From e61ec7b14e87a2d7af33a9749f24eefd559d8e9f Mon Sep 17 00:00:00 2001 From: Bruce MacDonald Date: Fri, 13 Aug 2021 17:46:07 -0700 Subject: [PATCH] Give the registry permission to read namespace secrets(#187) - Update the registry helm chart to grant the service account permission to read secrets in the current namespace - Specify that infra should not run in the default namespace in the docs - Update Makefile for local development --- Makefile | 2 +- README.md | 2 +- docs/okta.md | 9 +++++---- helm/charts/infra/templates/role.yaml | 9 +++++++++ helm/charts/infra/templates/rolebinding.yaml | 13 +++++++++++++ 5 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 helm/charts/infra/templates/role.yaml create mode 100644 helm/charts/infra/templates/rolebinding.yaml
diff --git a/Makefile b/Makefile
index d3f4c407e4..72d7bbb586 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ dev: kubectl config use-context docker-desktop docker build . -t infrahq/infra:0.0.0-development helm upgrade --install infra ./helm/charts/infra --set image.pullPolicy=Never --set image.tag=0.0.0-development
- helm upgrade --install infra-engine ./helm/charts/engine --set image.pullPolicy=Never --set image.tag=0.0.0-development --set registry=infra --set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)
+ helm upgrade --install infra-engine ./helm/charts/engine --set image.pullPolicy=Never --set image.tag=0.0.0-development --set endpoint=kubernetes.docker.internal:6443 --set name=docker-desktop-infra --set registry=infra --set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)
 kubectl rollout restart deployment/infra kubectl rollout restart deployment/infra-engine
diff --git a/README.md b/README.md
index be471fd521..e02edd5c7d 100644
--- a/README.md
+++ b/README.md
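Review bot: The `--set apiKey=$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)` on the new `helm upgrade --install infra-engine` line is expanded by make, not by the shell, because a single `$(...)` inside a recipe is a make variable reference; it expands to an empty string, so the engine is installed with an empty apiKey unless something outside this hunk escapes it. Writing `--set apiKey=$$(kubectl get secrets/infra --template={{.data.defaultApiKey}} | base64 -D)` passes a literal `$(...)` to the shell, which then performs the command substitution. `base64 -D` is the macOS spelling, GNU coreutils use `-d`, so the target is tied to the platform that the docker-desktop context already implies; a comment such as `# dev target assumes macOS base64 (-D); use -d on GNU coreutils` above the recipe would make that explicit. The `dev` recipe starts before this hunk.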
@@ -52,7 +52,7 @@ Please follow [Okta configuration guide](./docs/okta.md) to obtain your Okta API ``` helm repo add infrahq https://helm.infrahq.com
-helm install infra infrahq/infra --set-file config=./infra.yaml
+helm install infra infrahq/infra --namespace infrahq --set-file config=./infra.yaml
 ``` 3. Connect Kubernetes Cluster(s)
diff --git a/docs/okta.md b/docs/okta.md
index 606b966e15..6987f14275 100644
--- a/docs/okta.md
+++ b/docs/okta.md
@@ -54,11 +54,12 @@ The Okta client secret and API token are sensitive information which cannot be s Create [Kubernetes Secret objects](https://kubernetes.io/docs/tasks/configmap-secret/) to store the Okta client secret and API token (noted in steps 4 and 5 of `Create an Okta App` respectively). You can name these Secrets as you desire, these names will be specified in the Infra configuration. #### Example Secret Creation
-Store the Okta client secret and API token on the same Kubernetes Secret object.
+Store the Okta client secret and API token on the same Kubernetes Secret object in the namespace that Infra registry is running in.
 ```
-kubectl create secret generic infra-okta /
---from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 /
---from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd /
+kubectl create secret generic infra-okta \
+--namespace=infrahq \
+--from-literal=clientSecret=jfpn0qwiQPiMIfs408fjs048fjpn0qwiQPiMajsdf08j10j2 \
+--from-literal=apiToken=001XJv9xhv899sdfns938haos3h8oahsdaohd2o8hdao82hd
 ``` ### Add Okta information to Infra registry
diff --git a/helm/charts/infra/templates/role.yaml b/helm/charts/infra/templates/role.yaml
new file mode 100644
index 0000000000..6860e088b8
--- /dev/null
+++ b/helm/charts/infra/templates/role.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: infra-pod-secret-access
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
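Review bot: The Role in role.yaml grants `get` on every Secret in the release namespace rather than on the Okta secret the registry needs, so any subject bound to it can read any other secret that later lands in that namespace. docs/okta.md in this same patch says the user chooses the secret's name, so if that name reaches the chart as a value it can be pinned with `resourceNames: ["{{ .Values.<okta-secret-name-value> }}"]` (placeholder for whatever the chart calls that value); `get` on a named secret works without `list`. The name `infra-pod-secret-access` is not derived from `.Release.Name` and the template carries no chart labels, so two releases in one namespace would contend for the same Role object. A header comment such as `# Lets the registry pod read the Okta client secret / API token in its own namespace` would record why the Role exists.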
diff --git a/helm/charts/infra/templates/rolebinding.yaml b/helm/charts/infra/templates/rolebinding.yaml
new file mode 100644
index 0000000000..13416fb66a
--- /dev/null
+++ b/helm/charts/infra/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: infra-pod-secret-access
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: User
+ name: system:serviceaccount:{{ .Release.Namespace }}:default
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: infra-pod-secret-access
\ No newline at end of file
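Review bot: The subject of this RoleBinding is the namespace's `default` ServiceAccount, so every pod in the release namespace that does not set `serviceAccountName` inherits read access to the namespace's secrets, not only the registry pod. A ServiceAccount created by the chart and referenced from the registry Deployment's `serviceAccountName` would confine the grant, and the subject would then be written in the native form `- kind: ServiceAccount`, `name: <registry-service-account>` (placeholder for the chart's own name), `namespace: {{ .Release.Namespace }}` instead of `kind: User` with the `system:serviceaccount:` prefix, which RBAC accepts but which hides that a ServiceAccount is meant. The file also ends without a trailing newline (`\ No newline at end of file`) and indents its sequence flush left while role.yaml indents its sequence by two spaces; one style should be used across the chart's templates. The registry Deployment is outside this patch, so whether it already sets a ServiceAccount cannot be seen here.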