init add proper support for AWS

Signed-off-by: David van der Spek <[email protected]>

Author: davidspek

external-secrets/helm/external-secrets/crds/bundle.yaml

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "external-secrets.name" -}}
+{{- define "external-secrets-plural.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "external-secrets.fullname" -}}
+{{- define "external-secrets-plural.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "external-secrets.chart" -}}
+{{- define "external-secrets-plural.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "external-secrets.labels" -}}
-helm.sh/chart: {{ include "external-secrets.chart" . }}
-{{ include "external-secrets.selectorLabels" . }}
+{{- define "external-secrets-plural.labels" -}}
+helm.sh/chart: {{ include "external-secrets-plural.chart" . }}
+{{ include "external-secrets-plural.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "external-secrets.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "external-secrets.name" . }}
+{{- define "external-secrets-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets-plural.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "external-secrets.serviceAccountName" -}}
+{{- define "external-secrets-plural.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "external-secrets-plural.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

external-secrets/helm/external-secrets/templates/_helpers.tpl

@@ -0,0 +1,11 @@
+{{- if .Values.clusterSecretStore.create -}}
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: default
+spec:
+  {{- with .Values.clusterSecretStore.provider }}
+  provider:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

external-secrets/helm/external-secrets/templates/cluster-secret-store.yaml

@@ -1,82 +1,26 @@
-# Default values for external-secrets.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: nginx
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  # Specifies whether a service account should be created
+clusterSecretStore:
   create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-service:
-  type: ClusterIP
-  port: 80
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
+  provider: {}
+
+external-secrets:
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+    tag: ""
+    resources: {}
+  serviceMonitor:
+    enabled: true
+  installCRDs: false
+  webhook:
+    image:
+      repository: ghcr.io/external-secrets/external-secrets
+      tag: ""
+    resources: {}
+    serviceMonitor:
+      enabled: true
+  certController:
+    image:
+      repository: ghcr.io/external-secrets/external-secrets
+      tag: ""
+    resources: {}
+    serviceMonitor:
+      enabled: true

external-secrets/helm/external-secrets/templates/tests/test-connection.yaml

@@ -1 +1,13 @@
-{}
+{{- if eq .Provider "aws" }}
+external-secrets:
+  serviceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: "arn:aws:iam::{{ .Project }}:role/{{ .Cluster }}-external-secrets"
+{{- end }}
+{{- if eq .Provider "aws" }}
+clusterSecretStore:
+  provider:
+    aws:
+      service: SecretsManager
+      region: {{ .Region }}
+{{- end }}

external-secrets/helm/external-secrets/values.yaml

@@ -1,6 +1,7 @@
 name: external-secrets-azure
 description: Installs external-secrets on an aws eks cluster
 provider: AZURE
+private: true
 dependencies:
 - repo: bootstrap
   name: azure-k8s

external-secrets/helm/external-secrets/values.yaml.tpl

@@ -1,6 +1,7 @@
 name: external-secrets-gcp
 description: Installs external-secrets on an aws eks cluster
 provider: GCP
+private: true
 dependencies:
 - repo: bootstrap
   name: gcp-k8s

external-secrets/plural/recipes/external-secrets-azure.yaml

@@ -0,0 +1,3 @@
+locals {
+  policy_arns = concat([aws_iam_policy.external_secrets.arn], var.extra_policy_arns)
+}

external-secrets/plural/recipes/external-secrets-gcp.yaml

@@ -9,3 +9,41 @@ resource "kubernetes_namespace" "external-secrets" {
   }
 }
 
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_name
+}
+
+module "assumable_role_external_secrets" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "3.14.0"
+  create_role                   = true
+  role_name                     = "${var.cluster_name}-${var.role_name}"
+  provider_url                  = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
+  role_policy_arns              = local.policy_arns
+  oidc_subjects_with_wildcards = [
+    "system:serviceaccount:${var.namespace}:${var.serviceaccount}",
+  ]
+}
+
+resource "aws_iam_policy" "external_secrets" {
+  name_prefix = var.role_name
+  description = "policy for the plural admin console"
+  policy      = data.aws_iam_policy_document.external_secrets.json
+}
+
+data "aws_iam_policy_document" "external_secrets" {
+  statement {
+    sid    = "admin"
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds"
+    ]
+
+    resources = [
+      "arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:${var.secret_prefix}"
+    ]
+  }
+}