
Commit 2f3bf59

Merge pull request #19 from Keyfactor/secret
v1.0.5: Implement namespace-scoped access to secret containing credentials
2 parents 037e9d9 + 1d1fb25 commit 2f3bf59

24 files changed, +581 -136 lines changed

CHANGELOG.md

Lines changed: 10 additions & 1 deletion
@@ -8,4 +8,13 @@
88
* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
99
* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
1010
* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
11-
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
11+
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
12+
13+
# v1.0.5
14+
15+
## Features
16+
* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
17+
18+
## Fixes
19+
* fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
20+
* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
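Review bot: the `feat(controller)` entry (line 16) and the `fix(helm)` entry (line 19) describe access to the "Secret and ConfigMap API", but the RBAC template added in this commit lists only `secrets` under `resources`, and the manager ClusterRole loses only its `secrets` rule; either these entries overstate what the chart grants or a `configmaps` rule is missing from the new role. Also, line 11 is deleted and re-added with identical text, which looks like a whitespace-only change that could be dropped from the diff.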

api/v1alpha1/clusterissuer_types.go

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
/*
2-
Copyright 2023 The Keyfactor Command Authors.
2+
Copyright © 2023 Keyfactor
33
44
Licensed under the Apache License, Version 2.0 (the "License");
55
you may not use this file except in compliance with the License.

api/v1alpha1/groupversion_info.go

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
/*
2-
Copyright 2023 The Keyfactor Command Authors.
2+
Copyright © 2023 Keyfactor
33
44
Licensed under the Apache License, Version 2.0 (the "License");
55
you may not use this file except in compliance with the License.

api/v1alpha1/issuer_types.go

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
/*
2-
Copyright 2023 The Keyfactor Command Authors.
2+
Copyright © 2023 Keyfactor
33
44
Licensed under the Apache License, Version 2.0 (the "License");
55
you may not use this file except in compliance with the License.

deploy/charts/command-cert-manager-issuer/README.md

Lines changed: 45 additions & 29 deletions
@@ -18,56 +18,72 @@ The Command external issuer for cert-manager allows users to enroll certificates
1818

1919
### Add Helm Repository
2020

21-
```bash
21+
```shell
2222
helm repo add command-issuer https://keyfactor.github.io/command-cert-manager-issuer
2323
helm repo update
2424
```
2525

2626
### Install Chart
2727

28-
```bash
29-
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer
28+
```shell
29+
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
30+
--namespace command-issuer-system \
31+
--create-namespace \
32+
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
33+
--set image.tag=<tag> \
34+
--set crd.create=true \
35+
# --set image.pullPolicy=Never # Only required if using a local image
3036
```
3137

32-
Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `replicaCount` value, run the following command:
33-
```bash
38+
Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `secretConfig.useClusterRoleForSecretAccess` to configure the chart to use a cluster role for secret access, run the following command:
39+
40+
```shell
3441
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
35-
--set replicaCount=2
42+
--namespace command-issuer-system \
43+
--create-namespace \
44+
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
45+
--set image.tag=<tag> \
46+
--set crd.create=true \
47+
--set secretConfig.useClusterRoleForSecretAccess=true
3648
```
3749

38-
Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `replicaCount` value, modify the `replicaCount` value in the `values.yaml` file:
50+
Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `secretConfig.useClusterRoleForSecretAccess` value to configure the chart to use a cluster role for secret access, modify the `secretConfig.useClusterRoleForSecretAccess` value in the `values.yaml` file by creating an override file:
3951
```yaml
4052
cat <<EOF > override.yaml
41-
replicaCount: 2
53+
secretConfig:
54+
useClusterRoleForSecretAccess: true
4255
EOF
4356
```
4457
Then, use the `-f` flag to specify the `values.yaml` file:
45-
```bash
58+
```shell
4659
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
60+
--namespace command-issuer-system \
4761
-f override.yaml
4862
```
4963

5064
## Configuration
5165

5266
The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values.
5367

54-
| Parameter | Description | Default |
55-
|-----------------------------------|-------------------------------------------------------|-------------------------------------------------------|
56-
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
57-
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
58-
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
59-
| `image.tag` | Image tag | `""` |
60-
| `imagePullSecrets` | Image pull secrets | `[]` |
61-
| `nameOverride` | Name override | `""` |
62-
| `fullnameOverride` | Full name override | `""` |
63-
| `crd.create` | Specifies if CRDs will be created | `true` |
64-
| `crd.annotations` | Annotations to add to the CRD | `{}` |
65-
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
66-
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
67-
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
68-
| `podAnnotations` | Annotations for the pod | `{}` |
69-
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
70-
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
71-
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
72-
| `nodeSelector` | Node labels for pod assignment | `{}` |
73-
| `tolerations` | Tolerations for pod assignment | `[]` |
68+
| Parameter | Description | Default |
69+
|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
70+
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
71+
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
72+
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
73+
| `image.tag` | Image tag | `""` |
74+
| `imagePullSecrets` | Image pull secrets | `[]` |
75+
| `nameOverride` | Name override | `""` |
76+
| `fullnameOverride` | Full name override | `""` |
77+
| `crd.create` | Specifies if CRDs will be created | `true` |
78+
| `crd.annotations` | Annotations to add to the CRD | `{}` |
79+
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
80+
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
81+
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
82+
| `podAnnotations` | Annotations for the pod | `{}` |
83+
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
84+
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
85+
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
86+
| `nodeSelector` | Node labels for pod assignment | `{}` |
87+
| `tolerations` | Tolerations for pod assignment | `[]` |
88+
| `secureMetrics.enabled` | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false` |
89+
| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` |
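Review bot: the new `secretConfig.useClusterRoleForSecretAccess` row (line 89) and the prose at line 38 say what the flag does but not what it costs: `true` gives the controller's ServiceAccount read access to Secrets in every namespace via a ClusterRole, while the default `false` confines it to the release namespace, so one sentence on that trade-off (and on where the credential Secret must then live) would help readers choose. Two smaller points: the `-f override.yaml` example (lines 59-62) passes `--namespace command-issuer-system` without the `--create-namespace` used in the other examples, so it fails when the namespace does not already exist; and the `cat <<EOF > override.yaml` block (lines 51-56) is a shell heredoc fenced as `yaml`, so it should use the `shell` fence like the surrounding examples.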

deploy/charts/command-cert-manager-issuer/templates/clusterrole.yaml

Lines changed: 0 additions & 8 deletions
@@ -5,14 +5,6 @@ metadata:
55
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
66
name: {{ include "command-cert-manager-issuer.name" . }}-manager-role
77
rules:
8-
- apiGroups:
9-
- ""
10-
resources:
11-
- secrets
12-
verbs:
13-
- get
14-
- list
15-
- watch
168
- apiGroups:
179
- cert-manager.io
1810
resources:
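Review bot: removing the cluster-wide `secrets` get/list/watch rule from the manager role is the right least-privilege move, but it only holds together if nothing in the manager still reads Secrets through the controller-runtime cached client: a cached `Get` on a Secret starts a cluster-wide list/watch informer that will now be denied whenever the chart is installed with the default namespace-scoped Role. Worth confirming that the new `client-go` REST path from the changelog is the only Secret reader and that no controller sets `Owns`/`Watches` on Secrets.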

deploy/charts/command-cert-manager-issuer/templates/deployment.yaml

Lines changed: 3 additions & 0 deletions
@@ -55,6 +55,9 @@ spec:
5555
- --health-probe-bind-address=:8081
5656
- --metrics-bind-address=127.0.0.1:8080
5757
- --leader-elect
58+
{{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
59+
- --secret-access-granted-at-cluster-level
60+
{{- end}}
5861
command:
5962
- /manager
6063
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
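Review bot: the new `--secret-access-granted-at-cluster-level` flag is emitted only when the value is true (lines 58-60), so the manager binary must default this flag to false and read the credential Secret from its own namespace when the flag is absent; otherwise an upgrade that keeps the default values would look in the Issuer namespace without the RBAC to do so. Style nit: `{{- if .Values.secretConfig.useClusterRoleForSecretAccess}}` and `{{- end}}` omit the space before `}}` that the rest of the template uses (e.g. `{{ .Values.image.repository }}`).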
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
3+
metadata:
4+
labels:
5+
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
6+
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
7+
rules:
8+
- apiGroups:
9+
- ""
10+
resources:
11+
- secrets
12+
verbs:
13+
- get
14+
- list
15+
- watch
16+
---
17+
apiVersion: rbac.authorization.k8s.io/v1
18+
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRoleBinding{{ else }}RoleBinding{{ end }}
19+
metadata:
20+
labels:
21+
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
22+
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-rolebinding
23+
roleRef:
24+
apiGroup: rbac.authorization.k8s.io
25+
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
26+
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
27+
subjects:
28+
- kind: ServiceAccount
29+
name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
30+
namespace: {{ .Release.Namespace }}
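Review bot: the secret-reader role grants `get`, `list` and `watch` on `secrets` (lines 12-15) in both modes, and in the `ClusterRole` mode that is cluster-wide permission to list every Secret in the cluster, a much larger grant than the README's one-line description of the flag suggests. If the new direct `client-go` retrieval only performs a GET of a named Secret, the rule can be narrowed to `get` alone; `list` and `watch` are only needed by an informer, which this change is meant to avoid. Minor: the `kind` expression `{{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}` is repeated at lines 2, 18 and 25; a template variable defined once at the top of the file would keep the three in sync.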

deploy/charts/command-cert-manager-issuer/values.yaml

Lines changed: 10 additions & 0 deletions
@@ -18,6 +18,16 @@ fullnameOverride: ""
1818
secureMetrics:
1919
enabled: false
2020

21+
secretConfig:
22+
# If true, when using Issuer resources, the credential secret must be created in the same namespace as the
23+
# Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret
24+
# API at the cluster level.
25+
#
26+
# If false, both Issuer and ClusterIssuer must reference a secret in the same namespace as the chart/reconciler.
27+
# This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret API only for the
28+
# namespace the chart is deployed in.
29+
useClusterRoleForSecretAccess: false
30+
2131
crd:
2232
# Specifies whether CRDs will be created
2333
create: true
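Review bot: the comment (lines 22-28) explains where the credential Secret must live for Issuer resources when the value is true, but not for ClusterIssuer resources in that mode; state where a ClusterIssuer's Secret is read from (presumably the controller namespace, since a ClusterIssuer has no namespace of its own) so the two cases are unambiguous. The comment could also say plainly that `true` is a cluster-wide grant, so an operator reading only `values.yaml` sees the trade-off before enabling it.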

docs/config_usage.markdown

Lines changed: 2 additions & 1 deletion
@@ -27,7 +27,7 @@ cat <<EOF >> metadata.json
2727
{
2828
"AllowAPI": true,
2929
"DataType": 1,
30-
"Description": "The namespace that the issuer resource was created in.",
30+
"Description": "The namespace that the issuer resource was created in that .",
3131
"Name": "Issuer-Namespace"
3232
},
3333
{
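Review bot: the edited description at line 30 now reads "The namespace that the issuer resource was created in that ." with a dangling "that ." before the full stop; this looks like an unfinished edit, so either restore the original sentence or complete the intended qualifier before it ships as the metadata field description users see in Command.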
@@ -83,6 +83,7 @@ kfutil import --metadata --file metadata.json
8383

8484
### Authentication
8585
Authentication to the Command platform is done using basic authentication. The credentials must be provided as a Kubernetes `kubernetes.io/basic-auth` secret. These credentials should be for a user with "Certificate Enrollment: Enroll CSR" and "API: Read" permissions in Command.
86+
If the Helm chart was deployed with the `--set "secretConfig.useClusterRoleForSecretAccess=true"` flag, the secret must be created in the same namespace as any Issuer resources deployed. Otherwise, the secret must be created in the same namespace as the controller.
8687

8788
Create a `kubernetes.io/basic-auth` secret with the Keyfactor Command username and password:
8889
```shell
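Review bot: the added sentence at line 86 covers Issuer resources when the flag is set and the default otherwise, but leaves open where a ClusterIssuer's credential Secret must live when `secretConfig.useClusterRoleForSecretAccess=true`; say so explicitly. It would also help to note here that the flag widens the controller's RBAC to cluster-scoped Secret reads, since this is the page where an operator decides which namespace to create the Secret in.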
