diff --git a/cert_mounter/README.md b/cert_mounter/README.md
index a2af5993..de42516d 100644
--- a/cert_mounter/README.md
+++ b/cert_mounter/README.md
@@ -40,10 +40,14 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [cert\_mounter\_chart\_version](#input\_cert\_mounter\_chart\_version) | (Optional) Cert mounter chart version | `string` | `"1.0.4"` | no |
| [certificate\_name](#input\_certificate\_name) | (Required) Name of the certificate stored in the keyvault, that will be installed as a secret in aks | `string` | n/a | yes |
| [kv\_name](#input\_kv\_name) | (Required) Key vault name where to retrieve the certificate | `string` | n/a | yes |
| [namespace](#input\_namespace) | (Required) Namespace where the cert secret will be created | `string` | n/a | yes |
| [tenant\_id](#input\_tenant\_id) | (Required) Tenant identifier | `string` | n/a | yes |
+| [workload\_identity\_client\_id](#input\_workload\_identity\_client\_id) | ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity | `string` | `null` | no |
+| [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity chart | `bool` | `false` | no |
+| [workload\_identity\_service\_account\_name](#input\_workload\_identity\_service\_account\_name) | Service account name linked to workload identity | `string` | `null` | no |
## Outputs
diff --git a/cert_mounter/helm/cert-mounter-yaml.tpl b/cert_mounter/helm/cert-mounter-pod-identity.yaml.tpl
similarity index 100%
rename from cert_mounter/helm/cert-mounter-yaml.tpl
rename to cert_mounter/helm/cert-mounter-pod-identity.yaml.tpl
diff --git a/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl
new file mode 100644
index 00000000..d4288c7f
--- /dev/null
+++ b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl
@@ -0,0 +1,17 @@
+namespace: ${NAMESPACE}
+
+deployment:
+ create: true
+
+kvCertificatesName:
+ - ${CERTIFICATE_NAME}
+
+keyvault:
+ name: ${KEY_VAULT_NAME}
+ tenantId: ${TENANT_ID}
+
+serviceAccount:
+ name: ${SERVICE_ACCOUNT_NAME}
+
+azure:
+ workloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID}
diff --git a/cert_mounter/main.tf b/cert_mounter/main.tf
index b04b67db..8ec21663 100644
--- a/cert_mounter/main.tf
+++ b/cert_mounter/main.tf
@@ -2,18 +2,26 @@ resource "helm_release" "cert_mounter" {
name = "cert-mounter-blueprint"
repository = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint"
chart = "cert-mounter-blueprint"
- version = "1.0.4"
+ version = local.chart_version
namespace = var.namespace
timeout = 120
force_update = true
values = [
- templatefile("${path.module}/helm/cert-mounter-yaml.tpl", {
+ var.workload_identity_enabled ?
+ templatefile("${path.module}/helm/cert-mounter-workload-identity.yaml.tpl", {
+ NAMESPACE = var.namespace,
+ CERTIFICATE_NAME = var.certificate_name,
+ KEY_VAULT_NAME = var.kv_name
+ TENANT_ID = var.tenant_id
+ SERVICE_ACCOUNT_NAME = var.workload_identity_service_account_name
+ WORKLOAD_IDENTITY_CLIENT_ID = var.workload_identity_client_id
+ }) :
+ templatefile("${path.module}/helm/cert-mounter-pod-identity.yaml.tpl", {
NAMESPACE = var.namespace,
CERTIFICATE_NAME = var.certificate_name,
KEY_VAULT_NAME = var.kv_name
TENANT_ID = var.tenant_id
})
-
]
}
diff --git a/cert_mounter/variables.tf b/cert_mounter/variables.tf
index ad885c94..831598e8 100644
--- a/cert_mounter/variables.tf
+++ b/cert_mounter/variables.tf
@@ -1,3 +1,7 @@
+locals {
+ chart_version = var.workload_identity_enabled ? "2.0.0" : "1.0.4"
+}
+
variable "namespace" {
type = string
description = "(Required) Namespace where the cert secret will be created"
@@ -18,3 +22,28 @@ variable "tenant_id" {
description = "(Required) Tenant identifier"
}
+variable "cert_mounter_chart_version" {
+ type = string
+ description = "(Optional) Cert mounter chart version"
+ default = "1.0.4"
+}
+
+variable "workload_identity_enabled" {
+ type = bool
+ description = "Enable workload identity chart"
+ default = false
+}
+
+variable "workload_identity_service_account_name" {
+ type = string
+ description = "Service account name linked to workload identity"
+ default = null
+}
+
+variable "workload_identity_client_id" {
+ type = string
+ description = "ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity"
+ default = null
+}
+
+