added optional flux keys as variables

kuptan · Jan 12, 2021 · 33212f6 · 33212f6
1 parent c735fce
commit 33212f6
Show file tree

Hide file tree

Showing 6 changed files with 152 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -73,3 +73,115 @@ See contributing docs [here](./docs/CONTRIBUTING.md)
 | sealed\_secrets\_generated\_private\_key | n/a |
 | sync\_manifest | n/a |
 
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13 |
+| flux | >= 0.0.8 |
+| kubectl | >= 1.7.0 |
+| kubernetes | >= 1.13.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| flux | >= 0.0.8 |
+| helm | n/a |
+| kubectl | >= 1.7.0 |
+| kubernetes | >= 1.13.3 |
+| local | n/a |
+| null | n/a |
+| tls | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| components | Toolkit components to include in the install manifests | `list(string)` | <pre>[<br>  "source-controller",<br>  "kustomize-controller",<br>  "helm-controller",<br>  "notification-controller"<br>]</pre> | no |
+| flux\_arch | The arch of Flux (amd64, arm) | `string` | `"amd64"` | no |
+| flux\_auth\_type | The authentication method that flux will use to access th Git repo (ssh, basic) | `string` | `"ssh"` | no |
+| flux\_basic\_auth | The basic auth credentials. Only needed when flux\_auth\_type is basic | `object({ username : string, password : string })` | <pre>{<br>  "password": "",<br>  "username": ""<br>}</pre> | no |
+| flux\_network\_policy\_enabled | A flag to enable/disable network policies | `bool` | `false` | no |
+| flux\_ssh\_keys | The ssh keys for flux. (Active when flux\_auth\_type is ssh) | <pre>object({<br>    genereate_key : bool,<br>    private_key : string,<br>    public_key : string,<br>  })</pre> | <pre>{<br>  "genereate_key": true,<br>  "private_key": "",<br>  "public_key": ""<br>}</pre> | no |
+| flux\_ssh\_scan\_url | The domain that will be used by the ssh-keyscan. Only required when flux\_auth\_type is ssh | `string` | `""` | no |
+| flux\_target\_path | The path of the directory in the Git repository on which Flux will sync | `string` | n/a | yes |
+| flux\_version | The version of flux to install | `string` | `"latest"` | no |
+| git\_branch | The Git branch to be watched | `string` | `"master"` | no |
+| git\_url | The URL of the git repository | `string` | n/a | yes |
+| image\_pull\_secrets | Kubernetes secret name used for pulling the toolkit images from a private registryvalue | `string` | `""` | no |
+| log\_level | Log level for toolkit components | `string` | `"info"` | no |
+| namespace | The namespace on which Flux will be installed | `string` | `"flux-system"` | no |
+| output\_manifests | A flag whether to include the manifests genereated by Flux in the output | `bool` | `false` | no |
+| registry | Container registry where the toolkit images are published | `string` | `"ghcr.io/fluxcd"` | no |
+| sealed\_secrets | The sealed secret default chart version and docker image tag. (if genereate\_key\_cert is false and private\_key and private\_cert are not provided, no custom key will be generated) | <pre>object({<br>    genereate_key_cert : bool,<br>    private_key : string,<br>    private_cert : string,<br>    chart_version : string,<br>    docker_image_tag : string<br>  })</pre> | <pre>{<br>  "chart_version": "1.13.2",<br>  "docker_image_tag": "v0.13.1",<br>  "genereate_key_cert": true,<br>  "private_cert": "",<br>  "private_key": ""<br>}</pre> | no |
+| sync\_interval | Sync interval in minutes | `number` | `1` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| flux\_generated\_private\_key | n/a |
+| flux\_generated\_public\_key | n/a |
+| install\_manifest | n/a |
+| namespace | n/a |
+| sealed\_secrets\_generated\_cert | n/a |
+| sealed\_secrets\_generated\_private\_key | n/a |
+| sync\_manifest | n/a |
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13 |
+| flux | >= 0.0.8 |
+| kubectl | >= 1.7.0 |
+| kubernetes | >= 1.13.3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| flux | >= 0.0.8 |
+| helm | n/a |
+| kubectl | >= 1.7.0 |
+| kubernetes | >= 1.13.3 |
+| local | n/a |
+| null | n/a |
+| tls | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| components | Toolkit components to include in the install manifests | `list(string)` | <pre>[<br>  "source-controller",<br>  "kustomize-controller",<br>  "helm-controller",<br>  "notification-controller"<br>]</pre> | no |
+| flux\_arch | The arch of Flux (amd64, arm) | `string` | `"amd64"` | no |
+| flux\_auth\_type | The authentication method that flux will use to access th Git repo (ssh, basic) | `string` | `"ssh"` | no |
+| flux\_basic\_auth | The basic auth credentials. Only needed when flux\_auth\_type is basic | `object({ username : string, password : string })` | <pre>{<br>  "password": "",<br>  "username": ""<br>}</pre> | no |
+| flux\_network\_policy\_enabled | A flag to enable/disable network policies | `bool` | `false` | no |
+| flux\_ssh\_keys | The ssh keys for flux. (Active when flux\_auth\_type is ssh) | <pre>object({<br>    generate_key : bool,<br>    private_key : string,<br>    public_key : string,<br>  })</pre> | <pre>{<br>  "generate_key": true,<br>  "private_key": "",<br>  "public_key": ""<br>}</pre> | no |
+| flux\_ssh\_scan\_url | The domain that will be used by the ssh-keyscan. Only required when flux\_auth\_type is ssh | `string` | `""` | no |
+| flux\_target\_path | The path of the directory in the Git repository on which Flux will sync | `string` | n/a | yes |
+| flux\_version | The version of flux to install | `string` | `"latest"` | no |
+| git\_branch | The Git branch to be watched | `string` | `"master"` | no |
+| git\_url | The URL of the git repository | `string` | n/a | yes |
+| image\_pull\_secrets | Kubernetes secret name used for pulling the toolkit images from a private registryvalue | `string` | `""` | no |
+| log\_level | Log level for toolkit components | `string` | `"info"` | no |
+| namespace | The namespace on which Flux will be installed | `string` | `"flux-system"` | no |
+| output\_manifests | A flag whether to include the manifests genereated by Flux in the output | `bool` | `false` | no |
+| registry | Container registry where the toolkit images are published | `string` | `"ghcr.io/fluxcd"` | no |
+| sealed\_secrets | The sealed secret default chart version and docker image tag. (if generate\_key\_cert is false and private\_key and private\_cert are not provided, no custom key will be generated) | <pre>object({<br>    generate_key_cert : bool,<br>    private_key : string,<br>    private_cert : string,<br>    chart_version : string,<br>    docker_image_tag : string<br>  })</pre> | <pre>{<br>  "chart_version": "1.13.2",<br>  "docker_image_tag": "v0.13.1",<br>  "generate_key_cert": true,<br>  "private_cert": "",<br>  "private_key": ""<br>}</pre> | no |
+| sync\_interval | Sync interval in minutes | `number` | `1` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| flux\_generated\_private\_key | n/a |
+| flux\_generated\_public\_key | n/a |
+| install\_manifest | n/a |
+| namespace | n/a |
+| sealed\_secrets\_generated\_cert | n/a |
+| sealed\_secrets\_generated\_private\_key | n/a |
+| sync\_manifest | n/a |
+
diff --git a/examples/cluster-bootstrap/output.tf b/examples/cluster-bootstrap/output.tf
@@ -1,6 +1,6 @@
-output "flux_public_key" {
+output "flux_generated_public_key" {
   sensitive = true
-  value     = module.k8s-flux.flux_public_key
+  value     = module.k8s-flux.flux_generated_public_key
 }
 
 output "sealed_secrets_generated_cert" {

diff --git a/flux-auth.tf b/flux-auth.tf
@@ -1,5 +1,6 @@
+
 resource "tls_private_key" "ssh" {
-  count = var.flux_auth_type == "ssh" ? 1 : 0
+  count = var.flux_auth_type == "ssh" && var.flux_ssh_keys.generate_key ? 1 : 0
 
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -49,8 +50,8 @@ resource "kubernetes_secret" "ssh" {
   }
 
   data = {
-    "identity"     = tls_private_key.ssh.0.private_key_pem
-    "identity.pub" = tls_private_key.ssh.0.public_key_openssh
+    "identity"     = var.flux_auth_type == "ssh" && var.flux_ssh_keys.generate_key ? tls_private_key.ssh.0.private_key_pem : var.flux_ssh_keys.private_key
+    "identity.pub" = var.flux_auth_type == "ssh" && var.flux_ssh_keys.generate_key ? tls_private_key.ssh.0.public_key_openssh : var.flux_ssh_keys.public_key
     "known_hosts"  = data.local_file.known_hosts.0.content
   }
 }
diff --git a/output.tf b/output.tf
@@ -10,22 +10,22 @@ output "namespace" {
   value = var.namespace
 }
 
-output "flux_private_key" {
+output "flux_generated_private_key" {
   sensitive = true
-  value     = var.flux_auth_type == "ssh" ? tls_private_key.ssh.0.private_key_pem : ""
+  value     = var.flux_auth_type == "ssh" && var.flux_ssh_keys.generate_key ? tls_private_key.ssh.0.private_key_pem : ""
 }
 
-output "flux_public_key" {
+output "flux_generated_public_key" {
   sensitive = true
-  value     = var.flux_auth_type == "ssh" ? tls_private_key.ssh.0.public_key_openssh : ""
+  value     = var.flux_auth_type == "ssh" && var.flux_ssh_keys.generate_key ? tls_private_key.ssh.0.public_key_openssh : ""
 }
 
 output "sealed_secrets_generated_private_key" {
   sensitive = true
-  value     = var.sealed_secrets.genereate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : ""
+  value     = var.sealed_secrets.generate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : ""
 }
 
 output "sealed_secrets_generated_cert" {
   sensitive = true
-  value     = var.sealed_secrets.genereate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : ""
+  value     = var.sealed_secrets.generate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : ""
 }
diff --git a/sealed-secret.tf b/sealed-secret.tf
@@ -1,12 +1,12 @@
 resource "tls_private_key" "sealed_secret_key" {
-  count = var.sealed_secrets.genereate_key_cert ? 1 : 0
+  count = var.sealed_secrets.generate_key_cert ? 1 : 0
 
   algorithm = "RSA"
   rsa_bits  = "4096"
 }
 
 resource "tls_self_signed_cert" "sealed_secret_cert" {
-  count = var.sealed_secrets.genereate_key_cert ? 1 : 0
+  count = var.sealed_secrets.generate_key_cert ? 1 : 0
 
   key_algorithm   = "RSA"
   private_key_pem = tls_private_key.sealed_secret_key.0.private_key_pem
@@ -28,7 +28,7 @@ resource "tls_self_signed_cert" "sealed_secret_cert" {
 
 resource "kubernetes_secret" "sealed_secrets_key" {
   depends_on = [kubernetes_namespace.flux_system]
-  count      = var.sealed_secrets.genereate_key_cert || (var.sealed_secrets.private_key != "" && var.sealed_secrets.private_cert != "") ? 1 : 0
+  count      = var.sealed_secrets.generate_key_cert || (var.sealed_secrets.private_key != "" && var.sealed_secrets.private_cert != "") ? 1 : 0
 
   metadata {
     name      = "sealed-secret-flux-key"
@@ -39,8 +39,8 @@ resource "kubernetes_secret" "sealed_secrets_key" {
   }
 
   data = {
-    "tls.key" = var.sealed_secrets.genereate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : var.sealed_secrets.private_key
-    "tls.crt" = var.sealed_secrets.genereate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : var.sealed_secrets.private_cert
+    "tls.key" = var.sealed_secrets.generate_key_cert ? tls_private_key.sealed_secret_key.0.private_key_pem : var.sealed_secrets.private_key
+    "tls.crt" = var.sealed_secrets.generate_key_cert ? tls_self_signed_cert.sealed_secret_cert.0.cert_pem : var.sealed_secrets.private_cert
   }
 
   type = "kubernetes.io/tls"
@@ -50,7 +50,7 @@ resource "helm_release" "sealed_secrets" {
   name      = "sealed-secrets"
   namespace = kubernetes_namespace.flux_system.metadata.0.name
 
-  repository = "https://charts.helm.sh/stable"
+  repository = "https://bitnami-labs.github.io/sealed-secrets"
   chart      = "sealed-secrets"
   version    = var.sealed_secrets.chart_version
 

diff --git a/variables.tf b/variables.tf
@@ -85,6 +85,21 @@ variable "flux_auth_type" {
   default = "ssh"
 }
 
+variable "flux_ssh_keys" {
+  description = "The ssh keys for flux. (Active when flux_auth_type is ssh)"
+  type = object({
+    generate_key : bool,
+    private_key : string,
+    public_key : string,
+  })
+
+  default = {
+    generate_key = true
+    private_key  = ""
+    public_key   = ""
+  }
+}
+
 variable "flux_basic_auth" {
   description = "The basic auth credentials. Only needed when flux_auth_type is basic"
   sensitive   = true
@@ -104,21 +119,21 @@ variable "flux_ssh_scan_url" {
 }
 
 variable "sealed_secrets" {
-  description = "The sealed secret default chart version and docker image tag. (if genereate_key_cert is false and private_key and private_cert are not provided, no custom key will be generated)"
+  description = "The sealed secret default chart version and docker image tag. (if generate_key_cert is false and private_key and private_cert are not provided, no custom key will be generated)"
   type = object({
-    genereate_key_cert : bool,
+    generate_key_cert : bool,
     private_key : string,
     private_cert : string,
     chart_version : string,
     docker_image_tag : string
   })
 
   default = {
-    genereate_key_cert = true
-    private_key        = ""
-    private_cert       = ""
-    chart_version      = "1.12.2"
-    docker_image_tag   = "v0.13.1"
+    generate_key_cert = true
+    private_key       = ""
+    private_cert      = ""
+    chart_version     = "1.13.2"
+    docker_image_tag  = "v0.13.1"
   }
 }