feat: support providing values to vault charts

msvticket · msvticket · commit fd9977d12c2b · 2024-11-13T18:53:41.000+02:00
diff --git a/README.md b/README.md
@@ -434,7 +434,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo
 | <a name="input_apex_domain"></a> [apex\_domain](#input\_apex\_domain) | The main domain to either use directly or to configure a subdomain from | `string` | `""` | no |
 | <a name="input_asm_role"></a> [asm\_role](#input\_asm\_role) | DEPRECATED: Use the new bot\_iam\_role input with he same semantics instead. | `string` | `""` | no |
 | <a name="input_boot_iam_role"></a> [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no |
-| <a name="input_boot_secrets"></a> [boot\_secrets](#input\_boot\_secrets) | n/a | <pre>list(object({<br/>    name  = string<br/>    value = string<br/>    type  = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_boot_secrets"></a> [boot\_secrets](#input\_boot\_secrets) | n/a | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Variable to provide your desired name for the cluster | `string` | n/a | yes |
 | <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes |
 | <a name="input_create_and_configure_subdomain"></a> [create\_and\_configure\_subdomain](#input\_create\_and\_configure\_subdomain) | Flag to create an NS record set for the subdomain in the apex domain's Hosted Zone | `bool` | `false` | no |
@@ -470,7 +470,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo
 | <a name="input_jx_bot_username"></a> [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no |
 | <a name="input_jx_git_operator_values"></a> [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no |
 | <a name="input_jx_git_url"></a> [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenkins X cluster git repository | `string` | `""` | no |
-| <a name="input_local-exec-interpreter"></a> [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` | <pre>[<br/>  "/bin/bash",<br/>  "-c"<br/>]</pre> | no |
+| <a name="input_local-exec-interpreter"></a> [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` | <pre>[<br>  "/bin/bash",<br>  "-c"<br>]</pre> | no |
 | <a name="input_manage_apex_domain"></a> [manage\_apex\_domain](#input\_manage\_apex\_domain) | Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no |
 | <a name="input_manage_subdomain"></a> [manage\_subdomain](#input\_manage\_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no |
 | <a name="input_nginx_chart_version"></a> [nginx\_chart\_version](#input\_nginx\_chart\_version) | nginx chart version | `string` | n/a | yes |
@@ -490,6 +490,8 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo
 | <a name="input_use_asm"></a> [use\_asm](#input\_use\_asm) | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no |
 | <a name="input_use_kms_s3"></a> [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no |
 | <a name="input_use_vault"></a> [use\_vault](#input\_use\_vault) | Flag to control vault resource creation | `bool` | `true` | no |
+| <a name="input_vault_instance_values"></a> [vault\_instance\_values](#input\_vault\_instance\_values) | Extra values for vault-instance chart as a list of yaml formated strings | `list(string)` | `[]` | no |
+| <a name="input_vault_operator_values"></a> [vault\_operator\_values](#input\_vault\_operator\_values) | Extra values for vault-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no |
 | <a name="input_vault_url"></a> [vault\_url](#input\_vault\_url) | URL to an external Vault instance in case Jenkins X does not create its own system Vault | `string` | `""` | no |
 | <a name="input_velero_namespace"></a> [velero\_namespace](#input\_velero\_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no |
 | <a name="input_velero_schedule"></a> [velero\_schedule](#input\_velero\_schedule) | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup.yaml)) | `string` | `"0 * * * *"` | no |
@@ -507,7 +509,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The name of the created cluster |
 | <a name="output_cluster_ssm_iam_role"></a> [cluster\_ssm\_iam\_role](#output\_cluster\_ssm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) |
 | <a name="output_cm_cainjector_iam_role"></a> [cm\_cainjector\_iam\_role](#output\_cm\_cainjector\_iam\_role) | The IAM Role that the CM CA Injector pod will assume to authenticate |
-| <a name="output_connect"></a> [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,<br/>this command is already executed as part of the apply, you may have to provide the region and<br/>profile as environment variables " |
+| <a name="output_connect"></a> [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,<br>this command is already executed as part of the apply, you may have to provide the region and<br>profile as environment variables " |
 | <a name="output_controllerbuild_iam_role"></a> [controllerbuild\_iam\_role](#output\_controllerbuild\_iam\_role) | The IAM Role that the ControllerBuild pod will assume to authenticate |
 | <a name="output_external_dns_iam_role"></a> [external\_dns\_iam\_role](#output\_external\_dns\_iam\_role) | The IAM Role that the External DNS pod will assume to authenticate |
 | <a name="output_jx_requirements"></a> [jx\_requirements](#output\_jx\_requirements) | The jx-requirements rendered output |
diff --git a/main.tf b/main.tf
@@ -50,8 +50,10 @@ module "cluster" {
 // See https://github.com/bank-vaults/bank-vaults
 // ----------------------------------------------------------------------------
 module "vault" {
-  source         = "./modules/vault"
-  resource_count = var.use_vault && !local.external_vault && var.install_vault ? 1 : 0
+  source                = "./modules/vault"
+  resource_count        = var.use_vault && !local.external_vault && var.install_vault ? 1 : 0
+  vault_operator_values = var.vault_operator_values
+  vault_instance_values = var.vault_instance_values
 }
 
 // ----------------------------------------------------------------------------
diff --git a/modules/backup/README.md b/modules/backup/README.md
@@ -20,7 +20,7 @@ No requirements.
 | <a name="input_enable_acl"></a> [enable\_acl](#input\_enable\_acl) | Flag to enable ACL instead of bucket ownership for S3 storage | `bool` | n/a | yes |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Whether or not Velero backups should be enabled | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Flag to determine whether storage buckets get forcefully destroyed | `bool` | `false` | no |
-| <a name="input_s3_default_tags"></a> [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` | <pre>{<br/>  "Owner": "Jenkins-x"<br/>}</pre> | no |
+| <a name="input_s3_default_tags"></a> [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` | <pre>{<br>  "Owner": "Jenkins-x"<br>}</pre> | no |
 | <a name="input_s3_extra_tags"></a> [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no |
 | <a name="input_s3_kms_arn"></a> [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no |
 | <a name="input_use_kms_s3"></a> [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no |
diff --git a/modules/cluster/README.md b/modules/cluster/README.md
@@ -30,7 +30,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tekton_role_policy_arns"></a> [additional\_tekton\_role\_policy\_arns](#input\_additional\_tekton\_role\_policy\_arns) | Additional Policy ARNs to attach to Tekton IRSA Role | `list(string)` | `[]` | no |
 | <a name="input_boot_iam_role"></a> [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no |
-| <a name="input_boot_secrets"></a> [boot\_secrets](#input\_boot\_secrets) | n/a | <pre>list(object({<br/>    name  = string<br/>    value = string<br/>    type  = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_boot_secrets"></a> [boot\_secrets](#input\_boot\_secrets) | n/a | <pre>list(object({<br>    name  = string<br>    value = string<br>    type  = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes |
 | <a name="input_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes |
 | <a name="input_content"></a> [content](#input\_content) | Interpolated jx-requirements.yml | `string` | `""` | no |
@@ -55,9 +55,9 @@ No requirements.
 | <a name="input_jx_bot_username"></a> [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no |
 | <a name="input_jx_git_operator_values"></a> [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no |
 | <a name="input_jx_git_url"></a> [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenins X cluster git repository | `string` | `""` | no |
-| <a name="input_local-exec-interpreter"></a> [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` | <pre>[<br/>  "/bin/bash",<br/>  "-c"<br/>]</pre> | no |
+| <a name="input_local-exec-interpreter"></a> [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` | <pre>[<br>  "/bin/bash",<br>  "-c"<br>]</pre> | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to create the resources into | `string` | `"us-east-1"` | no |
-| <a name="input_s3_default_tags"></a> [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` | <pre>{<br/>  "Owner": "Jenkins-x"<br/>}</pre> | no |
+| <a name="input_s3_default_tags"></a> [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` | <pre>{<br>  "Owner": "Jenkins-x"<br>}</pre> | no |
 | <a name="input_s3_extra_tags"></a> [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no |
 | <a name="input_s3_kms_arn"></a> [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no |
diff --git a/modules/vault/README.md b/modules/vault/README.md
@@ -15,6 +15,8 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_resource_count"></a> [resource\_count](#input\_resource\_count) | Number of resources to create (0 or 1) | `number` | n/a | yes |
+| <a name="input_vault_instance_values"></a> [vault\_instance\_values](#input\_vault\_instance\_values) | Extra values for vault-instance chart as a list of yaml formated strings | `list(string)` | `[]` | no |
+| <a name="input_vault_operator_values"></a> [vault\_operator\_values](#input\_vault\_operator\_values) | Extra values for vault-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no |
 #### Outputs
 
 No outputs.
diff --git a/modules/vault/charts.tf b/modules/vault/charts.tf
@@ -6,6 +6,7 @@ resource "helm_release" "vault-operator" {
   repository       = "oci://ghcr.io/bank-vaults/helm-charts"
   version          = "1.22.3"
   create_namespace = true
+  values           = var.vault_operator_values
 }
 
 resource "helm_release" "vault-instance" {
@@ -14,15 +15,16 @@ resource "helm_release" "vault-instance" {
   chart      = "vault-instance"
   namespace  = "jx-vault"
   repository = "https://jenkins-x-charts.github.io/repo"
-  version    = "1.0.28"
+  version    = "1.1.0"
   depends_on = [helm_release.vault-operator]
   set {
     name  = "ingress.enabled"
     value = "false"
   }
 
   set {
-    name = "bankVaultsImage"
+    name  = "bankVaultsImage"
     value = "ghcr.io/bank-vaults/bank-vaults:v1.31.2"
   }
+  values = var.vault_instance_values
 }
diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf
@@ -2,3 +2,15 @@ variable "resource_count" {
   description = "Number of resources to create (0 or 1)"
   type        = number
 }
+
+variable "vault_operator_values" {
+  description = "Extra values for vault-operator chart as a list of yaml formated strings"
+  type        = list(string)
+  default     = []
+}
+
+variable "vault_instance_values" {
+  description = "Extra values for vault-instance chart as a list of yaml formated strings"
+  type        = list(string)
+  default     = []
+}
diff --git a/variables.tf b/variables.tf
@@ -33,6 +33,18 @@ variable "install_vault" {
   default     = true
 }
 
+variable "vault_operator_values" {
+  description = "Extra values for vault-operator chart as a list of yaml formated strings"
+  type        = list(string)
+  default     = []
+}
+
+variable "vault_instance_values" {
+  description = "Extra values for vault-instance chart as a list of yaml formated strings"
+  type        = list(string)
+  default     = []
+}
+
 // ----------------------------------------------------------------------------
 // Velero/backup
 // ----------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ resource "helm_release" "vault-operator" {`
`6`	`6`	`repository = "oci://ghcr.io/bank-vaults/helm-charts"`
`7`	`7`	`version = "1.22.3"`
`8`	`8`	`create_namespace = true`
	`9`	`+ values = var.vault_operator_values`
`9`	`10`	`}`
`10`	`11`
`11`	`12`	`resource "helm_release" "vault-instance" {`
`@@ -14,15 +15,16 @@ resource "helm_release" "vault-instance" {`
`14`	`15`	`chart = "vault-instance"`
`15`	`16`	`namespace = "jx-vault"`
`16`	`17`	`repository = "https://jenkins-x-charts.github.io/repo"`
`17`		`- version = "1.0.28"`
	`18`	`+ version = "1.1.0"`
`18`	`19`	`depends_on = [helm_release.vault-operator]`
`19`	`20`	`set {`
`20`	`21`	`name = "ingress.enabled"`
`21`	`22`	`value = "false"`
`22`	`23`	`}`
`23`	`24`
`24`	`25`	`set {`
`25`		`- name = "bankVaultsImage"`
	`26`	`+ name = "bankVaultsImage"`
`26`	`27`	`value = "ghcr.io/bank-vaults/bank-vaults:v1.31.2"`
`27`	`28`	`}`
	`29`	`+ values = var.vault_instance_values`
`28`	`30`	`}`