feat: Cert-mounter added workload identity option (#340)

* added configuration for workload identity * minor fix * fix path for template * pre-commit fixs
pagopa · Aug 14, 2024 · de3c0de · de3c0de
1 parent a81fd3f
commit de3c0de
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 3 deletions.
diff --git a/cert_mounter/README.md b/cert_mounter/README.md
@@ -40,10 +40,14 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cert_mounter_chart_version"></a> [cert\_mounter\_chart\_version](#input\_cert\_mounter\_chart\_version) | (Optional) Cert mounter chart version | `string` | `"1.0.4"` | no |
 | <a name="input_certificate_name"></a> [certificate\_name](#input\_certificate\_name) | (Required) Name of the certificate stored in the keyvault, that will be installed as a secret in aks | `string` | n/a | yes |
 | <a name="input_kv_name"></a> [kv\_name](#input\_kv\_name) | (Required) Key vault name where to retrieve the certificate | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | (Required) Namespace where the cert secret will be created | `string` | n/a | yes |
 | <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | (Required) Tenant identifier | `string` | n/a | yes |
+| <a name="input_workload_identity_client_id"></a> [workload\_identity\_client\_id](#input\_workload\_identity\_client\_id) | ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity | `string` | `null` | no |
+| <a name="input_workload_identity_enabled"></a> [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity chart | `bool` | `false` | no |
+| <a name="input_workload_identity_service_account_name"></a> [workload\_identity\_service\_account\_name](#input\_workload\_identity\_service\_account\_name) | Service account name linked to workload identity | `string` | `null` | no |
 
 ## Outputs
 

diff --git a/cert_mounter/helm/cert-mounter-yaml.tpl → ...r/helm/cert-mounter-pod-identity.yaml.tpl b/cert_mounter/helm/cert-mounter-yaml.tpl → ...r/helm/cert-mounter-pod-identity.yaml.tpl
diff --git a/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl
@@ -0,0 +1,17 @@
+namespace: ${NAMESPACE}
+
+deployment:
+  create: true
+
+kvCertificatesName:
+  - ${CERTIFICATE_NAME}
+
+keyvault:
+  name: ${KEY_VAULT_NAME}
+  tenantId: ${TENANT_ID}
+
+serviceAccount:
+  name: ${SERVICE_ACCOUNT_NAME}
+
+azure:
+  workloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID}
diff --git a/cert_mounter/main.tf b/cert_mounter/main.tf
@@ -2,18 +2,26 @@ resource "helm_release" "cert_mounter" {
   name         = "cert-mounter-blueprint"
   repository   = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint"
   chart        = "cert-mounter-blueprint"
-  version      = "1.0.4"
+  version      = local.chart_version
   namespace    = var.namespace
   timeout      = 120
   force_update = true
 
   values = [
-    templatefile("${path.module}/helm/cert-mounter-yaml.tpl", {
+    var.workload_identity_enabled ?
+    templatefile("${path.module}/helm/cert-mounter-workload-identity.yaml.tpl", {
+      NAMESPACE                   = var.namespace,
+      CERTIFICATE_NAME            = var.certificate_name,
+      KEY_VAULT_NAME              = var.kv_name
+      TENANT_ID                   = var.tenant_id
+      SERVICE_ACCOUNT_NAME        = var.workload_identity_service_account_name
+      WORKLOAD_IDENTITY_CLIENT_ID = var.workload_identity_client_id
+    }) :
+    templatefile("${path.module}/helm/cert-mounter-pod-identity.yaml.tpl", {
       NAMESPACE        = var.namespace,
       CERTIFICATE_NAME = var.certificate_name,
       KEY_VAULT_NAME   = var.kv_name
       TENANT_ID        = var.tenant_id
     })
-
   ]
 }
diff --git a/cert_mounter/variables.tf b/cert_mounter/variables.tf
@@ -1,3 +1,7 @@
+locals {
+  chart_version = var.workload_identity_enabled ? "2.0.0" : "1.0.4"
+}
+
 variable "namespace" {
   type        = string
   description = "(Required) Namespace where the cert secret will be created"
@@ -18,3 +22,28 @@ variable "tenant_id" {
   description = "(Required) Tenant identifier"
 }
 
+variable "cert_mounter_chart_version" {
+  type        = string
+  description = "(Optional) Cert mounter chart version"
+  default     = "1.0.4"
+}
+
+variable "workload_identity_enabled" {
+  type        = bool
+  description = "Enable workload identity chart"
+  default     = false
+}
+
+variable "workload_identity_service_account_name" {
+  type        = string
+  description = "Service account name linked to workload identity"
+  default     = null
+}
+
+variable "workload_identity_client_id" {
+  type        = string
+  description = "ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity"
+  default     = null
+}
+
+