Merge pull request #87 from XenitAB/feature/csi-secrets-store-provide…

…r-azure Add csi-secrets-store-provider-azure
XenitAB · Dec 15, 2020 · 52a2f15 · 52a2f15
2 parents 83e6443 + 8973834
commit 52a2f15
Show file tree

Hide file tree

Showing 11 changed files with 143 additions and 4 deletions.
diff --git a/modules/kubernetes/README.md b/modules/kubernetes/README.md
@@ -7,6 +7,7 @@ This directory contains all the Kubernetes Terraform modules.
 - [`aks-core`](aks-core/README.md)
 - [`aad-pod-identity`](aad-pod-identity/README.md)
 - [`cert-manager`](cert-manager/README.md)
+- [`csi-secrets-store-provider-azure`](csi-secrets-store-provider-azure/README.md)
 - [`external-dns`](external-dns/README.md)
 - [`fluxcd-v1`](fluxcd-v1/README.md)
 - [`fluxcd-v2-azdo`](fluxcd-v2-azdo/README.md)

diff --git a/modules/kubernetes/aks-core/README.md b/modules/kubernetes/aks-core/README.md
@@ -31,6 +31,7 @@ This module is used to create AKS clusters.
 | aad\_pod\_identity\_enabled | Should aad-pod-identity be enabled | `bool` | `true` | no |
 | cert\_manager\_config | Cert Manager configuration | <pre>object({<br>    notification_email = string<br>  })</pre> | n/a | yes |
 | cert\_manager\_enabled | Should Cert Manager be enabled | `bool` | `true` | no |
+| csi\_secrets\_store\_provider\_azure\_enabled | Should csi-secrets-store-provider-azure be enabled | `bool` | `true` | no |
 | environment | The environment name to use for the deploy | `string` | n/a | yes |
 | external\_dns\_config | External DNS configuration | <pre>object({<br>    client_id   = string<br>    resource_id = string<br>  })</pre> | n/a | yes |
 | external\_dns\_enabled | Should External DNS be enabled | `bool` | `true` | no |

diff --git a/modules/kubernetes/aks-core/modules.tf b/modules/kubernetes/aks-core/modules.tf
@@ -10,7 +10,7 @@ module "opa_gatekeeper" {
 
   exclude = [
     {
-      excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno"]
+      excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno", "csi-secrets-store-provider-azure"]
       processes           = ["*"]
     }
   ]
@@ -195,3 +195,16 @@ module "kyverno" {
 
   namespaces = [for ns in var.namespaces : ns.name]
 }
+
+# csi-secrets-store-provider-azure
+module "csi_secrets_store_provider_azure" {
+  depends_on = [module.opa_gatekeeper]
+
+  for_each = {
+    for s in ["csi-secrets-store-provider-azure"] :
+    s => s
+    if var.csi_secrets_store_provider_azure_enabled
+  }
+
+  source = "../../kubernetes/csi-secrets-store-provider-azure"
+}
diff --git a/modules/kubernetes/aks-core/variables.tf b/modules/kubernetes/aks-core/variables.tf
@@ -181,3 +181,9 @@ variable "kyverno_enabled" {
   type        = bool
   default     = true
 }
+
+variable "csi_secrets_store_provider_azure_enabled" {
+  description = "Should csi-secrets-store-provider-azure be enabled"
+  type        = bool
+  default     = true
+}
diff --git a/modules/kubernetes/csi-secrets-store-provider-azure/README.md b/modules/kubernetes/csi-secrets-store-provider-azure/README.md
@@ -0,0 +1,27 @@
+# Azure Key Vault Provider for Secrets Store CSI Driver
+
+Adds [csi-secrets-store-provider-azure](https://github.com/Azure/secrets-store-csi-driver-provider-azure) to a Kubernetes cluster.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | 0.13.5 |
+| helm | 1.3.2 |
+| kubernetes | 1.13.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| helm | 1.3.2 |
+| kubernetes | 1.13.3 |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+No output.
+
diff --git a/modules/kubernetes/csi-secrets-store-provider-azure/main.tf b/modules/kubernetes/csi-secrets-store-provider-azure/main.tf
@@ -0,0 +1,60 @@
+/**
+  * # Azure Key Vault Provider for Secrets Store CSI Driver
+  *
+  * Adds [csi-secrets-store-provider-azure](https://github.com/Azure/secrets-store-csi-driver-provider-azure) to a Kubernetes cluster.
+  */
+
+terraform {
+  required_version = "0.13.5"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "1.13.3"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "1.3.2"
+    }
+  }
+}
+
+locals {
+  namespace          = "csi-secrets-store-provider-azure"
+  chart_release_name = "csi-secrets-store-provider-azure"
+  chart_repository   = "https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts"
+  chart_name         = "csi-secrets-store-provider-azure"
+  chart_version      = "0.0.13"
+}
+
+resource "kubernetes_namespace" "this" {
+  metadata {
+    labels = {
+      name = local.namespace
+    }
+    name = local.namespace
+  }
+}
+
+resource "helm_release" "csi_secrets_store_provider_azure" {
+  name       = local.chart_release_name
+  repository = local.chart_repository
+  chart      = local.chart_name
+  version    = local.chart_version
+  namespace  = kubernetes_namespace.this.metadata[0].name
+
+  set {
+    name  = "linux.tolerations[0].operator"
+    value = "Exists"
+  }
+
+  set {
+    name  = "secrets-store-csi-driver.linux.metricsAddr"
+    value = ":8081"
+  }
+
+  set {
+    name  = "secrets-store-csi-driver.linux.tolerations[0].operator"
+    value = "Exists"
+  }
+}
diff --git a/modules/kubernetes/csi-secrets-store-provider-azure/outputs.tf b/modules/kubernetes/csi-secrets-store-provider-azure/outputs.tf
diff --git a/modules/kubernetes/csi-secrets-store-provider-azure/variables.tf b/modules/kubernetes/csi-secrets-store-provider-azure/variables.tf
diff --git a/modules/kubernetes/opa-gatekeeper/README.md b/modules/kubernetes/opa-gatekeeper/README.md
@@ -100,7 +100,7 @@ as the same values are passed to both of the charts, there will never be a diffe
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | additional\_constraints | Additional constraints that should be added | <pre>list(object({<br>    kind               = string<br>    name               = string<br>    enforcement_action = string<br>    match = object({<br>      kinds = list(object({<br>        apiGroups = list(string)<br>        kinds     = list(string)<br>      }))<br>      namespaces = list(string)<br>    })<br>    parameters = any<br>  }))</pre> | `[]` | no |
-| default\_constraints | Default constraints that should be added | <pre>list(object({<br>    kind               = string<br>    name               = string<br>    enforcement_action = string<br>    match = object({<br>      kinds = list(object({<br>        apiGroups = list(string)<br>        kinds     = list(string)<br>      }))<br>      namespaces = list(string)<br>    })<br>    parameters = any<br>  }))</pre> | <pre>[<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPAllowPrivilegeEscalationContainer",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-allow-privilege-escalation-container",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPHostNamespace",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-host-namespace",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPHostNetworkingPorts",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-host-network-ports",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPFlexVolumes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-flexvolume-drivers",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPPrivilegedContainer",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-privileged-container",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPProcMount",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-proc-mount",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPReadOnlyRootFilesystem",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-readonlyrootfilesystem",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPVolumeTypes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-volume-types",<br>    "parameters": {<br>      "volumes": [<br>        "configMap",<br>        "downwardAPI",<br>        "emptyDir",<br>        "persistentVolumeClaim",<br>        "secret",<br>        "projected"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPCapabilities",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-capabilities",<br>    "parameters": {<br>      "allowedCapabilities": [<br>        ""<br>      ],<br>      "requiredDropCapabilities": [<br>        "NET_RAW"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sBlockNodePort",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "block-node-port",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sRequiredProbes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "required-probes",<br>    "parameters": {<br>      "probeTypes": [<br>        "tcpSocket",<br>        "httpGet",<br>        "exec"<br>      ],<br>      "probes": [<br>        "readinessProbe"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPodPriorityClass",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "pod-priority-class",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sExternalIPs",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "external-ips",<br>    "parameters": {}<br>  }<br>]</pre> | no |
+| default\_constraints | Default constraints that should be added | <pre>list(object({<br>    kind               = string<br>    name               = string<br>    enforcement_action = string<br>    match = object({<br>      kinds = list(object({<br>        apiGroups = list(string)<br>        kinds     = list(string)<br>      }))<br>      namespaces = list(string)<br>    })<br>    parameters = any<br>  }))</pre> | <pre>[<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPAllowPrivilegeEscalationContainer",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-allow-privilege-escalation-container",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPHostNamespace",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-host-namespace",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPHostNetworkingPorts",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-host-network-ports",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPFlexVolumes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-flexvolume-drivers",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPPrivilegedContainer",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-privileged-container",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPProcMount",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-proc-mount",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPReadOnlyRootFilesystem",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-readonlyrootfilesystem",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPVolumeTypes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-volume-types",<br>    "parameters": {<br>      "volumes": [<br>        "configMap",<br>        "downwardAPI",<br>        "emptyDir",<br>        "persistentVolumeClaim",<br>        "secret",<br>        "projected",<br>        "csi"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPSPCapabilities",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "psp-capabilities",<br>    "parameters": {<br>      "allowedCapabilities": [<br>        ""<br>      ],<br>      "requiredDropCapabilities": [<br>        "NET_RAW"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sBlockNodePort",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "block-node-port",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "dryrun",<br>    "kind": "K8sRequiredProbes",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "required-probes",<br>    "parameters": {<br>      "probeTypes": [<br>        "tcpSocket",<br>        "httpGet",<br>        "exec"<br>      ],<br>      "probes": [<br>        "readinessProbe"<br>      ]<br>    }<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sPodPriorityClass",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "pod-priority-class",<br>    "parameters": {}<br>  },<br>  {<br>    "enforcement_action": "",<br>    "kind": "K8sExternalIPs",<br>    "match": {<br>      "kinds": [],<br>      "namespaces": []<br>    },<br>    "name": "external-ips",<br>    "parameters": {}<br>  }<br>]</pre> | no |
 | exclude | Namespaces to opt out of constraints | <pre>list(object({<br>    excluded_namespaces = list(string)<br>    processes           = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "excluded_namespaces": [<br>      "kube-system",<br>      "gatekeeper-system"<br>    ],<br>    "processes": [<br>      "*"<br>    ]<br>  }<br>]</pre> | no |
 
 ## Outputs

diff --git a/modules/kubernetes/opa-gatekeeper/variables.tf b/modules/kubernetes/opa-gatekeeper/variables.tf
@@ -93,7 +93,7 @@ variable "default_constraints" {
         namespaces = []
       }
       parameters = {
-        volumes = ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "secret", "projected"]
+        volumes = ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "secret", "projected", "csi"]
       }
     },
     {
@@ -122,7 +122,7 @@ variable "default_constraints" {
     {
       kind               = "K8sRequiredProbes"
       name               = "required-probes"
-      enforcement_action = ""
+      enforcement_action = "dryrun"
       match = {
         kinds      = []
         namespaces = []

diff --git a/validation/kubernetes/csi-secrets-store-provider-azure/main.tf b/validation/kubernetes/csi-secrets-store-provider-azure/main.tf
@@ -0,0 +1,31 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "1.13.3"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "1.3.2"
+    }
+  }
+}
+
+provider "kubernetes" {
+  load_config_file = "false"
+}
+
+provider "helm" {
+  kubernetes {
+    load_config_file = "false"
+  }
+}
+
+module "csi_secrets_store_provider_azure" {
+  source = "../../../modules/kubernetes/csi-secrets-store-provider-azure"
+
+  providers = {
+    kubernetes = kubernetes
+    helm = helm
+  }
+}