Installing External Secrets Operator – Securing and Testing Your CI/CD Pipeline

External Secrets Operator is available as a Helm chart, and Argo CD can deploy Helm charts directly. A Helm chart is a collection of preconfigured Kubernetes resources (such as Deployments, Services, ConfigMaps, and more) organized into a package that makes it easy to deploy and manage applications in Kubernetes. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade even the most complex Kubernetes applications in a repeatable and standardized way. Therefore, we must create an Argo CD Application resource pointing to the Helm chart to install it. To do so, we will create the following manifests/argocd/external-secrets.yaml manifest file:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: argocd
spec:
  project: default
  source:
    chart: external-secrets/external-secrets
    repoURL: https://charts.external-secrets.io
    targetRevision: 0.9.4
    helm:
      releaseName: external-secrets
  destination:
    server: "https://kubernetes.default.svc"
    namespace: external-secrets

The Application manifest creates an external-secrets application in the argocd namespace within the default project. It downloads version 0.9.4 of the chart from the external-secrets Helm chart repository and deploys it on the Kubernetes cluster in the external-secrets namespace.
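As an added example (not code from the book), the following shell check can run in the CI job before Terraform applies the manifest: it fails if the chart source is not pinned to an exact version, which would let the deployed chart change silently between syncs, or if the chart repository is not fetched over HTTPS. The write_sample_manifest helper is constructed here only so the check can be tried offline.

```shell
#!/usr/bin/env sh
# Added example: pre-merge check for Argo CD Application manifests such as
# manifests/argocd/external-secrets.yaml. Not part of the book's code.

# check_app_manifest FILE
# Returns 0 if FILE pins targetRevision to an exact x.y.z version and uses
# an https:// repoURL; otherwise prints the reason to stderr and returns 1.
check_app_manifest() {
  file="$1"
  # Extract the two field values, taking the first occurrence and stripping quotes.
  rev=$(sed -n 's/^[[:space:]]*targetRevision:[[:space:]]*//p' "$file" | head -n 1 | tr -d "\"'")
  url=$(sed -n 's/^[[:space:]]*repoURL:[[:space:]]*//p' "$file" | head -n 1 | tr -d "\"'")
  case "$rev" in
    [0-9]*.[0-9]*.[0-9]*) ;;  # exact version such as 0.9.4: acceptable
    *) echo "$file: targetRevision '$rev' is not a pinned version" >&2; return 1 ;;
  esac
  case "$url" in
    https://*) ;;
    *) echo "$file: repoURL '$url' does not use https" >&2; return 1 ;;
  esac
  return 0
}

# write_sample_manifest FILE REVISION URL
# Writes a constructed Application manifest (same shape as the one above) to FILE.
write_sample_manifest() {
  cat > "$1" <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets
  namespace: argocd
spec:
  project: default
  source:
    chart: external-secrets/external-secrets
    repoURL: $3
    targetRevision: $2
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
EOF
}
```

In the pipeline, call check_app_manifest manifests/argocd/external-secrets.yaml as a step before terraform apply so a floating or plaintext chart source fails the build.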

To install this application, we need to apply this manifest using Terraform. Therefore, to do so, we make the following entry in the app.tf file:
data "kubectl_file_documents" "external-secrets" {
  content = file("../manifests/argocd/external-secrets.yaml")
}

resource "kubectl_manifest" "external-secrets" {
  depends_on = [
    kubectl_manifest.argocd,
  ]
  for_each           = data.kubectl_file_documents.external-secrets.manifests
  yaml_body          = each.value
  override_namespace = "argocd"
}

To deploy this, we must check these files into source control. Let’s clone the mdo-environments repository that we created in the last chapters.

If you haven’t followed the last chapters, you can do the following to set a baseline. Feel free to skip the next section if you’ve already set up your environment in Chapter 12, Continuous Deployment/Delivery with Argo CD.

Setting up the baseline

To ensure continuity with the last chapters, let’s start by creating a service account for Terraform to interact with our GCP project using the following commands:
$ gcloud iam service-accounts create terraform \
  --description="Service Account for terraform" \
  --display-name="Terraform"
$ gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:terraform@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
$ gcloud iam service-accounts keys create key-file \
  --iam-account=terraform@$PROJECT_ID.iam.gserviceaccount.com

You will see a file called key-file created within your working directory. Now, create a new repository called mdo-environments with a README.md file on GitHub, rename the main branch to prod, and create a new branch called dev using GitHub. Navigate to https://github.com//mdo-environments/settings/secrets/actions/new and create a secret named GCP_CREDENTIALS. For the value, print the contents of key-file, copy them, and paste them into the value field of the GitHub secret.

Next, create another secret, PROJECT_ID, and specify your GCP project ID within the values field.

Next, we need to create a GCS bucket for Terraform to use as a remote backend. To do this, run the following command:
$ gsutil mb gs://tf-state-mdo-terraform-${PROJECT_ID}

So, now that all the prerequisites are met, we can clone our repository and copy the baseline code.

Run the following commands to do this:
$ cd ~ && git clone git@github.com:/mdo-environments.git
$ cd mdo-environments/
$ git checkout dev
$ cp -r ~/modern-devops/ch13/baseline/* .
$ cp -r ~/modern-devops/ch13/baseline/.github .

As we’re now on the baseline, let’s proceed further to install external secrets with Terraform.
