From b55bb16220ef9c2e57994a6469a3935b2861a93e Mon Sep 17 00:00:00 2001
From: Colleen Murphy <cmurphy@users.noreply.github.com>
Date: Tue, 14 May 2024 08:27:15 -0700
Subject: [PATCH] Add rekor-mysql ExternalSecret (#1099)

Add a kubectl_manifest terraform resource to create an ExternalSecret
for rekor to use to connect to the searchindexes MySQL database when
using MySQL as the index storage backend.

The username and password are the same as for the trillian database, but
they need to be accessible from the rekor-system namespace, so we create
another ExternalSecret but it can pull from the same GCP secret.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
---
 .../external_secrets/external_secrets.tf      | 39 +++++++++++++++++++
 .../gcp/modules/external_secrets/variables.tf |  6 +++
 2 files changed, 45 insertions(+)

diff --git a/terraform/gcp/modules/external_secrets/external_secrets.tf b/terraform/gcp/modules/external_secrets/external_secrets.tf
index f84d18119..d8325f9d4 100644
--- a/terraform/gcp/modules/external_secrets/external_secrets.tf
+++ b/terraform/gcp/modules/external_secrets/external_secrets.tf
@@ -112,3 +112,42 @@ YAML
     kubectl_manifest.trillian_namespace
   ]
 }
+
+resource "kubectl_manifest" "rekor_namespace" {
+  yaml_body = <<YAML
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rekor-system
+YAML
+}
+
+resource "kubectl_manifest" "rekor_mysql_external_secret" {
+  yaml_body = <<YAML
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rekor-mysql
+  namespace: rekor-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-backend
+  target:
+    name: rekor-mysql
+    template:
+      data:
+        mysql-database: "${var.rekor_mysql_dbname}"
+        mysql-password: "{{ .mysqlPassword | toString }}"  # <-- convert []byte to string
+        mysql-user: trillian
+  data:
+  - secretKey: mysqlPassword
+    remoteRef:
+      key: mysql-password
+YAML
+
+  depends_on = [
+    kubectl_manifest.secretstore_gcp_backend,
+    kubectl_manifest.rekor_namespace
+  ]
+}
diff --git a/terraform/gcp/modules/external_secrets/variables.tf b/terraform/gcp/modules/external_secrets/variables.tf
index 33e1e2c20..207b4a2be 100644
--- a/terraform/gcp/modules/external_secrets/variables.tf
+++ b/terraform/gcp/modules/external_secrets/variables.tf
@@ -37,3 +37,9 @@ variable "mysql_dbname" {
   description = "Name of MySQL database."
   default     = "trillian"
 }
+
+variable "rekor_mysql_dbname" {
+  type        = string
+  description = "Name of the MySQL database for Rekor search indexes."
+  default     = "searchindexes"
+}