Helm secret reader (#194)

* Give the registry permission to read namespace secrets

- Update the registry helm chart to grant the service account permission to read secrets in the current namespace
- Specify that infra should not run in the default namespace in the docs
- Change name of example secrets
- Add a registry service account

README.md

@@ -21,8 +21,8 @@ sources:
   - type: okta
     domain: acme.okta.com
     clientId: 0oapn0qwiQPiMIyR35d6
-    clientSecret: infra-okta/clientSecret 
-    apiToken: infra-okta/apiToken
+    clientSecret: infra-registry-okta/clientSecret
+    apiToken: infra-registry-okta/apiToken
 
 # Map groups or individual users pulled from identity providers
 # Roles refer to available roles or cluster-roles currently 
@@ -52,15 +52,15 @@ Please follow [Okta configuration guide](./docs/okta.md) to obtain your Okta API
 ```
 helm repo add infrahq https://helm.infrahq.com
 
-helm install infra-registry infrahq/registry --set-file config=./infra.yaml 
+helm install infra-registry infrahq/registry --namespace infrahq --create-namespace --set-file config=./infra.yaml 
 ```
 
 3. Connect Kubernetes Cluster(s)
 
 In a web browser visit the Infra Registry dashboard. The URL may be found using: 
 
 ```
-kubectl get svc -n default -w infra -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']
+kubectl get svc -n default -w infra -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}"
 ```
 ![Login](https://user-images.githubusercontent.com/251292/128047128-7bb0da64-4111-4116-b39b-03ca70687ad2.png)
 

docs/configuration.md

@@ -41,8 +41,8 @@ sources:
   - type: okta
     domain: acme.okta.com
     clientId: 0oapn0qwiQPiMIyR35d6
-    clientSecret: jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2
-    apiToken: 001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd
+    clientSecret: infra-registry-okta/clientSecret
+    apiToken: infra-registry-okta/apiToken
 
 users:
   - name: [email protected]

docs/okta.md

@@ -6,8 +6,8 @@ sources:
   - type: okta
     domain: acme.okta.com
     clientId: 0oapn0qwiQPiMIyR35d6
-    clientSecret: infra-okta/clientSecret
-    apiToken: infra-okta/apiToken
+    clientSecret: infra-registry-okta/clientSecret
+    apiToken: infra-registry-okta/apiToken
 ```
 
 ## Contents
@@ -54,11 +54,12 @@ The Okta client secret and API token are sensitive information which cannot be s
 Create [Kubernetes Secret objects](https://kubernetes.io/docs/tasks/configmap-secret/) to store the Okta client secret and API token (noted in steps 4 and 5 of `Create an Okta App` respectively). You can name these Secrets as you desire, these names will be specified in the Infra configuration.
 
 #### Example Secret Creation
-Store the Okta client secret and API token on the same Kubernetes Secret object.
+Store the Okta client secret and API token on the same Kubernetes Secret object in the namespace that Infra registry is running in.
 ```
-kubectl create secret generic infra-okta /
---from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 /
---from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd /
+kubectl create secret generic infra-registry-okta \
+--namespace=infrahq \
+--from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 \
+--from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd
 ```
 
 ### Add Okta information to Infra registry
@@ -70,8 +71,8 @@ sources:
   - type: okta
     domain: acme.okta.com
     clientId: 0oapn0qwiQPiMIyR35d6
-    clientSecret: infra-okta/clientSecret # <kubernetes secret object name>/<key of the secret>
-    apiToken: infra-okta/apiToken
+    clientSecret: infra-registry-okta/clientSecret # <kubernetes secret object name>/<key of the secret>
+    apiToken: infra-registry-okta/apiToken
 
 users:
   - name: [email protected]

helm/charts/registry/templates/deployment.yaml

@@ -14,6 +14,7 @@ spec:
         app: infra-registry
     spec:
       automountServiceAccountToken: true
+      serviceAccountName: infra-registry
       containers:
         - name: registry
           image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}

helm/charts/registry/templates/role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infra-registry-secret-reader
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]

helm/charts/registry/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: infra-registry-secret-reader
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: infra-registry
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: infra-registry-secret-reader

helm/charts/registry/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: infra-registry
+  namespace: {{ .Release.Namespace }}