Secret Store

This example shows how you can create an Environment-local Secret Store definition with each Deployment.

The mechanism uses a Resource Definition of type base-env to create a SecretStore Custom Resource (CR) in the Kubernetes namespace of the target Environment.

You can make the SecretStore name either context-agnostic, i.e. static, or context-specific using Placeholders. Note that the secret references used for accessing secrets from that store cannot currently use Placeholders, so the involved parties will have to follow an agreed convention to use the same store names.

The example follows the recommended practice to source configuration values for the SecretStore object from a config Resource.

The secret store defined in the base-env may be used normally in Secret references using the secret store ID specified in metadata.name of the SecretStore manifest.

In edge cases, an Operator error may occur on the first Deployment using this mechanism, saying “secret store is not found in application and operator system namespaces”. This may be due to the timing between the creation of the SecretStore manifest and a Resource requiring it to be present; it should not reoccur on subsequent Deployments, provided the setup is otherwise correct.

Two Resource Definitions are provided:

  • base-env-secretstore.yaml: Defines the base-env creating the SecretStore CR in the target namespace of the Environment
  • config-secretstore.yaml: Defines the config Resource for providing parameters to the base-env to define the SecretStore
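The following Python script is an added check, not part of this example's files or of Humanitec's tooling: it mirrors the two definitions of this example as constructed in-memory data, resolves the ${context...} and ${resources[...]} Placeholders of the SecretStore template the way the base-env template does, verifies that the config Resource reference config.secretstore can actually be matched for the given app_id, and validates that the resulting metadata.name is usable as a Kubernetes object name (assumed here to be a lower-case DNS label). It lets you see up front which store name a team must agree on before writing secret references.

```python
import re

# Constructed copy of the page's SecretStore template (context-specific naming variant active).
TEMPLATE = (
    "apiVersion: humanitec.io/v1alpha1\n"
    "kind: SecretStore\n"
    "metadata:\n"
    "  name: ${context.app.id}-${context.env.id}\n"
    "spec:\n"
    "  gcpsm:\n"
    "    auth: {}\n"
    "    projectID: ${resources['config.secretstore'].outputs.project_id}\n"
)
# Constructed mirror of config-secretstore.yaml (Echo Driver: inputs become outputs).
CONFIG_DEFINITIONS = [{
    "type": "config", "outputs": {"project_id": "my-gcp-project-id"},
    "criteria": [{"class": "secretstore", "app_id": "my-secretstore-app"}],
}]
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
RESOURCE_REF = re.compile(r"resources\['([^'.]+)\.([^']+)'\]\.outputs\.(\w+)")
DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # assumed object-name rule

def lookup_output(res_type, res_class, output, app_id, definitions=CONFIG_DEFINITIONS):
    """Output of the config definition whose criteria match `<type>.<class>` for this
    app; raises if none matches, i.e. the placeholder could not be resolved."""
    for d in definitions:
        if d["type"] != res_type:
            continue
        for c in d["criteria"]:
            if c.get("class") == res_class and c.get("app_id", app_id) == app_id:
                return d["outputs"][output]
    raise LookupError(f"no {res_type}.{res_class} definition matches app {app_id}")

def render(template, app_id, env_id, definitions=CONFIG_DEFINITIONS):
    """Substitute the ${context.*} and ${resources[...].outputs.*} placeholders."""
    context = {"context.app.id": app_id, "context.env.id": env_id}
    def resolve(m):
        expr = m.group(1)
        if expr in context:
            return context[expr]
        ref = RESOURCE_REF.fullmatch(expr)
        if not ref:
            raise ValueError(f"unsupported placeholder: {expr}")
        return lookup_output(*ref.groups(), app_id, definitions)
    return PLACEHOLDER.sub(resolve, template)

def store_name(rendered):
    """metadata.name of the rendered SecretStore, or None if it is not a valid object name."""
    m = re.search(r"^metadata:\n\s+name:\s*(\S+)", rendered, re.M)
    return m.group(1) if m and DNS1123.fullmatch(m.group(1)) else None
```

Run render() with the app_id that the base-env criteria match (my-secretstore-app in this example); a LookupError means the config Resource criteria would not select a definition for that app and the Deployment would fail to resolve the reference.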

Resource Definitions


base-env-secretstore.yaml (view on GitHub):

# This Resource Definition uses the base-env Resource type to create
# a SecretStore definition in the namespace of the Application Environment
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: base-env
entity:
  name: base-env
  type: base-env
  driver_type: humanitec/template
  driver_inputs:
    values:
      templates:
        manifests: |-
          secretstore.yaml:
            location: namespace
            data:
              apiVersion: humanitec.io/v1alpha1
              kind: SecretStore
              metadata:
                # Use this line for context-agnostic naming:
                name: my-local-gsm
                # Use this line instead for context-specific naming:
                # name: ${context.app.id}-${context.env.id}
              spec:
                # Configure the secret store according to its type
                # This example shows a Google Cloud Secret Manager
                gcpsm:
                  auth: {}
                  projectID: ${resources['config.secretstore'].outputs.project_id}
  # Adjust matching criteria as required
  criteria:
  - app_id: my-secretstore-app

config-secretstore.yaml (view on GitHub):

# This Resource Definition uses the Echo Driver to provide configuration values
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: secretstore-config
entity:
  name: secretstore-config
  type: config
  driver_type: humanitec/echo
  driver_inputs:
    # Any Driver inputs will be returned as outputs by the Echo Driver
    values:
      project_id: my-gcp-project-id
  # Adjust matching criteria as required
  criteria:
  - class: secretstore
    app_id: my-secretstore-app


base-env-secretstore.tf (view on GitHub):

resource "humanitec_resource_definition" "base-env" {
  driver_type = "humanitec/template"
  id          = "base-env"
  name        = "base-env"
  type        = "base-env"
  driver_inputs = {
    values_string = jsonencode({
      "templates" = {
        "manifests" = "secretstore.yaml:\n  location: namespace\n  data:\n    apiVersion: humanitec.io/v1alpha1\n    kind: SecretStore\n    metadata:\n      # Use this line for context-agnostic naming:\n      name: my-local-gsm\n      # Use this line instead for context-specific naming:\n      # name: $${context.app.id}-$${context.env.id}\n    spec:\n      # Configure the secret store according to its type\n      # This example shows a Google Cloud Secret Manager\n      gcpsm:\n        auth: {}\n        projectID: $${resources['config.secretstore'].outputs.project_id}"
      }
    })
  }
}

resource "humanitec_resource_definition_criteria" "base-env_criteria_0" {
  resource_definition_id = resource.humanitec_resource_definition.base-env.id
  app_id                 = "my-secretstore-app"
}


config-secretstore.tf (view on GitHub):

resource "humanitec_resource_definition" "secretstore-config" {
  driver_type = "humanitec/echo"
  id          = "secretstore-config"
  name        = "secretstore-config"
  type        = "config"
  driver_inputs = {
    values_string = jsonencode({
      "project_id" = "my-gcp-project-id"
    })
  }
}

resource "humanitec_resource_definition_criteria" "secretstore-config_criteria_0" {
  resource_definition_id = resource.humanitec_resource_definition.secretstore-config.id
  class                  = "secretstore"
  app_id                 = "my-secretstore-app"
}
