
Add the ability to support scoped RBAC with a scoped namespace

This commit is contained in:
Eric Chan 2022-03-08 02:19:26 +10:00
parent 36077d59ec
commit 553d99a456
5 changed files with 54 additions and 9 deletions


@ -52,6 +52,7 @@ var (
concurrent int concurrent int
loglevel string loglevel string
namespace string namespace string
enableClusterStoreReconciler bool
storeRequeueInterval time.Duration storeRequeueInterval time.Duration
serviceName, serviceNamespace string serviceName, serviceNamespace string
secretName, secretNamespace string secretName, secretNamespace string
@ -116,15 +117,17 @@ var rootCmd = &cobra.Command{
setupLog.Error(err, errCreateController, "controller", "SecretStore") setupLog.Error(err, errCreateController, "controller", "SecretStore")
os.Exit(1) os.Exit(1)
} }
if err = (&secretstore.ClusterStoreReconciler{ if enableClusterStoreReconciler {
Client: mgr.GetClient(), if err = (&secretstore.ClusterStoreReconciler{
Log: ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"), Client: mgr.GetClient(),
Scheme: mgr.GetScheme(), Log: ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
ControllerClass: controllerClass, Scheme: mgr.GetScheme(),
RequeueInterval: storeRequeueInterval, ControllerClass: controllerClass,
}).SetupWithManager(mgr); err != nil { RequeueInterval: storeRequeueInterval,
setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore") }).SetupWithManager(mgr); err != nil {
os.Exit(1) setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
os.Exit(1)
}
} }
if err = (&externalsecret.Reconciler{ if err = (&externalsecret.Reconciler{
Client: mgr.GetClient(), Client: mgr.GetClient(),
@ -171,5 +174,6 @@ func init() {
rootCmd.Flags().IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.") rootCmd.Flags().IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.")
rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal") rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces") rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores") rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores")
} }
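Review bot: The new `enableClusterStoreReconciler` flag only gates the ClusterStoreReconciler setup; the externalsecret.Reconciler constructed immediately after it receives no such flag, so an ExternalSecret whose secretStoreRef names a ClusterSecretStore is presumably still processed while nothing reconciles or validates that store. If that is the intended behaviour the help text should state it rather than the bare "Enable cluster store reconciler.", e.g. `"Enable the ClusterSecretStore reconciler. Set to false together with --namespace when the operator only holds namespaced RBAC; ClusterSecretStore objects are then never reconciled."`. The adjacent `--namespace` help still says a ClusterSecretStore "can be used", which stops being true once the service account holds only a namespaced Role, so the two descriptions should be aligned in the same change. rootCmd's Run body continues outside the hunk.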


@ -86,6 +86,7 @@ The command removes all the Kubernetes components associated with the chart and
| replicaCount | int | `1` | | | replicaCount | int | `1` | |
| resources | object | `{}` | | | resources | object | `{}` | |
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace | | scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | If true, disable ClusterSecretStore. If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace. |
| securityContext | object | `{}` | | | securityContext | object | `{}` | |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |


@ -52,6 +52,10 @@ spec:
{{- if .Values.scopedNamespace }} {{- if .Values.scopedNamespace }}
- --namespace={{ .Values.scopedNamespace }} - --namespace={{ .Values.scopedNamespace }}
{{- end }} {{- end }}
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
# when scoped RBAC is enabled. cluster scoped resources are no longer supported.
- --enable-cluster-store-reconciler=false
{{- end }}
{{- if .Values.controllerClass }} {{- if .Values.controllerClass }}
- --controller-class={{ .Values.controllerClass }} - --controller-class={{ .Values.controllerClass }}
{{- end }} {{- end }}
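Review bot: The new args block is guarded by `and .Values.scopedNamespace .Values.scopedRBAC`, so `scopedRBAC: true` without `scopedNamespace` is silently ignored: the cluster-store reconciler stays enabled and, under the same condition in rbac.yaml, the ClusterRole and ClusterRoleBinding are still rendered, while the values documentation says the flag disables ClusterSecretStore unconditionally. An operator relying on the flag to limit the controller's permissions gets the cluster-wide install with no warning. Either fail at render time, e.g. `{{- if and .Values.scopedRBAC (not .Values.scopedNamespace) }}{{ fail "scopedRBAC requires scopedNamespace to be set" }}{{- end }}` at the top of the template, or document that scopedRBAC has no effect unless scopedNamespace is set. The container args list continues outside the hunk.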


@ -1,8 +1,15 @@
{{- if .Values.rbac.create -}} {{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole kind: ClusterRole
{{- end }}
metadata: metadata:
name: {{ include "external-secrets.fullname" . }}-controller name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels: labels:
{{- include "external-secrets.labels" . | nindent 4 }} {{- include "external-secrets.labels" . | nindent 4 }}
rules: rules:
@ -86,9 +93,16 @@ rules:
- "update" - "update"
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole kind: ClusterRole
{{- end }}
metadata: metadata:
name: {{ include "external-secrets.fullname" . }}-view name: {{ include "external-secrets.fullname" . }}-view
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels: labels:
{{- include "external-secrets.labels" . | nindent 4 }} {{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-view: "true"
@ -107,9 +121,16 @@ rules:
- "list" - "list"
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole kind: ClusterRole
{{- end }}
metadata: metadata:
name: {{ include "external-secrets.fullname" . }}-edit name: {{ include "external-secrets.fullname" . }}-edit
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels: labels:
{{- include "external-secrets.labels" . | nindent 4 }} {{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true"
@ -129,14 +150,25 @@ rules:
- "update" - "update"
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding kind: ClusterRoleBinding
{{- end }}
metadata: metadata:
name: {{ include "external-secrets.fullname" . }}-controller name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels: labels:
{{- include "external-secrets.labels" . | nindent 4 }} {{- include "external-secrets.labels" . | nindent 4 }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole kind: ClusterRole
{{- end }}
name: {{ include "external-secrets.fullname" . }}-controller name: {{ include "external-secrets.fullname" . }}-controller
subjects: subjects:
- name: {{ include "external-secrets.serviceAccountName" . }} - name: {{ include "external-secrets.serviceAccountName" . }}
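Review bot: In scoped mode the `-view` and `-edit` objects become namespaced Roles but keep the `rbac.authorization.k8s.io/aggregate-to-view` and `aggregate-to-edit` labels; ClusterRole aggregation only collects ClusterRoles, so on a Role those labels are inert and the built-in view/edit roles will not gain ExternalSecret permissions in the scoped namespace. Either move the labels into the `{{- else }}` branch or add a comment such as `# aggregation labels have no effect on a namespaced Role` so the rendered object does not look like it aggregates. The rules lists (mostly outside the hunks) presumably still include cluster-scoped kinds such as ClusterSecretStore; inside a Role those entries grant nothing, which is the intended least-privilege result but worth a one-line comment next to `kind: Role`, since anyone auditing the rendered manifest will otherwise assume they are effective. The rules and subjects sections extend outside the hunks.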


@ -28,6 +28,10 @@ scopedNamespace: ""
# -- Specifies whether an external secret operator deployment be created. # -- Specifies whether an external secret operator deployment be created.
createOperator: true createOperator: true
# -- If true, disable ClusterSecretStore.
# If scopedNamespace is provided, create scoped RBAC roles under the scoped namespace.
scopedRBAC: false
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time. # a time.
concurrent: 1 concurrent: 1