Introduction
The Terraform Enterprise Helm chart provides several approaches for supplying application configuration settings. This guide outlines secure methods for providing sensitive values, such as passwords and the TLS certificate key pair, to the Helm chart. These methods include using external Kubernetes secrets.
While this guide provides an example of creating a Kubernetes secret, the specific method of creating or syncing secrets with external managers is left to your organization's practices.
Procedure
This section details three secure methods for providing sensitive configuration values to the Terraform Enterprise Helm chart.
Method 1: Use an External Kubernetes Secret for the TLS Key Pair
Securely provide a certificate key pair to the Terraform Enterprise Helm chart by referencing an external Kubernetes secret. First, create a Kubernetes TLS secret in the Terraform Enterprise namespace.
$ kubectl create secret tls terraform-enterprise-certificates \
    -n terraform-enterprise \
    --cert /path/to/cert \
    --key /path/to/key
Next, provide the name of this TLS secret using the tls.certificateSecret value in your configuration file or through the command line with --set tls.certificateSecret=<SECRET>.
tls:
  certificateSecret: terraform-enterprise-certificates
The resulting pod template of the Terraform Enterprise deployment will be configured with a volume that references this secret and with volume mounts that place the certificate and key data at the configured paths inside the container.
containers:
  - envFrom:
      ## ...
      - secretRef:
          name: terraform-enterprise-env-secrets
    image: images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202405-1
    imagePullPolicy: Always
    name: terraform-enterprise
    ## ...
    volumeMounts:
      - mountPath: /etc/ssl/private/terraform-enterprise/cert.pem
        name: certificates
        subPath: tls.crt
      - mountPath: /etc/ssl/private/terraform-enterprise/key.pem
        name: certificates
        subPath: tls.key
volumes:
  - name: certificates
    secret:
      defaultMode: 420
      secretName: terraform-enterprise-certificates

Method 2: Use an External Kubernetes Secret for Configuration Options
You can source sensitive configuration options, such as the encryption password or the database user's password, from external Kubernetes secrets. First, create a generic secret in the Terraform Enterprise namespace.
$ kubectl create secret generic terraform-enterprise-secret-config \
    -n terraform-enterprise \
    --from-literal=TFE_DATABASE_PASSWORD=<PASSWORD> \
    --from-literal=TFE_ENCRYPTION_PASSWORD=<ENC_PASSWORD>
    ## ...
Next, add this secret to the list of secrets under env.secretRefs in your override values file or via the command line with --set 'env.secretRefs[0].name=terraform-enterprise-secret-config'.
env:
  secretRefs:
    - name: terraform-enterprise-secret-config

The resulting pod template of the Terraform Enterprise deployment will be configured with an envFrom secretRef for each provided secret.
containers:
  - envFrom:
      ## ...
      - secretRef:
          name: terraform-enterprise-secret-config
      ## ...

Method 3: Use a Local Secrets File
Another option is to provide the path to a local file containing secret values. First, create a local YAML file with your secret values. This example uses the filename env-secrets.yaml.
TFE_ENCRYPTION_PASSWORD: "enc-password"
TFE_DATABASE_PASSWORD: "db-password"
Then, reference the file under the env.secretsFilePath value in your configuration or through the command line with --set env.secretsFilePath=env-secrets.yaml.
env:
  secretsFilePath: env-secrets.yaml
The secrets defined in the environment file are added to a terraform-enterprise-env-secrets secret created by Helm. This secret is then used as a secretRef by the resulting pod template of the Terraform Enterprise deployment.
containers:
  - envFrom:
      ## ...
      - secretRef:
          name: terraform-enterprise-env-secrets
      ## ...
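Whichever of the three methods you use, the rendered Deployment is what actually decides how secrets reach the pod, so it is worth checking after `helm upgrade`. The audit below is an added example, not part of this guide or the Helm chart: it reads a Deployment as JSON (as produced by `kubectl get deploy <name> -o json`), flags any sensitive TFE_* setting that was passed as a plaintext `env` value instead of a secretRef, and confirms that the certificates volume and its tls.crt/tls.key mounts point at the TLS secret. The secret names are the ones used in this guide; the sample manifest is constructed to match the pod template shown above.

```python
import json

# Secret names from the guide's examples; adjust to your own overrides.
ENV_SECRETS = {"terraform-enterprise-secret-config", "terraform-enterprise-env-secrets"}
TLS_SECRET = "terraform-enterprise-certificates"
SENSITIVE = ("PASSWORD", "TOKEN", "SECRET", "KEY")


def audit_tfe_deployment(manifest: dict) -> list[str]:
    """Return findings for a Deployment (as from `kubectl get deploy -o json`).
    An empty list means secrets reach the pod the way this guide describes."""
    findings = []
    spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    tfe = next((c for c in spec.get("containers", []) if c.get("name") == "terraform-enterprise"), None)
    if tfe is None:
        return ["no container named terraform-enterprise in the pod template"]
    # 1. Sensitive TFE_* settings must not be inline literals under env.
    for var in tfe.get("env", []):
        name = var.get("name", "")
        if name.startswith("TFE_") and any(m in name for m in SENSITIVE) and "value" in var:
            findings.append(f"{name} is a plaintext env value; source it from a secretRef")
    # 2. At least one expected secret must be referenced through envFrom.
    referenced = {e["secretRef"]["name"] for e in tfe.get("envFrom", []) if "secretRef" in e}
    if not referenced & ENV_SECRETS:
        findings.append("no envFrom secretRef to a known Terraform Enterprise secret")
    # 3. The certificates volume must come from the TLS secret, with tls.crt and tls.key mounted via subPath.
    vols = {v.get("name"): v for v in spec.get("volumes", [])}
    cert_vol = vols.get("certificates", {})
    if cert_vol.get("secret", {}).get("secretName") != TLS_SECRET:
        findings.append(f"certificates volume does not reference secret {TLS_SECRET}")
    mounted = {m.get("subPath") for m in tfe.get("volumeMounts", []) if m.get("name") == "certificates"}
    for key in ("tls.crt", "tls.key"):
        if key not in mounted:
            findings.append(f"{key} is not mounted from the certificates volume")
    return findings


# Constructed sample matching the rendered pod template shown in this guide.
SAMPLE = json.loads("""{"spec": {"template": {"spec": {
  "containers": [{"name": "terraform-enterprise",
    "env": [{"name": "TFE_HOSTNAME", "value": "tfe.example.com"}],
    "envFrom": [{"secretRef": {"name": "terraform-enterprise-secret-config"}}],
    "volumeMounts": [
      {"name": "certificates", "mountPath": "/etc/ssl/private/terraform-enterprise/cert.pem", "subPath": "tls.crt"},
      {"name": "certificates", "mountPath": "/etc/ssl/private/terraform-enterprise/key.pem", "subPath": "tls.key"}]}],
  "volumes": [{"name": "certificates", "secret": {"secretName": "terraform-enterprise-certificates", "defaultMode": 420}}]
}}}}""")

if __name__ == "__main__":
    print(audit_tfe_deployment(SAMPLE) or ["OK: secrets are sourced via secretRef and the TLS secret volume"])
```

For a live check, pipe `kubectl get deploy terraform-enterprise -n terraform-enterprise -o json` into `json.load(sys.stdin)` and pass the result to `audit_tfe_deployment`.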