Add the ability to support scoped RBAC with a scoped namespace
This commit is contained in:
parent
36077d59ec
commit
553d99a456
5 changed files with 54 additions and 9 deletions
22
cmd/root.go
22
cmd/root.go
|
@ -52,6 +52,7 @@ var (
|
|||
concurrent int
|
||||
loglevel string
|
||||
namespace string
|
||||
enableClusterStoreReconciler bool
|
||||
storeRequeueInterval time.Duration
|
||||
serviceName, serviceNamespace string
|
||||
secretName, secretNamespace string
|
||||
|
@ -116,15 +117,17 @@ var rootCmd = &cobra.Command{
|
|||
setupLog.Error(err, errCreateController, "controller", "SecretStore")
|
||||
os.Exit(1)
|
||||
}
|
||||
if err = (&secretstore.ClusterStoreReconciler{
|
||||
Client: mgr.GetClient(),
|
||||
Log: ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
|
||||
Scheme: mgr.GetScheme(),
|
||||
ControllerClass: controllerClass,
|
||||
RequeueInterval: storeRequeueInterval,
|
||||
}).SetupWithManager(mgr); err != nil {
|
||||
setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
|
||||
os.Exit(1)
|
||||
if enableClusterStoreReconciler {
|
||||
if err = (&secretstore.ClusterStoreReconciler{
|
||||
Client: mgr.GetClient(),
|
||||
Log: ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
|
||||
Scheme: mgr.GetScheme(),
|
||||
ControllerClass: controllerClass,
|
||||
RequeueInterval: storeRequeueInterval,
|
||||
}).SetupWithManager(mgr); err != nil {
|
||||
setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
if err = (&externalsecret.Reconciler{
|
||||
Client: mgr.GetClient(),
|
||||
|
@ -171,5 +174,6 @@ func init() {
|
|||
rootCmd.Flags().IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.")
|
||||
rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
|
||||
rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
|
||||
rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
|
||||
rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores")
|
||||
}
|
||||
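Review bot: The new `if enableClusterStoreReconciler` gate in the rootCmd hunk is not coupled to `--namespace`, so a binary started with `--namespace=foo` and the flag left at its default `true` still registers a cluster-wide ClusterSecretStore watch; a namespace-scoped Role cannot satisfy that list/watch, so the failure would likely surface as cache/informer errors at runtime rather than as a clear startup error. Consider rejecting or logging the combination where the flags are consumed, e.g. `if namespace != "" && enableClusterStoreReconciler { setupLog.Info("cluster store reconciler is enabled with --namespace; this requires cluster-wide RBAC") }`, or at least state it in the flag help: `"Enable cluster store reconciler. Set to false when RBAC is limited to a single namespace, as ClusterSecretStore is cluster-scoped."`. Both the rootCmd Run body and init() begin and end outside their hunks.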
|
|
|
@ -86,6 +86,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| replicaCount | int | `1` | |
|
||||
| resources | object | `{}` | |
|
||||
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
|
||||
| scopedRBAC | bool | `false` | If true, disable ClusterSecretStore. If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace. |
|
||||
| securityContext | object | `{}` | |
|
||||
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
|
|
|
@ -52,6 +52,10 @@ spec:
|
|||
{{- if .Values.scopedNamespace }}
|
||||
- --namespace={{ .Values.scopedNamespace }}
|
||||
{{- end }}
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
# when scoped RBAC is enabled. cluster scoped resources are no longer supported.
|
||||
- --enable-cluster-store-reconciler=false
|
||||
{{- end }}
|
||||
{{- if .Values.controllerClass }}
|
||||
- --controller-class={{ .Values.controllerClass }}
|
||||
{{- end }}
|
||||
|
|
|
@ -1,8 +1,15 @@
|
|||
{{- if .Values.rbac.create -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
kind: Role
|
||||
{{- else }}
|
||||
kind: ClusterRole
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ include "external-secrets.fullname" . }}-controller
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
namespace: {{ .Values.scopedNamespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets.labels" . | nindent 4 }}
|
||||
rules:
|
||||
|
@ -86,9 +93,16 @@ rules:
|
|||
- "update"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
kind: Role
|
||||
{{- else }}
|
||||
kind: ClusterRole
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ include "external-secrets.fullname" . }}-view
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
namespace: {{ .Values.scopedNamespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets.labels" . | nindent 4 }}
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
|
@ -107,9 +121,16 @@ rules:
|
|||
- "list"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
kind: Role
|
||||
{{- else }}
|
||||
kind: ClusterRole
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ include "external-secrets.fullname" . }}-edit
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
namespace: {{ .Values.scopedNamespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets.labels" . | nindent 4 }}
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
|
@ -129,14 +150,25 @@ rules:
|
|||
- "update"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
kind: RoleBinding
|
||||
{{- else }}
|
||||
kind: ClusterRoleBinding
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ include "external-secrets.fullname" . }}-controller
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
namespace: {{ .Values.scopedNamespace | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
|
||||
kind: Role
|
||||
{{- else }}
|
||||
kind: ClusterRole
|
||||
{{- end }}
|
||||
name: {{ include "external-secrets.fullname" . }}-controller
|
||||
subjects:
|
||||
- name: {{ include "external-secrets.serviceAccountName" . }}
|
||||
|
|
|
@ -28,6 +28,10 @@ scopedNamespace: ""
|
|||
# -- Specifies whether an external secret operator deployment be created.
|
||||
createOperator: true
|
||||
|
||||
# -- If true, disable ClusterSecretStore.
|
||||
# If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace.
|
||||
scopedRBAC: false
|
||||
|
||||
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
|
||||
# a time.
|
||||
concurrent: 1
|
||||
|
|