ESO External Secrets Module

This module configures an ExternalSecret resource in the desired namespace, with the desired settings, so that ESO (the External Secrets Operator) synchronizes a Secrets Manager secret into a Kubernetes secret.

The ExternalSecret can reference either of the following store kinds, selected through the input variable eso_store_scope:

  • a ClusterSecretStore (cluster scope), when eso_store_scope is set to 'cluster'
  • a SecretStore (regular namespaced scope), when eso_store_scope is set to 'namespace'

For more information about the ExternalSecret resource, please refer to the ESO documentation.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| helm | >= 2.8.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| helm_release.kubernetes_secret | resource |
| helm_release.kubernetes_secret_certificate | resource |
| helm_release.kubernetes_secret_chain_list | resource |
| helm_release.kubernetes_secret_kv_all | resource |
| helm_release.kubernetes_secret_kv_key | resource |
| helm_release.kubernetes_secret_user_pw | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| es_container_registry | The registry URL to be used in the dockerconfigjson secret | string | "us.icr.io" | no |
| es_container_registry_email | Optional. Email to be used in the dockerconfigjson secret | string | null | no |
| es_container_registry_secrets_chain | Structure used to generate a chain of secrets into a single dockerconfigjson secret, for authentication against multiple registries. In each element, sm_secret_id is the ID of the Secrets Manager secret storing the API key used for that registry | list(object({ es_container_registry = string, sm_secret_id = string, es_container_registry_email = optional(string, null) })) | [] | no |
| es_helm_rls_name | Name to use for the helm release of the ExternalSecret resource. Must be unique in the namespace | string | n/a | yes |
| es_helm_rls_namespace | Namespace to deploy the helm release for the ExternalSecret into. If null, the ExternalSecret namespace is used | string | null | no |
| es_kubernetes_namespace | Namespace in which to generate the ExternalSecret | string | n/a | yes |
| es_kubernetes_secret_data_key | Data key to be used in the Kubernetes Opaque secret. Only needed when es_kubernetes_secret_type is 'opaque' and sm_secret_type is either 'arbitrary' or 'iam_credentials' | string | null | no |
| es_kubernetes_secret_name | Name of the Kubernetes secret object to create | string | n/a | yes |
| es_kubernetes_secret_type | Secret type/format to be installed in the Kubernetes/OpenShift cluster by ESO. Valid inputs are 'opaque', 'dockerconfigjson' and 'tls' | string | n/a | yes |
| es_refresh_interval | Interval at which ESO re-synchronizes the secret. See the recommendations for choosing a refresh interval in this IBM Cloud article: https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-tutorial-kubernetes-secrets#kubernetes-secrets-best-practices | string | "1h" | no |
| eso_store_name | Name of the ESO store to reference when creating the ExternalSecret. Cannot be null | string | n/a | yes |
| eso_store_scope | Set to 'cluster' to reference a cluster-scoped store (ClusterSecretStore) or 'namespace' to reference a namespaced store (SecretStore). This value is used to configure the store reference in the ExternalSecret | string | "cluster" | no |
| reloader_watching | Flag to enable/disable Reloader watching. If enabled, Reloader watches the secret for changes and reloads the associated annotated pods when needed | bool | false | no |
| sm_certificate_bundle | Flag to set when the public/intermediate certificate is bundled. If enabled, the public key is managed as bundled with the intermediate and private key; otherwise the template treats the public key as not bundled with the intermediate certificate and private key | bool | true | no |
| sm_certificate_has_intermediate | Set when the Secrets Manager certificate is provided with an intermediate certificate. If enabled, the certificate body in the Kubernetes secret contains both the certificate and the intermediate; otherwise only the certificate is added. Valid only for public and imported certificates | bool | true | no |
| sm_kv_keyid | Secrets Manager key-value (kv) key ID | string | null | no |
| sm_kv_keypath | Secrets Manager key-value (kv) key path | string | null | no |
| sm_secret_id | Secrets Manager secret ID whose data is synchronized into the Kubernetes secret. It can be null only in the case of a dockerconfigjson secrets chain | string | n/a | yes |
| sm_secret_type | Secrets Manager secret type to be used as source data by ESO. Valid input types are 'arbitrary', 'username_password' and 'iam_credentials' | string | n/a | yes |
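
As an added example (not code from this README or the module itself), the two module calls below show the store-scope choice described above together with the inputs from the table: one ExternalSecret that references a ClusterSecretStore and produces an Opaque secret from an 'arbitrary' Secrets Manager secret, and one that references a namespaced SecretStore and builds a single dockerconfigjson secret for two registries through es_container_registry_secrets_chain. Assumptions: the module is sourced from the relative path ./eso-external-secret, the helm provider is already configured for the target cluster, the stores named secrets-manager-cluster-store and secrets-manager-app-store already exist, the Secrets Manager IDs and registry host are placeholders, and the sm_secret_type used for the chain case is a guess, since the table does not state which type the chain expects.

```hcl
# Added example, not the module's own code. Assumed: module path, provider
# configuration, existing ESO stores, and placeholder Secrets Manager IDs.

# 1. 'arbitrary' Secrets Manager secret -> Opaque Kubernetes secret,
#    referencing a ClusterSecretStore (eso_store_scope = "cluster").
module "app_api_key" {
  source = "./eso-external-secret" # assumed relative path to this module

  es_helm_rls_name          = "app-api-key-es"   # must be unique in the namespace
  es_kubernetes_namespace   = "app"
  es_kubernetes_secret_name = "app-api-key"
  es_kubernetes_secret_type = "opaque"
  # Required for 'opaque' when the source type is arbitrary or iam_credentials:
  # the key under .data that will hold the secret value.
  es_kubernetes_secret_data_key = "apikey"

  sm_secret_type = "arbitrary"
  sm_secret_id   = "00000000-0000-0000-0000-000000000000" # placeholder ID

  eso_store_name  = "secrets-manager-cluster-store" # assumed existing ClusterSecretStore
  eso_store_scope = "cluster"

  es_refresh_interval = "1h"  # module default; tune per the linked IBM guidance
  reloader_watching   = true  # annotated pods are reloaded when the secret changes
}

# 2. Two registries -> one dockerconfigjson pull secret,
#    referencing a namespaced SecretStore (eso_store_scope = "namespace").
module "registry_pull_secret" {
  source = "./eso-external-secret" # assumed relative path to this module

  es_helm_rls_name          = "registry-pull-es"
  es_kubernetes_namespace   = "app"
  es_kubernetes_secret_name = "registry-pull-secret"
  es_kubernetes_secret_type = "dockerconfigjson"

  # The table allows a null sm_secret_id only for the secrets chain case;
  # each chain element carries its own secret ID instead.
  sm_secret_id   = null
  sm_secret_type = "iam_credentials" # assumption: type expected by the chain is not stated

  es_container_registry_secrets_chain = [
    {
      es_container_registry = "us.icr.io"
      sm_secret_id          = "11111111-1111-1111-1111-111111111111" # placeholder ID
    },
    {
      es_container_registry       = "registry.example.com" # placeholder host
      sm_secret_id                = "22222222-2222-2222-2222-222222222222" # placeholder ID
      es_container_registry_email = "ci@example.com"
    },
  ]

  eso_store_name  = "secrets-manager-app-store" # assumed existing SecretStore in "app"
  eso_store_scope = "namespace"
}
```

After `terraform apply`, the ExternalSecret objects are created in the `app` namespace and ESO writes the target secrets there; the second call relies on `sm_secret_id` being nullable, so leave it explicitly `null` rather than omitting it, because the input has no default.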

Outputs

No outputs.