Merge pull request #1349 from GiganticMinecraft/feature/cluster-secrets

Add MariaDB monitoring ClusterSecret
GiganticMinecraft · Oct 2, 2023 · dd35cf8 · dd35cf8
2 parents 97988f8 + cfed110
commit dd35cf8
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 28 deletions.
diff --git a/terraform/onp_cluster_namespaces.tf b/terraform/onp_cluster_namespaces.tf
@@ -28,6 +28,12 @@ resource "kubernetes_namespace" "onp_argocd" {
   }
 }
 
+resource "kubernetes_namespace" "onp_clustersecret" {
+  metadata {
+    name = "clustersecret"
+  }
+}
+
 resource "kubernetes_namespace" "onp_monitoring" {
   metadata {
     name = "monitoring"

diff --git a/terraform/onp_cluster_secrets.tf b/terraform/onp_cluster_secrets.tf
@@ -1,3 +1,19 @@
+# 複数 Namespace 間で共有する秘匿値があるので、ClusterSecret controller を利用する
+resource "helm_release" "onp_cluster_clustersecret" {
+  depends_on = [kubernetes_namespace.onp_clustersecret]
+
+  # https://github.com/zakkg3/ClusterSecret/tree/bab429d98b9da19debf97259fdba01211fa8dd43#using-the-official-helm-chart
+  repository = "https://charts.clustersecret.io/"
+  chart      = "cluster-secret"
+  name       = "clustersecret"
+  namespace  = "kube-system"
+  version    = "0.2.1"
+
+  reset_values    = true
+  recreate_pods   = true
+  cleanup_on_fail = true
+}
+
 resource "kubernetes_secret" "onp_argocd_github_oauth_app_secret" {
   depends_on = [kubernetes_namespace.onp_argocd]
 
@@ -144,32 +160,21 @@ resource "random_password" "minecraft__prod_mariadb_monitoring_password" {
   special = false // MariaDBのパスワードがぶっ壊れて困るので記号を含めない
 }
 
-resource "kubernetes_secret" "onp_minecraft_grafana_mariadb_monitoring_password" {
-  depends_on = [kubernetes_namespace.onp_monitoring]
-
-  metadata {
-    name      = "mariadb-monitoring"
-    namespace = "monitoring"
-  }
-
-  data = {
-    "monitoring-password" = random_password.minecraft__prod_mariadb_monitoring_password.result
-  }
-
-  type = "Opaque"
-}
-
-resource "kubernetes_secret" "onp_minecraft_prod_mariadb_monitoring_password" {
-  depends_on = [kubernetes_namespace.onp_seichi_minecraft]
-
-  metadata {
-    name      = "mariadb-monitoring"
-    namespace = "seichi-minecraft"
-  }
-
-  data = {
-    "monitoring-password" = random_password.minecraft__prod_mariadb_monitoring_password.result
-  }
-
-  type = "Opaque"
+resource "kubernetes_manifest" "onp_minecraft_mariadb_monitoring_password" {
+  depends_on = [helm_release.onp_cluster_clustersecret]
+
+  manifest = yamldecode(<<-EOS
+    kind: ClusterSecret
+    apiVersion: clustersecret.io/v1
+    metadata:
+      namespace: clustersecret
+      name: mariadb-monitoring-password
+    matchNamespace:
+      - monitoring
+      - seichi-minecraft
+      - seichi-debug-minecraft-on-seichiassist-pr-*
+    data:
+      monitoring-password: ${base64encode(random_password.minecraft__prod_mariadb_monitoring_password.result)}
+  EOS
+  )
 }