
Helm-based setup of External Secrets Operator and Reloader with Terraform. External Secrets Operator is a Kubernetes operator that integrates external secret management systems: it reads secret material from external APIs and injects the values into Kubernetes Secrets. Reloader is a tool that watches ConfigMaps and Secrets for changes and performs rolling upgrades of the Pods belonging to the associated DeploymentConfigs, Deployments, DaemonSets, StatefulSets and Rollouts.
For cloud-specific implementations, the module does not create a ClusterSecretStore custom resource (the CRDs themselves are installed by the chart when `eso.install_crds` is true). The module is meant to be used as a basis for cloud-specific implementations that cover the integration with the cloud's secrets storage.
Once you have a Corewide Solutions Portal account, this one-time action uses your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```
Initialize mandatory providers:

Copy and paste the following into your Terraform configuration and insert the variables:

```hcl
module "tf_k8s_eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0.1"

  # specify module inputs here or try one of the examples below
  ...
}
```

Initialize the setup:

```shell
terraform init
```
Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades. To get new features during upgrades (without breaking compatibility), use `~> 1.0` and run `terraform init -upgrade`. For the safest setup, use strict pinning with `version = "1.0.1"`.
All notable changes to this project are documented here. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

- Fixed the `installCRDs` parameter having string type by changing it to `auto`.
- External Secrets Operator Helm chart version set to 0.10.7 for compatibility with Kubernetes versions v1.30+.
- First stable version.
Deploy External Secrets Operator with a custom service account and Reloader selectors:

```hcl
module "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  eso = {
    serviceaccount = {
      create = true
      name   = "secrets-operator"
      annotations = {
        # Dots in the annotation key are escaped because the key is passed on
        # as a Helm value path, where an unescaped dot would split the key.
        "eks\\.amazonaws\\.com/role-arn" = data.aws_iam_role.allow_k8s_manage_secrets.arn
      }
    }
  }

  reloader = {
    # Label selectors: Reloader only watches matching Namespaces and resources
    namespace_selector = ["foo", "bar", "baz"]
    resource_selector  = ["my-secret-name"]
  }
}
```
Deploy External Secrets Operator and Reloader with full customization:

```hcl
module "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  name_prefix      = "stage"
  namespace        = "eso"
  create_namespace = true

  node_selector = {
    node = "maintenance"
  }

  eso = {
    enabled       = true
    chart_version = "yyyyy" # placeholder: Helm chart version
    app_version   = "xxxxx" # placeholder: image tag
    install_crds  = true
    custom_values = {
      foo = "bar"
    }
    serviceaccount = {
      create = true
      name   = "secrets-operator"
      annotations = {
        # Dots in the annotation key are escaped because the key is passed on
        # as a Helm value path, where an unescaped dot would split the key.
        "eks\\.amazonaws\\.com/role-arn" = data.aws_iam_role.allow_k8s_manage_secrets.arn
      }
    }
  }

  reloader = {
    enabled            = true
    chart_version      = "yyyyy" # placeholder: Helm chart version
    app_version        = "xxxxx" # placeholder: image tag
    namespace_selector = ["foo", "bar", "baz"]
    resource_selector  = ["my-secret-name"]
  }
}
```
Deploy External Secrets Operator and Reloader with default parameters:

```hcl
module "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"
}
```
Deploy External Secrets Operator only (without the Reloader service):

```hcl
module "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  reloader = {
    enabled = false
  }
}
```
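As an added example that is not part of the module's documentation, the following Terraform wires an application to the stack the module installs: an ExternalSecret pulls a value from an external store into a Kubernetes Secret, and Reloader rolls the Deployment that consumes that Secret whenever it changes. The store name `aws-secrets-manager`, the remote key `prod/app/db`, the `reloader=enabled` label convention, the `app` namespace and the container image are assumptions; the SecretStore itself is created outside this module, as noted above.

```hcl
# Added example, not the module's own code. Assumed names are marked below.

module "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  reloader = {
    # Watch only Namespaces and Secrets/ConfigMaps carrying the label
    # reloader=enabled (assumed labelling convention), so a Secret change
    # elsewhere in the cluster cannot trigger a restart of this workload.
    namespace_selector = ["reloader=enabled"]
    resource_selector  = ["reloader=enabled"]
  }
}

resource "kubernetes_namespace_v1" "app" {
  metadata {
    name   = "app"                          # assumed namespace
    labels = { reloader = "enabled" }       # matches reloader.namespace_selector
  }
}

# The SecretStore is not created by this module; "aws-secrets-manager" is an
# assumed name for a store created elsewhere (e.g. by a cloud-specific module).
resource "kubernetes_manifest" "app_db" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "app-db"
      namespace = kubernetes_namespace_v1.app.metadata[0].name
    }
    spec = {
      refreshInterval = "1h"                 # how often ESO re-reads the external API
      secretStoreRef  = { name = "aws-secrets-manager", kind = "SecretStore" }
      target = {
        name           = "app-db"            # the Kubernetes Secret ESO writes
        creationPolicy = "Owner"             # ESO owns the Secret; it is removed with the ExternalSecret
        template = {
          # Label the generated Secret so reloader.resource_selector matches it.
          metadata = { labels = { reloader = "enabled" } }
        }
      }
      data = [{
        secretKey = "password"
        remoteRef = { key = "prod/app/db", property = "password" } # assumed remote key
      }]
    }
  }

  # The ExternalSecret CRD must be installed before this resource is applied.
  depends_on = [module.eso]
}

resource "kubernetes_deployment_v1" "app" {
  metadata {
    name      = "app"
    namespace = kubernetes_namespace_v1.app.metadata[0].name
    annotations = {
      # Reloader performs a rolling restart of this Deployment when the
      # Secret "app-db" changes.
      "secret.reloader.stakater.com/reload" = "app-db"
    }
  }
  spec {
    replicas = 1
    selector { match_labels = { app = "app" } }
    template {
      metadata { labels = { app = "app" } }
      spec {
        container {
          name  = "app"
          image = "registry.example.com/app:1.0" # assumed image
          env {
            name = "DB_PASSWORD"
            value_from {
              secret_key_ref {
                name = "app-db"
                key  = "password"
              }
            }
          }
        }
      }
    }
  }
  depends_on = [kubernetes_manifest.app_db]
}
```

Two caveats apply. `kubernetes_manifest` needs the ExternalSecret CRD to exist on the cluster at plan time, so in practice the module and the ExternalSecret are applied in separate Terraform runs or workspaces; `depends_on` alone does not make a single run work on a fresh cluster. The value ESO fetches ends up as an ordinary Secret in etcd, readable by anyone with RBAC read access to Secrets in the `app` namespace, and the IAM role annotated on the operator's service account should be limited to the secret paths the cluster actually needs rather than to all secrets in the account.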
Variable | Description | Type | Default | Required | Sensitive |
---|---|---|---|---|---|
name_prefix | Naming prefix for all the resources created by the module | string | | yes | no |
create_namespace | Indicates whether to create a dedicated namespace for the stack deployment | bool | true | no | no |
eso | External Secrets Operator parameters | object | {} | no | no |
eso.app_version | External Secrets Operator version to deploy (image tag). If not set, the chart uses its corresponding default | string | | no | no |
eso.chart_version | External Secrets Operator Helm chart version to deploy | string | 0.10.7 | no | no |
eso.custom_values | External Secrets Operator Helm chart custom values | map(string) | {} | no | no |
eso.enabled | Indicates whether to deploy the External Secrets Operator Helm chart into the Kubernetes cluster | bool | true | no | no |
eso.install_crds | Indicates whether CRDs are managed through the Helm chart | bool | true | no | no |
eso.serviceaccount | External Secrets Operator service account parameters | object | | no | no |
eso.serviceaccount.annotations | External Secrets Operator service account annotations | map(string) | {} | no | no |
eso.serviceaccount.create | Indicates whether to create the External Secrets Operator service account | bool | false | no | no |
eso.serviceaccount.name | External Secrets Operator service account name | string | secrets-operator | no | no |
namespace | The namespace to install External Secrets Operator and Reloader into | string | external-secrets-operator | no | no |
node_selector | Node selector for the stack components | map(string) | {} | no | no |
reloader | Reloader parameters | object | {} | no | no |
reloader.app_version | Reloader version to deploy (image tag) | string | v1.0.64 | no | no |
reloader.chart_version | Reloader Helm chart version to deploy | string | 1.0.65 | no | no |
reloader.enabled | Indicates whether to deploy the Reloader Helm chart into the Kubernetes cluster | bool | true | no | no |
reloader.namespace_selector | List of Kubernetes label selectors for Namespace selection, passed to Reloader as a comma-separated list | list(string) | [] | no | no |
reloader.resource_selector | List of Kubernetes label selectors for ConfigMap/Secret selection, passed to Reloader as a comma-separated list | list(string) | [] | no | no |
Output | Description | Type | Sensitive |
---|---|---|---|
namespace | The namespace name where External Secrets Operator and Reloader were installed | resource | no |
Dependency | Version | Kind |
---|---|---|
terraform | >= 1.3 | CLI |
hashicorp/helm | ~> 2.5 | provider |
hashicorp/kubernetes | ~> 2.9 | provider |