diff --git a/cert_mounter/README.md b/cert_mounter/README.md index a2af5993..de42516d 100644 --- a/cert_mounter/README.md +++ b/cert_mounter/README.md @@ -40,10 +40,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cert\_mounter\_chart\_version](#input\_cert\_mounter\_chart\_version) | (Optional) Cert mounter chart version | `string` | `"1.0.4"` | no | | [certificate\_name](#input\_certificate\_name) | (Required) Name of the certificate stored in the keyvault, that will be installed as a secret in aks | `string` | n/a | yes | | [kv\_name](#input\_kv\_name) | (Required) Key vault name where to retrieve the certificate | `string` | n/a | yes | | [namespace](#input\_namespace) | (Required) Namespace where the cert secret will be created | `string` | n/a | yes | | [tenant\_id](#input\_tenant\_id) | (Required) Tenant identifier | `string` | n/a | yes | +| [workload\_identity\_client\_id](#input\_workload\_identity\_client\_id) | ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity | `string` | `null` | no | +| [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity chart | `bool` | `false` | no | +| [workload\_identity\_service\_account\_name](#input\_workload\_identity\_service\_account\_name) | Service account name linked to workload identity | `string` | `null` | no | ## Outputs diff --git a/cert_mounter/helm/cert-mounter-yaml.tpl b/cert_mounter/helm/cert-mounter-pod-identity.yaml.tpl similarity index 100% rename from cert_mounter/helm/cert-mounter-yaml.tpl rename to cert_mounter/helm/cert-mounter-pod-identity.yaml.tpl diff --git a/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl new file mode 100644 index 00000000..d4288c7f --- /dev/null +++ b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl @@ -0,0 +1,17 @@ +namespace: ${NAMESPACE} + +deployment: + create: true + +kvCertificatesName: + - ${CERTIFICATE_NAME} + +keyvault: + name: ${KEY_VAULT_NAME} + tenantId: ${TENANT_ID} + +serviceAccount: + name: ${SERVICE_ACCOUNT_NAME} + +azure: + workloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID} diff --git a/cert_mounter/main.tf b/cert_mounter/main.tf index b04b67db..8ec21663 100644 --- a/cert_mounter/main.tf +++ b/cert_mounter/main.tf @@ -2,18 +2,26 @@ resource "helm_release" "cert_mounter" { name = "cert-mounter-blueprint" repository = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint" chart = "cert-mounter-blueprint" - version = "1.0.4" + version = local.chart_version namespace = var.namespace timeout = 120 force_update = true values = [ - templatefile("${path.module}/helm/cert-mounter-yaml.tpl", { + var.workload_identity_enabled ? + templatefile("${path.module}/helm/cert-mounter-workload-identity.yaml.tpl", { + NAMESPACE = var.namespace, + CERTIFICATE_NAME = var.certificate_name, + KEY_VAULT_NAME = var.kv_name + TENANT_ID = var.tenant_id + SERVICE_ACCOUNT_NAME = var.workload_identity_service_account_name + WORKLOAD_IDENTITY_CLIENT_ID = var.workload_identity_client_id + }) : + templatefile("${path.module}/helm/cert-mounter-pod-identity.yaml.tpl", { NAMESPACE = var.namespace, CERTIFICATE_NAME = var.certificate_name, KEY_VAULT_NAME = var.kv_name TENANT_ID = var.tenant_id }) - ] } diff --git a/cert_mounter/variables.tf b/cert_mounter/variables.tf index ad885c94..831598e8 100644 --- a/cert_mounter/variables.tf +++ b/cert_mounter/variables.tf @@ -1,3 +1,7 @@ +locals { + chart_version = var.workload_identity_enabled ? "2.0.0" : "1.0.4" +} + variable "namespace" { type = string description = "(Required) Namespace where the cert secret will be created" @@ -18,3 +22,28 @@ variable "tenant_id" { description = "(Required) Tenant identifier" } +variable "cert_mounter_chart_version" { + type = string + description = "(Optional) Cert mounter chart version" + default = "1.0.4" +} + +variable "workload_identity_enabled" { + type = bool + description = "Enable workload identity chart" + default = false +} + +variable "workload_identity_service_account_name" { + type = string + description = "Service account name linked to workload identity" + default = null +} + +variable "workload_identity_client_id" { + type = string + description = "ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity" + default = null +} + +