From fd9977d12c2b9b52c80876d2d5a957f925b9f3a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Svantesson?=
Date: Wed, 13 Nov 2024 17:48:34 +0100
Subject: [PATCH] feat: support providing values to vault charts
---
 README.md | 8 +++++---
 main.tf | 6 ++++--
 modules/backup/README.md | 2 +-
 modules/cluster/README.md | 6 +++---
 modules/vault/README.md | 2 ++
 modules/vault/charts.tf | 6 ++++--
 modules/vault/variables.tf | 12 ++++++++++++
 variables.tf | 12 ++++++++++++
 8 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 09a80b5..fad05b4 100644
--- a/README.md
+++ b/README.md
@@ -434,7 +434,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [apex\_domain](#input\_apex\_domain) | The main domain to either use directly or to configure a subdomain from | `string` | `""` | no | | [asm\_role](#input\_asm\_role) | DEPRECATED: Use the new bot\_iam\_role input with he same semantics instead. | `string` | `""` | no | | [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no | -| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | +| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | | [cluster\_name](#input\_cluster\_name) | Variable to provide your desired name for the cluster | `string` | n/a | yes | | [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes | | [create\_and\_configure\_subdomain](#input\_create\_and\_configure\_subdomain) | Flag to create an NS record set for the subdomain in the apex domain's Hosted Zone | `bool` | `false` | no | @@ -470,7 +470,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | | [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | | [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenkins X cluster git repository | `string` | `""` | no | -| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | +| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | | [manage\_apex\_domain](#input\_manage\_apex\_domain) | Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no | | [manage\_subdomain](#input\_manage\_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no | | [nginx\_chart\_version](#input\_nginx\_chart\_version) | nginx chart version | `string` | n/a | yes | @@ -490,6 +490,8 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [use\_asm](#input\_use\_asm) | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no | | [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | | [use\_vault](#input\_use\_vault) | Flag to control vault resource creation | `bool` | `true` | no | +| [vault\_instance\_values](#input\_vault\_instance\_values) | Extra values for vault-instance chart as a list of yaml formated strings | `list(string)` | `[]` | no | +| [vault\_operator\_values](#input\_vault\_operator\_values) | Extra values for vault-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | | [vault\_url](#input\_vault\_url) | URL to an external Vault instance in case Jenkins X does not create its own system Vault | `string` | `""` | no | | [velero\_namespace](#input\_velero\_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no | | [velero\_schedule](#input\_velero\_schedule) | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup.yaml)) | `string` | `"0 * * * *"` | no | 
@@ -507,7 +509,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [cluster\_name](#output\_cluster\_name) | The name of the created cluster | | [cluster\_ssm\_iam\_role](#output\_cluster\_ssm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) | | [cm\_cainjector\_iam\_role](#output\_cm\_cainjector\_iam\_role) | The IAM Role that the CM CA Injector pod will assume to authenticate | -| [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,
this command is already executed as part of the apply, you may have to provide the region and
profile as environment variables " | +| [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,
this command is already executed as part of the apply, you may have to provide the region and
profile as environment variables " | | [controllerbuild\_iam\_role](#output\_controllerbuild\_iam\_role) | The IAM Role that the ControllerBuild pod will assume to authenticate | | [external\_dns\_iam\_role](#output\_external\_dns\_iam\_role) | The IAM Role that the External DNS pod will assume to authenticate | | [jx\_requirements](#output\_jx\_requirements) | The jx-requirements rendered output |
diff --git a/main.tf b/main.tf
index 6740b98..c80d323 100644
--- a/main.tf
+++ b/main.tf
@@ -50,8 +50,10 @@ module "cluster" {
 // See https://github.com/bank-vaults/bank-vaults
 // ----------------------------------------------------------------------------
 module "vault" {
- source = "./modules/vault"
- resource_count = var.use_vault && !local.external_vault && var.install_vault ? 1 : 0
+ source = "./modules/vault"
+ resource_count = var.use_vault && !local.external_vault && var.install_vault ? 1 : 0
+ vault_operator_values = var.vault_operator_values
+ vault_instance_values = var.vault_instance_values
 }
 // ----------------------------------------------------------------------------
diff --git a/modules/backup/README.md b/modules/backup/README.md
index 40cf9e4..0e4bf47 100644
--- a/modules/backup/README.md
+++ b/modules/backup/README.md
@@ -20,7 +20,7 @@ No requirements. | [enable\_acl](#input\_enable\_acl) | Flag to enable ACL instead of bucket ownership for S3 storage | `bool` | n/a | yes | | [enable\_backup](#input\_enable\_backup) | Whether or not Velero backups should be enabled | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Flag to determine whether storage buckets get forcefully destroyed | `bool` | `false` | no | -| [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` |
{
"Owner": "Jenkins-x"
}
| no | +| [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` |
{
"Owner": "Jenkins-x"
}
| no | | [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no | | [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | | [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | diff --git a/modules/cluster/README.md b/modules/cluster/README.md index f7be6ee..9da7d9c 100644 --- a/modules/cluster/README.md +++ b/modules/cluster/README.md @@ -30,7 +30,7 @@ No requirements. |------|-------------|------|---------|:--------:| | [additional\_tekton\_role\_policy\_arns](#input\_additional\_tekton\_role\_policy\_arns) | Additional Policy ARNs to attach to Tekton IRSA Role | `list(string)` | `[]` | no | | [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no | -| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | +| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({
name = string
value = string
type = string
}))
| `[]` | no | | [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes | | [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes | | [content](#input\_content) | Interpolated jx-requirements.yml | `string` | `""` | no | @@ -55,9 +55,9 @@ No requirements. | [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | | [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | | [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenins X cluster git repository | `string` | `""` | no | -| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | +| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
[
"/bin/bash",
"-c"
]
| no | | [region](#input\_region) | The region to create the resources into | `string` | `"us-east-1"` | no | -| [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` |
{
"Owner": "Jenkins-x"
}
| no | +| [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` |
{
"Owner": "Jenkins-x"
}
| no | | [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no | | [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | | [subnets](#input\_subnets) | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no |
diff --git a/modules/vault/README.md b/modules/vault/README.md
index 859ad4f..3725179 100644
--- a/modules/vault/README.md
+++ b/modules/vault/README.md
@@ -15,6 +15,8 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [resource\_count](#input\_resource\_count) | Number of resources to create (0 or 1) | `number` | n/a | yes | +| [vault\_instance\_values](#input\_vault\_instance\_values) | Extra values for vault-instance chart as a list of yaml formated strings | `list(string)` | `[]` | no | +| [vault\_operator\_values](#input\_vault\_operator\_values) | Extra values for vault-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | #### Outputs No outputs.
diff --git a/modules/vault/charts.tf b/modules/vault/charts.tf
index 21447b0..37bfca2 100644
--- a/modules/vault/charts.tf
+++ b/modules/vault/charts.tf
@@ -6,6 +6,7 @@ resource "helm_release" "vault-operator" {
 repository = "oci://ghcr.io/bank-vaults/helm-charts"
 version = "1.22.3"
 create_namespace = true
+ values = var.vault_operator_values
 }
 resource "helm_release" "vault-instance" {
@@ -14,7 +15,7 @@ resource "helm_release" "vault-instance" {
 chart = "vault-instance"
 namespace = "jx-vault"
 repository = "https://jenkins-x-charts.github.io/repo"
- version = "1.0.28"
+ version = "1.1.0"
 depends_on = [helm_release.vault-operator]
 set {
 name = "ingress.enabled"
@@ -22,7 +23,8 @@ resource "helm_release" "vault-instance" {
 }
 set {
- name = "bankVaultsImage"
+ name = "bankVaultsImage"
 value = "ghcr.io/bank-vaults/bank-vaults:v1.31.2"
 }
+ values = var.vault_instance_values
 }
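Review bot: The `values = var.vault_instance_values` added at the end of the last charts.tf hunk sits after the resource's `set {}` blocks, and in the Helm provider `set` entries are applied on top of `values`, so a consumer who tries to override `bankVaultsImage` or `ingress.enabled` through this list is silently ignored while everything else they pass is applied. A one-line comment next to the new attribute would save the next reader a debugging session, e.g. `# Merged under the set {} entries: keys pinned there (bankVaultsImage, ingress.enabled) cannot be overridden via values.`; the `values = var.vault_operator_values` line in the first hunk deserves the same note if that resource also carries `set {}` blocks outside the hunk. The version bump from `1.0.28` to `1.1.0` in the second hunk is not mentioned in the commit message ("support providing values to vault charts"); if the newer chart is required for the passed values to take effect, say so there, otherwise it reads as an unrelated change that should travel separately. Both helm_release blocks start outside the hunks.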
diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf
index d2bd7d9..8d34606 100644
--- a/modules/vault/variables.tf
+++ b/modules/vault/variables.tf
@@ -2,3 +2,15 @@ variable "resource_count" {
 description = "Number of resources to create (0 or 1)"
 type = number
 }
+
+variable "vault_operator_values" {
+ description = "Extra values for vault-operator chart as a list of yaml formated strings"
+ type = list(string)
+ default = []
+}
+
+variable "vault_instance_values" {
+ description = "Extra values for vault-instance chart as a list of yaml formated strings"
+ type = list(string)
+ default = []
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index dd72b54..44dabfd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -33,6 +33,18 @@ variable "install_vault" {
 default = true
 }
+variable "vault_operator_values" {
+ description = "Extra values for vault-operator chart as a list of yaml formated strings"
+ type = list(string)
+ default = []
+}
+
+variable "vault_instance_values" {
+ description = "Extra values for vault-instance chart as a list of yaml formated strings"
+ type = list(string)
+ default = []
+}
+
 // ----------------------------------------------------------------------------
 // Velero/backup
 // ----------------------------------------------------------------------------
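Review bot: The new variable descriptions in both hunks (modules/vault/variables.tf and variables.tf) say "yaml formated strings" and do not say how several list entries combine; since the README rows are generated from this text, fixing it here fixes all four places. Suggested: `description = "Extra values for vault-operator chart as a list of YAML-formatted strings; later entries override earlier ones"`, and likewise for vault-instance. Whatever is passed here is stored verbatim in the Terraform state and shown in plan output, so the description should also say that secrets belong in Kubernetes Secrets referenced from the values rather than inline in them; marking the variables `sensitive = true` would mask them in plan output but also masks every values diff, so documenting the expectation is the better trade-off. The first hunk also leaves modules/vault/variables.tf without a trailing newline (`\ No newline at end of file`), which a `terraform fmt` run should fix.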