+      objectName: ${secret_name_jwt_signing_key}
+    secretName: ${secret_provider_class_secret_name}
+    type: Opaque
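Review bot: The `secretObjects` section mirrors all six Key Vault values, including the RSA JWT signing key and the Entra client secret, into the Kubernetes Secret `nebuly-platform-credentials`, but the Secrets Store CSI driver only creates that Secret once a pod in the namespace mounts a volume that references this SecretProviderClass, so any workload consuming it through `env`/`envFrom` without also mounting the volume will not start on a fresh cluster. The consuming chart is outside this diff; a comment above `secretObjects` such as `# The synced Secret exists only while a pod mounts a CSI volume for this class` would save the next reader that debugging round, and it is worth stating that the mirrored copy lives in etcd and is readable by anyone with `get secrets` in the namespace, which widens the blast radius compared with the file mount alone. `objectVersion: ""` always resolves to the latest version, so after a rotation in Key Vault the synced Secret and any env vars read from it only refresh if the AKS addon has secret rotation enabled and the pod is restarted. `metadata.namespace` is hard-coded to `nebuly` while the name is templated; passing the namespace through the template as well keeps the two from drifting if the chart's namespace is ever parameterized.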