Kubernetes ESO

Helm-based setup of External Secrets Operator and Reloader with Terraform. External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret. Reloader is a tool that can track the changes in ConfigMap and Secret and apply rolling upgrades on Pods with their associated DeploymentConfigs, Deployments, Daemonsets Statefulsets and Rollouts.

For cloud-specific implementations, the module does not support creation of a ClusterSecretStore Custom Resource Definition. This module is supposed to be used as a basis for the cloud-specific implementations that cover integration with cloud secrets storages.

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_k8s_eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0.2"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 1.0 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "1.0.2"

€190

BUY

1,069

License

v1.0.2 released 10 months, 1 week ago

New version approx. every 12 weeks

Changelog

Deploy External Secrets Operator and Reloader with default parameters:

 hclmodule "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"
}

Deploy External Secrets Operator only (without Reloader service):

 hclmodule "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  reloader = {
    enabled = false
  }
}

Deploy External Secrets Operator with a custom service account and Reloader selectors:

 hclmodule "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  eso = {
    serviceaccount = {
      create = true
      name   = "secrets-operator"

      annotations = {
        "eks\\.amazonaws\\.com/role-arn" = data.aws_iam_role.allow_k8s_manage_secrets.arn
      }
    }
  }

  reloader = {
    namespace_selector = ["foo=bar"]
    resource_selector  = ["reload=yes"]
  }
}

Deploy External Secrets Operator and Reloader with full customization:

 hclmodule "eso" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-eso/helm"
  version = "~> 1.0"

  name_prefix      = "stage"
  namespace        = "eso"
  create_namespace = true

  node_selector = {
    node = "maintenance"
  }

  eso = {
    enabled       = true
    chart_version = "yyyyy"
    app_version   = "xxxxx"
    install_crds  = true

    custom_values = {
      foo = "bar"
    }

    serviceaccount = {
      create = true
      name   = "secrets-operator"

      annotations = {
        "eks\\.amazonaws\\.com/role-arn" = data.aws_iam_role.allow_k8s_manage_secrets.arn
      }
    }
  }

  reloader = {
    enabled            = true
    chart_version      = "yyyyy"
    app_version        = "xxxxx"
    namespace_selector = ["foo=bar"]
    resource_selector  = ["reload=yes"]
  }
}

Variable	Description	Type	Default	Required	Sensitive
`name_prefix`	Naming prefix for all the resources created by the module	`string`		yes	no
`create_namespace`	Indicates whether to create a dedicated namespace for the stack deployment	`bool`	`true`	no	no
`eso`	External Secrets Operator parameters	`object`	`{}`	no	no
`eso.app_version`	External Secrets Operator version to deploy (image tag). If not set, the chart uses its corresponding default	`string`		no	no
`eso.chart_version`	External Secrets Operator Helm chart version to deploy	`string`	`0.10.7`	no	no
`eso.custom_values`	External Secrets Operator Helm chart custom values	`map(string)`	`{}`	no	no
`eso.enabled`	Indicates either to deploy the External Secrets Operator Helm chart into the Kubernetes cluster	`bool`	`true`	no	no
`eso.install_crds`	Indicates either to manage CRDs through Helm chart	`bool`	`true`	no	no
`eso.serviceaccount`	External Secrets Operator service account parameters	`object`		no	no
`eso.serviceaccount.annotations`	External Secrets Operator service account annotations	`map(string)`	`{}`	no	no
`eso.serviceaccount.create`	Indicates creation of External Secrets Operator service account	`bool`	`false`	no	no
`eso.serviceaccount.name`	External Secrets Operator service account name	`string`	`secrets-operator`	no	no
`namespace`	The namespace to install the External Secrets Operator and Reloader into	`string`	`external-secrets-operator`	no	no
`node_selector`	Node selector for the stack components	`map(string)`	`{}`	no	no
`reloader`	Reloader parameters	`object`	`{}`	no	no
`reloader.app_version`	Reloader version to deploy (image tag)	`string`	`v1.0.64`	no	no
`reloader.chart_version`	Reloader Helm chart version to deploy	`string`	`1.0.65`	no	no
`reloader.enabled`	Indicates either to deploy the Reloader Helm chart into the Kubernetes cluster	`bool`	`true`	no	no
`reloader.namespace_selector`	Comma separated list of k8s label selectors for Namespace selection	`list(string)`	`[]`	no	no
`reloader.resource_selector`	Comma separated list of k8s label selectors for ConfigMap/Secret selection	`list(string)`	`[]`	no	no