v1.0.5: Implement namespace-scoped access to secret containing credentials #19

Merged
merged 9 commits into from
Dec 19, 2023
11 changes: 10 additions & 1 deletion CHANGELOG.md
@@ -8,4 +8,13 @@
* fix(helm): CRDs now correspond to correct values for the `command-issuer`.
* fix(helm): Signer Helm Chart now includes a `secureMetrics` value to enable/disable sidecar RBAC container for further protection of the `/metrics` endpoint.
* fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.
* fix(role): Removed permissions for `configmaps` resource types for the `leader-election-role` role.

# v1.0.5

## Features
* feat(controller): Implement Kubernetes `client-go` REST client for Secret/ConfigMap retrieval to bypass `controller-runtime` caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.

## Fixes
* fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
* fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.
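Review bot: the v1.0.5 entry should flag the behaviour change that ships with the new default: with `secretConfig.useClusterRoleForSecretAccess` left at `false`, both Issuer and ClusterIssuer now read their credential secret from the controller's own namespace (see the values.yaml comment and the docs sentence added in this PR), so any existing Issuer whose secret lives in the Issuer's namespace stops working on upgrade until the operator moves the secret or sets the value to `true`. Name the Helm value and the controller flag `--secret-access-granted-at-cluster-level` in the entries so readers can find them, and consider moving the two "Fixes" bullets under Features, since they are the user-facing half of the same change rather than fixes to earlier behaviour.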
2 changes: 1 addition & 1 deletion api/v1alpha1/clusterissuer_types.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
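Review bot: the header change from "The Keyfactor Command Authors" to "© 2023 Keyfactor" touches three api/v1alpha1 files and has nothing to do with the namespace-scoped secret access in the PR title; it is harmless under Apache-2.0, but it belongs in its own commit so the attribution change is visible in history, and the same header should be applied across the rest of the tree so the repository does not end up with two attribution forms.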
2 changes: 1 addition & 1 deletion api/v1alpha1/groupversion_info.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
2 changes: 1 addition & 1 deletion api/v1alpha1/issuer_types.go
@@ -1,5 +1,5 @@
/*
Copyright 2023 The Keyfactor Command Authors.
Copyright © 2023 Keyfactor

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
74 changes: 45 additions & 29 deletions deploy/charts/command-cert-manager-issuer/README.md
@@ -18,56 +18,72 @@ The Command external issuer for cert-manager allows users to enroll certificates

### Add Helm Repository

```bash
```shell
helm repo add command-issuer https://keyfactor.github.io/command-cert-manager-issuer
helm repo update
```

### Install Chart

```bash
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer
```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--namespace command-issuer-system \
--create-namespace \
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
--set image.tag=<tag> \
--set crd.create=true \
# --set image.pullPolicy=Never # Only required if using a local image
```

Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `replicaCount` value, run the following command:
```bash
Modifications can be made by overriding the default values in the `values.yaml` file with the `--set` flag. For example, to override the `secretConfig.useClusterRoleForSecretAccess` to configure the chart to use a cluster role for secret access, run the following command:

```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--set replicaCount=2
--namespace command-issuer-system \
--create-namespace \
--set image.repository=<your container registry>/keyfactor/command-cert-manager-issuer \
--set image.tag=<tag> \
--set crd.create=true \
--set secretConfig.useClusterRoleForSecretAccess=true
```

Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `replicaCount` value, modify the `replicaCount` value in the `values.yaml` file:
Modifications can also be made by modifying the `values.yaml` file directly. For example, to override the `secretConfig.useClusterRoleForSecretAccess` value to configure the chart to use a cluster role for secret access, modify the `secretConfig.useClusterRoleForSecretAccess` value in the `values.yaml` file by creating an override file:
```yaml
cat <<EOF > override.yaml
replicaCount: 2
secretConfig:
useClusterRoleForSecretAccess: true
EOF
```
Then, use the `-f` flag to specify the `values.yaml` file:
```bash
```shell
helm install command-cert-manager-issuer command-issuer/command-cert-manager-issuer \
--namespace command-issuer-system \
-f override.yaml
```

## Configuration

The following table lists the configurable parameters of the `command-cert-manager-issuer` chart and their default values.

| Parameter | Description | Default |
|-----------------------------------|-------------------------------------------------------|-------------------------------------------------------|
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag | `""` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Name override | `""` |
| `fullnameOverride` | Full name override | `""` |
| `crd.create` | Specifies if CRDs will be created | `true` |
| `crd.annotations` | Annotations to add to the CRD | `{}` |
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
| `podAnnotations` | Annotations for the pod | `{}` |
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| Parameter | Description | Default |
|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
| `replicaCount` | Number of replica command-cert-manager-issuers to run | `1` |
| `image.repository` | Image repository | `ghcr.io/keyfactor/command-cert-manager-issuer` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag | `""` |
| `imagePullSecrets` | Image pull secrets | `[]` |
| `nameOverride` | Name override | `""` |
| `fullnameOverride` | Full name override | `""` |
| `crd.create` | Specifies if CRDs will be created | `true` |
| `crd.annotations` | Annotations to add to the CRD | `{}` |
| `serviceAccount.create` | Specifies if a service account should be created | `true` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `serviceAccount.name` | Name of the service account to use | `""` (uses the fullname template if `create` is true) |
| `podAnnotations` | Annotations for the pod | `{}` |
| `podSecurityContext.runAsNonRoot` | Run pod as non-root | `true` |
| `securityContext` | Security context for the pod | `{}` (with commented out options) |
| `resources` | CPU/Memory resource requests/limits | `{}` (with commented out options) |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `secureMetrics.enabled` | Whether to enable and configure the kube-rbac-proxy sidecar for authorized and authenticated use of the /metrics endpoint by Prometheus. | `false` |
| `secretConfig.useClusterRoleForSecretAccess` | Specifies if the ServiceAccount should be granted access to the Secret resource using a ClusterRole | `false` |
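Review bot: the README now uses `secretConfig.useClusterRoleForSecretAccess=true` as its worked `--set` example without saying what that grant is: per the new secret-reader template it is a ClusterRole with get/list/watch on every Secret in the cluster, not only the issuer's. State that trade-off next to the example and in the table row (for instance "grants the ServiceAccount cluster-wide read on Secrets so that Issuers can reference a secret in their own namespace; when false, access is limited to the release namespace"), so the default-false, least-privilege option is not read as the exception. Two smaller points: the `cat <<EOF > override.yaml` block is fenced as `yaml` but is a shell heredoc, so it should be fenced as `shell` like the other commands, and the sentence "use the `-f` flag to specify the `values.yaml` file" should say `override.yaml`. In the install example, the commented `# --set image.pullPolicy=Never` line follows a trailing `\`; it only works because the `#` then starts a comment word inside the continued command, which is easy to misread, so move the comment above the command or drop the backslash on the preceding line.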
@@ -5,14 +5,6 @@ metadata:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- cert-manager.io
resources:
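Review bot: removing the secrets rule from the manager ClusterRole is the right least-privilege move, but it only holds if no cache-backed Secret access remains in the manager: a controller-runtime informer on Secrets (a `Watches`/`Owns` on `corev1.Secret`, or a cached `client.Get`) would start a cluster-wide list/watch at startup and now fail with Forbidden. The CHANGELOG says retrieval moved to a plain client-go REST client, so please confirm the manager cache is also configured not to create a Secret informer. Separately, the CHANGELOG names ConfigMap retrieval as part of this change, yet this hunk removes only the secrets rule and the new secret-reader template grants only `secrets`; either ConfigMap access is still covered by a rule not shown here, or it needs its own Role entry.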
@@ -55,6 +55,9 @@ spec:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
{{- if .Values.secretConfig.useClusterRoleForSecretAccess}}
- --secret-access-granted-at-cluster-level
{{- end}}
command:
- /manager
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
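Review bot: the `--secret-access-granted-at-cluster-level` flag and the RBAC kind are driven by the same value, which keeps them consistent on a Helm install, but the controller has no way to notice a mismatch (flag set while only a Role exists, or the reverse) until an Issuer reconciles and the API returns Forbidden. Consider having the manager issue a SelfSubjectAccessReview for `get secrets` in a namespace other than its own at startup when the flag is on, and log one clear error rather than failing per Issuer. Minor: `{{- if ...}}` and `{{- end}}` should carry the inner space (`{{- end }}`) to match the `{{ ... }}` spacing used elsewhere in the chart, and the flag should appear in the manager's `--help` text and the README, which currently document only the Helm value.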
@@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
metadata:
labels:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRoleBinding{{ else }}RoleBinding{{ end }}
metadata:
labels:
{{- include "command-cert-manager-issuer.labels" . | nindent 4 }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ if .Values.secretConfig.useClusterRoleForSecretAccess }}ClusterRole{{ else }}Role{{ end }}
name: {{ include "command-cert-manager-issuer.name" . }}-secret-reader-role
subjects:
- kind: ServiceAccount
name: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
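Review bot: the verbs here are `get`, `list`, `watch` for both the Role and the ClusterRole variant, but the CHANGELOG says the reconciler now fetches the credential secret with a direct client-go REST call rather than through the informer cache, which needs only `get`. `list` on Secrets lets the ServiceAccount dump every Secret in scope, cluster-wide when `useClusterRoleForSecretAccess=true`, so drop `list` and `watch` unless a code path actually uses them. Also add `namespace: {{ .Release.Namespace }}` to the Role and RoleBinding metadata explicitly: Helm fills it in on install, but `helm template` output applied with a different `kubectl -n` would land the Role in the wrong namespace, and the binding's subject already hard-codes `.Release.Namespace`.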
10 changes: 10 additions & 0 deletions deploy/charts/command-cert-manager-issuer/values.yaml
@@ -18,6 +18,16 @@ fullnameOverride: ""
secureMetrics:
enabled: false

secretConfig:
# If true, when using Issuer resources, the credential secret must be created in the same namespace as the
# Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret
# API at the cluster level.
#
# If false, both Issuer and ClusterIssuer must reference a secret in the same namespace as the chart/reconciler.
# This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret API only for the
# namespace the chart is deployed in.
useClusterRoleForSecretAccess: false

crd:
# Specifies whether CRDs will be created
create: true
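Review bot: the comment covers Issuer when the value is true and both kinds when it is false, but not ClusterIssuer when it is true: a ClusterIssuer has no namespace of its own, so say where its secret is read from in that mode (the release namespace, if that is what the controller does). The comment also says access is granted "at the cluster level" without spelling out the consequence; add that this is get/list/watch on all Secrets in the cluster, so operators choosing `true` understand the wider blast radius of a compromised controller pod.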
3 changes: 2 additions & 1 deletion docs/config_usage.markdown
@@ -27,7 +27,7 @@ cat <<EOF >> metadata.json
{
"AllowAPI": true,
"DataType": 1,
"Description": "The namespace that the issuer resource was created in.",
"Description": "The namespace that the issuer resource was created in that .",
"Name": "Issuer-Namespace"
},
{
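Review bot: the new description "The namespace that the issuer resource was created in that ." has a dangling "that ." and is worse than the line it replaces; either revert to the original wording or finish the sentence, for example by stating what the field holds for a ClusterIssuer, which has no namespace of its own.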
@@ -83,6 +83,7 @@ kfutil import --metadata --file metadata.json

### Authentication
Authentication to the Command platform is done using basic authentication. The credentials must be provided as a Kubernetes `kubernetes.io/basic-auth` secret. These credentials should be for a user with "Certificate Enrollment: Enroll CSR" and "API: Read" permissions in Command.
If the Helm chart was deployed with the `--set "secretConfig.useClusterRoleForSecretAccess=true"` flag, the secret must be created in the same namespace as any Issuer resources deployed. Otherwise, the secret must be created in the same namespace as the controller.

Create a `kubernetes.io/basic-auth` secret with the Keyfactor Command username and password:
```shell
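Review bot: the added sentence says where the secret must live but leaves out the ClusterIssuer case when `useClusterRoleForSecretAccess=true`, and does not mention that in that mode the controller's ServiceAccount can read every Secret in the cluster; add both so operators can weigh the two settings. It is also worth stating the upside of the default: with namespace-scoped access, the `kubernetes.io/basic-auth` secret holding the Command user's credentials is readable only from the controller's namespace, which is the point of this PR.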