feat: Added support for using external-secrets with kratos (#48)

bmonkman · web-flow · commit 049e1110d3c0 · 2021-05-18T15:55:36.000-07:00
* feat: Added support for using external-secrets with kratos

* fix: Switched to a more generic form for supplying the external secret source. Changed vars so that JWKS content is passed in instead of secret name.

* fix: Allow user-auth to be used without external-secrets

* chore: Remove brackets around conditional
diff --git a/modules/user_auth/README.md b/modules/user_auth/README.md
@@ -22,7 +22,6 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
 | helm | n/a |
 | kubernetes | n/a |
 | null | n/a |
@@ -34,12 +33,15 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | auth\_namespace | Namespace to use for auth resources | `string` | `"user-auth"` | no |
 | backend\_service\_domain | Domain of the backend service | `string` | n/a | yes |
-| cookie\_sigining\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes |
+| cookie\_signing\_secret\_key | Default secret key for signing cookies | `string` | n/a | yes |
 | create\_namespace | Whether to create the auth namespace(defaults to true), otherwise just references the namespace | `bool` | `true` | no |
+| external\_secret\_backend | The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually. | `string` | `"secretsManager"` | no |
+| external\_secret\_name | Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use | `string` | n/a | yes |
 | frontend\_service\_domain | Domain of the frontend | `string` | n/a | yes |
-| jwks\_secret\_name | The name of a secret in the auth namespace containing a JWKS file for Oathkeeper | `string` | n/a | yes |
+| jwks\_content | The content of a JWKS file for Oathkeeper | `string` | n/a | yes |
 | k8s\_local\_exec\_context | Custom resource (Oathkeeper Rules are created using local-exec with kubectl), if not specified it will target your current context from kubeconfig | `string` | `""` | no |
 | kratos\_secret\_name | Secret name for kratos to access Database credentials, created from pre-k8s script | `string` | n/a | yes |
+| kubectl\_extra\_args | Arguments that will be passed to kubectl when using the local executor in cases where the terraform k8s support is not enough | `string` | n/a | yes |
 | name | The name to create user-auth components(kratos/oathkeeper), must be unique in the cluster for helm-resources | `string` | n/a | yes |
 | user\_auth\_mail\_from\_address | Mail from the user management system will come from this address | `string` | `""` | no |
 | whitelisted\_return\_urls | URLs that can be redirected to after completing a flow initialized with the return\_to parameter | `list(string)` | `[]` | no |
diff --git a/modules/user_auth/main.tf b/modules/user_auth/main.tf
@@ -1,10 +1,20 @@
-## Get generated JWKS content from secret
-data "aws_secretsmanager_secret" "jwks_content" {
-  name = var.jwks_secret_name
-}
-data "aws_secretsmanager_secret_version" "jwks_content" {
+locals {
+  # Kubernetes manifest to configure a custom resource that tells external-secrets where to pull secret data from
+  external_secret_definition = {
+    apiVersion : "kubernetes-client.io/v1"
+    kind : "ExternalSecret"
+
+    metadata : {
+      name : var.kratos_secret_name
+      namespace : var.auth_namespace
+    }
+    spec : {
+      backendType : var.external_secret_backend
+      dataFrom : [var.external_secret_name]
+    }
+  }
+
 
-  secret_id = data.aws_secretsmanager_secret.jwks_content.id
 }
 
 resource "kubernetes_namespace" "user_auth" {
@@ -14,19 +24,36 @@ resource "kubernetes_namespace" "user_auth" {
   }
 }
 
+# Use local exec here because we are creating a custom resource which is not yet supported by the terraform kubernetes provider
+resource "null_resource" "external_secret_custom_resource" {
+  count = var.external_secret_backend == "" ? 0 : 1
+
+  triggers = {
+    manifest_sha1 = sha1(jsonencode(local.external_secret_definition))
+  }
+
+  provisioner "local-exec" {
+    command = "kubectl apply ${var.kubectl_extra_args} -n ${var.auth_namespace} -f - <<EOF\n${jsonencode(local.external_secret_definition)}\nEOF"
+  }
+
+  depends_on = [kubernetes_namespace.user_auth]
+}
+
 resource "helm_release" "kratos" {
 
   name       = "kratos-${var.name}"
   repository = "https://k8s.ory.sh/helm/charts"
   chart      = "kratos"
   version    = "0.4.11"
   namespace  = var.auth_namespace
+  depends_on = [kubernetes_namespace.user_auth]
 
   values = [
     file("${path.module}/files/kratos-values.yml"),
   ]
 
   # This secret contains db credentials created during the initial zero apply command
+  # The kubernetes secret will be created automatically by external-secrets based on the content of a secret from the specified secrets source
   set {
     name  = "secret.nameOverride"
     value = var.kratos_secret_name
@@ -46,7 +73,7 @@ resource "helm_release" "kratos" {
 
   set_sensitive {
     name  = "kratos.config.secrets.default[0]"
-    value = var.cookie_sigining_secret_key
+    value = var.cookie_signing_secret_key
   }
 
   set {
@@ -168,6 +195,7 @@ resource "helm_release" "oathkeeper" {
   chart      = "oathkeeper"
   version    = "0.4.11"
   namespace  = var.auth_namespace
+  depends_on = [kubernetes_namespace.user_auth]
 
   values = [
     file("${path.module}/files/oathkeeper-values.yml"),
@@ -186,7 +214,7 @@ resource "helm_release" "oathkeeper" {
   # Clean up and set the JWKS content. This will become a secret mounted into the pod
   set_sensitive {
     name  = "oathkeeper.mutatorIdTokenJWKs"
-    value = replace(jsonencode(jsondecode(data.aws_secretsmanager_secret_version.jwks_content.secret_string)), "/([,\\[\\]{}])/", "\\$1")
+    value = replace(jsonencode(jsondecode(var.jwks_content)), "/([,\\[\\]{}])/", "\\$1")
   }
 
   set {
diff --git a/modules/user_auth/variables.tf b/modules/user_auth/variables.tf
@@ -42,9 +42,10 @@ variable "user_auth_mail_from_address" {
   default     = ""
 }
 
-variable "jwks_secret_name" {
-  description = "The name of a secret in the auth namespace containing a JWKS file for Oathkeeper"
+variable "jwks_content" {
+  description = "The content of a JWKS file for Oathkeeper"
   type        = string
+  sensitive   = true
 }
 
 variable "whitelisted_return_urls" {
@@ -53,8 +54,24 @@ variable "whitelisted_return_urls" {
   default     = []
 }
 
-variable "cookie_sigining_secret_key" {
+variable "cookie_signing_secret_key" {
   description = "Default secret key for signing cookies"
   type        = string
   sensitive   = true
 }
+
+variable "kubectl_extra_args" {
+  description = "Arguments that will be passed to kubectl when using the local executor in cases where the terraform k8s support is not enough"
+  type        = string
+}
+
+variable "external_secret_backend" {
+  description = "The backend external-secrets will pull secret data from to create a corresponding secret in kubernetes. If empty, external-secrets will not be used. You'll need to make sure the secret is created manually."
+  type        = string
+  default     = "secretsManager"
+}
+
+variable "external_secret_name" {
+  description = "Name of a secret in an external secrets backend that contains the content to pull into a kubernetes secret for Kratos to use"
+  type        = string
+}
