github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-08 23:18:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

rbac fix

Browse Source
This commit is contained in:
Daniel Hougaard
2025-08-27 19:54:31 +02:00
parent af2f21fe93
commit 1165b05e8a
16 changed files with 21 additions and 486 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
helm-charts/secrets-operator/Chart.yaml
View File

@@ -13,9 +13,9 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: v0.10.2
version: v0.10.3
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "v0.10.2"
appVersion: "v0.10.3"

49
helm-charts/secrets-operator/templates/infisicaldynamicsecret-admin-rbac.yaml
View File

@@ -1,49 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets
verbs:
- '*'
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-admin-role'

55
helm-charts/secrets-operator/templates/infisicaldynamicsecret-editor-rbac.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-editor-role'

51
helm-charts/secrets-operator/templates/infisicaldynamicsecret-viewer-rbac.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets
verbs:
- get
- list
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicaldynamicsecret-viewer-role'

49
helm-charts/secrets-operator/templates/infisicalpushsecretsecret-admin-rbac.yaml
View File

@@ -1,49 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets
verbs:
- '*'
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-admin-role'

55
helm-charts/secrets-operator/templates/infisicalpushsecretsecret-editor-rbac.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-editor-role'

51
helm-charts/secrets-operator/templates/infisicalpushsecretsecret-viewer-rbac.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets
verbs:
- get
- list
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicalpushsecretsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalpushsecretsecret-viewer-role'

49
helm-charts/secrets-operator/templates/infisicalsecret-admin-rbac.yaml
View File

@@ -1,49 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets
verbs:
- '*'
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-admin-role'

55
helm-charts/secrets-operator/templates/infisicalsecret-editor-rbac.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-editor-role'

51
helm-charts/secrets-operator/templates/infisicalsecret-viewer-rbac.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-role
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets
verbs:
- get
- list
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicalsecrets/status
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-rolebinding
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: '{{ include "secrets-operator.fullname" . }}-infisicalsecret-viewer-role'

2
helm-charts/secrets-operator/values.yaml
View File

@@ -12,7 +12,7 @@ controllerManager:
readOnlyRootFilesystem: true
image:
repository: infisical/kubernetes-operator
tag: v0.10.2
tag: v0.10.3
resources:
limits:
cpu: 500m

2
k8-operator/PROJECT
View File

@@ -24,7 +24,7 @@ resources:
controller: true
domain: infisical.com
group: secrets
kind: InfisicalPushSecretSecret
kind: InfisicalPushSecret
path: github.com/Infisical/infisical/k8-operator/api/v1alpha1
version: v1alpha1
- api:

4
k8-operator/api/v1alpha1/infisicalpushsecret_types.go
View File

@@ -16,7 +16,7 @@ type InfisicalPushSecretDestination struct {
ProjectID string `json:"projectId"`
}
type InfisicalPushSecretSecretSource struct {
type InfisicalPushSecretSource struct {
// The name of the Kubernetes Secret
// +kubebuilder:validation:Required
SecretName string `json:"secretName"`
@@ -48,7 +48,7 @@ type SecretPushGenerator struct {
type SecretPush struct {
// +kubebuilder:validation:Optional
Secret *InfisicalPushSecretSecretSource `json:"secret,omitempty"`
Secret *InfisicalPushSecretSource `json:"secret,omitempty"`
// +kubebuilder:validation:Optional
Generators []SecretPushGenerator `json:"generators,omitempty"`
}

18
k8-operator/config/rbac/kustomization.yaml
View File

@@ -22,13 +22,13 @@ resources:
# default, aiding admins in cluster management. Those roles are
# not used by the k8-operator itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
- infisicaldynamicsecret_admin_role.yaml
- infisicaldynamicsecret_editor_role.yaml
- infisicaldynamicsecret_viewer_role.yaml
- infisicalpushsecretsecret_admin_role.yaml
- infisicalpushsecretsecret_editor_role.yaml
- infisicalpushsecretsecret_viewer_role.yaml
- infisicalsecret_admin_role.yaml
- infisicalsecret_editor_role.yaml
- infisicalsecret_viewer_role.yaml
# - infisicaldynamicsecret_admin_role.yaml
# - infisicaldynamicsecret_editor_role.yaml
# - infisicaldynamicsecret_viewer_role.yaml
# - infisicalpushsecret_admin_role.yaml
# - infisicalpushsecret_editor_role.yaml
# - infisicalpushsecret_viewer_role.yaml
# - infisicalsecret_admin_role.yaml
# - infisicalsecret_editor_role.yaml
# - infisicalsecret_viewer_role.yaml

2
k8-operator/internal/controller/infisicalpushsecret_controller.go
View File

@@ -42,7 +42,7 @@ import (
"github.com/go-logr/logr"
)
// InfisicalPushSecretReconciler reconciles a InfisicalPushSecretSecret object
// InfisicalPushSecretReconciler reconciles a InfisicalPushSecret object
type InfisicalPushSecretReconciler struct {
client.Client
BaseLogger logr.Logger

10
k8-operator/internal/controller/infisicalpushsecret_controller_test.go
View File

@@ -30,7 +30,7 @@ import (
secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
)
var _ = Describe("InfisicalPushSecretSecret Controller", func() {
var _ = Describe("InfisicalPushSecret Controller", func() {
Context("When reconciling a resource", func() {
const resourceName = "test-resource"
@@ -40,11 +40,11 @@ var _ = Describe("InfisicalPushSecretSecret Controller", func() {
Name: resourceName,
Namespace: "default", // TODO(user):Modify as needed
}
infisicalpushsecretsecret := &secretsv1alpha1.InfisicalPushSecret{}
infisicalpushsecret := &secretsv1alpha1.InfisicalPushSecret{}
BeforeEach(func() {
By("creating the custom resource for the Kind InfisicalPushSecretSecret")
err := k8sClient.Get(ctx, typeNamespacedName, infisicalpushsecretsecret)
By("creating the custom resource for the Kind InfisicalPushSecret")
err := k8sClient.Get(ctx, typeNamespacedName, infisicalpushsecret)
if err != nil && errors.IsNotFound(err) {
resource := &secretsv1alpha1.InfisicalPushSecret{
ObjectMeta: metav1.ObjectMeta{
@@ -63,7 +63,7 @@ var _ = Describe("InfisicalPushSecretSecret Controller", func() {
err := k8sClient.Get(ctx, typeNamespacedName, resource)
Expect(err).NotTo(HaveOccurred())
By("Cleanup the specific resource instance InfisicalPushSecretSecret")
By("Cleanup the specific resource instance InfisicalPushSecret")
Expect(k8sClient.Delete(ctx, resource)).To(Succeed())
})
It("should successfully reconcile the resource", func() {