From 81ea88a3d868a529ceda896ccd665d02266d2723 Mon Sep 17 00:00:00 2001
From: Ronen Hilewicz
Date: Thu, 23 Jan 2025 17:35:16 -0500
Subject: [PATCH] Controller authorization
---
 charts/aserto-lib/templates/_config.tpl | 43 +++++----------------
 charts/aserto/values.yaml | 8 ++--
 charts/authorizer/templates/deployment.yaml | 6 ++-
 charts/console/templates/deployment.yaml | 2 +-
 charts/controller/templates/api_keys.yaml | 6 +--
 charts/controller/templates/config.yaml | 42 +++++++++++++++-----
 charts/controller/templates/deployment.yaml | 18 +++++++--
 charts/controller/test/no-tls.values.yaml | 2 +-
 charts/controller/test/tests.yaml | 26 +++++++++----
 charts/controller/test/tls.values.yaml | 2 +-
 charts/directory/templates/_helpers.tpl | 7 ++--
 charts/directory/templates/api_keys.yaml | 6 +--
 charts/directory/templates/config.yaml | 20 +++++++---
 charts/directory/templates/deployment.yaml | 26 ++++++-------
 charts/directory/test/no-tls.values.yaml | 2 +-
 charts/directory/test/tests.yaml | 14 ++++---
 charts/directory/test/tls.values.yaml | 2 +-
 charts/directory/values.yaml | 16 ++++----
 charts/discovery/templates/deployment.yaml | 2 +-
 charts/scim/templates/deployment.yaml | 4 +-
 20 files changed, 143 insertions(+), 111 deletions(-)
diff --git a/charts/aserto-lib/templates/_config.tpl b/charts/aserto-lib/templates/_config.tpl
index 4762d8a..d6cac20 100644
--- a/charts/aserto-lib/templates/_config.tpl
+++ b/charts/aserto-lib/templates/_config.tpl
@@ -32,43 +32,20 @@ valueFrom: {{- end }} -{{- define "aserto-lib.controllerReadKeyEnv" -}} -{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "read" "controller-keys") }} +{{- define "aserto-lib.controllerKeyEnv" -}} +{{- $scope := first . -}} +{{- $keyType := last . -}} +{{- with include "aserto-lib.controllerClientCfg" $scope | fromYaml -}} +{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "controller-keys") }} {{- end }} {{- end }} -{{- define "aserto-lib.controllerWriteKeyEnv" -}} -{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "write" "controller-keys") }} -{{- end }} -{{- end }} - - -{{- define "aserto-lib.controllerStoreKeyEnv" -}} -{{- with include "aserto-lib.controllerClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "store" "controller-keys") }} -{{- end }} -{{- end }} - -{{- define "aserto-lib.directoryReadKeyEnv" -}} -{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "read" "directory-keys") }} -{{- end }} -{{- end }} - - -{{- define "aserto-lib.directoryWriteKeyEnv" -}} -{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "write" "directory-keys") }} -{{- end }} -{{- end }} - - -{{- define "aserto-lib.directoryStoreKeyEnv" -}} -{{- with include "aserto-lib.directoryClientCfg" . | fromYaml -}} -{{ include "aserto-lib.dsApiKeyEnv" (list . "store" "directory-keys") }} +{{- define "aserto-lib.directoryKeyEnv" -}} +{{- $scope := first . -}} +{{- $keyType := last . -}} +{{- with include "aserto-lib.directoryClientCfg" $scope | fromYaml -}} +{{ include "aserto-lib.dsApiKeyEnv" (list . $keyType "directory-keys") }} {{- end }} {{- end }} diff --git a/charts/aserto/values.yaml b/charts/aserto/values.yaml index 1aecf01..08822a2 100644 --- a/charts/aserto/values.yaml 
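Review bot: `aserto-lib.controllerKeyEnv` and `aserto-lib.directoryKeyEnv` take `$keyType` from `last .` and pass it straight to `dsApiKeyEnv` without checking it against the four names this commit introduces, so a caller that still passes the removed `"store"` (or a typo) presumably renders a reference to a secret entry that no longer exists and the mistake only surfaces when the pod fails to start (`dsApiKeyEnv` itself is outside the hunk). A guard at the top of each helper turns that into a template-time error: `{{- if not (has $keyType (list "read" "write" "readStore" "writeStore")) -}}`, `{{- fail (printf "unknown API key type %q" $keyType) -}}`, `{{- end -}}`. The same applies to both helpers in this hunk.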
+++ b/charts/aserto/values.yaml @@ -46,11 +46,12 @@ global: # # Address and port of the controller's gRPC service. # # Default: controller..svc.cluster.local:8282 # address: "" - # # [Optiona] Controller API keys. All three fields are required. + # # [Optiona] Controller API keys. All fields are required. # apiKeys: # read: "" # write: "" - # store: "" + # readStore: "" + # writeStore: "" # # [Optional] Kubernetes secret containing the controller's API keys. # apiKeysSecret: controller-keys # # [Optional] Kubernetes secret containing the CA certificate of the root directory. @@ -70,7 +71,8 @@ global: # apiKeys: # read: "" # write: "" - # store: "" + # readStore: "" + # writeStore: "" # # [Optional] Kubernetes secret containing the directory's API keys. # apiKeysSecret: directory-keys # # [Optional] Kubernetes secret containing the directory's CA certificate. diff --git a/charts/authorizer/templates/deployment.yaml b/charts/authorizer/templates/deployment.yaml index 3dedf9e..bb290b7 100644 --- a/charts/authorizer/templates/deployment.yaml +++ b/charts/authorizer/templates/deployment.yaml @@ -107,8 +107,10 @@ spec: readOnly: true {{- end }} env: + {{- with include "aserto-lib.controllerKeyEnv" (list . "read") }} - name: AUTHORIZER_DS0_API_KEY - {{- include "aserto-lib.controllerReadKeyEnv" . | nindent 14 }} + {{- . | nindent 14 }} + {{- end }} {{- with .Values.apiKey }} - name: AUTHORIZER_ROOT_KEY @@ -118,7 +120,7 @@ spec: key: {{ .secretKey }} {{- end }} - {{- with include "aserto-lib.directoryReadKeyEnv" . }} + {{- with include "aserto-lib.directoryKeyEnv" (list . "read") }} - name: AUTHORIZER_REMOTE_DIRECTORY_API_KEY {{- . | nindent 14 }} {{- end }} diff --git a/charts/console/templates/deployment.yaml b/charts/console/templates/deployment.yaml index b1cb07e..7d6ee87 100644 --- a/charts/console/templates/deployment.yaml +++ b/charts/console/templates/deployment.yaml 
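Review bot: The rewritten comment in charts/aserto/values.yaml keeps the misspelling `[Optiona]` and now reads `[Optiona] Controller API keys. All fields are required.`, which contradicts itself — the block is optional, but once it is given every field is mandatory; the identical text is copied into charts/directory/values.yaml later in this patch. Suggest `# # [Optional] Controller API keys. If set, all four fields (read, write, readStore, writeStore) are required.` in both places, which also matches the `fail` message in the api_keys.yaml templates. The second hunk of this file (the directory `apiKeys` block) would benefit from the same wording.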
@@ -55,7 +55,7 @@ spec: - name: DS0_TENANT_ID value: {{ .tenant_id }} {{- end }} - {{- with (include "aserto-lib.controllerStoreKeyEnv" .) }} + {{- with include "aserto-lib.controllerKeyEnv" (list . "read") }} - name: DS0_ROOT_KEY {{- . | nindent 14 }} {{- end }} diff --git a/charts/controller/templates/api_keys.yaml b/charts/controller/templates/api_keys.yaml index ec8f3bb..e4e0d8e 100644 --- a/charts/controller/templates/api_keys.yaml +++ b/charts/controller/templates/api_keys.yaml @@ -1,8 +1,8 @@ {{- $cfg := include "aserto-lib.controllerClientCfg" . | fromYaml -}} {{- with $cfg.apiKeys -}} -{{- if list .read .write .store | has nil -}} - {{- fail "controller.apiKeys must include 'read', 'write', and 'store' keys." -}} +{{- if list .read .write .readStore .writeStore | has nil -}} + {{- fail "controller.apiKeys must include 'read', 'write', 'readStore', and 'writeStore' keys." -}} {{- end -}} {{- end -}} @@ -14,7 +14,7 @@ {{- else -}} {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }} {{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}} - {{- range (list "read" "write" "store") -}} + {{- range (list "read" "write" "readStore" "writeStore") -}} {{- $apiKeys = set $apiKeys . (dig "data" . (randAlphaNum 32 | b64enc) $secret) -}} {{- end -}} {{- end -}} diff --git a/charts/controller/templates/config.yaml b/charts/controller/templates/config.yaml index d44402e..06b20c4 100644 --- a/charts/controller/templates/config.yaml +++ b/charts/controller/templates/config.yaml 
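Review bot: `DS0_ROOT_KEY` in the console deployment switches from the controller's store key to its read key, which under the new controller config maps to the `rk:controller:reader` account rather than a store account. If the console performs tenant or API-key management through the controller those calls will now be rejected; if it only reads, this is a sound least-privilege reduction — I can't tell which from the template. Either way the choice is not obvious here, so a comment above the `with`, e.g. `{{/* the console only needs reader access to the controller */}}`, would record the intent.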
@@ -76,22 +76,23 @@ stringData: bypass: - /grpc.reflection.v1.ServerReflection/ServerReflectionInfo - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo - bypass_tenants: - - {{ include "aserto-lib.controllerTenantID" . }} + - /aserto.directory.reader.v3.Reader/Check {{- end }} authentication: authenticators_enabled: root_key: true - {{- with include "aserto-lib.oidcConfig" . }} - oidc: true - {{- end }} - root_keys: keys: - - key: ${DIRECTORY_CONTROLLER_CLIENT_API_KEY} - account: "controller" + - key: ${DS_READ_KEY} + account: rk:controller:reader + - key: ${DS_WRITE_KEY} + account: rk:controller:writer + - key: ${STORE_READ_KEY} + account: rk:controller:store-reader + - key: ${STORE_WRITE_KEY} + account: rk:controller:store-writer {{- with include "aserto-lib.oidcConfig" . }} oidc: 
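Review bot: `/aserto.directory.reader.v3.Reader/Check` now sits in the same `bypass` list as the gRPC reflection endpoints, while the `bypass_tenants` entry for the controller tenant is dropped. The key that owns `bypass` begins above the hunk, so I can't tell whether Check is being exempted from authentication, authorization or the tenant check, but whichever it is, Check becomes reachable by every tenant without it. A comment on that line stating what the exemption is for — presumably the directory's controller resolver needing Check before it has resolved the caller — would stop it from reading like an accidental hole, and since the `{{- end }}` just below shows the whole stanza is conditional, the condition is worth naming in that comment too.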
@@ -106,7 +107,30 @@ stringData: anonymous: true - methods: - - /aserto.directory.reader.v3.Reader/Check + - /aserto.directory.store.v2.Store/GetTenant + - /aserto.directory.store.v2.Store/CreateTenant + - /aserto.directory.store.v2.Store/DeleteTenant + - /aserto.directory.store.v2.Store/ListTenants + - /aserto.directory.store.v2.Store/Info + - /aserto.directory.store.v2.Store/ListTenantMembers + - /aserto.directory.store.v2.Store/ListUserTenants + - /aserto.directory.store.v2.Store/AssignRoleToTenant + - /aserto.directory.store.v2.Store/RemoveRoleFromTenant + - /aserto.directory.store.v2.Store/ListAPIKeys + - /aserto.directory.store.v2.Store/DeleteAPIKey + - /aserto.directory.store.v2.Store/CreateAPIKey + - /aserto.directory.store.v2.Store/GetAPIKeyIdentity + - /aserto.directory.store.v2.Store/GetConfig + - /aserto.directory.store.v2.Store/SetConfig + - /aserto.directory.store.v2.Store/ListConfigs + - /aserto.directory.store.v2.Store/DeleteConfig + - /aserto.directory.store.v2.Store/GetSecret + - /aserto.directory.store.v2.Store/SetSecret + - /aserto.directory.store.v2.Store/ListSecrets + - /aserto.directory.store.v2.Store/DeleteSecret authenticators_enabled: root_key: true + {{- with include "aserto-lib.oidcConfig" . }} + oidc: true + {{- end }} diff --git a/charts/controller/templates/deployment.yaml b/charts/controller/templates/deployment.yaml index bd55cb1..7831782 100644 --- a/charts/controller/templates/deployment.yaml +++ b/charts/controller/templates/deployment.yaml 
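Review bot: `oidc: true` is removed from the top-level `authenticators_enabled` in the previous hunk and re-enabled only inside this override for the 21 listed Store methods, so OIDC-authenticated callers are now rejected on every RPC outside this list. If that narrowing is the point of the commit it deserves a comment above the override, e.g. `# OIDC tokens are accepted only for tenant/key management; other RPCs use root keys`; if not, `oidc: true` should go back under the global `authenticators_enabled`. Note also that the list is an explicit allow-list, so any Store method added in a later image silently falls back to root-key-only — fail-closed, but easy to miss without a comment saying the list must be kept in sync.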
@@ -84,11 +84,21 @@ spec: {{- end }} env: + {{- with include "aserto-lib.controllerKeyEnv" (list . "write") }} - name: DIRECTORY_CONTROLLER_CLIENT_API_KEY - valueFrom: - secretKeyRef: - name: controller-keys - key: read + {{- . | nindent 14 }} + {{- end }} + + {{- range $keyType, $varName := dict + "read" "DS_READ_KEY" + "write" "DS_WRITE_KEY" + "readStore" "STORE_READ_KEY" + "writeStore" "STORE_WRITE_KEY" -}} + {{- with include "aserto-lib.controllerKeyEnv" (list $ $keyType) }} + - name: {{ $varName }} + {{- . | nindent 14 }} + {{- end }} + {{- end }} {{- with .Values.database }} - name: DIRECTORY_DB_WRITER_USER diff --git a/charts/controller/test/no-tls.values.yaml b/charts/controller/test/no-tls.values.yaml index cc6c9b6..7706394 100644 --- a/charts/controller/test/no-tls.values.yaml +++ b/charts/controller/test/no-tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.10-bf02896d-amd64 + tag: 0.33.11-c7bb8373-amd64 imagePullSecrets: - name: ghcr-creds diff --git a/charts/controller/test/tests.yaml b/charts/controller/test/tests.yaml index 050867e..212ae0e 100644 --- a/charts/controller/test/tests.yaml +++ b/charts/controller/test/tests.yaml @@ -13,9 +13,10 @@ tests: password: controller_reader - name: controller-keys values: - read: controller-read-key - write: controller-write-key - store: controller-store-key + write: apikey_writer + read: apikey_reader + readStore: apikey_store_reader + writeStore: apikey_store_writer config_maps: - name: controller-admin-keys keys: 
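Review bot: `DIRECTORY_CONTROLLER_CLIENT_API_KEY` in the controller deployment is promoted from the `read` entry of `controller-keys` to the `write` key, while the directory's equivalent variable in charts/directory/templates/deployment.yaml stays on `read`. If the controller's own client only resolves machine accounts against itself, the read key suffices and the write key widens what a leaked client credential can do; if writes are genuinely needed, a comment above the `with` naming which write path the controller takes against itself would justify the asymmetry — I can't confirm either from the hunk. The `range` over the `dict` correctly uses `$` for the root scope, so the four new variables look fine.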
@@ -25,11 +26,15 @@ tests: - chart: controller values: no-tls.values.yaml ports: + 2222: 2222 8282: 8282 run: + - | + ssh -i ${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)} -p 2222 -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \ + localhost provision root-keys - | ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 00000000-0000-11ef-0000-000000000000 \ - -k controller-read-key --stdout --plaintext + -k apikey_reader --stdout --plaintext - name: controller-tls pull_secret: $GITHUB_TOKEN @@ -44,9 +49,10 @@ tests: password: controller_reader - name: controller-keys values: - read: controller-read-key - write: controller-write-key - store: controller-store-key + write: apikey_writer + read: apikey_reader + readStore: apikey_store_reader + writeStore: apikey_store_writer - name: grpc-cert files: tls.crt: $TOPAZ_CERTS_DIR/grpc.crt @@ -65,8 +71,12 @@ tests: - chart: controller values: tls.values.yaml ports: + 2222: 2222 8282: 8282 run: + - | + ssh -i ${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)} -p 2222 -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \ + localhost provision root-keys - | ${TOPAZ:-topaz} ds get manifest -H localhost:8282 --tenant-id 00000000-0000-11ef-0000-000000000000 \ - -k controller-read-key --stdout --insecure + -k apikey_reader --stdout --insecure diff --git a/charts/controller/test/tls.values.yaml b/charts/controller/test/tls.values.yaml index f976cb2..79b5c02 100644 --- a/charts/controller/test/tls.values.yaml +++ b/charts/controller/test/tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.10-bf02896d-amd64 + tag: 0.33.11-c7bb8373-amd64 imagePullSecrets: - name: ghcr-creds diff --git a/charts/directory/templates/_helpers.tpl b/charts/directory/templates/_helpers.tpl index 9a08f8c..8d34e04 100644 --- a/charts/directory/templates/_helpers.tpl +++ b/charts/directory/templates/_helpers.tpl 
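Review bot: The new `ssh ... provision root-keys` step sets `UserKnownHostsFile=/dev/null` but leaves `StrictHostKeyChecking` at its default, so on a runner without a tty the first connection cannot answer the host-key prompt and will typically fail with "Host key verification failed"; the same command is repeated in the tls test at `@@ -65,8 +71,12 @@`. Since the target is the port-forwarded test container on localhost, adding `-o StrictHostKeyChecking=no` next to the existing options is appropriate here (and only here). The `${SSH_PRIVATE_KEY:-$(ls -1 ~/.ssh/id_* | head -1)}` fallback also picks whichever `id_*` file sorts first, which need not be a key the test image trusts; failing fast with `${SSH_PRIVATE_KEY:?set SSH_PRIVATE_KEY}` gives a clearer error than a rejected login.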
@@ -81,9 +81,10 @@ Create the name of the service account to use {{- end}} -{{- define "directory.controllerReadKeyEnv" -}} -{{- if .Values.controller.enabled -}} -{{ include "aserto-lib.controllerReadKeyEnv" . }} +{{- define "directory.controllerKeyEnv" -}} +{{- $scope := first . -}} +{{- if $scope.Values.controller.enabled -}} +{{ include "aserto-lib.controllerKeyEnv" . }} {{- end }} {{- end }} diff --git a/charts/directory/templates/api_keys.yaml b/charts/directory/templates/api_keys.yaml index 9c8676a..cd28287 100644 --- a/charts/directory/templates/api_keys.yaml +++ b/charts/directory/templates/api_keys.yaml @@ -1,8 +1,8 @@ {{- $cfg := include "aserto-lib.directoryClientCfg" . | fromYaml -}} {{- with $cfg.apiKeys -}} -{{- if list .read .write .store | has nil -}} - {{- fail "directory.apiKeys must include 'read', 'write', and 'store' keys." -}} +{{- if list .read .write .readStore .writeStore | has nil -}} + {{- fail "directory.apiKeys must include 'read', 'write', 'readStore' and 'writeStore' keys." -}} {{- end -}} {{- end -}} @@ -14,7 +14,7 @@ {{- else -}} {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }} {{- if empty $secret | or (include "aserto-lib.isManagedResource" (list $secret .Release.Name) | eq "true") -}} - {{- range (list "read" "write" "store") -}} + {{- range (list "read" "write" "readStore" "writeStore") -}} {{- $apiKeys = set $apiKeys . (dig "data" . (randAlphaNum 32 | b64enc) $secret) -}} {{- end -}} {{- end -}} diff --git a/charts/directory/templates/config.yaml b/charts/directory/templates/config.yaml index 6c9d394..8521d7e 100644 --- a/charts/directory/templates/config.yaml +++ b/charts/directory/templates/config.yaml 
@@ -95,12 +95,14 @@ stringData: root_keys: keys: - - key: ${DIRECTORY_DS_WRITE_KEY} - account: rk:directory-writer - - key: ${DIRECTORY_DS_READ_KEY} - account: rk:directory-reader - - key: ${DIRECTORY_DS_STORE_KEY} - account: rk:directory-store-writer + - key: ${DS_READ_KEY} + account: rk:directory:reader + - key: ${DS_WRITE_KEY} + account: rk:directory:writer + - key: ${STORE_READ_KEY} + account: rk:directory:store-reader + - key: ${STORE_WRITE_KEY} + account: rk:directory:store-writer {{- with include "aserto-lib.oidcConfig" . }} @@ -108,6 +110,12 @@ stringData: {{- . | nindent 8 }} {{- end }} + {{- if .Values.controller.enabled }} + machine_accounts: + use_controller_resolver: true + {{- end }} + + override: - methods: - /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo diff --git a/charts/directory/templates/deployment.yaml b/charts/directory/templates/deployment.yaml index 7175c13..9a2326b 100644 --- a/charts/directory/templates/deployment.yaml +++ b/charts/directory/templates/deployment.yaml 
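Review bot: The root-key account identifiers change shape from `rk:directory-reader` to `rk:directory:reader` (and the single store key splits into `store-reader`/`store-writer`), and the env vars the config reads are renamed from `DIRECTORY_DS_*` to `DS_*`/`STORE_*`. Anything that matches on the old account names — policies, the controller resolver enabled by the new `machine_accounts.use_controller_resolver: true` block, or operator tooling — needs the same update, which I can't verify from the chart. A short comment above `root_keys`, e.g. `# account names follow rk:<service>:<role>; keep in sync with the controller config`, would help the next rename.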
@@ -98,27 +98,23 @@ spec: readOnly: true {{- end }} env: - {{- with include "directory.controllerReadKeyEnv" . }} + {{- with include "directory.controllerKeyEnv" (list . "read") }} - name: DIRECTORY_CONTROLLER_CLIENT_API_KEY {{- . | nindent 14 }} {{- end }} - {{- with include "aserto-lib.directoryReadKeyEnv" . }} - - name: DIRECTORY_DS_READ_KEY - {{- . | nindent 14 }} - {{- end }} - - {{- with include "aserto-lib.directoryWriteKeyEnv" . }} - - name: DIRECTORY_DS_WRITE_KEY - {{- . | nindent 14 }} - {{- end }} - - {{- with include "aserto-lib.directoryStoreKeyEnv" . }} - - name: DIRECTORY_DS_STORE_KEY + {{- range $keyType, $varName := dict + "read" "DS_READ_KEY" + "write" "DS_WRITE_KEY" + "readStore" "STORE_READ_KEY" + "writeStore" "STORE_WRITE_KEY" -}} + {{- with include "aserto-lib.directoryKeyEnv" (list $ $keyType) }} + - name: {{ $varName }} {{- . | nindent 14 }} {{- end }} + {{- end }} - {{- with .Values.database }} + {{- with .Values.database }} - name: DIRECTORY_DB_WRITER_USER valueFrom: secretKeyRef: @@ -139,7 +135,7 @@ spec: secretKeyRef: name: {{ .reader.credentialsSecret }} key: password - {{- end }} + {{- end }} {{- range $_, $tenant := .Values.tenants -}} {{- with $tenant.keysSecret }} diff --git a/charts/directory/test/no-tls.values.yaml b/charts/directory/test/no-tls.values.yaml index 118f8bb..844ad9c 100644 --- a/charts/directory/test/no-tls.values.yaml +++ b/charts/directory/test/no-tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.10-bf02896d-amd64 + tag: 0.33.11-c7bb8373-amd64 imagePullSecrets: - name: ghcr-creds diff --git a/charts/directory/test/tests.yaml b/charts/directory/test/tests.yaml index 312d12a..c8a1487 100644 --- a/charts/directory/test/tests.yaml +++ b/charts/directory/test/tests.yaml @@ -15,7 +15,8 @@ tests: values: write: apikey_writer read: apikey_reader - store: apikey_store + readStore: apikey_store_reader + writeStore: apikey_store_writer config_maps: - name: directory-admin-keys keys: 
@@ -29,7 +30,7 @@ tests: run: # Create a tenant. - | - ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store" \ + ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"tenant": {"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1", "name": "test-tenant"}}' \ localhost:8282 aserto.directory.store.v2.Store.CreateTenant @@ -49,7 +50,7 @@ tests: cleanup: # Delete tenant. - | - ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store" \ + ${GRPCURL:=grpcurl} -plaintext -H "Authorization: basic apikey_store_writer" \ -d '{"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1"}' \ localhost:8282 aserto.directory.store.v2.Store.DeleteTenant @@ -72,7 +73,8 @@ tests: values: write: apikey_writer read: apikey_reader - store: apikey_store + readStore: apikey_store_reader + writeStore: apikey_store_writer - name: grpc-cert files: tls.crt: $TOPAZ_CERTS_DIR/grpc.crt @@ -95,7 +97,7 @@ tests: run: # Create a tenant. - | - ${GRPCURL:=grpcurl} -insecure -H "Authorization: basic apikey_store" \ + ${GRPCURL:=grpcurl} -insecure -H "Authorization: basic apikey_store_writer" \ -d '{"tenant": {"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1", "name": "test-tenant"}}' \ localhost:8282 aserto.directory.store.v2.Store.CreateTenant @@ -114,6 +116,6 @@ tests: - diff charts/directory/test/manifest.yaml $TMPDIR/manifest.yaml cleanup: - | - ${GRPCURL:=grpcurl} -insecure -H "Authorization: basic apikey_store" \ + ${GRPCURL:=grpcurl} -insecure -H "Authorization: basic apikey_store_writer" \ -d '{"id": "3dbaa470-9c7e-11ef-bf36-00fcb2a75cb1"}' \ localhost:8282 aserto.directory.store.v2.Store.DeleteTenant diff --git a/charts/directory/test/tls.values.yaml b/charts/directory/test/tls.values.yaml index e0f5d8f..95f1367 100644 --- a/charts/directory/test/tls.values.yaml +++ b/charts/directory/test/tls.values.yaml @@ -1,6 +1,6 @@ --- image: - tag: 0.33.10-bf02896d-amd64 + tag: 0.33.11-c7bb8373-amd64 imagePullSecrets: - name: ghcr-creds 
diff --git a/charts/directory/values.yaml b/charts/directory/values.yaml index efb761b..ddfa5f8 100644 --- a/charts/directory/values.yaml +++ b/charts/directory/values.yaml @@ -59,14 +59,14 @@ controller: # # Address and port of the controller's gRPC service. # # Default: controller..svc.cluster.local:8282 # address: "" -# # [Optional] API key for the controller -# apiKey: "" -# # [Optional] Kubernetes secret containing the API key for the controller -# apiKeySecret: -# # Secret name -# name: "" -# # Secret key -# key: "api-key" +# # [Optiona] Controller API keys. All fields are required. +# apiKeys: +# read: "" +# write: "" +# readStore: "" +# writeStore: "" +# # [Optional] Kubernetes secret containing the controller's API keys. +# apiKeysSecret: controller-keys # # [Optional] Kubernetes secret containing the controller's CA certificate. # caCertSecret: # name: "" diff --git a/charts/discovery/templates/deployment.yaml b/charts/discovery/templates/deployment.yaml index 2503653..866bd5a 100644 --- a/charts/discovery/templates/deployment.yaml +++ b/charts/discovery/templates/deployment.yaml @@ -102,7 +102,7 @@ spec: key: {{ .secretKey }} {{- end }} - {{- with include "aserto-lib.controllerReadKeyEnv" . }} + {{- with include "aserto-lib.controllerKeyEnv" (list . "read") }} - name: DISCOVERY_DS0_API_KEY {{- . | nindent 14 }} {{- end }} diff --git a/charts/scim/templates/deployment.yaml b/charts/scim/templates/deployment.yaml index affd710..d13fc62 100644 --- a/charts/scim/templates/deployment.yaml +++ b/charts/scim/templates/deployment.yaml @@ -81,9 +81,9 @@ spec: secretKeyRef: name: {{ include "scim.auth.secretName" . }} key: {{ include "scim.auth.secretKey" . }} - {{- with (include "aserto-lib.controllerWriteKeyEnv" . | fromYaml) }} + {{- with include "aserto-lib.controllerKeyEnv" (list . "write") }} - name: ASERTO_SCIM_DIRECTORY_API_KEY - {{ . | toYaml | nindent 14 }} + {{ . | nindent 14 }} {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }}
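Review bot: The directory chart's `controller.apiKey` and `controller.apiKeySecret` values are removed from the documented schema, but nothing in this patch rejects them, so an existing values file that still sets them will presumably render with the new `apiKeys`/`apiKeysSecret` defaults instead of failing. A guard in the chart, e.g. `{{- if or .Values.controller.apiKey .Values.controller.apiKeySecret -}}{{- fail "controller.apiKey/apiKeySecret were replaced by controller.apiKeys/apiKeysSecret" -}}{{- end -}}`, would make the upgrade path explicit. `aserto-lib.controllerClientCfg`, which consumes these values, is not in the patch, so I can't confirm how it treats the stale keys.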
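Review bot: In charts/scim/templates/deployment.yaml the replacement line `{{ . | nindent 14 }}` keeps the non-trimming `{{`, while every other chart in this patch uses `{{- . | nindent 14 }}` for the same helper output. The untrimmed form leaves a whitespace-only line between `- name: ASERTO_SCIM_DIRECTORY_API_KEY` and the rendered value — harmless to the YAML parser but inconsistent and visible in `helm template` output. Change it to `{{- . | nindent 14 }}` to match the others.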