clouddrove · Tanveer143s · Jan 25, 2024 · Feb 5, 2024 · Feb 6, 2024 · Feb 6, 2024
@@ -2,9 +2,10 @@
   name            = "helm-addons"
   environment     = "test"
   region          = "us-central1"
-  cluster_version = "latest"
+  cluster_version = "1.29.0-gke.1381000"
   gcp_project_id  = "dev-env-3b53"
+  cluster_name    = "test-cluster1"
   tags = {
     Name        = local.name
     Environment = local.environment
    GithubRepo  = "terraform-helm-gke-addons"

@@ -96,7 +96,7 @@ module "gke" {
     {
       name                         = "general"
       machine_type                 = "g1-small"
-      node_locations               = "${local.region}-a"
+      node_locations               = "${local.region}-c"
       min_count                    = 1
       max_count                    = 5
       local_ssd_count              = 0
@@ -117,6 +117,7 @@ module "gke" {
     {
       name                         = "critical"
       machine_type                 = "g1-small"
+      node_locations               = "${local.region}-a"
       node_locations               = "${local.region}-c"
       min_count                    = 1
       max_count                    = 3
@@ -167,12 +168,8 @@ module "gke" {
   }
 
   node_pools_tags = {
-    all = [
-      local.tags.Name,
-      local.tags.Environment,
-      local.tags.GithubRepo,
-      local.tags.GithubOrg,
-    ]
+    all = []
+
     default-node-pool = [
       "default-node-pool",
     ]
@@ -189,14 +186,17 @@ module "addons" {
 
   depends_on       = [module.gke]
   gke_cluster_name = module.gke.name
+  environment      = local.environment
   project_id       = local.gcp_project_id
   region           = local.region
 
-  cluster_autoscaler    = true
-  reloader              = true
-  ingress_nginx         = true
-  certification_manager = true
-  keda                  = true
-  kubeclarity           = true
-  external_dns          = true
+  cluster_autoscaler      = true
+  reloader                = true
+  ingress_nginx           = true
+  certification_manager   = true
+  keda                    = true
+  external_secret_enabled = true
+  kubeclarity             = true
+  external_dns            = true
+
 }
@@ -0,0 +1,21 @@
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: "cloud.google.com/gke-nodepool"
+          operator: In
+          values:
+          - "critical"
+
+## Using limits and requests
+resourc_helm_configes:
+  limits:
+    cpu: 100m
+    memory: 512Mi
+  requests:
+    cpu: 10m
+    memory: 128Mi
+
+podAnnotations:
+  co.elastic.logs/enabled: "true"
@@ -2,8 +2,9 @@
   name            = "helm-addons"
   environment     = "test"
   region          = "us-central1"
-  cluster_version = "latest"
+  cluster_version = "1.29.0-gke.1381000"
   gcp_project_id  = "dev-env-3b53"
+  cluster_name    = "test-cluster1"
   tags = {
     Name        = local.name
     Environment = local.environment

@@ -191,30 +191,37 @@ module "addons" {
   gke_cluster_name = module.gke.name
   project_id       = local.gcp_project_id
   region           = local.region
+  environment      = "test"
 
   cluster_autoscaler    = false
   reloader              = false
   ingress_nginx         = false
   certification_manager = false
   keda                  = false
+  external_secrets      = false
   external_dns          = false
   kubeclarity           = false
 
+
   # -- Path of override-values.yaml file
   cluster_autoscaler_helm_config    = { values = [file("./config/override-cluster-autoscaler.yaml")] }
   reloader_helm_config              = { values = [file("./config/reloader/override-reloader.yaml")] }
   ingress_nginx_helm_config         = { values = [file("./config/override-ingress-nginx.yaml")] }
   certification_manager_helm_config = { values = [file("./config/override-certification-manager.yaml")] }
   keda_helm_config                  = { values = [file("./config/keda/override-keda.yaml")] }
+  external_secrets_helm_config      = { values = [file("./config/override-externalsecret.yaml")] }
   external_dns_helm_config          = { values = [file("./config/override-external-dns.yaml")] }
   kubeclarity_helm_config           = { values = [file("./config/override-kubeclarity.yaml")] }
 
+
   # -- Override Helm Release attributes
   cluster_autoscaler_extra_configs    = var.cluster_autoscaler_extra_configs
   reloader_extra_configs              = var.reloader_extra_configs
   ingress_nginx_extra_configs         = var.ingress_nginx_extra_configs
   certification_manager_extra_configs = var.certification_manager_extra_configs
   keda_extra_configs                  = var.keda_extra_configs
+  external_secrets_extra_configs      = var.external_secrets_extra_configs
   external_dns_extra_configs          = var.external_dns_extra_configs
   kubeclarity_extra_configs           = var.kubeclarity_extra_configs
+
 }
@@ -32,7 +32,14 @@ variable "keda_extra_configs" {
   default = {}
 }
 
-# ------------------ EXTERNAL DNS --------------------------------------------------
+# ------------------ EXTERNAL SECRET ------------------------------------------
+variable "external_secrets_extra_configs" {
+  description = "Override attributes of helm_release terraform resource"
+  type        = any
+  default     = {}
+}
+
+# ------------------ EXTERNAL DNS ---------------------------------------------
 variable "external_dns_extra_configs" {
   type    = any
   default = {}
@@ -42,3 +49,4 @@ variable "kubeclarity_extra_configs" {
   type    = any
   default = {}
 }
+
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: test
+spec:
+  refreshInterval: 1h             # rate SecretManager pulls GCPSM
+  secretStoreRef:
+    kind: SecretStore
+    name: gcp-store               # name of the SecretStore (or kind specified)
+  target:
+    name: test    # name of the k8s Secret to be created
+    creationPolicy: Owner
+  data:
+  dataFrom:
+  - extract:
+      key: test
+      property: cert.key  # optional field Label to match exactly
+  - secretKey: test
+    remoteRef:
+      key: test      # name of the GCPSM secret key
@@ -0,0 +1,8 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: gcp-store
+spec:
+  provider:
+    gcpsm:
+      projectID: ""
@@ -0,0 +1,61 @@
+replicaCount: 1
+
+# -- If set, install and upgrade CRDs through helm chart.
+installCRDs: true
+
+resources: {}
+
+podAnnotations:
+  co.elastic.logs/enabled: "true"
+
+serviceAccount:
+  annotations:
+    iam.gke.io/gcp-service-account: ${service_account_email}
+
+serviceMonitor:
+  enabled: ${enable_service_monitor}
+  namespace: "secrets"
+  additionalLabels:
+    release: "prometheus-operator"
+
+affinity: {}
+
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+
+webhook:
+  create: true
+  certCheckInterval: "5m"
+  replicaCount: 1
+  affinity: {}         
+  resources: {}
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+  serviceMonitor:
+    enabled: ${enable_service_monitor}
+    additionalLabels:
+      release: "prometheus-operator"
+    interval: 30s
+    scrapeTimeout: 25s
+  serviceAccount:
+    create: true
+    annotations:
+      iam.gke.io/gcp-service-account: ${service_account_email}
+
+
+
+certController:
+  create: true
+  requeueInterval: "5m"
+  affinity: {}
+  resources: {}
+  podAnnotations:
+    co.elastic.logs/enabled: "true"
+  serviceMonitor:
+    enabled: ${enable_service_monitor}
+    additionalLabels:
+      release: "prometheus-operator"
+    interval: 30s
@@ -0,0 +1,15 @@
+locals {
+  name = "external-secrets"
+
+  default_helm_config = {
+    repository = try(var.external_secrets_extra_configs.repository, "https://charts.external-secrets.io/")
+    version    = try(var.external_secrets_extra_configs.version, "0.9.11")
+    namespace  = try(var.external_secrets_extra_configs.namespace, "secret")
+
+  }
+
+  helm_config = merge(
+    local.default_helm_config,
+    var.helm_config,
+  )
+}
@@ -0,0 +1,46 @@
+resource "google_service_account" "external_secrets" {
+  project      = var.project_id
+  account_id   = format("%s-%s-%s", var.environment, var.GCP_GSA_NAME, var.name)
+  display_name = "Service Account for External Secrets"
+}
+
+resource "google_project_iam_member" "secretadmin" {
+  project = var.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "serviceAccount:${google_service_account.external_secrets.email}"
+}
+
+resource "google_project_iam_member" "service_account_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.external_secrets.email}"
+}
+
+resource "google_service_account_iam_member" "pod_identity" {
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[secrets/${var.GCP_KSA_NAME}]"
+  service_account_id = google_service_account.external_secrets.name
+}
+
+resource "kubernetes_namespace" "external_secrets" {
+  metadata {
+    name = "secrets"
+  }
+}
+
+resource "helm_release" "external_secrets" {
+  depends_on = [kubernetes_namespace.external_secrets]
+  name       = "external-secrets"
+  repository = "https://charts.external-secrets.io"
+  chart      = "external-secrets"
+  namespace  = "secrets"
+  timeout    = 300
+  version    = var.external_secrets_version
+
+  values = [
+    templatefile("${path.module}/config/values.yaml", {
+      enable_service_monitor = var.enable_service_monitor,
+      service_account_email  = "${var.environment}-${var.GCP_GSA_NAME}-${var.name}@${var.project_id}.iam.gserviceaccount.com"
+    })
+  ]
+}
@@ -0,0 +1,11 @@
+output "namespace" {
+  value = local.default_helm_config.namespace
+}
+
+output "chart_version" {
+  value = local.default_helm_config.version
+}
+
+output "repository" {
+  value = local.default_helm_config.repository
+}