feat(weave): Add CSI driver support for internal service authentication

main.tf

@@ -426,6 +426,30 @@ locals {
       parquet = {
         extraEnv = var.parquet_wandb_env
       }
+
+      weave-trace-worker = {
+        serviceAccount = {
+          annotations = {
+            "eks.amazonaws.com/role-arn" = module.app_eks.weave_worker_iam_role_arn
+          }
+        }
+        secretsStore = {
+          enabled = true
+        }
+      }
+
+      secretsStore = {
+        enabled  = true
+        provider = "aws"
+        secrets = [
+          {
+            name            = "weave-worker-auth"
+            cloudSecretName = module.app_eks.weave_worker_auth_secret_name
+            k8sSecretName   = "weave-worker-auth"
+            k8sSecretKey    = "key"
+          }
+        ]
+      }
     }
   }
 }

modules/app_eks/iam-policies.tf

@@ -63,3 +63,10 @@ resource "aws_iam_policy" "irsa" {
     ]
   })
 }
+
+# IAM Policy for Weave Workers
+resource "aws_iam_policy" "weave_worker" {
+  name        = "${var.namespace}-weave-worker-secrets-access"
+  description = "Weave worker IRSA policy for accessing secrets"
+  policy      = data.aws_iam_policy_document.weave_worker_secrets_access.json
+}

modules/app_eks/iam-policy-docs.tf

@@ -127,3 +127,14 @@ data "aws_iam_policy_document" "secrets_manager" {
     resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}*"]
   }
 }
+
+data "aws_iam_policy_document" "weave_worker_secrets_access" {
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+    ]
+    effect    = "Allow"
+    resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}-*"]
+  }
+}

modules/app_eks/iam-role-attachments.tf

@@ -59,3 +59,9 @@ resource "aws_iam_policy_attachment" "irsa" {
   roles      = [aws_iam_role.irsa.name]
   policy_arn = aws_iam_policy.irsa.arn
 }
+
+# Attach Weave Worker Policy to Weave Worker Role
+resource "aws_iam_role_policy_attachment" "weave_worker" {
+  role       = aws_iam_role.weave_worker.name
+  policy_arn = aws_iam_policy.weave_worker.arn
+}

modules/app_eks/iam-roles.tf

@@ -27,3 +27,27 @@ resource "aws_iam_role" "irsa" {
     ]
   })
 }
+
+# IAM Role for Weave Workers
+resource "aws_iam_role" "weave_worker" {
+  name = "${var.namespace}-weave-worker-irsa"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = ""
+        Effect = "Allow"
+        Principal = {
+          Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${aws_iam_openid_connect_provider.eks.url}"
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringLike = {
+            "${aws_iam_openid_connect_provider.eks.url}:sub" = "system:serviceaccount:${var.k8s_namespace}:*"
+            "${aws_iam_openid_connect_provider.eks.url}:aud" = "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+}

modules/app_eks/main.tf

@@ -205,6 +205,17 @@ module "cluster_autoscaler" {
   ]
 }
 
+module "secrets_store" {
+  source = "./secrets_store"
+
+  secrets_store_csi_driver_version              = var.secrets_store_csi_driver_version
+  secrets_store_csi_driver_provider_aws_version = var.secrets_store_csi_driver_provider_aws_version
+
+  depends_on = [
+    module.eks
+  ]
+}
+
 # Weave worker authentication token
 resource "random_password" "weave_worker_auth" {
   length  = 32
@@ -252,16 +263,8 @@ resource "aws_iam_role_policy_attachment" "weave_worker_auth_secret_reader" {
   policy_arn = aws_iam_policy.weave_worker_auth_secret_reader.arn
 }
 
-# Create Kubernetes secret with the token
-resource "kubernetes_secret" "weave_worker_auth" {
-  metadata {
-    name      = "weave-worker-auth"
-    namespace = var.k8s_namespace
-  }
-
-  binary_data = {
-    "key" = random_password.weave_worker_auth.result
-  }
 
-  depends_on = [module.eks]
-}
+# NOTE: The Kubernetes secrets are now created by the Secrets Store CSI Driver
+# via the SecretProviderClass defined in the operator-wandb Helm chart.
+# This eliminates the need to manage secrets in both Terraform and Kubernetes,
+# and provides automatic secret rotation capabilities.

modules/app_eks/outputs.tf

@@ -21,3 +21,13 @@ output "primary_workers_security_group_id" {
 output "aws_iam_openid_connect_provider" {
   value = aws_iam_openid_connect_provider.eks.url
 }
+
+output "weave_worker_auth_secret_name" {
+  value       = aws_secretsmanager_secret.weave_worker_auth.name
+  description = "Name of the AWS Secrets Manager secret containing the weave worker auth token (used by SecretProviderClass)"
+}
+
+output "weave_worker_iam_role_arn" {
+  value       = aws_iam_role.weave_worker.arn
+  description = "ARN of the IAM role for weave worker service accounts to access AWS Secrets Manager via CSI driver"
+}

modules/app_eks/secrets_store/secrets_store.tf

@@ -0,0 +1,40 @@
+# Install Secrets Store CSI Driver via Helm
+resource "helm_release" "secrets_store_csi_driver" {
+  name       = "secrets-store-csi-driver"
+  repository = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
+  chart      = "secrets-store-csi-driver"
+  version    = var.secrets_store_csi_driver_version
+  namespace  = "kube-system"
+
+  set {
+    name  = "syncSecret.enabled"
+    value = "true"
+  }
+
+  set {
+    name  = "enableSecretRotation"
+    value = "true"
+  }
+
+  set {
+    name  = "rotationPollInterval"
+    value = "120s"
+  }
+}
+
+# Install AWS Secrets Manager Provider for Secrets Store CSI Driver
+resource "helm_release" "secrets_store_csi_driver_provider_aws" {
+  depends_on = [
+    helm_release.secrets_store_csi_driver
+  ]
+
+  name       = "secrets-store-csi-driver-provider-aws"
+  repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws"
+  chart      = "secrets-store-csi-driver-provider-aws"
+  version    = var.secrets_store_csi_driver_provider_aws_version
+  namespace  = "kube-system"
+}
+
+# NOTE: The SecretProviderClass is created by the application Helm chart (operator-wandb),
+# not by Terraform. This avoids CRD timing issues and keeps application-specific configuration
+# with the application deployment.

modules/app_eks/secrets_store/variables.tf

@@ -0,0 +1,9 @@
+variable "secrets_store_csi_driver_version" {
+  type        = string
+  description = "The version of the Secrets Store CSI Driver Helm chart to install."
+}
+
+variable "secrets_store_csi_driver_provider_aws_version" {
+  type        = string
+  description = "The version of the AWS Secrets Manager Provider for Secrets Store CSI Driver Helm chart to install."
+}

modules/app_eks/variables.tf

@@ -254,3 +254,15 @@ variable "cluster_autoscaler_image_tag" {
   description = "The tag of the cluster-autoscaler to deploy."
   default     = null
 }
+
+variable "secrets_store_csi_driver_version" {
+  type        = string
+  description = "The version of the Secrets Store CSI Driver Helm chart to install."
+  default     = "1.4.7"
+}
+
+variable "secrets_store_csi_driver_provider_aws_version" {
+  type        = string
+  description = "The version of the AWS Secrets Manager Provider for Secrets Store CSI Driver Helm chart to install."
+  default     = "0.3.9"
+}