Give the registry permission to read namespace secrets(#187)

- Update the registry helm chart to grant the service account permission to read secrets in the current namespace - Specify that infra should not run in the default namespace in the docs - Update Makefile for local development
infrahq · Aug 14, 2021 · e61ec7b · e61ec7b
1 parent 1a3551b
commit e61ec7b
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -43,7 +43,7 @@ dev:
 	kubectl config use-context docker-desktop
 	docker build . -t infrahq/infra:0.0.0-development
 	helm upgrade --install infra ./helm/charts/infra --set image.pullPolicy=Never --set image.tag=0.0.0-development
-	helm upgrade --install infra-engine ./helm/charts/engine --set image.pullPolicy=Never --set image.tag=0.0.0-development --set registry=infra --set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)
+	helm upgrade --install infra-engine ./helm/charts/engine --set image.pullPolicy=Never --set image.tag=0.0.0-development --set endpoint=kubernetes.docker.internal:6443 --set name=docker-desktop-infra --set registry=infra --set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)
 	kubectl rollout restart deployment/infra
 	kubectl rollout restart deployment/infra-engine
 

diff --git a/README.md b/README.md
@@ -52,7 +52,7 @@ Please follow [Okta configuration guide](./docs/okta.md) to obtain your Okta API
 ```
 helm repo add infrahq https://helm.infrahq.com
 
-helm install infra infrahq/infra --set-file config=./infra.yaml 
+helm install infra infrahq/infra --namespace infrahq --set-file config=./infra.yaml 
 ```
 
 3. Connect Kubernetes Cluster(s)

diff --git a/docs/okta.md b/docs/okta.md
@@ -54,11 +54,12 @@ The Okta client secret and API token are sensitive information which cannot be s
 Create [Kubernetes Secret objects](https://kubernetes.io/docs/tasks/configmap-secret/) to store the Okta client secret and API token (noted in steps 4 and 5 of `Create an Okta App` respectively). You can name these Secrets as you desire, these names will be specified in the Infra configuration.
 
 #### Example Secret Creation
-Store the Okta client secret and API token on the same Kubernetes Secret object.
+Store the Okta client secret and API token on the same Kubernetes Secret object in the namespace that Infra registry is running in.
 ```
-kubectl create secret generic infra-okta /
---from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 /
---from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd /
+kubectl create secret generic infra-okta \
+--namespace=infrahq \
+--from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 \
+--from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd
 ```
 
 ### Add Okta information to Infra registry

diff --git a/helm/charts/infra/templates/role.yaml b/helm/charts/infra/templates/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infra-pod-secret-access
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
diff --git a/helm/charts/infra/templates/rolebinding.yaml b/helm/charts/infra/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: infra-pod-secret-access
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: User
+  name: system:serviceaccount:{{ .Release.Namespace }}:default
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: infra-pod-secret-access