Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Activate enableExternalSecretStores option #101

Merged
merged 1 commit into from
Oct 26, 2022
Merged

Activate enableExternalSecretStores option #101

merged 1 commit into from
Oct 26, 2022

Conversation

ZhengjunHUO
Copy link
Contributor

@ZhengjunHUO ZhengjunHUO commented Sep 19, 2022
edited
Loading

Description of your changes

Fixes #100

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

Follow this guide to prepare the local test vault and crossplane, instead of provisioning the provider GCP, we deploy our provider-terraform:

  1. build the images and push them to your registry, make sure you create the regcred secret in your test k8s cluster to authorize the pull if necessary, modify the spec.image and spec.package respectively
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: terraform-config
  labels:
    app: crossplane-provider-terraform
spec:
  image: registry.gitlab.com/.../provider-terraform-controller:v0.3.x-rc1
  imagePullPolicy: Always
  args: 
    - -d
    - --enable-external-secret-stores
  env:
  - name: TF_PLUGIN_CACHE_DIR
    value: /tf
  metadata:
    annotations:
      vault.hashicorp.com/agent-inject: "true"
      vault.hashicorp.com/agent-inject-token: "true"
      vault.hashicorp.com/role: "crossplane"
      vault.hashicorp.com/agent-run-as-user: "2000"
      
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: crossplane-provider-terraform
spec:
  package: registry.gitlab.com/.../provider-terraform:v0.3.x-rc1
  packagePullPolicy: Always
  controllerConfigRef:
    name: terraform-config
  packagePullSecrets:
   - name: "regcred"
  1. Prepare the storeconfig for vault
apiVersion: tf.crossplane.io/v1alpha1
kind: StoreConfig
metadata:
  name: vault
spec:
  type: Vault
  defaultScope: crossplane-system
  vault:
    server: http://vault.vault-system:8200
    mountPath: secret/
    version: v2
    auth:
      method: Token
      token:
        source: Filesystem
        fs:
          path: /vault/secrets/token
  1. Prepare provider config yaml
apiVersion: tf.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    - filename: foo
      source: None
  configuration: |
      provider "random" {
      }

      terraform {
        required_providers {
          random = {
            source = "hashicorp/random"
            version = "3.4.2"
          }
        }

        backend "kubernetes" {
          secret_suffix     = "providerconfig-default"
          namespace         = "crossplane-system"
          in_cluster_config = true
        }
      }

Test example

apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: compositeesss.gcp.platformref.huozj.io
  annotations:
    feature: ess
spec:
  group: gcp.platformref.huozj.io
  names:
    kind: CompositeESS
    plural: compositeesss
  claimNames:
    kind: ESSInstance
    plural: essinstances
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              parameters:
                type: object
                properties:
                  orgName:
                    type: string
                  projectName:
                    type: string
                  envName:
                    type: string
                required:
                  - orgName
                  - projectName
                  - envName
            required:
              - parameters
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: essinstances.gcp.platformref.huozj.io
  labels:
    feature: ess
spec:
  compositeTypeRef:
    apiVersion: gcp.platformref.huozj.io/v1alpha1
    kind: CompositeESS
  resources:
    - name: web-auth
      base:
        apiVersion: tf.crossplane.io/v1alpha1
        kind: Workspace
        metadata:
          name: web-auth
        spec:
          forProvider:
            source: Remote
            module: git::https://github.com/ZhengjunHUO/terraform-module.git//randompassword?ref=v0.0.1
            vars:
            - key: pwd_length
              value: "20"
            - key: contains_special
              value: "false"
          publishConnectionDetailsTo:
            name: webui
            metadata:
              labels:
                environment: env
            configRef:
              name: vault
      patches:
        - type: CombineFromComposite
          combine:
            variables:
            - fromFieldPath: spec.parameters.orgName
            - fromFieldPath: spec.parameters.projectName
            - fromFieldPath: spec.parameters.envName
            strategy: string
            string:
              fmt: "%s/%s/%s/webui"
          toFieldPath: spec.publishConnectionDetailsTo.name
        - fromFieldPath: spec.parameters.envName
          toFieldPath: spec.publishConnectionDetailsTo.metadata.labels[environment]
apiVersion: gcp.platformref.huozj.io/v1alpha1
kind: ESSInstance
metadata:
  name: my-ess
  namespace: crossplane-system
spec:
  parameters:
    orgName: foo
    projectName: bar
    envName: preprod
  compositionSelector:
    matchLabels:
      feature: ess

Do get composite until ready is true, then connect to the vault and observe the created password, in this case the generated secret is under secret/crossplane-system/foo/bar/preprod/webui

kubectl get composite

@ytsarev
Copy link
Collaborator

ytsarev commented Oct 3, 2022

@ZhengjunHUO this looks like a great contribution, thank you so much! Could you please amend your commit with a signature to comply with https://github.com/crossplane-contrib/provider-terraform/pull/101/checks?check_run_id=8424865341 ?

@ZhengjunHUO
Copy link
Contributor Author

@ytsarev Thank you for your review ! The really cool things happened here in crossplane core project, we just enabled the possiblity to use that! Eh it's embarrassing to have the signoff error in the commit, my first PR 😅

@ytsarev
Copy link
Collaborator

ytsarev commented Oct 26, 2022

@ZhengjunHUO thanks a lot for your contribution! merging it in to include in the next upcoming release!

@ytsarev ytsarev merged commit f3bd7e0 into crossplane-contrib:release-0.3 Oct 26, 2022
@ytsarev
Copy link
Collaborator

ytsarev commented Oct 26, 2022

@ZhengjunHUO hm, I just noticed that the target branch was release-0.3 and not master for some strange reason. Could you elaborate on the logic here?

@ZhengjunHUO
Copy link
Contributor Author

@ytsarev Because we picked up the v0.3.0 at the time we launched our project, all the modifications and tests are done based on that release and it’s now in production. I could do a cherry pick on the master branch and do some tests at our side but could take some time.

@ytsarev
Copy link
Collaborator

ytsarev commented Oct 26, 2022

Please, direct merges to release branches are not something we expect and it actually breaks the provider release process

@ZhengjunHUO
Copy link
Contributor Author

@ytsarev Ah ok I see, I didn’t think about that before thanks to point out, my bad, I’ll make a PR on the master branch.

@ytsarev
Copy link
Collaborator

ytsarev commented Oct 27, 2022

@ZhengjunHUO no worries, thanks a lot!

@ZhengjunHUO ZhengjunHUO mentioned this pull request Nov 3, 2022
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ZhengjunHUO @ytsarev