Integrate SecretsStoreCSI Driver (Vault Provider) as secrets source option (#118)

kosyfrances · web-flow · commit 961c00356581 · 2025-03-11T17:39:36.000+01:00
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -61,3 +61,14 @@ Terraform Enterprise now supports the inclusion of a custom pod template via `ag
 With this, you can define your own specifications for the creation of the agent worker pods.
 The custom pod template must be a valid `corev1.PodTemplateSpec` and should be provided in YAML format. The `PodTemplateSpec` is
 documented at <https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-template-v1/#PodTemplateSpec>.
+
+
+## Vault CSI Provider
+Terraform Enterprise now supports [Vault CSI provider](https://developer.hashicorp.com/vault/docs/platform/k8s/csi). This allows TFE pods to consume Vault secrets using CSI Secrets Store volumes.
+
+The settings for this can be found in the `values.yaml` file under the `csi` section.
+If `csi.enabled` is set to true, the Vault CSI provider will be used to retrieve secrets, as it is the only supported provider. This requires using an external Vault.
+
+The Secrets Store CSI Driver also supports syncing to Kubernetes secret objects. The `secretObjects` section adds secret syncing for TFE if values are provided.
+
+**Note:** The Vault CSI Provider requires the [CSI Secret Store Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html) to be installed.
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -59,6 +59,14 @@ spec:
           secret:
             secretName: terraform-enterprise-ca-certificates
         {{- end }}
+        {{- if .Values.csi.enabled }}
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "{{ .Values.csi.secretProviderClass }}"
+        {{- end }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -127,6 +135,11 @@ spec:
             mountPath: {{ include "cacert.path" . }}
             subPath: {{ .Values.tls.caCertFileName }}
           {{- end }}
+          {{- if .Values.csi.enabled }}
+          - name: secrets-store
+            mountPath: "{{ .Values.csi.mountPath }}"
+            readOnly: true
+          {{- end }}
           {{- with .Values.extraVolumeMounts }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
diff --git a/templates/secretproviderclass.yaml b/templates/secretproviderclass.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.csi.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ .Values.csi.secretProviderClass }}
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.csi.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.csi.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  provider: vault
+  parameters:
+    roleName: "{{ .Values.csi.vaultRole }}"
+    vaultAddress: "{{ .Values.csi.vaultAddress }}"
+    objects: |
+    {{- range .Values.csi.secrets }}
+      - objectName: "{{ .objectName }}"
+        secretPath: "{{ .secretPath }}"
+        secretKey: "{{ .secretKey }}"
+    {{- end }}
+  {{- if .Values.csi.secretObjects }}
+  secretObjects:
+  {{- range .Values.csi.secretObjects }}
+  - data:
+    {{- range .data }}
+    - key: {{ .key }}
+      objectName: {{ .objectName }}
+    {{- end }}
+    secretName: {{ .secretName }}
+    type: {{ .type }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -298,7 +298,7 @@ agents:
     annotations: {}
     labels: {}
 
-# Extra volumes to add to the deployment's pod. 
+# Extra volumes to add to the deployment's pod.
 # Reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes
 # Usecases:
 ## mount external secrets, such as certificates from cert-manager
@@ -331,3 +331,31 @@ pdb:
   replicaCount: 1
   annotations: {}
   labels: {}
+
+# CSI driver settings for Vault provider
+csi:
+  enabled: false
+  annotations: {}
+  labels: {}
+  secretProviderClass: terraform-enterprise-vault-secrets
+  vaultRole: ""
+  vaultAddress: "" # Example: http://vault.vault-namespace.svc.cluster.local:8200
+  mountPath: "" # Example: /mnt/secrets-store
+  secrets:
+    # The path to the secret defined in Vault. Example: secret/data/db
+    - secretPath: ""
+      # The key of the secret defined in Vault.
+      secretKey: ""
+      # A name for the secret
+      objectName: ""
+  # If this is added, secrets will be synced to Kubernetes secrets.
+  secretObjects:
+  - data:
+    # secret key from secrets section
+    - key: ""
+      # Object name from secrets section
+      objectName: ""
+    # Name of the Kubernetes secret
+    secretName: ""
+    # Type of the Kubernetes secret. Example: Opaque
+    type: ""
