
v1.0.5: Implement namespace-scoped access to secret containing credentials #19

Merged
merged 9 commits into from
Dec 19, 2023

Conversation

m8rmclaren
Contributor

@m8rmclaren m8rmclaren commented Dec 2, 2023

Add configuration field to Helm chart that changes the scope of the ServiceAccount to grant cluster access to the K8s Secrets API.

```yaml
secretConfig:
  # If true, when using Issuer resources, the credential secret must be created in the same namespace as the
  # Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret
  # API at the cluster level.
  #
  # If false, both Issuer and ClusterIssuer must reference a secret in the same namespace as the chart/reconciler.
  # This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret API only for the
  # namespace the chart is deployed in.
  useClusterRoleForSecretAccess: false
```

v1.0.5 Changelog

Features

  • feat(controller): Implement Kubernetes client-go REST client for Secret/ConfigMap retrieval to bypass controller-runtime caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.

Fixes

  • fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
  • fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
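As an added example (not the chart's own template), the Helm template below renders either cluster-scoped or namespace-scoped RBAC for the Secret/ConfigMap read access that the `secretConfig.useClusterRoleForSecretAccess` flag selects; the object names and the use of the release name as the ServiceAccount name are assumptions.

```yaml
{{- /* Added example, not the chart's template. Assumes the ServiceAccount is named after the release. */ -}}
{{- if .Values.secretConfig.useClusterRoleForSecretAccess }}
# Cluster-wide read access: Issuer credential secrets may live in any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-secret-reader
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-secret-reader
  apiGroup: rbac.authorization.k8s.io
{{- else }}
# Namespace-scoped read access (the default): secrets must live in the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-secret-reader
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-secret-reader
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-secret-reader
  apiGroup: rbac.authorization.k8s.io
{{- end }}
```

With the default `false`, the ServiceAccount can only read Secrets in `.Release.Namespace`, which is why the controller must fetch them with a namespace-scoped client rather than a cluster-wide cache.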

@m8rmclaren m8rmclaren added the documentation and enhancement labels Dec 2, 2023
@m8rmclaren m8rmclaren self-assigned this Dec 2, 2023
@m8rmclaren m8rmclaren changed the title from "feat(helm): Add flag that customizes API access to secret resources" to "v1.0.5: Implement namespace-scoped access to secret containing credentials" Dec 8, 2023
@fiddlermikey fiddlermikey self-requested a review December 19, 2023 17:30

@fiddlermikey fiddlermikey left a comment


Approved on ab#53189

@fiddlermikey fiddlermikey merged commit 2f3bf59 into v1.0.5 Dec 19, 2023
16 checks passed
@m8rmclaren m8rmclaren deleted the secret branch December 21, 2023 20:38