Helm charts managed through Terraform to deploy an Azure SecretProviderClass on AKS
Introduction
In this article we will see how to benefit from the advantages of two infrastructure and template management solutions: Helm charts and Terraform.
In order to make the exercise challenging and to prove that the two work well together, I deliberately chose the SecretProviderClass, because it is a complex Kubernetes resource type to model.
The template below uses, in order of preference, the values provided by the current "range" item (file "value-demo.yaml"), then the default values (file "value.yaml"), then those provided by Terraform ("set" function).
# Reference: Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver
# Chapter: Use a user-assigned managed identity https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access?WT.mc_id=AZ-MVP-5003548#use-a-user-assigned-managed-identity
{{- range $key, $value := .Values.secrets }}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: {{ $value.name }}
  namespace: {{ $value.namespace }}
spec:
  provider: azure
  parameters:
    {{- if $value.usePodIdentity }}
    usePodIdentity: "{{ $value.usePodIdentity }}"
    {{- else }}
    usePodIdentity: "{{ $.Values.usePodIdentity }}"
    {{- end }}
    {{- if $value.useVMManagedIdentity }}
    useVMManagedIdentity: "{{ $value.useVMManagedIdentity }}"
    {{- else }}
    useVMManagedIdentity: "{{ $.Values.useVMManagedIdentity }}"
    {{- end }}
    userAssignedIdentityID: {{ $.Values.userAssignedIdentityID }}
    {{- if $value.keyvaultName }}
    keyvaultName: {{ $value.keyvaultName }}
    {{- else }}
    keyvaultName: {{ $.Values.keyvaultName }}
    {{- end }}
    objects: |
      {{- $value.parameters.objects | nindent 6 }}
    tenantId: {{ $.Values.tenantId }}
  {{- if $value.secretObjects }}
  secretObjects: {{ $value.secretObjects | toYaml | nindent 2 -}}
  {{- end }}
---
{{- end }}
Terraform plan
What is interesting here with Terraform is that we can review the planned changes before applying them, and we can pass information Terraform already knows, such as the Azure Tenant ID, together with core parameters such as the target Azure Key Vault.
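As an added example that is not part of the original article, here is the Terraform side of the setup: a helm_release that passes the three values the template reads from $.Values (tenantId, keyvaultName, userAssignedIdentityID) without writing them into the chart. The resource names, the chart path, the values file name and the use of the AKS kubelet identity with helm provider 2.x set blocks are assumptions for illustration.

```hcl
# Added example (not the article's code). Assumes azurerm_kubernetes_cluster.aks,
# azurerm_key_vault.kv and a chart at ./charts/secretproviderclass already exist.
data "azurerm_client_config" "current" {}

# Least privilege: the identity the CSI driver runs as only gets the
# "Key Vault Secrets User" role, scoped to this single vault.
resource "azurerm_role_assignment" "kubelet_kv_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

resource "helm_release" "secretproviderclass" {
  name      = "secretproviderclass"
  chart     = "./charts/secretproviderclass"
  namespace = "default"

  # Per-secret entries that the template's "range" iterates over.
  values = [file("${path.module}/value-demo.yaml")]

  # Values Terraform already knows, so they never have to be written in the chart.
  set {
    name  = "tenantId"
    value = data.azurerm_client_config.current.tenant_id
  }
  set {
    name  = "keyvaultName"
    value = azurerm_key_vault.kv.name
  }
  set {
    name  = "userAssignedIdentityID"
    value = azurerm_kubernetes_cluster.aks.kubelet_identity[0].client_id
  }
  set {
    name  = "useVMManagedIdentity"
    value = "true"
  }

  # Make sure the role assignment exists before pods try to mount secrets.
  depends_on = [azurerm_role_assignment.kubelet_kv_secrets_user]
}
```

Running terraform plan shows the rendered set values next to the release, so a wrong tenant or vault name is caught in review rather than at pod start.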
Conclusion
Using Terraform and Helm charts together will help you reap the benefits of both worlds:
Make full use of your teams' skills.
Pass values calculated by your cloud provider without writing them in your code.
Review the changes that new git commits plan to make before applying them in production.