From 0dbd91f8d7783e07528adca73401792f6f6fa51a Mon Sep 17 00:00:00 2001 From: Bruce MacDonald Date: Mon, 16 Aug 2021 10:33:29 -0700 Subject: [PATCH] Helm secret reader (#194) * Give the registry permission to read namespace secrets - Update the registry helm chart to grant the service account permission to read secrets in the current namespace - Specify that infra should not run in the default namespace in the docs - Change name of example secrets - Add a registry service account --- README.md | 8 ++++---- docs/configuration.md | 4 ++-- docs/okta.md | 17 +++++++++-------- helm/charts/registry/templates/deployment.yaml | 1 + helm/charts/registry/templates/role.yaml | 9 +++++++++ helm/charts/registry/templates/rolebinding.yaml | 13 +++++++++++++ .../registry/templates/serviceaccount.yaml | 5 +++++ 7 files changed, 43 insertions(+), 14 deletions(-) create mode 100644 helm/charts/registry/templates/role.yaml create mode 100644 helm/charts/registry/templates/rolebinding.yaml create mode 100644 helm/charts/registry/templates/serviceaccount.yaml diff --git a/README.md b/README.md index 6f8d7e54eb..078e63cc54 100644 --- a/README.md +++ b/README.md @@ -21,8 +21,8 @@ sources: - type: okta domain: acme.okta.com clientId: 0oapn0qwiQPiMIyR35d6 - clientSecret: infra-okta/clientSecret - apiToken: infra-okta/apiToken + clientSecret: infra-registry-okta/clientSecret + apiToken: infra-registry-okta/apiToken # Map groups or individual users pulled from identity providers # Roles refer to available roles or cluster-roles currently @@ -52,7 +52,7 @@ Please follow [Okta configuration guide](./docs/okta.md) to obtain your Okta API ``` helm repo add infrahq https://helm.infrahq.com -helm install infra-registry infrahq/registry --set-file config=./infra.yaml +helm install infra-registry infrahq/registry --namespace infrahq --create-namespace --set-file config=./infra.yaml ``` 3. Connect Kubernetes Cluster(s) 
@@ -60,7 +60,7 @@ helm install infra-registry infrahq/registry --set-file config=./infra.yaml In a web browser visit the Infra Registry dashboard. The URL may be found using: ``` -kubectl get svc -n default -w infra -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname'] +kubectl get svc -n default -w infra -o jsonpath="{.status.loadBalancer.ingress[*]['ip', 'hostname']}" ``` ![Login](https://user-images.githubusercontent.com/251292/128047128-7bb0da64-4111-4116-b39b-03ca70687ad2.png) diff --git a/docs/configuration.md b/docs/configuration.md index 8c6a09e31e..07918d0031 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,8 +41,8 @@ sources: - type: okta domain: acme.okta.com clientId: 0oapn0qwiQPiMIyR35d6 - clientSecret: jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 - apiToken: 001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd + clientSecret: infra-registry-okta/clientSecret + apiToken: infra-registry-okta/apiToken users: - name: admin@example.com diff --git a/docs/okta.md b/docs/okta.md index 606b966e15..991ce0424f 100644 --- a/docs/okta.md +++ b/docs/okta.md @@ -6,8 +6,8 @@ sources: - type: okta domain: acme.okta.com clientId: 0oapn0qwiQPiMIyR35d6 - clientSecret: infra-okta/clientSecret - apiToken: infra-okta/apiToken + clientSecret: infra-registry-okta/clientSecret + apiToken: infra-registry-okta/apiToken ``` ## Contents 
@@ -54,11 +54,12 @@ The Okta client secret and API token are sensitive information which cannot be s Create [Kubernetes Secret objects](https://kubernetes.io/docs/tasks/configmap-secret/) to store the Okta client secret and API token (noted in steps 4 and 5 of `Create an Okta App` respectively). You can name these Secrets as you desire, these names will be specified in the Infra configuration. #### Example Secret Creation -Store the Okta client secret and API token on the same Kubernetes Secret object. +Store the Okta client secret and API token on the same Kubernetes Secret object in the namespace that Infra registry is running in. ``` -kubectl create secret generic infra-okta / ---from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 / ---from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd / +kubectl create secret generic infra-registry-okta \ +--namespace=infrahq \ +--from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 \ +--from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd ``` ### Add Okta information to Infra registry @@ -70,8 +71,8 @@ sources: - type: okta domain: acme.okta.com clientId: 0oapn0qwiQPiMIyR35d6 - clientSecret: infra-okta/clientSecret # / - apiToken: infra-okta/apiToken + clientSecret: infra-registry-okta/clientSecret # / + apiToken: infra-registry-okta/apiToken users: - name: admin@example.com diff --git a/helm/charts/registry/templates/deployment.yaml b/helm/charts/registry/templates/deployment.yaml index b2de7245e2..f721714531 100644 --- a/helm/charts/registry/templates/deployment.yaml +++ b/helm/charts/registry/templates/deployment.yaml @@ -14,6 +14,7 @@ spec: app: infra-registry spec: automountServiceAccountToken: true + serviceAccountName: infra-registry containers: - name: registry image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} 
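Review bot: The service account name `infra-registry` on the added `serviceAccountName:` line is a bare literal that must stay equal to the same literal in serviceaccount.yaml and to the subject in rolebinding.yaml, and nothing in the chart ties the three together. If the chart has a `_helpers.tpl` (not visible here), a named template such as `{{ include "registry.serviceAccountName" . }}` used in all three places would keep them in sync; otherwise a single chart value would do. The pod already sets `automountServiceAccountToken: true`, so the mounted token is what carries the new Secret-read permission; a comment above the line, `# Runs as the chart's service account, which rolebinding.yaml binds to the infra-registry-secret-reader Role`, makes that dependency visible to anyone editing the deployment. The enclosing Deployment spec starts and ends outside the hunk.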
diff --git a/helm/charts/registry/templates/role.yaml b/helm/charts/registry/templates/role.yaml
new file mode 100644
index 0000000000..50402e783f
--- /dev/null
+++ b/helm/charts/registry/templates/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: infra-registry-secret-reader
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
diff --git a/helm/charts/registry/templates/rolebinding.yaml b/helm/charts/registry/templates/rolebinding.yaml
new file mode 100644
index 0000000000..81fde98b36
--- /dev/null
+++ b/helm/charts/registry/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: infra-registry-secret-reader
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: infra-registry
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: infra-registry-secret-reader
\ No newline at end of file
diff --git a/helm/charts/registry/templates/serviceaccount.yaml b/helm/charts/registry/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..39e53c707f
--- /dev/null
+++ b/helm/charts/registry/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: infra-registry
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
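Review bot: The Role in role.yaml grants `get` on every Secret in the release namespace, because the rule has no `resourceNames`, while the commit's own docs say the registry only needs the Secret(s) it is configured with (`infra-registry-okta` in the examples). Since those Secret names come from the user-supplied config rather than from the chart, the broad grant may be unavoidable, but the trade-off should be stated in the template, e.g. `# Secret names are chosen by the user in the registry config, so this grants get on all Secrets in the release namespace; run Infra in a dedicated namespace.`; if the config is ever exposed as chart values, a templated `resourceNames:` list would narrow it to the named objects. Granting only `get` (no `list`/`watch`) is the right minimum for a by-name lookup. The Role and RoleBinding names are not release-scoped, so two releases in one namespace would collide on `infra-registry-secret-reader`; `name: {{ .Release.Name }}-secret-reader` in both files would avoid that.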
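Review bot: rolebinding.yaml and serviceaccount.yaml both end without a trailing newline (`\ No newline at end of file`), which yamllint flags and which makes the next edit to either file show a spurious change on its last line; add a final newline to both. Otherwise the binding is correctly namespace-scoped: the subject, the Role and the binding itself all use `{{ .Release.Namespace }}`, so the grant cannot reach Secrets in another namespace.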