Add rekor-mysql ExternalSecret (#1099)

Add a kubectl_manifest terraform resource to create an ExternalSecret
for rekor to use to connect to the searchindexes MySQL database when
using MySQL as the index storage backend.

The username and password are the same as for the trillian database, but
they need to be accessible from the rekor-system namespace, so we create
another ExternalSecret but it can pull from the same GCP secret.

Signed-off-by: Colleen Murphy <[email protected]>

terraform/gcp/modules/external_secrets/external_secrets.tf

@@ -112,3 +112,42 @@ YAML
     kubectl_manifest.trillian_namespace
   ]
 }
+
+resource "kubectl_manifest" "rekor_namespace" {
+  yaml_body = <<YAML
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rekor-system
+YAML
+}
+
+resource "kubectl_manifest" "rekor_mysql_external_secret" {
+  yaml_body = <<YAML
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rekor-mysql
+  namespace: rekor-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-backend
+  target:
+    name: rekor-mysql
+    template:
+      data:
+        mysql-database: "${var.rekor_mysql_dbname}"
+        mysql-password: "{{ .mysqlPassword | toString }}"  # <-- convert []byte to string
+        mysql-user: trillian
+  data:
+  - secretKey: mysqlPassword
+    remoteRef:
+      key: mysql-password
+YAML
+
+  depends_on = [
+    kubectl_manifest.secretstore_gcp_backend,
+    kubectl_manifest.rekor_namespace
+  ]
+}

terraform/gcp/modules/external_secrets/variables.tf

@@ -37,3 +37,9 @@ variable "mysql_dbname" {
   description = "Name of MySQL database."
   default     = "trillian"
 }
+
+variable "rekor_mysql_dbname" {
+  type        = string
+  description = "Name of the MySQL database for Rekor search indexes."
+  default     = "searchindexes"
+}