hashicorp / terraform-enterprise-helm

The official repo for Terraform Enterprise helm charts
Mozilla Public License 2.0

Extra Volume Mounts for TFE Server #53

Open jherlehy opened 1 year ago

jherlehy commented 1 year ago

Other helm charts by the Hashi team have the ability to specify extra volumes and volume mounts via the helm values file. I would like to see the capability added to this chart as well to enable some kubernetes based integrations.

Reason - The CSI secrets-store driver can be used to connect secrets from a cloud platform (AWS Secrets Manager, GCP Secrets Manager, etc) to a k8s resource that requires mounting the secrets as a volume on the pod.

This can let me do something like the following by wrapping the TFE chart and adding some additional templates.

```yaml
# SecretProviderClass: pulls the listed objects from AWS Secrets Manager
# via the Secrets Store CSI driver and also syncs them into a Kubernetes
# Secret (secretObjects) so they can be consumed as environment variables.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
  name: terraform-enterprise-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: /terraform-enterprise/license
        objectType: "secretsmanager"
        objectAlias: tfe-license
      - objectName: /terraform-enterprise/database/password
        objectType: "secretsmanager"
        objectAlias: tfe-database-password
      - objectName: /terraform-enterprise/redis/password
        objectType: "secretsmanager"
        objectAlias: tfe-redis-password
      - objectName: /terraform-enterprise/encryption-password
        objectType: "secretsmanager"
        objectAlias: tfe-encryption-password
  secretObjects:
    - secretName: terraform-enterprise-secrets
      type: Opaque
      data:
        - key: TFE_LICENSE
          objectName: tfe-license
        - key: TFE_DATABASE_PASSWORD
          objectName: tfe-database-password
        - key: TFE_REDIS_PASSWORD
          objectName: tfe-redis-password
        - key: TFE_ENCRYPTION_PASSWORD
          objectName: tfe-encryption-password
---
# Deployment: mounts the CSI volume (which triggers the sync above) and
# reads the synced Secret through envFrom.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: terraform-enterprise
  name: terraform-enterprise
spec:
  replicas: 1
  selector:
    matchLabels:
      app: terraform-enterprise
  template:
    metadata:
      labels:
        app: terraform-enterprise
    spec:
      serviceAccountName: terraform-enterprise
      containers:
        - name: terraform-enterprise
          image: hashicorp/terraform-enterprise:v202310-1
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                name: terraform-enterprise-env-config
            - secretRef:
                name: terraform-enterprise-env-secrets
            - secretRef:
                name: terraform-enterprise-secrets
          ports:
            - containerPort: 8080
            - containerPort: 8443
            - containerPort: 9090
            - containerPort: 9091
          readinessProbe:
            httpGet:
              path: /_health_check
              port: 8080
              scheme: HTTP
          resources:
            limits:
              memory: 8G
            requests:
              cpu: 2000m
              memory: 8G
          volumeMounts:
            - mountPath: /etc/ssl/private/terraform-enterprise/cert.pem
              name: certificates
              subPath: tls.crt
            - mountPath: /etc/ssl/private/terraform-enterprise/key.pem
              name: certificates
              subPath: tls.key
            - mountPath: /etc/secrets
              name: terraform-enterprise-secrets
      volumes:
        - name: certificates
          secret:
            secretName: terraform-enterprise-certificates
        - name: terraform-enterprise-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: terraform-enterprise-secrets
```

This would help enable management of TFE without introducing potential for tracking credentials in a source control system.
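One way the request could be wired into the chart, as an added illustration rather than anything in the chart today: the values keys `extraVolumes` and `extraVolumeMounts` and the template excerpt are assumed names, and the CSI volume is the same one the issue shows.

```yaml
# --- values.yaml (assumed keys, not present in the chart) ---
# Pass-through lists rendered verbatim into the TFE pod spec.
extraVolumes:
  - name: terraform-enterprise-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: terraform-enterprise-secrets
extraVolumeMounts:
  - name: terraform-enterprise-secrets
    mountPath: /etc/secrets
    readOnly: true        # the driver only serves read-only mounts anyway

# --- templates/deployment.yaml excerpt (assumed, for illustration) ---
#           volumeMounts:
#             - mountPath: /etc/ssl/private/terraform-enterprise/cert.pem
#               name: certificates
#               subPath: tls.crt
#             {{- with .Values.extraVolumeMounts }}
#             {{- toYaml . | nindent 12 }}
#             {{- end }}
#       volumes:
#         - name: certificates
#           secret:
#             secretName: terraform-enterprise-certificates
#         {{- with .Values.extraVolumes }}
#         {{- toYaml . | nindent 8 }}
#         {{- end }}
```

Note that `secretObjects` in the issue's SecretProviderClass syncs the values into a regular Kubernetes Secret, so they do end up in etcd and are readable by anything with `get` on that Secret; reading the mounted files under `/etc/secrets` directly keeps them out of the API server, at the cost of the `envFrom` convenience.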