feat: add vault support to store sensitive info

2026-03-10 08:11:21 +00:00 · 2021-02-16 11:02:10 +01:00
parent 08f5b501cb
commit 07d5a22f03
5 changed files with 41 additions and 1 deletions
--- a/lib/aws/bootstrap/helm-aws-vpc-cni.j2.tf
+++ b/lib/aws/bootstrap/helm-aws-vpc-cni.j2.tf
@@ -90,6 +90,7 @@ resource "helm_release" "aws_vpc_cni" {

  depends_on = [
    aws_eks_cluster.eks_cluster,
+    vault_generic_secret.cluster-access,
    null_resource.delete_aws_managed_cni,
  ]
 }
--- a/lib/aws/bootstrap/qovery-vault.j2.tf
+++ b/lib/aws/bootstrap/qovery-vault.j2.tf
@@ -0,0 +1,28 @@
+locals {
+  kubeconfig_base64 = base64encode(local.kubeconfig)
+}
+
+resource "vault_generic_secret" "cluster-access" {
+  // do not run for tests clusters to avoid uncleaned info
+  count = var.test_cluster == "true" ? 0 : 1
+  path = "official-clusters-access/${var.organization_id}-${var.kubernetes_cluster_id}"
+
+  data_json = <<EOT
+{
+  "cloud_provider": "${var.cloud_provider}",
+  "cluster_name": "${var.kubernetes_cluster_name}",
+  "KUBECONFIG_b64": "${local.kubeconfig_base64}",
+  "organization_id": "${var.organization_id}",
+  "test_cluster": "${var.test_cluster}",
+  "grafana_login": "{{ grafana_admin_user }}",
+  "grafana_password": "{{ grafana_admin_password }}",
+  "AWS_ACCESS_KEY_ID": "{{ aws_access_key }}",
+  "AWS_SECRET_ACCESS_KEY": "{{ aws_secret_key }}",
+  "AWS_DEFAULT_REGION": "{{ aws_region }}"
+}
+EOT
+
+  depends_on = [
+    aws_eks_cluster.eks_cluster,
+  ]
+}
--- a/lib/aws/bootstrap/tf-providers-aws.j2.tf
+++ b/lib/aws/bootstrap/tf-providers-aws.j2.tf
@@ -16,6 +16,10 @@ terraform {
      source = "hashicorp/helm"
      version = "~> 1.3.2"
    }
+    vault = {
+      source = "hashicorp/vault"
+      version = "~> 2.18.0"
+    }
    local = {
      source = "hashicorp/local"
      version = "~> 1.4"
@@ -78,4 +82,6 @@ provider "helm" {
      }
    }
  }
-}
+}
+
+provider "vault" {}
--- a/tests/assets/do-options.json
+++ b/tests/assets/do-options.json
@@ -7,6 +7,8 @@
  "agent_version_controller_token": "CHANGE-ME/QOVERY_AGENT_CONTROLLER_TOKEN",
  "grafana_admin_user": "ajdoiawjdiodjidfujij",
  "grafana_admin_password": "ajdoiawjdiojAWDJawdj",
+  "vault_address": "CHANGE-ME/VAULT_ADDRESS",
+  "vault_token": "CHANGE-ME/VAULT_TOKEN",
  "discord_api_key": "CHANGE-ME/DISCORD_API_URL",
  "qovery_nats_url": "CHANGE-ME/QOVERY_NATS_URL",
  "qovery_nats_user": "CHANGE-ME/QOVERY_NATS_USERNNAME",
--- a/tests/assets/eks-options.json
+++ b/tests/assets/eks-options.json
@@ -143,6 +143,9 @@
  "agent_version_controller_token": "CHANGE-ME/QOVERY_AGENT_CONTROLLER_TOKEN",
  "grafana_admin_user": "ajdoiawjdiodjidfujij",
  "grafana_admin_password": "ajdoiawjdiojAWDJawdj",
+  "vault_address": "CHANGE-ME/VAULT_ADDRESS",
+  "vault_token": "CHANGE-ME/VAULT_TOKEN",
+  "discord_api_key": "CHANGE-ME/DISCORD_API_URL",
  "discord_api_key": "CHANGE-ME/DISCORD_API_URL",
  "qovery_nats_url": "CHANGE-ME/QOVERY_NATS_URL",
  "qovery_nats_user": "CHANGE-ME/QOVERY_NATS_USERNNAME",