GalleyBytes / terraform-operator

A Kubernetes CRD to handle terraform operations
http://tf.galleybytes.com
Apache License 2.0

Support for Runner Annotations #49

Closed nolte closed 3 years ago

nolte commented 3 years ago

Description

Hi, thanks for this nice Operator. We use this Operator for bootstrapping k8s clusters, and it works well! For the required Secrets we use hashicorp/vault, with the Kubernetes Auth Method.

In some other places we always use the Agent Sidecar Injector for loading secrets from Vault or creating a Vault access token. This sidecar injector will add some additional init containers to the deployment and generate the secrets on the filesystem.

For the configuration of the Agent Sidecar Injector you will need some annotations on the deployment.

At the moment, I didn't see any option for adding annotations.

Potential Configuration

Adding an optional field like runnerAnnotations of type map[string]string, and the listed annotations will be added to each started container, like plan, apply, destroy ...

apiVersion: tf.isaaguilar.com/v1alpha1
kind: Terraform
metadata:
  ...
spec:
  runnerAnnotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "argo-workflows"
    vault.hashicorp.com/agent-inject-token: "true"

    # Load a Secret for Terraform State file access
    vault.hashicorp.com/agent-inject-secret-s3access: secrets-tf/services/s3/users/admin
    vault.hashicorp.com/agent-inject-template-s3access: |
      {{- with secret "secrets-tf/services/s3/users/admin" -}}
        [default]
        aws_access_key_id={{ .Data.data.accesskey }}
        aws_secret_access_key={{ .Data.data.secretkey }}
      {{- end }}
    ...
  ...
  env:
    - name: AWS_SHARED_CREDENTIALS_FILE
      value: /vault/secrets/s3access
    - name: VAULT_TOKEN
      value: $(cat /vault/secrets/token)
  ...
...

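As an added example (not terraform-operator's own code), a Go sketch of how the proposed runnerAnnotations map could be validated and merged onto a runner pod's metadata before the pod is created. The key-format and total-size rules are the Kubernetes API server's; the policy that operator-owned keys cannot be overridden from the spec, and the tf.isaaguilar.com/example-owned key used in the comments, are assumptions made for this example:

```go
package main

import (
	"fmt"
	"regexp"
)

// A Kubernetes annotation key is an optional lowercase DNS-subdomain prefix
// followed by "/", then a name of at most 63 characters that starts and ends
// alphanumerically; group 1 captures the prefix so its length can be checked.
var annotationKey = regexp.MustCompile(
	`^(?:([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)/)?` +
		`([A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?)$`)

const maxAnnotationBytes = 256 * 1024 // API server limit on total key+value size

// validateKey rejects keys the API server would reject, so a typo in the spec
// fails at reconcile time with a clear message instead of as a pod-create error.
func validateKey(key string) error {
	m := annotationKey.FindStringSubmatch(key)
	if m == nil {
		return fmt.Errorf("annotation %q: not a valid key", key)
	}
	if len(m[1]) > 253 {
		return fmt.Errorf("annotation %q: prefix longer than 253 characters", key)
	}
	return nil
}

// RunnerPodAnnotations merges the proposed spec.runnerAnnotations with the operator's
// own annotations; operator-owned keys win and may not be set from the spec (assumed policy).
func RunnerPodAnnotations(spec, operatorOwned map[string]string) (map[string]string, error) {
	out, total := make(map[string]string, len(spec)+len(operatorOwned)), 0
	for k, v := range spec {
		if err := validateKey(k); err != nil {
			return nil, err
		}
		if _, owned := operatorOwned[k]; owned {
			return nil, fmt.Errorf("annotation %q is managed by the operator", k)
		}
		out[k], total = v, total+len(k)+len(v)
	}
	for k, v := range operatorOwned {
		out[k], total = v, total+len(k)+len(v)
	}
	if total > maxAnnotationBytes {
		return nil, fmt.Errorf("annotations total %d bytes, limit is %d", total, maxAnnotationBytes)
	}
	return out, nil
}
```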
isaaguilar commented 3 years ago

@nolte I have included support for spec.runnerAnnotations in both versions of TFO (v0.3.10 and v0.4.0-alpha2). If you're using the v0.3.x versions, you can use the terraform-operator helm-chart to install.

There is also a CRD update, so make sure to install that update too. This command works for me to update the CRD:

kubectl apply -f crds/terraform.yaml

nolte commented 3 years ago

Hi, it looks good! Thanks for the quick support!