11 changes: 11 additions & 0 deletions docs/configuration.md
Expand Up @@ -61,3 +61,14 @@ Terraform Enterprise now supports the inclusion of a custom pod template via `ag
With this, you can define your own specifications for the creation of the agent worker pods.
The custom pod template must be a valid `corev1.PodTemplateSpec` and should be provided in YAML format. The `PodTemplateSpec` is
documented at <https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-template-v1/#PodTemplateSpec>.


## Vault CSI Provider
Terraform Enterprise now supports [Vault CSI provider](https://developer.hashicorp.com/vault/docs/platform/k8s/csi). This allows TFE pods to consume Vault secrets using CSI Secrets Store volumes.

The settings for this can be found in the `values.yaml` file under the `csi` section.
If `csi.enabled` is set to true, the Vault CSI provider will be used to retrieve secrets, as it is the only supported provider. This requires using an external Vault.

The Secrets Store CSI Driver also supports syncing to Kubernetes secret objects. The `secretObjects` section adds secret syncing for TFE if values are provided.

**Note:** The Vault CSI Provider requires the [CSI Secret Store Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html) to be installed.
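Review bot: the new Vault CSI section documents the driver prerequisite (the closing Note) but not the values the templates require, so a reader who sets `csi.enabled` has to discover from the templates that `csi.secretProviderClass`, `csi.vaultRole`, `csi.vaultAddress`, `csi.mountPath` and at least one `csi.secrets` entry must be set, and that the Vault Kubernetes auth role named in `csi.vaultRole` must be bound to the service account the TFE pod runs as. Suggest listing those keys with a minimal example under the `csi` paragraph. The `secretObjects` sentence should also say what syncing implies: the values are materialised as ordinary Kubernetes Secret objects in the release namespace, stored in etcd and readable by anything with `get secrets` RBAC there, whereas the CSI volume exists only inside the pod; one sentence on that lets operators decide whether they need syncing at all.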
13 changes: 13 additions & 0 deletions templates/deployment.yaml
Expand Up @@ -59,6 +59,14 @@ spec:
secret:
secretName: terraform-enterprise-ca-certificates
{{- end }}
{{- if .Values.csi.enabled }}
- name: secrets-store
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "{{ .Values.csi.secretProviderClass }}"
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand Down Expand Up @@ -127,6 +135,11 @@ spec:
mountPath: {{ include "cacert.path" . }}
subPath: {{ .Values.tls.caCertFileName }}
{{- end }}
{{- if .Values.csi.enabled }}
- name: secrets-store
mountPath: "{{ .Values.csi.mountPath }}"
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
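Review bot: `mountPath: "{{ .Values.csi.mountPath }}"` renders `mountPath: ""` when `csi.enabled` is true but `csi.mountPath` is left at the empty default from values.yaml, and the API server only rejects that at pod creation time; fail at template time instead with something like `mountPath: {{ required "csi.mountPath must be set when csi.enabled is true" .Values.csi.mountPath | quote }}`. `readOnly: true` on the mount is right and matches the volume definition in the earlier hunk.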
38 changes: 38 additions & 0 deletions templates/secretproviderclass.yaml
@@ -0,0 +1,38 @@
{{- if .Values.csi.enabled }}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: {{ .Values.csi.secretProviderClass }}
namespace: {{ .Release.Namespace }}
{{- with .Values.csi.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.csi.labels }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
provider: vault
parameters:
roleName: "{{ .Values.csi.vaultRole }}"
vaultAddress: "{{ .Values.csi.vaultAddress }}"
objects: |
{{- range .Values.csi.secrets }}
- objectName: "{{ .objectName }}"
secretPath: "{{ .secretPath }}"
secretKey: "{{ .secretKey }}"
{{- end }}
{{- if .Values.csi.secretObjects }}
secretObjects:
{{- range .Values.csi.secretObjects }}
- data:
{{- range .data }}
- key: {{ .key }}
objectName: {{ .objectName }}
{{- end }}
secretName: {{ .secretName }}
type: {{ .type }}
{{- end }}
{{- end }}
{{- end }}
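Review bot: `roleName: "{{ .Values.csi.vaultRole }}"` and `vaultAddress: "{{ .Values.csi.vaultAddress }}"` both default to empty strings in values.yaml, so a release with only `csi.enabled: true` renders a SecretProviderClass that can only fail at mount time; wrap both in `required` so `helm template`/`helm install` stops with a clear message. Two smaller points: `type: {{ .type }}` in the `secretObjects` loop renders an empty `type:` when the user omits it, and `{{ .type | default "Opaque" }}` would be safer; and because `vaultAddress` is the only connection parameter exposed, consider also surfacing the provider's TLS parameters (`vaultCACertPath`, `vaultTLSServerName`) in the same `parameters` block so the Vault connection can be pinned to a trusted CA rather than left to an `http://` address.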
30 changes: 29 additions & 1 deletion values.yaml
Expand Up @@ -298,7 +298,7 @@ agents:
annotations: {}
labels: {}

# Extra volumes to add to the deployment's pod.
# Extra volumes to add to the deployment's pod.
# Reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes
# Usecases:
## mount external secrets, such as certificates from cert-manager
Expand Down Expand Up @@ -331,3 +331,31 @@ pdb:
replicaCount: 1
annotations: {}
labels: {}

# CSI driver settings for Vault provider
csi:
enabled: false
annotations: {}
labels: {}
secretProviderClass: terraform-enterprise-vault-secrets
vaultRole: ""
vaultAddress: "" # Example: http://vault.vault-namespace.svc.cluster.local:8200
mountPath: "" # Example: /mnt/secrets-store
secrets:
# The path to the secret defined in Vault. Example: secret/data/db
- secretPath: ""
# The key of the secret defined in Vault.
secretKey: ""
# A name for the secret
objectName: ""
# If this is added, secrets will be synced to Kubernetes secrets.
secretObjects:
- data:
# secret key from secrets section
- key: ""
# Object name from secrets section
objectName: ""
# Name of the Kubernetes secret
secretName: ""
# Type of the Kubernetes secret. Example: Opaque
type: ""
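Review bot: the default `secrets` and `secretObjects` lists each contain one entry made of empty strings rather than being empty, so the templates' `range` loops and the `{{- if .Values.csi.secretObjects }}` guard see a non-empty list and emit an object with an empty `objectName`/`secretPath` plus a synced Secret with an empty `secretName`/`type` for anyone who enables `csi` without overriding both lists. Default them to `secrets: []` and `secretObjects: []` and keep the field descriptions as commented-out examples, so syncing to Kubernetes Secrets is opt-in and a missing `secrets` list is caught instead of silently rendering a broken SecretProviderClass. Also, the `vaultAddress` example uses `http://`; an `https://` example would steer operators toward a TLS endpoint for secret retrieval.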