github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-08 07:04:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

misc: add rbac/permissions for daemonsets and statefulsets

Browse Source
This commit is contained in:
Sheen Capadngan
2025-02-28 13:01:45 +09:00
parent 31dc36d4e2
commit 428dc5d371
4 changed files with 348 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
helm-charts/secrets-operator/templates/manager-rbac.yaml
View File

@@ -45,7 +45,9 @@ rules:
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- list

11
k8-operator/config/rbac/role.yaml
View File

@@ -35,6 +35,17 @@ rules:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- list
- update
- watch
- apiGroups:
- apps
resources:

2
k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go
View File

@@ -42,7 +42,7 @@ func (r *InfisicalSecretReconciler) GetLogger(req ctrl.Request) logr.Logger {
//+kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicalsecrets/finalizers,verbs=update
//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;delete
//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;get;update
//+kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;statefulsets,verbs=list;watch;get;update
//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
// Reconcile is part of the main kubernetes reconciliation loop which aims to

336
k8-operator/kubectl-install/install-secrets-operator.yaml
View File

@@ -13,6 +13,269 @@ metadata:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: infisicaldynamicsecrets.secrets.infisical.com
spec:
group: secrets.infisical.com
names:
kind: InfisicalDynamicSecret
listKind: InfisicalDynamicSecretList
plural: infisicaldynamicsecrets
singular: infisicaldynamicsecret
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: InfisicalDynamicSecret is the Schema for the infisicaldynamicsecrets API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: InfisicalDynamicSecretSpec defines the desired state of InfisicalDynamicSecret.
properties:
authentication:
properties:
awsIamAuth:
properties:
identityId:
type: string
required:
- identityId
type: object
azureAuth:
properties:
identityId:
type: string
resource:
type: string
required:
- identityId
type: object
gcpIamAuth:
properties:
identityId:
type: string
serviceAccountKeyFilePath:
type: string
required:
- identityId
- serviceAccountKeyFilePath
type: object
gcpIdTokenAuth:
properties:
identityId:
type: string
required:
- identityId
type: object
kubernetesAuth:
properties:
identityId:
type: string
serviceAccountRef:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
required:
- identityId
- serviceAccountRef
type: object
universalAuth:
properties:
credentialsRef:
properties:
secretName:
description: The name of the Kubernetes Secret
type: string
secretNamespace:
description: The name space where the Kubernetes Secret is located
type: string
required:
- secretName
- secretNamespace
type: object
required:
- credentialsRef
type: object
type: object
dynamicSecret:
properties:
environmentSlug:
type: string
projectId:
type: string
secretName:
type: string
secretsPath:
type: string
required:
- environmentSlug
- projectId
- secretName
- secretsPath
type: object
hostAPI:
type: string
leaseRevocationPolicy:
type: string
leaseTTL:
type: string
managedSecretReference:
properties:
creationPolicy:
default: Orphan
description: 'The Kubernetes Secret creation policy. Enum with values: ''Owner'', ''Orphan''. Owner creates the secret and sets .metadata.ownerReferences of the InfisicalSecret CRD that created it. Orphan will not set the secret owner. This will result in the secret being orphaned and not deleted when the resource is deleted.'
type: string
secretName:
description: The name of the Kubernetes Secret
type: string
secretNamespace:
description: The name space where the Kubernetes Secret is located
type: string
secretType:
default: Opaque
description: 'The Kubernetes Secret type (experimental feature). More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
type: string
template:
description: The template to transform the secret data
properties:
data:
additionalProperties:
type: string
description: The template key values
type: object
includeAllSecrets:
description: This injects all retrieved secrets into the top level of your template. Secrets defined in the template will take precedence over the injected ones.
type: boolean
type: object
required:
- secretName
- secretNamespace
type: object
tls:
properties:
caRef:
description: Reference to secret containing CA cert
properties:
key:
description: The name of the secret property with the CA certificate value
type: string
secretName:
description: The name of the Kubernetes Secret
type: string
secretNamespace:
description: The namespace where the Kubernetes Secret is located
type: string
required:
- key
- secretName
- secretNamespace
type: object
type: object
required:
- authentication
- dynamicSecret
- leaseRevocationPolicy
- leaseTTL
- managedSecretReference
type: object
status:
description: InfisicalDynamicSecretStatus defines the observed state of InfisicalDynamicSecret.
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
dynamicSecretId:
type: string
lease:
properties:
creationTimestamp:
format: date-time
type: string
expiresAt:
format: date-time
type: string
id:
type: string
version:
format: int64
type: integer
required:
- creationTimestamp
- expiresAt
- id
- version
type: object
maxTTL:
description: The MaxTTL can be null, if it's null, there's no max TTL and we should never have to renew.
type: string
required:
- conditions
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
@@ -97,7 +360,6 @@ spec:
- serviceAccountRef
type: object
universalAuth:
description: PushSecretUniversalAuth defines universal authentication
properties:
credentialsRef:
properties:
@@ -495,6 +757,40 @@ spec:
hostAPI:
description: Infisical host to pull secrets from
type: string
managedKubeSecretReferences:
items:
properties:
creationPolicy:
default: Orphan
description: 'The Kubernetes Secret creation policy. Enum with values: ''Owner'', ''Orphan''. Owner creates the secret and sets .metadata.ownerReferences of the InfisicalSecret CRD that created it. Orphan will not set the secret owner. This will result in the secret being orphaned and not deleted when the resource is deleted.'
type: string
secretName:
description: The name of the Kubernetes Secret
type: string
secretNamespace:
description: The name space where the Kubernetes Secret is located
type: string
secretType:
default: Opaque
description: 'The Kubernetes Secret type (experimental feature). More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
type: string
template:
description: The template to transform the secret data
properties:
data:
additionalProperties:
type: string
description: The template key values
type: object
includeAllSecrets:
description: This injects all retrieved secrets into the top level of your template. Secrets defined in the template will take precedence over the injected ones.
type: boolean
type: object
required:
- secretName
- secretNamespace
type: object
type: array
managedSecretReference:
properties:
creationPolicy:
@@ -563,7 +859,6 @@ spec:
- secretNamespace
type: object
required:
- managedSecretReference
- resyncInterval
type: object
status:
@@ -715,6 +1010,17 @@ rules:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- statefulsets
verbs:
- get
- list
- update
- watch
- apiGroups:
- apps
resources:
@@ -724,6 +1030,32 @@ rules:
- list
- update
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets/finalizers
verbs:
- update
- apiGroups:
- secrets.infisical.com
resources:
- infisicaldynamicsecrets/status
verbs:
- get
- patch
- update
- apiGroups:
- secrets.infisical.com
resources: